pega-helm-charts
Install TLS cert in Tomcat server truststore in k8s to securely integrate with backend APIs
Is your feature request related to a problem? Please describe. Yes, we need to configure a TLS cert in the Tomcat server truststore to integrate successfully with a backend REST API.
Describe the solution you'd like A placeholder in the values.yaml file for the Pega helm chart to install the TLS cert in the Tomcat server truststore.
Describe alternatives you've considered As a workaround, we are configuring the cert at rule level. Since we have hundreds of rules, this is not a long-term solution.
@dcasavant @PegaBasis, can either of you please help us here?
Hi Sunny, we aren't a member of PegaSystems ;-) Our name is just a bit confusing
Hi @sunnygoel8 , there is work in progress to better support certificate injection into the load balancer for edge encryption.
We support passthrough termination of TLS by extending the image and providing the appropriate configuration and certificates. Our roadmap includes eventually parameterizing the docker image to make that a bit easier - but it is not yet scheduled.
@dcasavant, thanks for your response. There are 2 scenarios -
Scenario #1 -> Push the custom TLS certificate to either the Load Balancer or Traefik (if used as ingress controller) to secure front-end traffic.
Scenario #2 -> Upload the custom TLS cert for the backend API into the Tomcat server to secure the backend traffic. Presently, we are uploading the cert at each rule level, but this is not a long-term solution. So how can we effectively achieve this in k8s?
Hi @sunnygoel8 ,
Scenario 1 will be addressed by #78.
Scenario 2 would require extending the Pega Docker image and configuring Tomcat to use TLS. This may eventually be configurable via parameter, but is not yet.
@dcasavant, for the 2nd scenario we can certainly extend the Pega Docker image to import the TLS cert of the backend APIs. Let's say we do it the 1st time, and after 3 months we have to integrate with another external API server which uses a completely different TLS cert issued by some other CA. In that case, do we again need to extend the Pega Docker image and do a helm upgrade again?
If so, it doesn't seem a good solution to me in the long run.
@dcasavant If you ever intend to do scenario 2 it would also be useful for our internal team, so give Octopodes a heads up if you intend to take that route
One possible solution could be to store the certs in a vault and decouple the image and the certs. This way when a certificate has to be added you can update the certs in the vault and restart the pods.
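The decoupling described in the comment above, shown as an added example that is not part of pega-helm-charts or this thread: the backend API's CA certificate lives in a Kubernetes Secret, an init container imports it into a truststore built on an emptyDir volume at every pod start, and the Tomcat JVM is pointed at that truststore. Adding or rotating a CA then means updating the Secret and restarting the pods, not rebuilding the image. The image names, mount paths, the `JAVA_OPTS` variable and the PEM content are assumptions or constructed placeholders; the real Pega image, its JVM settings variable and the CA certificate must be substituted.

```yaml
# Added example, not chart code: mount a backend CA from a Secret and build a
# Tomcat truststore from it in an init container. Image names, paths and the
# JAVA_OPTS variable are assumptions; adapt them to the chart being deployed.
apiVersion: v1
kind: Secret
metadata:
  name: backend-api-ca
type: Opaque
stringData:
  # Constructed placeholder: replace with the PEM of the CA that issued the
  # backend API's server certificate (public material only, no private key).
  backend-ca.pem: |
    -----BEGIN CERTIFICATE-----
    ...PEM body of the backend CA certificate...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-app
  template:
    metadata:
      labels:
        app: tomcat-app
    spec:
      volumes:
        - name: backend-ca
          secret:
            secretName: backend-api-ca
        - name: truststore
          emptyDir: {}
      initContainers:
        # Builds a fresh truststore on every pod start: the JDK's default CA
        # bundle plus every PEM mounted from the Secret. The default cacerts
        # password "changeit" is kept because the store holds public CA
        # certificates only; there is no private key to protect.
        - name: build-truststore
          image: eclipse-temurin:11-jdk   # assumption: any JDK image that ships keytool
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              cp "$JAVA_HOME/lib/security/cacerts" /truststore/cacerts.jks
              for pem in /certs/*.pem; do
                alias=$(basename "$pem" .pem)
                keytool -importcert -noprompt -trustcacerts \
                  -keystore /truststore/cacerts.jks -storepass changeit \
                  -alias "$alias" -file "$pem"
              done
              # Fail the pod early if the imported alias is not present.
              keytool -list -keystore /truststore/cacerts.jks -storepass changeit \
                -alias backend-ca >/dev/null
          volumeMounts:
            - { name: backend-ca, mountPath: /certs, readOnly: true }
            - { name: truststore, mountPath: /truststore }
      containers:
        - name: tomcat
          image: tomcat:9-jdk11   # assumption: replace with the Pega image in use
          env:
            # Point the JVM at the merged truststore. The exact variable the
            # Pega image reads for JVM options is an assumption here.
            - name: JAVA_OPTS
              value: "-Djavax.net.ssl.trustStore=/truststore/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"
          volumeMounts:
            - { name: truststore, mountPath: /truststore, readOnly: true }
```

Because the init container only runs when a pod starts, a Secret update alone does not change the running JVM's trust anchors; a rolling restart of the Deployment is what picks up the new CA, which is the restart the comment above refers to. Mounting the Secret and the finished truststore read-only into the Tomcat container keeps the application from altering its own trust anchors at runtime.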
For outbound connections, certificate truststore injection is now supported. See #360 for more information. For inbound connections the plan is to leverage a re-encryption strategy that will encrypt the traffic between the load balancer and Tomcat. The charts will provide a default self-signed cert, which will need to be replaced if this communication is not already secured via other means.
This is done and released in the latest versions of the helm chart, from 2.3.0 onward.