TLS/SSL recomendations

[DwaneHall]

Hi all,
What are the current recommendations for enabling TLS for apicurio-registry? I believe this to be a common use case particularly when interacting with an OIDC provider like keycloak but I have been unable to find any examples of how to complete this for the apicurio-registry docker images. In Quarkus it's done by setting the quarkus.http.ssl.certificate... application.properties variables but I was unable to find them in the configuration options to be overridden by environment variables. This open issue looks to be in development to surface the TLS configuration options but is there a current recommendation on how to achieve this so I’m able to trust certs that are not trusted by default in the default image JDK’s? Any advice or direction would be appreciated.
Thanks,
Dwane

[DwaneHall]

I'm not sure how active this discussion board is based on the open questions on here but for those interested it looks like you can use the base Quarkus environment variables when enabling TLS/SSL. I could not find a comprehensive list of their exact names but they appear to align closely with the Quarkus application.properties and I was able to get a TLS connection using the below parameters in the docker compose file.

QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_FILE:
QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_PASSWORD:
QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_FILE_TYPE:
QUARKUS_HTTP_SSL_CERTIFICATE_TRUST_STORE_FILE:
QUARKUS_HTTP_SSL_CERTIFICATE_TRUST_STORE_PASSWORD:
QUARKUS_HTTP_SSL_CERTIFICATE_TRUST_STORE_FILE_TYPE:

[EricWittmann]

Thanks @DwaneHall - and sorry for the slow response. We've been a little slammed recently, and sometimes GH emails fall through the cracks.

@jsenko and @carlesarnal do you have anything to add on this?

[DwaneHall]

@EricWittmann no problem at all thanks for getting back to me! I'm not surprised you've been busy RedHat have been producing so much great content for the open source community so I'm happy to get in line. If someone can confirm the approach I've taken is the recommended one I'll close of the question and clear some air from the forum. Thanks again.

[jsenko]

Here is a blog post from @carlesarnal that may be useful https://developers.redhat.com/blog/2021/01/06/how-to-enable-https-and-ssl-termination-in-a-quarkus-app . It's interesting that the variables you discovered have different names than the ones mentioned. We are working on Operator support and the idea is to use such env. variables. That should make things easier for users in the near future:)

[DwaneHall]

Hey @jsenko I think the properties are the same it's just the example I used configured TLS/SSL using a keystore and the example in the blog post uses a certificate and key directly. It appears Quarkus supports both options. Thanks for the link and great news on surfacing the environment variables!

[carlesarnal]

Sorry for being late to the party. Yes, that blog post is a good entry point. One of the nice things about Registry being a Quarkus app is that if you need to customize anything that we do not expose directly in Registry you can do it using Quarkus capabilities.