Description
Problem statement
Spring Cloud Gateway currently supports passing in a list of filenames pointing to certificates in PEM format (property `spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates`). If this list is non-empty, the certificates will be loaded, and they will be considered the only trusted certificates.
Applications I work on are provided a Java KeyStore that should be used as a source of trusted certificates. I wish to use this unmodified, if at all possible. This is currently not supported by Spring Cloud Gateway.
Desired solution
Support JKS and/or PKCS#12 "keystores" as a source of trusted certificates.
Considered alternatives
- I considered using a custom `PropertySource` that is provided the path to a keystore as input, and solely provides the `spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates` property. To do this, the input keystore must be converted to a format understood by Spring Cloud Gateway as it is currently implemented. At first glance, this seems complex.
- As we would be deploying our applications in Kubernetes, I could use an init container to do the work of transforming the truststore to a format currently understood by Spring Cloud Gateway.
- Because we're deploying to Kubernetes, we could mount the provided truststore into the location where the JVM stores its truststore, thereby overriding it entirely.
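The conversion that the first two alternatives depend on, as an added example that is not part of this issue or of the Spring Cloud Gateway code base: a small Java program that reads a JKS or PKCS#12 truststore and writes its trusted-certificate entries (skipping any private-key entries) to one PEM file, which the existing `trusted-x509-certificates` property can then point at. The class name, argument layout and file paths are assumptions.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Enumeration;

// Hypothetical helper, not part of Spring Cloud Gateway.
public class TruststoreToPem {

    /**
     * Writes every trusted-certificate entry of the keystore as a PEM block
     * and returns the number of certificates exported.
     */
    public static int export(File store, char[] password, File pem) throws Exception {
        // Java 9+ probes the file format, so JKS and PKCS#12 are both handled here
        KeyStore ks = KeyStore.getInstance(store, password);
        // 64-column MIME Base64 with "\n" separators is the layout PEM readers expect
        Base64.Encoder b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        int count = 0;
        try (Writer out = new OutputStreamWriter(new FileOutputStream(pem), StandardCharsets.US_ASCII)) {
            for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
                String alias = aliases.nextElement();
                // Skip private-key entries: only trust anchors belong in a truststore PEM
                if (!ks.isCertificateEntry(alias)) {
                    continue;
                }
                Certificate cert = ks.getCertificate(alias);
                out.write("-----BEGIN CERTIFICATE-----\n");
                out.write(b64.encodeToString(cert.getEncoded()));
                out.write("\n-----END CERTIFICATE-----\n");
                count++;
            }
        }
        return count;
    }

    // Usage: java TruststoreToPem <truststore.jks|.p12> <password-or-empty> <out.pem>
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].isEmpty() ? null : args[1].toCharArray();
        int n = export(new File(args[0]), pw, new File(args[2]));
        System.out.println("exported " + n + " trusted certificate(s) to " + args[2]);
    }
}
```

Run in an init container and point `spring.cloud.gateway.httpclient.ssl.trusted-x509-certificates` at the generated file; because the output lists only certificate entries, a keystore that also holds private keys does not leak them into the PEM.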
Closing comments
If there's interest in this feature, I'm willing to attempt creating a PR that implements this. I'm not sure what to do with the current configuration possibility though: would we maintain two different ways of adding sources of trusted certificates, which means we'd need to merge them? Or would one replace the other?