[teiid-issues] [JBoss JIRA] (TEIIDSB-92) Provide an openshfit example of a secure transport

Steven Hawkins (Jira) issues at jboss.org
Fri May 17 11:04:00 EDT 2019 

    [ https://issues.jboss.org/browse/TEIIDSB-92?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13734980#comment-13734980 ] 

Steven Hawkins commented on TEIIDSB-92:
---------------------------------------

> The fastest way to fix is provide a patch, but it was little cryptic when I looked at it, did not get the support I was looking for in a timely manner

I see that a lot looking at their issues.  If it's seen as a corner case it's likely to never get attention.  It seems like this could be a big effort as I'd first have to figure out what's wrong at a baseline with 4.1.0 / latest, then fix anything related to initContainers.  The alternatives are:

1. add keytool and openssl to our image and move the generation logic out of the initContainer.  The advantage of the service signed certificates is that it's possible for openshift clients to trust them (for java it likely means another init container to create the truststore).

2. use the keytool-maven-plugin to generate a self-signed cert at build time, then wire that in as a secret.  Of course this will rotate the private key on each build, so we'd just have to document using the trust all option for clients.  Realistically this is not any better than anonymous ssl - but I could not make anonymous work on openshift for some reason, even with overriding the disabled cipher suites.  Also we'd potentially have to know how to enable the anonymous cipher suite across a variety of pg clients - which could be more difficult than just trusting the self-signed certificate.

> Provide an openshfit example of a secure transport
> --------------------------------------------------
>
>                 Key: TEIIDSB-92
>                 URL: https://issues.jboss.org/browse/TEIIDSB-92
>             Project: Teiid Spring Boot
>          Issue Type: Sub-task
>          Components: OpenShift
>            Reporter: Steven Hawkins
>            Assignee: Steven Hawkins
>            Priority: Major
>         Attachments: screenshot-1.png
>
>
> Until we have kerberos support, usage of the pg transport will likely need to be secure to prevent plain-text username/password being sent unencrypted.
> It should also be a general option to enable secure transports from our ui.  External exposure is covered in TEIIDSB-86.
> We should use the private key from either based upon a self-signed certificate or using service signing certificates.  I'll provide an example demonstrating one of those approaches.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the teiid-issues mailing list