Tags: wso2, wso2-api-manager

Dynamically add certificate to truststore in clustered environment


I deployed clustered WSO2 APIM 4.0.0 on OpenShift using this helm chart: https://github.com/wso2/kubernetes-apim/tree/master/advanced/am-pattern-4

And now I am checking its API. I am trying to add an SSL certificate for the endpoint I am testing, following this guide: https://apim.docs.wso2.com/en/4.1.0/design/endpoints/certificates/. But the connection to the endpoint still fails with this error:

ERROR - GlobalThrowableMapper Error while persisting API
ERROR - ApisApiServiceImpl Error occurred while sending the HEAD request to the given endpoint url:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Every time I add a certificate it requires a restart of the server to actually take effect. Checking the client_truststore in the cp1 pod I see that the certificate is added to the truststore, but APIM does not read it back.

I followed version 5 section of this guide to mount the client_truststore on deployment: https://github.com/wso2/container-guide/blob/master/deploy/Managing_Keystores_And_Truststores.md

I tried adding the following to deployment.toml:

[transport.passthru_https.sender.ssl_profile]
interval = 600000

Upon restart of the deployment, all of the changes that were made to client_truststore on pod cp1 at runtime are deleted and re-uploaded from the OpenShift secret that is mounted on the pods, so a restart of the deployment also does not work. The only way to actually add an endpoint certificate is by downloading the current client_truststore locally to the PC and adding the new certificate to the JKS file with the keytool command, then re-uploading the client_truststore back to the secret and warm-restarting all the pods.

However, I want the ability to dynamically upload a new certificate to the truststore at runtime, without the need for a restart, to work on my deployment, because I want my clients to do it by themselves.

Is there any way to do this in OpenShift? Even if in OpenShift pods must be entirely immutable, maybe there is a way to put the truststore in the DB server that resides on a physical server? Or any other trick? I would be thankful for your help.


Solution

  • Your best option is to create a volume and add all the contents in wso2am-4.0.0/wso2am-4.0.0/repository/resources/security to this volume, update the primary keystore and the truststore if you want to update any certificates, and then mount it to ${WSO2_SERVER_HOME}/repository/resources/security. Once you mount it through a PV, whatever certs you import through the Publisher will be persisted and will remain there after a restart.
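One way to put the answer above into manifests, as an added example that is not part of the original answer nor of the wso2/kubernetes-apim chart: a PersistentVolumeClaim plus a Deployment fragment that seeds the volume once from the image's own security directory and then mounts it over ${WSO2_SERVER_HOME}/repository/resources/security. The server home path /home/wso2carbon/wso2am-4.0.0, the Deployment and container names, the image reference and the storage class are assumptions or placeholders and must be matched to your chart.

```yaml
# Added example; not from the question, the answer or the WSO2 helm chart.
# Assumptions: server home is /home/wso2carbon/wso2am-4.0.0 (path used by the
# official WSO2 images); names marked "placeholder" must match your chart.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wso2am-security-pvc                    # placeholder
spec:
  accessModes:
    - ReadWriteMany                            # ReadWriteOnce is enough if only one pod mounts it
  storageClassName: <your-rwx-storage-class>   # placeholder
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wso2am-cp                              # placeholder; match the chart's Deployment
spec:
  template:
    spec:
      volumes:
        - name: security-dir
          persistentVolumeClaim:
            claimName: wso2am-security-pvc
      initContainers:
        # Seed the empty volume once with the image's keystores and truststore,
        # so that mounting the PV over the directory does not hide them.
        - name: seed-security-dir
          image: <same-apim-image-as-main-container>   # placeholder
          command:
            - sh
            - -c
            - |
              src=/home/wso2carbon/wso2am-4.0.0/repository/resources/security
              if [ -z "$(ls -A /seed)" ]; then
                cp -a "$src"/. /seed/
              fi
          volumeMounts:
            - name: security-dir
              mountPath: /seed
      containers:
        - name: wso2am                         # placeholder; match the chart's container
          volumeMounts:
            - name: security-dir
              mountPath: /home/wso2carbon/wso2am-4.0.0/repository/resources/security
```

Two things to check before relying on this. First, the secret-based mount from the container guide must no longer target the same directory (or client-truststore.jks inside it), otherwise the secret keeps shadowing the volume and the behaviour described in the question returns. Second, the APIM container must be able to write to the volume: set the pod's securityContext.fsGroup to the group the WSO2 container runs as, or the Publisher import will fail on the read-only truststore file. With a ReadWriteMany claim shared by every control-plane replica, a certificate imported through the Publisher lands in the same client-truststore.jks for all of them and survives a rollout.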