From 55d3217b47c279665ec6f389a4c0a81c764f3676 Mon Sep 17 00:00:00 2001
From: hamza-m-masood
Date: Wed, 4 Sep 2024 01:02:26 +0100
Subject: [PATCH] removed in 8.5
---
.../deploy/openshift/redhat-openshift.md | 51 +++++--------------
1 file changed, 13 insertions(+), 38 deletions(-)
diff --git a/versioned_docs/version-8.5/self-managed/setup/deploy/openshift/redhat-openshift.md b/versioned_docs/version-8.5/self-managed/setup/deploy/openshift/redhat-openshift.md
index 5915dfe289..753f7a3273 100644
--- a/versioned_docs/version-8.5/self-managed/setup/deploy/openshift/redhat-openshift.md
+++ b/versioned_docs/version-8.5/self-managed/setup/deploy/openshift/redhat-openshift.md
@@ -332,37 +332,6 @@ tasklist: The actual configuration properties can be reviewed [in the Tasklist configuration documentation](/self-managed/tasklist-deployment/tasklist-configuration.md#zeebe-broker-connection). 5. For Connectors: - :::note - -The following will no longer be required when [the Connectors component supports PKCS #1 and PKCS #8](https://github.com/camunda/connectors/issues/2806). - -::: - -The Connectors component only accepts a `jks` (Java KeyStore) certificate. -If you have followed our previous recommendation of generating a TLS certificate using the OpenShift annotation, you will have a `PKCS #1` certificate the Connectors component will not accept. - -Below are a number of commands that convert the `PKCS #1` certificate generated by OpenShift to a `jks` format the Connectors component accepts: - -```bash -# Grab OpenShift generated TLS certificate. -kubectl get secret -n camunda camunda-zeebe-gateway -o jsonpath="{.data['tls\.crt']}" | base64 --decode > tls.crt -# Grab OpenShift generated TLS key. -kubectl get secret -n camunda camunda-zeebe-gateway -o jsonpath="{.data['tls\.key']}" | base64 --decode > zeebe-key.key -# Convert Zeebe Gateway unencrypted TLS key to an encrypted key. You will be prompted to enter a password when running this command. Note down the password: -openssl pkcs8 -topk8 -inform PEM -outform PEM -in ./zeebe-key.key -out ./zeebe-encrypted-key-gen.pem -v2 des3 -# Convert PKCS #1 certificate to PKCS #12. Again, you will be prompted to enter the password. -openssl pkcs12 -export -in tls.crt -inkey zeebe-encrypted-key-gen.pem -out zeebe-p12-certificate.p12 -name "certificate" -# Convert PKCS #12 certificate to jks cert. 
-keytool -importkeystore -srckeystore zeebe-p12-certificate.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -``` - -Create a generic TLS secret from the `jks` file: - -```bash -kubectl create secret generic keystore -n camunda --from-file keystore.jks -``` - -Once the secret is created, follow the below example `values.yaml` config: ```yaml connectors: @@ -373,18 +342,24 @@ connectors: value: "camunda-zeebe-gateway.camunda.svc.cluster.local:26500" - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT value: "false" - - name: JAVA_TOOL_OPTIONS - value: "-Djavax.net.ssl.trustStore=/usr/local/certificates/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit" + - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH + value: /usr/local/certificates/tls.crt extraVolumeMounts: - - name: keystore - readOnly: true - mountPath: /usr/local/certificates + - name: certificate + mountPath: /usr/local/certificates/tls.crt + subPath: tls.crt extraVolumes: - - name: keystore + - name: certificate secret: - secretName: keystore + secretName: camunda-platform-internal-service-certificate + items: + - key: tls.crt + path: tls.crt + defaultMode: 420 ``` +The actual configuration properties can be reviewed [in the Connectors configuration documentation](/self-managed/connectors-deployment/connectors-configuration.md#zeebe-broker-connection). + 6. Configure all other applications running inside the cluster and connecting to the Zeebe Gateway to also use TLS.