I see in some helm chart values.yaml files fields related to "sslTruststoreSecret", how are those used?

  1. In Broadleaf, when you ran mvn flex:generate, it generated a set of security artifacts as depicted here:

Note: you can read more about the unique security artifacts that Broadleaf generates for you here: Broadleaf Dev Central

  2. The file that is “loaded” into the sslTruststoreSecret used in the Helm Charts is the https-truststore.jks file.

  3. Notice that in the blc-common-env helm chart, there is a template called common-cfgsrvr-ssl-truststore.yaml. This is a K8 secret template which will be loaded with the actual base64 contents of the https-truststore.jks file during invocation of the install.sh script, and will be installed as part of the blc-common-env chart.

  4. In any of the flex package Helm Chart values.yaml you will see a section like below. Specifically, it has a property that references the secret you created in the previous step, common-cfgsrvr-ssl-truststore, gets the actual base64 contents of that secret, and mounts it as an actual file at the path cfg-server-ssl/https-truststore.jks in the pod. This strategy of mounting a secret as a specific file is common in K8: Mounting a Kubernetes Secret as a single file inside a Pod | Jeff Geerling

secrets:
  configServerClient:
    secretEnvsSecret:
      # Name of the optional existing K8s secret that can be used in envFrom to load secret env vars for connecting
      # to ConfigServer
      name: "common-cfgsrvr-secret-envs"
    sslTruststoreSecret:
      # Name of the optional existing K8s secret containing a truststore for verifying SSL with ConfigServer
      name: "common-cfgsrvr-ssl-truststore"
      # Key in the secret containing the truststore file contents. This will be mounted as a file.
      keyInSecret: "base64TruststoreFileContents"
      # The filename to mount the file as. This will be
      # under the base path of secrets.commonKeysProjectedVolume.name.
      mountedFilename: "cfg-server-ssl/https-truststore.jks"

From an application perspective, there is specific code in Broadleaf’s libraries that knows how to look for that trust store file in that directory and configure various HTTP REST clients to make use of it (e.g. an HTTP client that allows connectivity from flex package → config service).
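The secret-to-file flow described in the answer above, as an added example (not Broadleaf's own install.sh or chart code): it builds the Secret manifest that holds the base64 truststore under the keyInSecret name from the values.yaml, builds the projected volume and mount that land it at cfg-server-ssl/https-truststore.jks, and then simulates what the kubelet writes into the pod so you can check the result is a real JKS file. The truststore bytes are a constructed stand-in (only the 0xFEEDFEED magic number is realistic), and the volume name, mount path and namespace are assumptions, since the page does not give them. The double-encoding check at the end is the failure mode practitioners most often hit: if the already-base64 text is encoded a second time on its way into Secret.data, the mounted file is base64 text rather than a keystore and the HTTP clients will fail to load it.

```python
import base64

# JKS keystore files begin with the magic number 0xFEEDFEED (big-endian).
JKS_MAGIC = b"\xfe\xed\xfe\xed"

# Constructed stand-in for the bytes of https-truststore.jks; only the magic
# number is realistic, the rest is filler (assumption, not a real keystore).
SAMPLE_TRUSTSTORE = JKS_MAGIC + b"\x00\x00\x00\x02constructed-truststore-body"

# Values taken from the values.yaml shown above.
SECRET_NAME = "common-cfgsrvr-ssl-truststore"
KEY_IN_SECRET = "base64TruststoreFileContents"
MOUNTED_FILENAME = "cfg-server-ssl/https-truststore.jks"

# Assumptions (not given on the page): the projected volume's name and mount path.
VOLUME_NAME = "common-keys"
MOUNT_PATH = "/etc/broadleaf-secrets"


def build_truststore_secret(name, key_in_secret, truststore_bytes, namespace="default"):
    """Secret manifest (as a dict) holding the truststore under key_in_secret.

    Secret.data values are base64 text; the kubelet decodes them when it
    mounts the key as a file, so the pod sees the original .jks bytes.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key_in_secret: base64.b64encode(truststore_bytes).decode("ascii")},
    }


def build_projected_volume(volume_name, secret_name, key_in_secret, mounted_filename, mount_path):
    """Projected volume + volumeMount that expose one secret key as a single file.

    items[].path may include a subdirectory, so the file lands at
    <mount_path>/<mounted_filename>; mode 0o400 keeps it read-only.
    """
    volume = {
        "name": volume_name,
        "projected": {
            "sources": [
                {
                    "secret": {
                        "name": secret_name,
                        "items": [{"key": key_in_secret, "path": mounted_filename, "mode": 0o400}],
                    }
                }
            ]
        },
    }
    mount = {"name": volume_name, "mountPath": mount_path, "readOnly": True}
    return volume, mount


def simulate_mount(secret, volume, mount):
    """Return {absolute_path: bytes} as the kubelet would materialise the volume.

    Only the secret sources of the projected volume are modelled here.
    """
    files = {}
    base = mount["mountPath"].rstrip("/")
    for source in volume["projected"]["sources"]:
        for item in source["secret"]["items"]:
            files[f"{base}/{item['path']}"] = base64.b64decode(secret["data"][item["key"]])
    return files


def is_jks(data):
    """True if the bytes start with the JKS magic number."""
    return data[:4] == JKS_MAGIC


def check_mounted_truststores(files):
    """Map each mounted path to whether it is a usable JKS file."""
    return {path: is_jks(data) for path, data in files.items()}


if __name__ == "__main__":
    secret = build_truststore_secret(SECRET_NAME, KEY_IN_SECRET, SAMPLE_TRUSTSTORE)
    volume, mount = build_projected_volume(VOLUME_NAME, SECRET_NAME, KEY_IN_SECRET, MOUNTED_FILENAME, MOUNT_PATH)
    for path, ok in check_mounted_truststores(simulate_mount(secret, volume, mount)).items():
        print(path, "OK: JKS" if ok else "NOT a JKS (double-encoded?)")

    # Failure mode: feeding the base64 text (not the raw bytes) into the Secret
    # builder encodes it twice, and the pod ends up with base64 text on disk.
    doubled = build_truststore_secret(SECRET_NAME, KEY_IN_SECRET, secret["data"][KEY_IN_SECRET].encode())
    for path, ok in check_mounted_truststores(simulate_mount(doubled, volume, mount)).items():
        print(path, "OK: JKS" if ok else "NOT a JKS (double-encoded?)")
```

Run it as a script to see the good and double-encoded cases side by side; in a real cluster the equivalent check is to exec into the pod and confirm the mounted file begins with the FEEDFEED magic bytes before debugging TLS errors against the config server.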