EJBCA Kubernetes problems (haproxy ingress controller, HSTS, Timeouts)

[fskale]

I'm currently evaluation EJBCA (which i used in the past as standard Linux VM and worked grear), for our company.
The kubernetes setup for the CE is not very well documented, so some questions came up during the setup.

1.) The setup for kubernetes mentions the fact, that you've to bootstrap using "initializeWithSelfSignedTls: true".
So far so good.
The docs than don't mention, that after the initial setup, there's already a ManagementCA in place, and no way to create the "Superadmin" user ;-)
After several retries, i found the URL to generate a new ManagementCA and create the superadmin account by entering the URL:
" https://ejbca.example.com/ejbca/adminweb/initpki.xhtml"
Before that, i renamed the auto setup management CA to ManagementCA_DEF ;-)
Btw. i'm not able to delete the managementCA_DEF ;-)

2.) ingress controller support for haproxy
In the docs there's stated that only Nginx ingress controller is supported at the ingress level and that there must be a http sidecar, even if a try to use anoth ingress controller.
The nginx ingress controller is out of support quite a while now, so i switched to haproxy some months ago. (works well !)
My values yaml snipped:

# Requires proxyAJP or proxyHttp service to be enabled for adminweb access
ingress:
  enabled: true
  className: "haproxy"
  sslBackend: true
  annotations:
    ## Do not redirect HTTP to HTTPS
    haproxy-ingress.github.io/server-ssl: "true"
    haproxy.org/server-ssl: "true"
    haproxy-ingress.github.io/ssl-passthrough: "true"
    haproxy.org/ssl-passthrough: "true"
    haproxy-ingress.github.io/ssl-redirect: "true"
    haproxy.org/ssl-redirect: "true"
  hosts:
    - host: "ejbca.example.com"
      paths:
        - path: /
          pathType: Prefix

It works as expected, but when switching over to the "go live" step as mentioned in the docs, HSTS comes in place and all the browsers won't allow a connection for obvious reasons ;-)
All the pods use the hostname which is the podman without any domain ;-)
Because haproxy uses SSL passthrough, the PODS MUST use a valid DNS name and not the pod name IMHO.
The browser blocks the connection due to the fact that HSTS is in place and the DNS name is wrong:
e.g: "Node hostname ejbca-ejbca-community-helm-7d58c4d857-x6jml"
The only browser that works so far is "Safari".
I imported all the certs into the System Key Chain was well as the superadmin P12.

How can i disable HSTS in ejbca ? I didn't find any hint !
Why would i need HSTS anyway when is have mTLS in place ?

3.) Since there are two pods running, the connection switches and i always run into timeouts which is quite annoying.
Why is EJBCA not using a database session store ?
Replicas are default at: "2" ;-)
This would be a problem for any Ingress controller though.

We really would consider buying the enterprise version but the CE should work as expected to do some example deplyoments using the cert-manager cluster issuer.

Any help would be greatly appreciated

Best
Franz

[fskale]

For HSTS, i answer myself.
Config Options:
importAppserverKeystore: false #appserverKeystoreSecret: keystore-secret importAppserverTruststore: false #appserverTruststoreSecret: truststore-secret
Will try that ;-)

i'm happy with replicacount: 1 (unless the sessions are somewhere stored in the DB).

Best
Franz

[dobicinaitis]

Hi! Could you please share you're full values.yaml file and clarify how you run helm install ...? Based on the above, I have a hunch that there's some mixing and matching going on between the old deprecated Helm community chart and the new OCI-based one.