Skip to content

feat(gateway): support extra trusted CAs via additionalTrustedCAs (3.9)#318

Merged
nic-6443 merged 2 commits into
release/3.9from
feat/gateway-additional-trusted-cas-3.9
Jul 14, 2026
Merged

feat(gateway): support extra trusted CAs via additionalTrustedCAs (3.9)#318
nic-6443 merged 2 commits into
release/3.9from
feat/gateway-additional-trusted-cas-3.9

Conversation

@jarvis9443

Copy link
Copy Markdown
Contributor

Problem

The gateway's outbound trust store (apisix.ssl.ssl_trusted_certificate) is exposed through a single CA-file slot: gateway.tls.existingCASecret + gateway.tls.certCAFilename, which render to ssl_trusted_certificate: "system,/usr/local/apisix/conf/ssl/<certCAFilename>".

In a Control Plane-managed deployment that slot is already taken: the CP sets existingCASecret=<release>-tls / certCAFilename=ca.crt (the CP/DP-Manager CA), and the gateway verifies the CP over this same trust store because etcd.auth.tls.verify=true. With only one slot, users who need the gateway to trust an additional private/enterprise CA — e.g. an openid-connect identity provider reached over TLS — had no clean way to add one.

Change

Add gateway.tls.additionalTrustedCAs, a list of { secretName, filename } entries. For each entry the chart mounts filename from Secret secretName into the gateway at /usr/local/apisix/conf/ssl/additional-ca-<i>/ and appends that path to ssl_trusted_certificate. The rendered value becomes system,<existingCA>,<additional...>, so the system CA bundle and the existing CP CA are both preserved. The ssl_trusted_certificate value is refactored into a gateway.sslTrustedCertificate helper.

gateway:
  tls:
    additionalTrustedCAs:
      - secretName: keycloak-ca
        filename: keycloak-ca.crt

Behavior / compatibility

  • When additionalTrustedCAs is empty (default), rendering is byte-identical to before — no change for existing deployments.
  • Takes effect after a gateway Pod restart, because APISIX merges the trust store into a combined file at startup.

3.9 chart line of #317. Chart version bumped 3.9.53.9.6; README.md regenerated via helm-docs.

The gateway outbound trust store (ssl_trusted_certificate) exposes a single
CA-file slot through gateway.tls.existingCASecret/certCAFilename. In a Control
Plane-managed deployment that slot already carries the CP/DP-Manager CA (the
gateway verifies the CP over the same trust store because etcd.auth.tls.verify
is true), so there was no clean way to trust an additional private/enterprise
CA (e.g. an openid-connect IdP reached over TLS) without merging it into the
CP-managed Secret and restarting.

Add gateway.tls.additionalTrustedCAs: a list of {secretName, filename} entries.
The chart mounts each file into the gateway and appends its path to
ssl_trusted_certificate, so the rendered value becomes
"system,<existingCA>,<additional...>" - system CAs and the existing CP CA are
preserved. Rendering is unchanged when the list is empty. Takes effect after a
gateway Pod restart, since the trust store is merged at startup.

Backport of the main-line change to the 3.9 chart line.
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 19a62cd0-a6e9-4e30-97d9-d084bcec892f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/gateway-additional-trusted-cas-3.9

Comment @coderabbitai help to get the list of available commands.

Add an items projection so each additionalTrustedCAs volume mounts only the
configured filename from the Secret, instead of every key. Least-privilege:
avoids exposing unrelated Secret keys in the gateway filesystem.
@nic-6443 nic-6443 merged commit 0ab48b1 into release/3.9 Jul 14, 2026
3 checks passed
@nic-6443 nic-6443 deleted the feat/gateway-additional-trusted-cas-3.9 branch July 14, 2026 13:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants