diff --git a/documentation/user/en/operate/configure.md b/documentation/user/en/operate/configure.md index 7da93d295..94fa5dcf9 100644 --- a/documentation/user/en/operate/configure.md +++ b/documentation/user/en/operate/configure.md @@ -84,6 +84,9 @@ api: # [see API configuration](#api exposeOn: "localhost:5555" tlsMode: FORCE_TLS keepAlive: true + mTLS: + enabled: false + allowedClientCertificatePaths: [] endpoints: system: # [see System API configuration](#system-api-configuration) enabled: null @@ -91,6 +94,9 @@ api: # [see API configuration](#api exposeOn: null tlsMode: FORCE_NO_TLS keepAlive: null + mTLS: + enabled: null + allowedClientCertificatePaths: null graphQL: # [see GraphQL API configuration](#graphql-api-configuration) enabled: null host: null @@ -98,12 +104,18 @@ api: # [see API configuration](#api tlsMode: null keepAlive: null parallelize: true + mTLS: + enabled: null + allowedClientCertificatePaths: null rest: # [see REST API configuration](#rest-api-configuration) enabled: null host: null exposeOn: null tlsMode: null keepAlive: null + mTLS: + enabled: null + allowedClientCertificatePaths: null gRPC: # [see gRPC API configuration](#grpc-api-configuration) enabled: null host: null @@ -112,8 +124,8 @@ api: # [see API configuration](#api keepAlive: null exposeDocsService: false mTLS: - enabled: false - allowedClientCertificatePaths: [] + enabled: null + allowedClientCertificatePaths: null lab: # [see evitaLab configuration](#evitalab-configuration) enabled: null host: null @@ -123,7 +135,10 @@ api: # [see API configuration](#api gui: enabled: true readOnly: false - preconfiguredConnections: null + preconfiguredConnections: null + mTLS: + enabled: null + allowedClientCertificatePaths: null observability: # [see Observability configuration](#observability-configuration) enabled: null host: null @@ -134,6 +149,9 @@ api: # [see API configuration](#api endpoint: null protocol: grpc allowedEvents: null + mTLS: + enabled: null + allowedClientCertificatePaths: null ``` @@ -778,6 +796,16 @@ This allows you to set common settings for all endpoints in one place.

**Default:** `true`

If this is set to false server closes connection via HTTP `connection: close` after each request.

+
mTls.enabled
+
+

**Default:** `false`

+

It enables / disables [mutual authentication](tls.md#mutual-tls-for-http) for a particular API.

+
+
mTls.allowedClientCertificatePaths
+
+

**Default:** `[]`

+

It allows you to define zero or more file paths pointing to public client certificates that can only communicate with the API.

+
### GraphQL API configuration @@ -808,6 +836,16 @@ This allows you to set common settings for all endpoints in one place.

**Default:** `true`

Controls whether queries that fetch data from evitaDB engine will be executed in parallel.

+
mTls.enabled
+
+

**Default:** `false`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
+
mTls.allowedClientCertificatePaths
+
+

**Default:** `[]`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
### REST API configuration @@ -833,6 +871,16 @@ This allows you to set common settings for all endpoints in one place.

**Default:** `FORCE_TLS`

See [default endpoint configuration](#default-endpoint-configuration)

+
mTls.enabled
+
+

**Default:** `false`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
+
mTls.allowedClientCertificatePaths
+
+

**Default:** `[]`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
### gRPC API configuration @@ -864,21 +912,15 @@ This allows you to set common settings for all endpoints in one place.

It enables / disables the gRPC service, which provides documentation for the gRPC API and allows to experimentally call any of the services from the web UI and examine its output.

- - -#### Mutual TLS configuration - -
-
enabled
+
mTls.enabled
-

**Default:** `true`

-

It enables / disables [mutual authentication](tls.md#mutual-tls-for-grpc).

+

**Default:** `false`

+

See [default endpoint configuration](#default-endpoint-configuration)

-
allowedClientCertificatePaths
+
mTls.allowedClientCertificatePaths
-

**Default:** `null`

-

It allows you to define zero or more file paths pointing to public client certificates. - Only clients that present the correct certificate will be allowed to communicate with the gRPC web API.

+

**Default:** `[]`

+

See [default endpoint configuration](#default-endpoint-configuration)

@@ -889,7 +931,7 @@ only exposed endpoint on the unsecured http protocol, it must run on a separate download the public part of the server certificate. It also allows downloading the default client private/public key pair if `api.certificate.generateAndUseSelfSigned` and -`api.gRPC.mTLS` are both set to `true`. See [default unsecure mTLS behaviour](tls.md#default-mtls-behaviour-not-secure) for +any of `api.*.mTLS` are both set to `true`. See [default unsecure mTLS behaviour](tls.md#default-mtls-behaviour-not-secure) for more information.
@@ -913,6 +955,16 @@ more information.

**Default:** `FORCE_NO_TLS`

See [default endpoint configuration](#default-endpoint-configuration)

+
mTls.enabled
+
+

**Default:** `false`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
+
mTls.allowedClientCertificatePaths
+
+

**Default:** `[]`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
### evitaLab configuration @@ -947,6 +999,16 @@ of other APIs.

[See config](#gui-configuration)

+
mTls.enabled
+
+

**Default:** `false`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
+
mTls.allowedClientCertificatePaths
+
+

**Default:** `[]`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
#### GUI configuration @@ -1034,4 +1096,14 @@ pro scraping Prometheus metrics, OTEL trace exporter and Java Flight Recorder ev

Specifies the protocol used between the application and the OTEL collector to pass the traces. Possible values are `grpc` and `http`. gRPC is much more performant and is the preferred option.

+
mTls.enabled
+
+

**Default:** `false`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
+
mTls.allowedClientCertificatePaths
+
+

**Default:** `[]`

+

See [default endpoint configuration](#default-endpoint-configuration)

+
diff --git a/documentation/user/en/operate/tls.md b/documentation/user/en/operate/tls.md index 56064b025..de1ef757f 100644 --- a/documentation/user/en/operate/tls.md +++ b/documentation/user/en/operate/tls.md @@ -48,10 +48,10 @@ proofreading: 'done' We don't want to make things complicated for developers and newcomers, but that doesn't mean that the default behavior -is secure, because it can't be. The evitaDB server automatically generates a self-signed certificate authority and -issues the server certificate required for TLS. This certificate will not be trusted by the clients unless you force -them to. Usually it's just a matter of toggling some switches and for development purposes it's good enough. For -production environments, we strongly recommend issuing your own certificate using the [Let's Encrypt](https://letsencrypt.org) +is secure, because it can't be. The evitaDB server automatically generates a self-signed server certificate. +This certificate will not be trusted by the clients unless you force them to. Usually it's just a matter of toggling +some switches and for development purposes it's good enough. For production environments, we strongly recommend issuing +your own certificate using the [Let's Encrypt](https://letsencrypt.org) authority, which can be automated and is part of all certificate trust chains these days. @@ -280,36 +280,23 @@ Both the server and the client can be provided with: -## Mutual TLS for gRPC +## Mutual TLS -The gRPC API, and thus evita_external_api/evita_external_api_grpc/client/src/main/java/io/evitadb/driver/EvitaClient.java, +All the APIs - including gRPC, and thus evita_external_api/evita_external_api_grpc/client/src/main/java/io/evitadb/driver/EvitaClient.java, also offers the possibility of authentication via [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication), in which client and server verify their identities with the help of a certificate exchange. - - - - -##### Why the mutual TLS is not supported in GraphQL or REST API? - - -The gRPC API is used by evitaDB drivers and is expected to be a system API requiring a higher level of security. On the -other hand, GraphQL and REST APIs are usually used by end clients - maybe even directly from browsers or client -applications. From our point of view, these types of APIs are consumer level APIs with different authentication -requirements. - - - The mTLS can be controlled in the configuration file evita_server/src/main/resources/evita-configuration.yaml in the -section `api.endpoints.gRPC.mTLS`. At the same place it is possible to configure the list of client certificates that -are allowed to communicate with the gRPC server. The client that doesn't present itself with the accepted certificate -will be rejected by the server. +section `api.endpointDefaults.mTLS` (or in a particular section for each protocol separately). At the same place it is +possible to configure the list of client certificates that are allowed to communicate with the gRPC server. +The client that doesn't present itself with the accepted certificate will be rejected by the server. The client needs to configure path to its certificate, private key and optionally password to a private key in [configuration](../use/connectors/java.md). -We recommend the use of `mTLS` because it prevents a large number of attacks and thus emphasizes the security of -the communication. +We recommend the use of `mTLS`, when the communication is allowed from public domain, at least until proper authentication +and authorization is implemented in evitaDB (see issue [#25](https://github.com/FgForrest/evitaDB/issues/25)). +mTLS prevents a large number of attacks and thus emphasizes the security of the communication. Examples of attacks prevented: @@ -322,20 +309,18 @@ Examples of attacks prevented: ### Default mTLS behaviour (not-secure) -The `mTLS` is enabled by default but in a way that is not secure and should be used only in development. When the evitaDB -starts and `generateAndUseSelfSigned` is set to `true` (default), it generates three public/private key pairs: +mTLS is not enabled by default. If you enable it, the necessary certificates will be generated automatically, but it's +still **not secure** and should only be used in development. When evitaDB is started and `generateAndUseSelfSigned` is +set to `true` (default), it generates three public/private key pairs: -1. certificate authority in `evitaDB-CA-selfSigned.crt` and - its private key in `evitaDB-CA-selfSigned.key` files -2. server certificate in `server.crt` and its private key in `server.key` files -3. client certificate in `client.crt` and its private key in `client.key` files +1. server certificate in `server.crt` and its private key in `server.key` files +2. client certificate in `client.crt` and its private key in `client.key` files The `client.crt` is automatically added to the list of trusted client certificates. Both `client.crt` and `client.key` are available for downloading using `system` endpoint. You'll see those when the evitaDB server starts: ```plain API `system` listening on http://your-domain:5555/system/ - - server certificate served at: http://your-domain:5555/system/evitaDB-CA-selfSigned.crt - client certificate served at: http://your-domain:5555/system/client.crt - client private key served at: http://your-domain:5555/system/client.key ``` @@ -347,7 +332,8 @@ When the gRPC client starts and has the following settings (all are defaults): It automatically downloads the default client certificate along with private key and use it for communication. We are aware, that this is **not secure** and defies the logic of `mTLS`, but it allows us to test entire process and avoid -problems in test/production environments. +problems in test/production environments. But this is good enough for local development environments and allow to test +the mTLS functionality. @@ -365,7 +351,7 @@ the used certificate authority both on the server side and the clie The fingerprint is written to the console output when the server starts - it looks like this: ```plain -Root CA Certificate fingerprint: 84:F0:29:87:D8:F5:F6:92:B4:7B:AA:AE:F3:5A:29:A1:C1:86:C4:B2:4D:44:63:6B:2D:F2:AD:75:B7:C6:F2:7E +Server certificate fingerprint: 84:F0:29:87:D8:F5:F6:92:B4:7B:AA:AE:F3:5A:29:A1:C1:86:C4:B2:4D:44:63:6B:2D:F2:AD:75:B7:C6:F2:7E ``` **Client side fingerprint** @@ -373,7 +359,7 @@ Root CA Certificate fingerprint: 84:F0:29:87:D8:F5:F6:92:B4:7B:AA:AE:F3:5A:29:A1 Client logs the fingerprint using [configured logging library](run.md#control-logging) on `INFO` level in this form: ```plain -16:11:18.712 INFO i.e.d.c.ClientCertificateManager - Server's CA certificate fingerprint: 04:B0:9C:00:FB:32:D8:8A:7A:C9:34:19:5D:90:48:8A:BF:BF:E8:22:32:53:4C:4F:14:E1:EC:FA:C2:99:C3:DD +16:11:18.712 INFO i.e.d.c.ClientCertificateManager - Server's certificate fingerprint: 04:B0:9C:00:FB:32:D8:8A:7A:C9:34:19:5D:90:48:8A:BF:BF:E8:22:32:53:4C:4F:14:E1:EC:FA:C2:99:C3:DD ``` @@ -383,3 +369,17 @@ For each of the gRPC client generate their own certificate using tr (such as [Let's Encrypt](https://letsencrypt.org)), or your own [self-signed authority](#creating-certificate-authority). Disable `generateAndUseSelfSigned` and configure server certificate and each of client certificates in [configuration](configure.md#tls-configuration). + + + + + +##### Can the server certificate and allowed client certificates be changed without restarting the server? + + +Yes, you can change the server certificate and valid client certificates without restarting the server. The server +periodically checks the timestamps of the last changes to the server certificate and the list of paths configured for +client certificates. If either of these files change, the server automatically reloads the new configuration. +This allows you to change the server certificate and client certificates without stopping the server. + + \ No newline at end of file diff --git a/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/configuration/MtlsConfiguration.java b/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/configuration/MtlsConfiguration.java index 61492da2c..fff6139ae 100644 --- a/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/configuration/MtlsConfiguration.java +++ b/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/configuration/MtlsConfiguration.java @@ -25,7 +25,9 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; +import java.util.Collections; import java.util.List; +import java.util.Optional; /** * This DTO record encapsulates mTLS configuration that will be used to hold information about clients. @@ -38,7 +40,13 @@ */ public record MtlsConfiguration( @Nullable Boolean enabled, - @Nonnull List allowedClientCertificatePaths + @Nullable List allowedClientCertificatePaths ) { + @Override + @Nonnull + public List allowedClientCertificatePaths() { + return Optional.ofNullable(this.allowedClientCertificatePaths) + .orElse(Collections.emptyList()); + } } diff --git a/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/http/ExternalApiServer.java b/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/http/ExternalApiServer.java index e9a3d6884..994eb86ab 100644 --- a/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/http/ExternalApiServer.java +++ b/evita_external_api/evita_external_api_core/src/main/java/io/evitadb/externalApi/http/ExternalApiServer.java @@ -210,7 +210,7 @@ public static CertificatePath initCertificate( getServerCertificateFingerPrint(serverCertificateManager) .ifPresent(it -> { - ConsoleWriter.write(StringUtils.rightPad("Server Certificate fingerprint: ", " ", PADDING_START_UP)); + ConsoleWriter.write(StringUtils.rightPad("Server certificate fingerprint: ", " ", PADDING_START_UP)); ConsoleWriter.write(it, ConsoleColor.BRIGHT_YELLOW); ConsoleWriter.write("\n", ConsoleColor.WHITE); }); diff --git a/evita_external_api/evita_external_api_grpc/client/src/main/java/io/evitadb/driver/EvitaClient.java b/evita_external_api/evita_external_api_grpc/client/src/main/java/io/evitadb/driver/EvitaClient.java index 5deb1a8e1..3a14c4552 100644 --- a/evita_external_api/evita_external_api_grpc/client/src/main/java/io/evitadb/driver/EvitaClient.java +++ b/evita_external_api/evita_external_api_grpc/client/src/main/java/io/evitadb/driver/EvitaClient.java @@ -275,7 +275,7 @@ public EvitaClient( try { switch (certificateType) { case SERVER -> - log.info("Server's CA certificate fingerprint: {}", CertificateUtils.getCertificateFingerprint(certificate)); + log.info("Server's certificate fingerprint: {}", CertificateUtils.getCertificateFingerprint(certificate)); case CLIENT -> log.info("Client's certificate fingerprint: {}", CertificateUtils.getCertificateFingerprint(certificate)); } diff --git a/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProvider.java b/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProvider.java index 5ca34e40d..81ee67fb8 100644 --- a/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProvider.java +++ b/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProvider.java @@ -43,7 +43,6 @@ import javax.annotation.Nonnull; import java.util.LinkedHashMap; import java.util.Map; -import java.util.Optional; import java.util.function.Predicate; import static io.evitadb.externalApi.system.SystemProviderRegistrar.ENDPOINT_SERVER_NAME; @@ -57,7 +56,6 @@ @Slf4j public class SystemProvider implements ExternalApiProviderWithConsoleOutput { public static final String CODE = "system"; - public static final String ROOT_CERTIFICATE_URL = "rootCertificateUrl"; public static final String SERVER_CERTIFICATE_URL = "serverCertificateUrl"; public static final String CLIENT_CERTIFICATE_URL = "clientCertificateUrl"; public static final String CLIENT_PRIVATE_KEY_URL = "clientPrivateKeyUrl"; @@ -159,7 +157,6 @@ public Map getKeyEndPoints() { @Override public void writeToConsole() { writeLine(" - server name served at: ", SERVER_NAME_URL); - writeLine(" - CA certificate served at: ", ROOT_CERTIFICATE_URL); writeLine(" - server certificate served at: ", SERVER_CERTIFICATE_URL); writeLine(" - client certificate served at: ", CLIENT_CERTIFICATE_URL); writeLine(" - client private key served at: ", CLIENT_PRIVATE_KEY_URL); diff --git a/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProviderRegistrar.java b/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProviderRegistrar.java index b1ffaca47..1b88cbb1d 100644 --- a/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProviderRegistrar.java +++ b/evita_external_api/evita_external_api_system/src/main/java/io/evitadb/externalApi/system/SystemProviderRegistrar.java @@ -384,14 +384,6 @@ public ExternalApiProvider register( .map(it -> it + ENDPOINT_SERVER_NAME) .toArray(String[]::new) ); - if (fileName != null) { - endpoints.put( - SystemProvider.ROOT_CERTIFICATE_URL, - Arrays.stream(systemConfig.getBaseUrls()) - .map(it -> it + fileName) - .toArray(String[]::new) - ); - } if (certificateSettings.generateAndUseSelfSigned() && atLeastOnEndpointRequiresTls) { endpoints.put( SystemProvider.SERVER_CERTIFICATE_URL, diff --git a/evita_server/run-server.sh b/evita_server/run-server.sh index 81f0154f6..12508ac10 100755 --- a/evita_server/run-server.sh +++ b/evita_server/run-server.sh @@ -44,4 +44,4 @@ java \ "api.endpoints.lab.tlsMode=RELAXED" \ "api.endpoints.gRPC.tlsMode=RELAXED" \ "api.endpoints.gRPC.exposeDocsService=true" \ - "api.endpoints.gRPC.mTLS.enabled=false" + "api.endpoints.gRPC.mTLS.enabled=true" diff --git a/evita_server/src/main/resources/evita-configuration.yaml b/evita_server/src/main/resources/evita-configuration.yaml index 29da27be0..038b8446b 100644 --- a/evita_server/src/main/resources/evita-configuration.yaml +++ b/evita_server/src/main/resources/evita-configuration.yaml @@ -83,8 +83,8 @@ api: tlsMode: ${api.endpoints.system.tlsMode:FORCE_NO_TLS} keepAlive: ${api.endpoints.system.keepAlive:null} mTLS: - enabled: ${api.endpoints.system.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.system.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.system.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.system.mTLS.allowedClientCertificatesPaths:null} graphQL: enabled: ${api.endpoints.graphQL.enabled:null} host: ${api.endpoints.graphQL.host:null} @@ -93,8 +93,8 @@ api: keepAlive: ${api.endpoints.graphQL.keepAlive:null} parallelize: ${api.endpoints.graphQL.parallelize:true} mTLS: - enabled: ${api.endpoints.graphQL.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.graphQL.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.graphQL.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.graphQL.mTLS.allowedClientCertificatesPaths:null} rest: enabled: ${api.endpoints.rest.enabled:null} host: ${api.endpoints.rest.host:null} @@ -102,8 +102,8 @@ api: tlsMode: ${api.endpoints.rest.tlsMode:null} keepAlive: ${api.endpoints.rest.keepAlive:null} mTLS: - enabled: ${api.endpoints.rest.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.rest.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.rest.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.rest.mTLS.allowedClientCertificatesPaths:null} gRPC: enabled: ${api.endpoints.gRPC.enabled:true} host: ${api.endpoints.gRPC.host:null} @@ -112,8 +112,8 @@ api: keepAlive: ${api.endpoints.gRPC.keepAlive:null} exposeDocsService: ${api.endpoints.gRPC.exposeDocsService:false} mTLS: - enabled: ${api.endpoints.gRPC.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.gRPC.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.gRPC.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.gRPC.mTLS.allowedClientCertificatesPaths:null} lab: enabled: ${api.endpoints.lab.enabled:null} host: ${api.endpoints.lab.host:null} @@ -124,8 +124,8 @@ api: enabled: ${api.endpoints.lab.gui.enabled:true} readOnly: ${api.endpoints.lab.gui.readOnly:false} mTLS: - enabled: ${api.endpoints.lab.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.lab.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.lab.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.lab.mTLS.allowedClientCertificatesPaths:null} observability: enabled: ${api.endpoints.observability.enabled:null} host: ${api.endpoints.observability.host:null} @@ -137,5 +137,5 @@ api: protocol: ${api.endpoints.observability.tracing.protocol:grpc} allowedEvents: !include ${api.endpoints.observability.allowedEvents:null} mTLS: - enabled: ${api.endpoints.observability.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.observability.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.observability.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.observability.mTLS.allowedClientCertificatesPaths:null} diff --git a/evita_test_support/src/main/resources/evita-configuration.yaml b/evita_test_support/src/main/resources/evita-configuration.yaml index b2ebbab3c..e92bdbb84 100644 --- a/evita_test_support/src/main/resources/evita-configuration.yaml +++ b/evita_test_support/src/main/resources/evita-configuration.yaml @@ -83,8 +83,8 @@ api: tlsMode: ${api.endpoints.system.tlsMode:FORCE_NO_TLS} keepAlive: ${api.endpoints.system.keepAlive:null} mTLS: - enabled: ${api.endpoints.system.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.system.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.system.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.system.mTLS.allowedClientCertificatesPaths:null} graphQL: enabled: ${api.endpoints.graphQL.enabled:null} host: ${api.endpoints.graphQL.host:null} @@ -93,8 +93,8 @@ api: keepAlive: ${api.endpoints.graphQL.keepAlive:null} parallelize: ${api.endpoints.graphQL.parallelize:true} mTLS: - enabled: ${api.endpoints.graphQL.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.graphQL.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.graphQL.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.graphQL.mTLS.allowedClientCertificatesPaths:null} rest: enabled: ${api.endpoints.rest.enabled:null} host: ${api.endpoints.rest.host:null} @@ -102,8 +102,8 @@ api: tlsMode: ${api.endpoints.rest.tlsMode:null} keepAlive: ${api.endpoints.rest.keepAlive:null} mTLS: - enabled: ${api.endpoints.rest.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.rest.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.rest.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.rest.mTLS.allowedClientCertificatesPaths:null} gRPC: enabled: ${api.endpoints.gRPC.enabled:true} host: ${api.endpoints.gRPC.host:null} @@ -112,8 +112,8 @@ api: keepAlive: ${api.endpoints.gRPC.keepAlive:null} exposeDocsService: ${api.endpoints.gRPC.exposeDocsService:false} mTLS: - enabled: ${api.endpoints.gRPC.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.gRPC.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.gRPC.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.gRPC.mTLS.allowedClientCertificatesPaths:null} lab: enabled: ${api.endpoints.lab.enabled:null} host: ${api.endpoints.lab.host:null} @@ -124,8 +124,8 @@ api: enabled: false readOnly: ${api.endpoints.lab.gui.readOnly:false} mTLS: - enabled: ${api.endpoints.lab.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.lab.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.lab.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.lab.mTLS.allowedClientCertificatesPaths:null} observability: enabled: ${api.endpoints.observability.enabled:false} host: ${api.endpoints.observability.host:null} @@ -137,5 +137,5 @@ api: protocol: ${api.endpoints.observability.tracing.protocol:grpc} allowedEvents: !include ${api.endpoints.observability.allowedEvents:null} mTLS: - enabled: ${api.endpoints.observability.mTLS.enabled:false} - allowedClientCertificatePaths: ${api.endpoints.observability.mTLS.allowedClientCertificatesPaths:[]} + enabled: ${api.endpoints.observability.mTLS.enabled:null} + allowedClientCertificatePaths: ${api.endpoints.observability.mTLS.allowedClientCertificatesPaths:null}