Disable inter-cluster SSL

Overview

In general, when deploying to a Kubernetes cluster we recommend terminating SSL at the ingress. Whether to keep SSL for service-to-service communication inside the cluster is up to your implementation and infrastructure requirements: with it disabled, traffic between pods travels in plaintext, so only do this where the cluster network is trusted or encryption is handled another way (for example by a service mesh). Our default Flex Package starter projects are configured with SSL enabled for all communication using default self-signed certs. You can disable this by following these general directions:

Steps to Disable SSL behind the Ingress

Spring Boot Resource Services

For the majority of the backend Java Spring Boot microservices, you will notice that the `pom.xml` contains a Maven profile called `keygen` which loads the `keytool-maven-plugin`. This profile is marked "active by default" and runs during the `generate-resources` phase of the Maven lifecycle. After a build, you should notice a `local.keystore` file that is generated using the configuration defined for this plugin in your `src/main/resources` folder.

The generated keystore holds a self-signed certificate and its private key, and is typically referenced in your main `application.yml` file. To stop the service from serving SSL with this self-signed cert, remove the following configuration from your application configuration file (Spring Boot then listens for plain HTTP on `server.port`):

server:
  ssl:
    key-store: classpath:local.keystore
    key-store-password: storepass

and then remove the `keygen` profile and its `keytool-maven-plugin` from the `pom.xml` so the build no longer generates `local.keystore`.

React Storefront and Admin Console

The storefront and admin starters come pre-configured with a Node server that listens on HTTPS by default. To disable this, look at your main Node sample Express server configuration (e.g. in the `index.js` file), remove the references to `https` (including the certificate and key options passed to it) and replace them with `http`. Your server initialization script may then look something like:

const http = require('http'); // replaces the former `https` require; no cert/key options are needed for plain HTTP

// PORT, GATEWAY_PORT, GATEWAY_HOST, logger and the Express `app` are defined earlier in the starter's index.js
http
  .createServer(app)
  .listen(PORT, function() {
    logger.info(
      `Express is now listening on port ${PORT} and the gateway on port ${GATEWAY_PORT}.`
    );
    logger.info(
      `The application should be accessible at ${GATEWAY_HOST}:${GATEWAY_PORT}.`
    );
  });

Gateway Routes

Now that all the backing services have been updated to listen on HTTP, you also need to update the Gateway routes to match; otherwise the gateway will attempt a TLS handshake against listeners that now only speak plaintext. For example, on the storefront "commerce gateway" you'll want to update all applicable `application.yml` configurations to look something like:

broadleaf:
  gateway:
    proxyurls:
      asset: http://localhost:8447
      authapi: http://localhost:8080
      auth: http://localhost:8080
      campaign: http://localhost:8451
      cartoperation: http://localhost:8447
      catalog: http://localhost:8447
      commerceweb: http://localhost:4000
      menu: http://localhost:8447
      offer: http://localhost:8447
      personalization: http://localhost:8447
      pricing: http://localhost:8447
      sandbox: http://localhost:8447
      search: http://localhost:8447
      tenant: http://localhost:8447
      customer: http://localhost:8447
      catalogbrowse: http://localhost:8447
      notification: http://localhost:8447
      inventory: http://localhost:8447
      orderoperation: http://localhost:8447
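After editing the Spring Boot services and the gateway routes above, a quick way to catch a route that was missed is to compare each `proxyurls` scheme with what the listener behind it actually does. The script below is an added example, not part of the Broadleaf documentation or starter projects: it scans a gateway `application.yml` for `https://` entries with a small regex (so it does not need PyYAML), and probes each host:port to see whether it still completes a TLS handshake. The `SAMPLE_GATEWAY_YAML` text is constructed for the example, with the `auth` and `authapi` routes deliberately left on `https` to show what is reported; the route names, ports and the `speaks_tls` probe are assumptions for illustration.

```python
"""Verify that commerce gateway proxy URLs and the services behind them agree
on plain HTTP after inter-cluster SSL has been disabled (added example)."""
import re
import socket
import ssl
import sys
from urllib.parse import urlparse

# Constructed sample of the proxyurls block from a commerce gateway
# application.yml (not copied from a real deployment). The auth routes have
# deliberately been left on https to show what the check reports.
SAMPLE_GATEWAY_YAML = """
broadleaf:
  gateway:
    proxyurls:
      asset: http://localhost:8447
      authapi: https://localhost:8080
      auth: https://localhost:8080
      catalog: http://localhost:8447
      commerceweb: http://localhost:4000
"""

# Matches `      name: http(s)://host:port` lines; a regex scan is used so the
# script needs no PyYAML installation.
PROXY_URL_RE = re.compile(
    r"^\s+(?P<name>[A-Za-z0-9_-]+):\s*(?P<url>https?://\S+)\s*$", re.MULTILINE
)


def parse_proxy_urls(yaml_text):
    """Return {route name: url} for every proxyurls entry in the YAML text."""
    return {m.group("name"): m.group("url") for m in PROXY_URL_RE.finditer(yaml_text)}


def routes_still_using_https(proxy_urls):
    """Route names whose URL still starts with https:// (missed in the edit)."""
    return sorted(name for name, url in proxy_urls.items()
                  if urlparse(url).scheme == "https")


def speaks_tls(host, port, timeout=3.0):
    """Probe a listener: True if it completes a TLS handshake, False if it
    rejects the ClientHello (a plain HTTP listener does), None if unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certs expected; we only ask "is TLS offered?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:          # handshake failed: plaintext listener
        return False
    except OSError:               # refused, timed out, no route
        return None


def classify_route(url, tls_observed):
    """Compare the scheme the gateway will use with what the listener does."""
    expects_tls = urlparse(url).scheme == "https"
    if tls_observed is None:
        return "unreachable"
    return "ok" if tls_observed == expects_tls else "mismatch"


def check_routes(proxy_urls, probe=speaks_tls):
    """Classify every route; `probe` is injectable so the logic runs offline in tests."""
    results = {}
    for name, url in proxy_urls.items():
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        results[name] = classify_route(url, probe(parsed.hostname, port))
    return results


if __name__ == "__main__":
    # Usage: python check_gateway_routes.py path/to/application.yml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GATEWAY_YAML
    urls = parse_proxy_urls(text)
    for name in routes_still_using_https(urls):
        print(f"{name}: {urls[name]} still uses https")
    for name, status in check_routes(urls).items():
        print(f"{name}: {urls[name]} -> {status}")
```

A `mismatch` in either direction is worth fixing before rolling out: an `http://` route pointing at a listener that still speaks TLS means that service's `server.ssl` block was not removed, while an `https://` route pointing at a plaintext listener means the gateway will fail its handshake against a service that has already been switched.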