# Language-specific TLS configuration
## Go

```bash
export SSL_CERT_FILE="${HOME}/.speedscale/certs/tls.crt"
```

Go's standard library (crypto/x509) respects the SSL_CERT_FILE environment variable when locating trusted root certificates on Linux and other Unix-like systems. This environment variable is automatically populated by the Speedscale operator.
## Node.js

```bash
export NODE_EXTRA_CA_CERTS="${HOME}/.speedscale/certs/tls.crt"
```

Applies to Node.js applications newer than v7.3.0; the certificates in this file are read at process startup and added to the built-in trust store.
## Ruby

```bash
export SSL_CERT_FILE="${HOME}/.speedscale/certs/tls.crt"
```

Ruby applications using OpenSSL respect the SSL_CERT_FILE environment variable when locating trusted root certificates. This environment variable is automatically populated by the Speedscale operator.
## .NET

```bash
export SSL_CERT_FILE="${HOME}/.speedscale/certs/tls.crt"
```

.NET Core uses OpenSSL on Linux and Mac, which respects the default OpenSSL settings including SSL_CERT_FILE. The default Microsoft .NET Docker base images are Linux based, so these settings apply to them; Windows based workloads may require additional configuration.
## Java

Java applications use a truststore to specify which certificates are trusted.

### On desktop

Create the keystore containing the Speedscale certs:

```bash
proxymock certs --jks
```

Then apply these flags when running your app:

```bash
java \
  -Djavax.net.ssl.trustStore=/etc/ssl/speedscale/jks/cacerts.jks \
  -Djavax.net.ssl.trustStorePassword=changeit \
  -jar app.jar
```
### In cluster

During Operator installation a secret called speedscale-jks is created that contains the speedscale-certs root CA along with the standard set of CA certs shipped with openjdk. This secret is mounted automatically when the tls-out setting is configured as shown below. The Java app itself must also be configured to use this truststore, which means passing the JVM the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword flags shown above for desktop use.

These flags can be applied automatically through JAVA_TOOL_OPTIONS by adding the sidecar.speedscale.com/tls-java-tool-options: "true" annotation to your workload. Read more about this setting here.

When running in-cluster, the same flags are also surfaced as the environment variable SPEEDSCALE_JAVA_OPTS, so you can merge them with your own existing set of Java flags instead of relying on JAVA_TOOL_OPTIONS.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-boot-app
  annotations:
    sidecar.speedscale.com/inject: "true"
    sidecar.speedscale.com/tls-out: "true"
    sidecar.speedscale.com/tls-java-tool-options: "true"
```
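Merging SPEEDSCALE_JAVA_OPTS with flags you already pass to the JVM is where truststore settings tend to go wrong: if your own JAVA_TOOL_OPTIONS already contains a -Djavax.net.ssl.trustStore, the JVM keeps whichever -D appears last, so the result depends on concatenation order. The helper below is an added example, not Speedscale's own tooling; it drops any pre-existing trustStore/trustStorePassword flags from your options and appends the Speedscale ones, so the merged value is unambiguous. The `merge_java_opts` name and the sample flag strings are constructed for illustration.

```shell
#!/bin/sh
# merge_java_opts EXISTING SPEEDSCALE
#   Prints EXISTING with any -Djavax.net.ssl.trustStore / trustStorePassword
#   flags removed, followed by every flag in SPEEDSCALE.
#   Both arguments are whitespace-separated flag strings; word splitting is
#   intentional, so flags containing spaces are not supported.
merge_java_opts() {
    existing=$1
    speedscale=$2
    out=""
    for flag in $existing; do
        case $flag in
            -Djavax.net.ssl.trustStore=*|-Djavax.net.ssl.trustStorePassword=*)
                # Dropped on purpose: the JVM honours the last -D definition,
                # so keeping the old value would make the outcome order-dependent.
                ;;
            *)
                out="${out:+$out }$flag"
                ;;
        esac
    done
    for flag in $speedscale; do
        out="${out:+$out }$flag"
    done
    printf '%s\n' "$out"
}

# Typical use inside a container entrypoint (assumes SPEEDSCALE_JAVA_OPTS was
# injected by the operator as described above):
#   JAVA_TOOL_OPTIONS=$(merge_java_opts "${JAVA_TOOL_OPTIONS:-}" "${SPEEDSCALE_JAVA_OPTS:-}")
#   export JAVA_TOOL_OPTIONS
```

Because the function rewrites JAVA_TOOL_OPTIONS rather than appending to it, a stale truststore path left over from an earlier image build cannot silently shadow the Speedscale one.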
### If you already have a custom JKS

Sometimes your code already uses a custom JKS, so you need to merge your current JKS with the one from Speedscale. In that case, import the Speedscale TLS cert into your existing JKS. Here is how to do that:
```bash
# 1) Make a copy of your existing keystore
cp custom.jks custom-with-speedscale.jks

# 2) Import the Speedscale root CA into the copy (non-interactive)
keytool -importcert \
  -noprompt \
  -alias speedscale-root \
  -file "$HOME/.speedscale/certs/tls.crt" \
  -keystore custom-with-speedscale.jks \
  -storepass changeit

# 3) Verify the Speedscale cert is present
keytool -list -keystore custom-with-speedscale.jks -storepass changeit | grep -i speedscale

# 4) Use the merged truststore when running your app
java \
  -Djavax.net.ssl.trustStore=custom-with-speedscale.jks \
  -Djavax.net.ssl.trustStorePassword=changeit \
  -jar app.jar
```
Notes:
- If your truststore is PKCS12 instead of JKS, add `-storetype pkcs12` to the `keytool` commands.
- If the alias already exists, either choose a different alias (e.g., `-alias speedscale-root-2`) or remove the old one with `keytool -delete -alias speedscale-root -keystore "$KEYSTORE_OUT" -storepass "$KEYSTORE_PASS"`, substituting the keystore path and password used in the steps above.
## C++

```bash
export SSL_CERT_FILE="${HOME}/.speedscale/certs/tls.crt"
```

C++ applications using OpenSSL respect the SSL_CERT_FILE environment variable when locating trusted root certificates. This environment variable is automatically populated by the Speedscale operator.
## Python

```bash
export REQUESTS_CA_BUNDLE="${HOME}/.speedscale/certs/tls.crt"
```

Python applications using the popular requests library (and many libraries built on it) read the REQUESTS_CA_BUNDLE environment variable to locate trusted root certificates. Code that uses the standard ssl module directly (urllib, http.client) does not read REQUESTS_CA_BUNDLE; it picks up SSL_CERT_FILE through OpenSSL's default verify paths instead, so set both variables if you are unsure which HTTP stack a dependency uses.
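The sections above for Go, Node.js, Ruby, .NET, C++ and Python all come down to pointing one of three environment variables at the same PEM file. A common failure mode is a variable that is set but points at a missing, empty or non-PEM file, which surfaces later as an opaque certificate-verification error. The script below is an added example, not part of the Speedscale documentation or tooling: it checks that a CA file is a readable PEM bundle, emits the export lines for every runtime listed on this page from one source of truth, and reports the state of each variable in the current environment. The function names and the SPEEDSCALE_CA variable are constructed for this example; the default path is the one used throughout this page.

```shell
#!/bin/sh
# Default location of the Speedscale root CA, matching the exports above.
SPEEDSCALE_CA="${SPEEDSCALE_CA:-${HOME}/.speedscale/certs/tls.crt}"

# count_pem_certs FILE
#   Prints the number of PEM CERTIFICATE blocks in FILE (0 if unreadable).
#   Returns non-zero when the count is 0.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_ca_file FILE
#   Succeeds only if FILE is readable and contains at least one certificate.
check_ca_file() {
    n=$(count_pem_certs "$1" 2>/dev/null) || return 1
    [ "$n" -ge 1 ]
}

# print_exports FILE
#   Emits the export lines for every runtime on this page, so a single
#   `eval "$(print_exports "$SPEEDSCALE_CA")"` configures all of them.
print_exports() {
    f=$1
    if ! check_ca_file "$f"; then
        echo "error: $f is not a readable PEM CA bundle" >&2
        return 1
    fi
    printf 'export SSL_CERT_FILE="%s"\n' "$f"        # Go, Ruby, .NET, C++
    printf 'export NODE_EXTRA_CA_CERTS="%s"\n' "$f"  # Node.js (newer than v7.3.0)
    printf 'export REQUESTS_CA_BUNDLE="%s"\n' "$f"   # Python requests
}

# check_env VARNAME
#   Reports whether VARNAME is unset, points at a valid bundle, or is set
#   to something unusable. Returns 0 only in the valid case.
check_env() {
    var=$1
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
        echo "$var: unset"
        return 1
    fi
    if check_ca_file "$val"; then
        echo "$var: ok ($val)"
        return 0
    fi
    echo "$var: set but $val is not a readable PEM bundle"
    return 1
}

# Typical use:
#   eval "$(print_exports "$SPEEDSCALE_CA")"
#   for v in SSL_CERT_FILE NODE_EXTRA_CA_CERTS REQUESTS_CA_BUNDLE; do check_env "$v"; done
```

Run `check_env` for all three variables from inside the container or pod you are debugging, not from your workstation: the operator populates these variables in the workload's environment, and the file path it points at only exists there.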