[ https://issues.apache.org/jira/browse/KNOX-3297?focusedWorklogId=1015700&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1015700 ]
ASF GitHub Bot logged work on KNOX-3297:
----------------------------------------
Author: ASF GitHub Bot
Created on: 15/Apr/26 12:01
Start Date: 15/Apr/26 12:01
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1197:
URL: https://github.com/apache/knox/pull/1197#discussion_r3086266845
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,35 @@ then
importMultipleCerts "$CUSTOM_CERT"
fi
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-1 \
- -file /home/knox/cacrts/AmazonRootCA1.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-2 \
- -file /home/knox/cacrts/AmazonRootCA2.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-3 \
- -file /home/knox/cacrts/AmazonRootCA3.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-4 \
- -file /home/knox/cacrts/AmazonRootCA4.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias letsencrypt-stg-root \
- -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker
environment settings
+if [[ -z ${TRUSTSTORE_IMPORTS} ]]
+then
+ TRUSTSTORE_IMPORTS="
+ amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+ amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+ amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+ amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+ letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+for certinfo in ${TRUSTSTORE_IMPORTS}
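Review bot: the default list is applied only when TRUSTSTORE_IMPORTS is empty, so a user who sets the variable replaces the five built-in CAs rather than adding to them; the comment above the block should say that explicitly, since the removed per-certificate keytool calls always ran. `for certinfo in ${TRUSTSTORE_IMPORTS}` also relies on unquoted word-splitting, so an entry whose path contains whitespace would be split into two bogus entries; either document the "alias:path, whitespace-separated" format and that restriction next to the default, or set IFS to newline for the loop. Finally, each removed keytool call ended in `|| true`; given the Jira report that these cert files are not present in the image, the loop body should log a missing file per entry rather than silently swallowing the failure.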
Review Comment:
I might be wrong, but the new logic mimics what we had before: adding the
Amazon and Let's Encrypt certificates to `"${KEYSTORE_DIR}"/truststore.jks`. Nothing more,
nothing less.
The only difference is that you can now override that with your own certs if
you want. But the change - IMO - is fully backward compatible and preserves the
previous behavior.
Issue Time Tracking
-------------------
Worklog Id: (was: 1015700)
Time Spent: 2h 20m (was: 2h 10m)
> Docker - entrypoint fails
> -------------------------
>
> Key: KNOX-3297
> URL: https://issues.apache.org/jira/browse/KNOX-3297
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Selvamohan Neethiraj
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> Issues:
> # keystore path was hardcoded to /usr/bin/keytool - JDK is installed in a
> different path.
> # The keystore passphrase was incorrect in the initialization process.
> # There are a few truststore certs being added in the entrypoint script,
> but the certs are not found in the docker image.
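As an added example (not Knox's own entrypoint code), a hardened version of the TRUSTSTORE_IMPORTS loop from the PR hunk that addresses issue points 1 and 3: keytool is resolved via JAVA_HOME or PATH instead of a hardcoded /usr/bin/keytool, and an entry whose certificate file is missing is reported instead of being silently ignored. The "alias:/path/to/cert" whitespace-separated entry format comes from the hunk; the function names and the KEYTOOL override variable are assumptions.

```shell
# Added example, not Knox's own entrypoint code. Entry format "alias:/path/cert"
# separated by whitespace is taken from the PR hunk; function names are assumed.

# Resolve keytool through JAVA_HOME, then PATH, instead of hardcoding
# /usr/bin/keytool (issue point 1). Prints nothing if none is found.
find_keytool() {
  if [ -n "${JAVA_HOME:-}" ] && [ -x "${JAVA_HOME}/bin/keytool" ]; then
    echo "${JAVA_HOME}/bin/keytool"
  else
    command -v keytool
  fi
}

# Print "alias path" for each entry whose certificate file is readable and
# warn about the rest (issue point 3). Returns 1 if any entry was skipped so
# the caller can decide whether a missing CA is fatal.
check_cert_entries() {
  local entries="$1" entry cert_alias cert_path rc=0
  for entry in $entries; do
    case "$entry" in
      ?*:?*) ;;
      *) echo "skip: malformed entry '$entry'" >&2; rc=1; continue ;;
    esac
    cert_alias="${entry%%:*}"     # text before the first colon
    cert_path="${entry#*:}"       # everything after it (colons allowed in path)
    if [ ! -r "$cert_path" ]; then
      echo "skip: cert for alias '$cert_alias' not readable at '$cert_path'" >&2
      rc=1
      continue
    fi
    printf '%s %s\n' "$cert_alias" "$cert_path"
  done
  return "$rc"
}

# Import every valid entry; a keytool failure aborts instead of being masked
# by "|| true". KEYTOOL may be preset (e.g. to a stub in tests).
import_truststore_certs() {
  local truststore="$1" storepass="$2" entries="$3" keytool list
  keytool="${KEYTOOL:-$(find_keytool)}"
  [ -n "$keytool" ] || { echo "keytool not found" >&2; return 2; }
  list=$(check_cert_entries "$entries") ||
    echo "warning: some TRUSTSTORE_IMPORTS entries were skipped" >&2
  printf '%s\n' "$list" | while read -r cert_alias cert_path; do
    [ -n "$cert_alias" ] || continue
    "$keytool" -importcert -keystore "$truststore" -alias "$cert_alias" \
      -file "$cert_path" -storepass "$storepass" -noprompt || exit 1
  done
}
```

A call such as `import_truststore_certs "${KEYSTORE_DIR}/truststore.jks" "${ALIAS_PASSPHRASE}" "${TRUSTSTORE_IMPORTS}"` replaces the loop in the entrypoint; its non-zero return tells the container start-up that a CA was not imported.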
--
This message was sent by Atlassian Jira
(v8.20.10#820010)