[
https://issues.apache.org/jira/browse/KNOX-3333?focusedWorklogId=1023499&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1023499
]
ASF GitHub Bot logged work on KNOX-3333:
----------------------------------------
Author: ASF GitHub Bot
Created on: 03/Jun/26 12:35
Start Date: 03/Jun/26 12:35
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1244:
URL: https://github.com/apache/knox/pull/1244#discussion_r3348468632
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -247,7 +287,16 @@ do
fi
done
-export KNOX_GATEWAY_DBG_OPTS="${KNOX_GATEWAY_DBG_OPTS}
-Djavax.net.ssl.trustStore=${KEYSTORE_DIR}/truststore.jks
-Djavax.net.ssl.trustStorePassword=${ALIAS_PASSPHRASE}"
+# To avoid leaking password into the process command line
+# we pass the trust options through a 0600 Java argument file.
+# Java launcher expands @file after exec, so only "@<path>" appears in the
process args.
+TRUSTSTORE_JVM_OPTS_FILE="${KEYSTORE_DIR}/truststore-jvm.options"
+cat > "${TRUSTSTORE_JVM_OPTS_FILE}" <<EOF
+-Djavax.net.ssl.trustStore=${KEYSTORE_DIR}/truststore.jks
+-Djavax.net.ssl.trustStorePassword="${ALIAS_PASSPHRASE}"
+EOF
+chmod 600 "${TRUSTSTORE_JVM_OPTS_FILE}"
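Review bot: `cat > "${TRUSTSTORE_JVM_OPTS_FILE}"` creates the file under the current umask and only afterwards tightens it with `chmod 600`, so a permissive umask leaves a short window in which the passphrase is readable by other users in the container; create it restricted from the start, e.g. `( umask 077; cat > "${TRUSTSTORE_JVM_OPTS_FILE}" <<EOF ... )` or `install -m 600 /dev/null "${TRUSTSTORE_JVM_OPTS_FILE}"` before the heredoc. Two smaller points: the Java launcher strips the double quotes in an @argfile, but a passphrase containing `"` or `\` is mis-tokenised, so either document that restriction or escape those characters when writing the file; and the hunk removes the `export KNOX_GATEWAY_DBG_OPTS=...` line without showing where `@"${TRUSTSTORE_JVM_OPTS_FILE}"` is added to the JVM options, which is worth confirming in the rest of the change.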
Review Comment:
This is a nice addition, I like that a lot :)
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -30,6 +30,9 @@
# - DATABASE_CONNECTION_PASSWORD - (optional) gateway database password
# - DATABASE_CONNECTION_TRUSTSTORE_PASSWORD - (optional) gateway database ssl
truststore password
# - CUSTOM_CERT - (optional) the location of a file containing the custom certs
+# - IMPORT_DEFAULT_STAGING_CERTS - (optional) when 'true' (default), download
Let's Encrypt staging root
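Review bot: the header comment states the default is `true`, which must agree with the fallback the script actually applies when the variable is unset; pick one and make the comment and the fallback consistent. The comment should also say that these are Let's Encrypt staging roots, which are not publicly trusted and exist only for testing against the staging environment, so importing them into the gateway truststore is something a production image should leave switched off.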
Review Comment:
I'd call this ENV variable `IMPORT_LETS_ENCRYPT_STAGING_CERTS` (to be honest
the `DEFAULT` word inside made me wonder what this is about).
Additionally: you indicate the default is `true`, but this isn't the case
(see below, line 47 sets it to `false` if not configured).
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -76,6 +82,27 @@ importMultipleCerts() {
return "$import_failed"
}
+## Download Let's Encrypt staging root CAs (best-effort) when
IMPORT_DEFAULT_STAGING_CERTS is true.
+downloadDefaultStagingCerts() {
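Review bot: the comment calls the download best-effort but does not say what the function returns or whether a failed or partial download aborts the entrypoint; since whatever is fetched ends up in the gateway truststore, document the return value the way `importMultipleCerts()` returns `$import_failed`, fetch over HTTPS verified against the system trust store, and skip the import entirely on any download error rather than importing a partial file. The comment also names `IMPORT_DEFAULT_STAGING_CERTS`; if that variable is renamed, update it here as well.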
Review Comment:
`downloadLetsEncryptStagingCerts` maybe?
Issue Time Tracking
-------------------
Worklog Id: (was: 1023499)
Time Spent: 1h 10m (was: 1h)
> Update Letsencrypt staging certs
> --------------------------------
>
> Key: KNOX-3333
> URL: https://issues.apache.org/jira/browse/KNOX-3333
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> There are more staging certs that Letsencrypt has, we need to include them
> all just to be safe.
> [https://letsencrypt.org/docs/staging-environment/]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)