jstaf commented on issue #717:
URL: https://github.com/apache/solr-operator/issues/717#issuecomment-2291521058
I got this to work with a custom solr image with a custom version of
`solr.in.sh` and `zkcli.sh`. Still needs to be fixed in solr-operator though.
solr.in.sh (this change has `solr zk` auto-trust the zk tls certificate and
obey settings from `$SOLR_OPTS` set by `solrZkOpts`)
```bash
#!/bin/bash
set -eo pipefail
# import zk certificate into default system truststore if not present
if [ ! -f /tmp/cacerts.jks ]; then
# this step is extremely race-y for some reason
sleep $((RANDOM % 10))
echo |\
openssl s_client -connect "$(echo "$ZK_SERVER" | sed 's/,.*//g')" -showcerts |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ca.crt
# we create a copy of the system truststore in /tmp since the root
# filesystem is not writeable >:(
cp /opt/java/openjdk/lib/security/cacerts /tmp/cacerts.jks
keytool -import -noprompt -trustcacerts -alias solr-ca -file /tmp/ca.crt \
  -keystore /tmp/cacerts.jks -storepass changeit
fi
# have "solr zk" and zkcli.sh use $SOLR_OPTS
SOLR_TOOL_OPTS="$SOLR_OPTS
-Dzookeeper.ssl.trustStore.location=/tmp/cacerts.jks
-Dzookeeper.ssl.trustStore.password=changeit"
ZKCLI_JVM_FLAGS="$SOLR_TOOL_OPTS"
```
zkcli.sh (make this script actually obey `$SOLR_OPTS` by sourcing our custom
`solr.in.sh`)
```bash
#!/usr/bin/env bash
# You can override pass the following parameters to this script:
#
JVM="java"
# Find location of this script
sdir="`dirname \"$0\"`"
log4j_config="file:$sdir/../../resources/log4j2-console.xml"
solr_home="$sdir/../../solr"
# Settings for ZK ACL
#SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.DigestZkACLProvider \
#  -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider \
#  -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector \
#  -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD \
#  -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD"
# optionally, you can use a Java properties file 'zkDigestCredentialsFile'
#...
# -DzkDigestCredentialsFile=/path/to/zkDigestCredentialsFile.properties
#...
source /etc/default/solr.in.sh # this is the only change
PATH=$JAVA_HOME/bin:$PATH $JVM $SOLR_ZK_CREDS_AND_ACLS $ZKCLI_JVM_FLAGS \
  -Dlog4j.configurationFile=$log4j_config -Dsolr.home=$solr_home \
  -classpath "$sdir/../../solr-webapp/webapp/WEB-INF/lib/*:$sdir/../../lib/ext/*:$sdir/../../lib/*" \
  org.apache.solr.cloud.ZkCLI ${1+"$@"}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
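An added example, not part of jstaf's comment or of solr-operator: the `solr.in.sh` above imports whatever certificate the first `$ZK_SERVER` host presents, so this version checks the captured certificate against a SHA-256 fingerprint obtained out of band before it goes into the truststore copy. The function names, the pin argument and the `sample_pem` input are assumptions constructed for the example; the `keytool` alias and store password follow the comment.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue. Function names and the idea of a
# pinned fingerprint supplied out of band are assumptions of this example.

# Print the SHA-256 (lowercase hex) of the DER bytes of the FIRST PEM
# certificate in file $1. Fails if the file holds no certificate, which is
# what an `openssl s_client` capture looks like after a failed handshake.
cert_sha256() (
  der=$(mktemp) || exit 1
  trap 'rm -f "$der"' EXIT
  awk '/-BEGIN CERTIFICATE-/ {inside=1; next}
       /-END CERTIFICATE-/   {exit}
       inside' "$1" | base64 -d > "$der" 2>/dev/null || exit 1
  [ -s "$der" ] || exit 1
  sha256sum < "$der" | cut -d' ' -f1
)

# Succeed only if the first certificate in $1 has fingerprint $2.
# $2 may be plain hex or the colon-separated form openssl prints.
cert_matches_pin() (
  got=$(cert_sha256 "$1") || exit 1
  want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  [ "$got" = "$want" ]
)

# Copy truststore $3 to $4 with certificate $1 added, but only when $1
# matches pin $2. The copy is built under a temporary name and renamed into
# place, so $4 never exists without the certificate in it.
import_pinned_cert() (
  cert_matches_pin "$1" "$2" || { echo "pin mismatch: $1 not imported" >&2; exit 1; }
  tmp=$(mktemp "$4.XXXXXX") || exit 1
  trap 'rm -f "$tmp"' EXIT
  cp "$3" "$tmp" &&
    keytool -importcert -noprompt -alias solr-ca -file "$1" \
      -keystore "$tmp" -storepass changeit &&
    mv "$tmp" "$4"
)

# Constructed sample: a PEM wrapper around the bytes "abc", not a real certificate.
sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----'
}
```

The pin is the value `openssl x509 -in <cert> -noout -fingerprint -sha256` prints for the certificate file as issued, read from a trusted copy rather than from the network capture.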