Re: [PR] KNOX-3297: Docker entrypoint script has issues that prevents this image being run as docker container and as a pod in k8s [knox]

via GitHub Sun, 12 Apr 2026 23:20:27 -0700


smolnar82 commented on code in PR #1197:
URL: https://github.com/apache/knox/pull/1197#discussion_r3071136926



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,40 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+if [[ -n ${TRUSTSTORE_IMPORTS} ]]

Review Comment:
   This is redundant: end-users either define their own `TRUSTSTORE_IMPORTS` or 
we set to default above -> the if is unnecesary.



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -86,11 +86,12 @@ fi
 
 if [[ -n ${MASTER_SECRET} ]]
 then
-  echo "Using provided knox master secret"
-  /home/knox/knox/bin/knoxcli.sh create-master --master "${MASTER_SECRET}"
+  echo "Using provided knox master secret [env:MASTER_SECRET}]"

Review Comment:
   nit: `}` is not needed.



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,40 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+if [[ -n ${TRUSTSTORE_IMPORTS} ]]
+then
+    for certinfo in ${TRUSTSTORE_IMPORTS}
+    do
+        aliasId="`echo ${certinfo} | awk -F: '{ print $1 }'`"

Review Comment:
   Use $(...) notation instead of legacy backticks `...`.



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,40 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+if [[ -n ${TRUSTSTORE_IMPORTS} ]]
+then
+    for certinfo in ${TRUSTSTORE_IMPORTS}
+    do
+        aliasId="`echo ${certinfo} | awk -F: '{ print $1 }'`"
+        certPath="`echo ${certinfo} | awk -F: '{ print $2 }'`"

Review Comment:
   Use $(...) notation instead of legacy backticks `...`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] KNOX-3297: Docker entrypoint script has issues that prevents this image being run as docker container and as a pod in k8s [knox]

Reply via email to