[ 
https://issues.apache.org/jira/browse/KNOX-3297?focusedWorklogId=1015045&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1015045
 ]

ASF GitHub Bot logged work on KNOX-3297:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Apr/26 06:20
            Start Date: 13/Apr/26 06:20
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #1197:
URL: https://github.com/apache/knox/pull/1197#discussion_r3071136926


##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,40 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+if [[ -n ${TRUSTSTORE_IMPORTS} ]]
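Review bot: every removed keytool block ended with `|| true`, so a missing or unreadable certificate file (the exact case this issue reports) did not abort the entrypoint; the loop body that replaces them is not visible in this hunk, so confirm it either keeps that tolerance or checks that the file exists before calling keytool and logs the alias it skipped. Two smaller points in the same region: `if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]` reads more naturally as `if [[ -z ${TRUSTSTORE_IMPORTS} ]]`, and the default list mixes tabs and spaces inside the quoted string; the for-loop word-splits on whitespace so this is cosmetic, but a consistent indent stops readers from assuming the leading whitespace is significant.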

Review Comment:
   This is redundant: end-users either define their own `TRUSTSTORE_IMPORTS` or 
we set it to the default above -> the if is unnecessary.



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -86,11 +86,12 @@ fi
 
 if [[ -n ${MASTER_SECRET} ]]
 then
-  echo "Using provided knox master secret"
-  /home/knox/knox/bin/knoxcli.sh create-master --master "${MASTER_SECRET}"
+  echo "Using provided knox master secret [env:MASTER_SECRET}]"
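Review bot: the `+` side of this hunk keeps only the echo and drops the `/home/knox/knox/bin/knoxcli.sh create-master --master "${MASTER_SECRET}"` call that the `-` side had; the header (`+86,12`) shows more added lines below this context, so confirm the create-master invocation still runs inside the `MASTER_SECRET` branch rather than only in the fallback path. The echo prints the variable name and not its value, which is the right choice for a container log; keep it that way when the message is reworded.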

Review Comment:
   nit: `}` is not needed.



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,40 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+if [[ -n ${TRUSTSTORE_IMPORTS} ]]
+then
+    for certinfo in ${TRUSTSTORE_IMPORTS}
+    do
+        aliasId="`echo ${certinfo} | awk -F: '{ print $1 }'`"
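Review bot: `for certinfo in ${TRUSTSTORE_IMPORTS}` relies on the unquoted expansion being word-split, but that expansion is also subject to pathname expansion, so an entry containing `*` or `?` would be globbed against the working directory and a path containing a space would be split into two bogus entries. Because `TRUSTSTORE_IMPORTS` arrives from the container environment, wrap the loop in `set -f` / `set +f` so only splitting on IFS happens, and quote the value in the pipeline (`echo "${certinfo}"`) for the same reason.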

Review Comment:
   Use $(...) notation instead of legacy backticks `...`.



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,40 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ ! -n ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+if [[ -n ${TRUSTSTORE_IMPORTS} ]]
+then
+    for certinfo in ${TRUSTSTORE_IMPORTS}
+    do
+        aliasId="`echo ${certinfo} | awk -F: '{ print $1 }'`"
+        certPath="`echo ${certinfo} | awk -F: '{ print $2 }'`"
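Review bot: `awk -F: '{ print $2 }'` on the `certPath` line keeps only the second colon-separated field, so an entry whose path itself contains a `:` is silently truncated and keytool is handed a path that does not exist. Bash parameter expansion does both extractions without a subshell and splits only on the first colon: `aliasId="${certinfo%%:*}"` and `certPath="${certinfo#*:}"`. A check that both parts are non-empty before the keytool call would also turn a malformed entry such as `amazon-ca-1` with no path into a clear error instead of an opaque keytool failure.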

Review Comment:
   Use $(...) notation instead of legacy backticks `...`.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1015045)
    Time Spent: 0.5h  (was: 20m)

> Docker - entrypoint fails
> -------------------------
>
>                 Key: KNOX-3297
>                 URL: https://issues.apache.org/jira/browse/KNOX-3297
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: docker
>            Reporter: Selvamohan Neethiraj
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Issues:
>  # The keystore path was hardcoded to /usr/bin/keytool - the JDK is installed 
> in a different path.
>  # The keystore passphrase was incorrect in the initialization process.
>  # There are a few truststore certs being added in the entrypoint script, 
> but the certs are not found in the docker image.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)