moresandeep commented on code in PR #1197:
URL: https://github.com/apache/knox/pull/1197#discussion_r3085956184


##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,35 @@ then
   importMultipleCerts "$CUSTOM_CERT"
 fi
 
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-1 \
-  -file /home/knox/cacrts/AmazonRootCA1.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-2 \
-  -file /home/knox/cacrts/AmazonRootCA2.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-3 \
-  -file /home/knox/cacrts/AmazonRootCA3.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias amazon-ca-4 \
-  -file /home/knox/cacrts/AmazonRootCA4.cer \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
-  -keystore "${KEYSTORE_DIR}"/truststore.jks \
-  -alias letsencrypt-stg-root \
-  -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
-  -storepass "${ALIAS_PASSPHRASE}" \
-  -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker 
environment settings
+if [[ -z ${TRUSTSTORE_IMPORTS} ]]
+then
+       TRUSTSTORE_IMPORTS="
+        amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+     amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+     amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+        amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+     letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+for certinfo in ${TRUSTSTORE_IMPORTS}
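Review bot: Setting `TRUSTSTORE_IMPORTS` replaces the default list rather than extending it, so an operator who sets it to add a single private CA silently drops the four Amazon roots and the Let's Encrypt staging root that the removed `keytool -importcert` blocks always installed; either merge the defaults with the override (a separate, additive variable is the usual pattern) or spell out the replace semantics in the comment block at the top of the hunk, which currently only says the default "emulates the existing behaviour". Two smaller points: the `alias:path` entry format is not documented in that comment, and `for certinfo in ${TRUSTSTORE_IMPORTS}` iterates over whitespace-separated words, so a certificate path containing a space becomes two bogus entries; reading the list line by line (`while IFS= read -r certinfo`) avoids that. The indentation of the default list (the `amazon-ca-1` through `letsencrypt-stg-root` lines) is also inconsistent and should be normalised.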

Review Comment:
   When we specify `TRUSTSTORE_IMPORTS`, then the OOTB certs are not included? 
This might be a problem; here is why: in Docker we do not use the system keystore, 
which means we do not have green certs that are provisioned in the keystore; as 
a result ALL communication to certs signed by public CAs will fail :( 
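As an added illustration of the concern raised above (not code from the Knox entrypoint or the PR): the list-merging helpers below keep the out-of-the-box roots and let an operator append further `alias:path` entries, and they read entries one per line so a path with a space survives. The variable `EXTRA_TRUSTSTORE_IMPORTS` and the helper names are assumptions for this example; `naive_word_count` only reproduces what the unquoted `for ... in ${TRUSTSTORE_IMPORTS}` idiom would iterate over, for contrast.

```shell
#!/bin/sh
# Added example, not Knox's entrypoint code. Demonstrates additive truststore
# imports (defaults + operator extras) and line-based parsing of alias:path
# entries. EXTRA_TRUSTSTORE_IMPORTS is a hypothetical variable name.

# Default roots, in the same alias:path format the PR introduces.
DEFAULT_TRUSTSTORE_IMPORTS="
amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"

# Print the effective import list: the defaults first, then any extras given
# in $1 (e.g. "$EXTRA_TRUSTSTORE_IMPORTS"). Entries are trimmed and kept one
# per line, so the defaults are never lost when an operator adds a CA.
effective_imports() {
  printf '%s\n%s\n' "$DEFAULT_TRUSTSTORE_IMPORTS" "${1:-}" \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# Split one "alias:path" entry on the FIRST colon only, so the path part may
# itself contain ':'. Prints "alias<TAB>path"; returns 1 for a malformed entry.
parse_certinfo() {
  entry=$1
  case $entry in
    *:*) ;;
    *) echo "malformed truststore import entry: $entry" >&2; return 1 ;;
  esac
  cert_alias=${entry%%:*}
  cert_path=${entry#*:}
  if [ -z "$cert_alias" ] || [ -z "$cert_path" ]; then
    echo "empty alias or path in entry: $entry" >&2
    return 1
  fi
  printf '%s\t%s\n' "$cert_alias" "$cert_path"
}

# Number of entries in the effective list; a quick sanity check that the
# defaults survived whatever the operator supplied.
count_imports() {
  effective_imports "${1:-}" | wc -l | tr -d ' '
}

# For contrast: word-splitting iteration (the PR's `for certinfo in $LIST`)
# splits on every whitespace character, so a path with a space becomes two
# bogus entries. This counts how many iterations that loop would perform.
naive_word_count() {
  n=0
  for certinfo in $1; do n=$((n + 1)); done
  echo "$n"
}

# Walk the effective list line by line and hand each parsed entry to a
# handler command given in $2 (e.g. a wrapper around keytool -importcert);
# here the default handler just echoes "alias path".
import_all() {
  handler=${2:-echo}
  effective_imports "${1:-}" | while IFS= read -r certinfo; do
    parsed=$(parse_certinfo "$certinfo") || continue
    "$handler" "${parsed%%	*}" "${parsed#*	}"
  done
}
```

Run it as `. ./truststore-imports.sh; import_all "$EXTRA_TRUSTSTORE_IMPORTS"` after substituting a real keytool wrapper for the handler; the point is that the operator's extras are appended to, not substituted for, the public roots the container would otherwise lack.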



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -86,11 +86,12 @@ fi
 
 if [[ -n ${MASTER_SECRET} ]]
 then
-  echo "Using provided knox master secret"
-  /home/knox/knox/bin/knoxcli.sh create-master --master "${MASTER_SECRET}"
+  echo "Using provided knox master secret [env:MASTER_SECRET]"
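Review bot: The hunk removes the `/home/knox/knox/bin/knoxcli.sh create-master --master "${MASTER_SECRET}"` call without a visible replacement; the hunk is cut off right after the new `echo`, so please confirm the master secret is still created further down, otherwise the gateway starts without one when `MASTER_SECRET` is set. On the logging side, the new `echo` prints only the literal label `[env:MASTER_SECRET]`, not the variable's value, so this line itself does not write the secret to the container log. The removed line, however, passed the secret as a command-line argument, which makes it readable in process listings on the host; whatever replaces it should hand the secret to `knoxcli.sh` another way (for example via stdin or a file with restricted permissions) rather than on the command line.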

Review Comment:
   We are echoing the secret; that can be an issue. 



-- 
This is an automated message from the Apache Git Service.