[
https://issues.apache.org/jira/browse/KNOX-3297?focusedWorklogId=1015680&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1015680
]
ASF GitHub Bot logged work on KNOX-3297:
----------------------------------------
Author: ASF GitHub Bot
Created on: 15/Apr/26 11:06
Start Date: 15/Apr/26 11:06
Worklog Time Spent: 10m
Work Description: moresandeep commented on code in PR #1197:
URL: https://github.com/apache/knox/pull/1197#discussion_r3085956184
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -187,45 +188,35 @@ then
importMultipleCerts "$CUSTOM_CERT"
fi
-# Add Amazon Root CA 1
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-1 \
- -file /home/knox/cacrts/AmazonRootCA1.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add Amazon Root CA 2
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-2 \
- -file /home/knox/cacrts/AmazonRootCA2.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add Amazon Root CA 3
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-3 \
- -file /home/knox/cacrts/AmazonRootCA3.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add Amazon Root CA 4
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias amazon-ca-4 \
- -file /home/knox/cacrts/AmazonRootCA4.cer \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
-
-# Add letsencrypt staging root CA
-/usr/bin/keytool -importcert \
- -keystore "${KEYSTORE_DIR}"/truststore.jks \
- -alias letsencrypt-stg-root \
- -file /home/knox/cacrts/letsencrypt-stg-root-x1.pem \
- -storepass "${ALIAS_PASSPHRASE}" \
- -noprompt || true
+# This default was set to emulate the existing behaviour
+# Customer should be able to override this by specifying this via Docker
environment settings
+if [[ -z ${TRUSTSTORE_IMPORTS} ]]
+then
+ TRUSTSTORE_IMPORTS="
+ amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
+ amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
+ amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
+ amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
+ letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+fi
+
+for certinfo in ${TRUSTSTORE_IMPORTS}
Review Comment:
When we specify `TRUSTSTORE_IMPORTS` then the OOTB certs are not included?
this might be a problem here is why: In docker we do not use system keystore
which means we do not have green certs that are provisioned in the keystore as
a result ALL communication to certs signed by public CAs will fail :(
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -86,11 +86,12 @@ fi
if [[ -n ${MASTER_SECRET} ]]
then
- echo "Using provided knox master secret"
- /home/knox/knox/bin/knoxcli.sh create-master --master "${MASTER_SECRET}"
+ echo "Using provided knox master secret [env:MASTER_SECRET]"
Review Comment:
We are echoing the secret, that can be an issue.
Issue Time Tracking
-------------------
Worklog Id: (was: 1015680)
Time Spent: 1h 40m (was: 1.5h)
> Docker - entrypoint fails
> -------------------------
>
> Key: KNOX-3297
> URL: https://issues.apache.org/jira/browse/KNOX-3297
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Selvamohan Neethiraj
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> Issues:
> # keystore path was hardcoded to /usr/bin/keytool - JDK is installed in a
> different path.
> # The keystore passphrase was incorrect in the initialization process.
> # There are few truststore certs are being added in the entrypoint script.
> But, the certs are not found in the docker image.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
