Add an ability to add public key certificate to Java trust store (#16006)

2020-03-04 10:50:33 +02:00 · 2020-03-04 10:50:33 +02:00 · 95fc64fdc9
parent cbaf94e69c
commit 95fc64fdc9
3 changed files with 56 additions and 16 deletions
--- a/deploy/kubernetes/helm/che/templates/deployment.yaml
+++ b/deploy/kubernetes/helm/che/templates/deployment.yaml
@ -156,15 +156,31 @@ spec:
            memory: 600Mi
          requests:
            memory: 256Mi
-{{- if not .Values.global.multiuser }}
+{{- if or (not .Values.global.multiuser) (not (eq .Values.global.tls.serverTrustStoreConfigMapName "")) }}
        volumeMounts:
+{{- if not .Values.global.multiuser }}
        - mountPath: /data
          name: che-data-volume
+{{- end }}
+# If serverTrustStoreConfigMapName is defined, then add the che-public-certs volume mount with certificate contents
+# to propagate them to trust store.
+{{- if not (eq .Values.global.tls.serverTrustStoreConfigMapName "") }}
+        - mountPath: /public-certs
+          name: che-public-certs
+{{- end }}
      volumes:
+{{- if not .Values.global.multiuser }}
      - name: che-data-volume
        persistentVolumeClaim:
          claimName: che-data-volume
 {{- end }}
+# If serverTrustStoreConfigMapName is defined, then add config-map volume.
+{{- if not (eq .Values.global.tls.serverTrustStoreConfigMapName "") }}
+      - name: che-public-certs
+        configMap:
+          name: {{ .Values.global.tls.serverTrustStoreConfigMapName }}
+{{- end }}
+{{- end }}
 {{- if .Values.registry }}
 {{- if and .Values.registry.password .Values.registry.username }}
      imagePullSecrets:
--- a/deploy/kubernetes/helm/che/values.yaml
+++ b/deploy/kubernetes/helm/che/values.yaml
@ -49,6 +49,9 @@ global:
    ## then CA certificate from `tls.secretName` will be propagated to Che components' trust stores
    useSelfSignedCerts: false

+    ## Name of the config-map with public certificates to add to Java trust store of the Che server.
+    serverTrustStoreConfigMapName: ""
+

  ## If using git self-signed certificate is enabled
  ## then certificate from `cheGitSelfSignedCertConfigMapName` will be propagated to Che components'
--- a/dockerfiles/che/entrypoint.sh
+++ b/dockerfiles/che/entrypoint.sh
@ -291,30 +291,50 @@ init() {
 }

 add_cert_to_truststore() {
-  if [ "${CHE_SELF__SIGNED__CERT}" != "" ]; then
-    DEFAULT_JAVA_TRUST_STORE=$JAVA_HOME/lib/security/cacerts
-    DEFAULT_JAVA_TRUST_STOREPASS="changeit"
+  DEFAULT_JAVA_TRUST_STORE=$JAVA_HOME/lib/security/cacerts
+  DEFAULT_JAVA_TRUST_STOREPASS="changeit"

-    JAVA_TRUST_STORE=/home/user/cacerts
-    SELF_SIGNED_CERT=/home/user/self-signed.crt
+  JAVA_TRUST_STORE=/home/user/cacerts
+  SELF_SIGNED_CERT=/home/user/self-signed.crt

-    echo "Found a custom cert. Adding it to java trust store based on $DEFAULT_JAVA_TRUST_STORE"
+  MESSAGE="Found a custom cert. Adding it to java trust store $JAVA_TRUST_STORE"
+  if [ ! -f "$JAVA_TRUST_STORE" ]; then
+    echo "$MESSAGE based on $DEFAULT_JAVA_TRUST_STORE"
    cp $DEFAULT_JAVA_TRUST_STORE $JAVA_TRUST_STORE
+  else
+    echo "$MESSAGE"
+  fi

-    echo "$CHE_SELF__SIGNED__CERT" > $SELF_SIGNED_CERT
+  echo "$1" > $SELF_SIGNED_CERT

-    # make sure that owner has permissions to write and other groups have permissions to read
-    chmod 644 $JAVA_TRUST_STORE
-
-    echo yes | keytool -keystore $JAVA_TRUST_STORE -importcert -alias HOSTDOMAIN -file $SELF_SIGNED_CERT -storepass $DEFAULT_JAVA_TRUST_STOREPASS > /dev/null
-
-    # allow only read by all groups
-    chmod 444 $JAVA_TRUST_STORE
+  # make sure that owner has permissions to write and other groups have permissions to read
+  chmod 644 $JAVA_TRUST_STORE

+  echo yes | keytool -keystore $JAVA_TRUST_STORE -importcert -alias "$2" -file $SELF_SIGNED_CERT -storepass $DEFAULT_JAVA_TRUST_STOREPASS > /dev/null
+  # allow only read by all groups
+  chmod 444 $JAVA_TRUST_STORE
+  if [[ "$JAVA_OPTS" != *"-Djavax.net.ssl.trustStore"* && "$JAVA_OPTS" != *"-Djavax.net.ssl.trustStorePassword"* ]]; then
    export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=$JAVA_TRUST_STORE -Djavax.net.ssl.trustStorePassword=$DEFAULT_JAVA_TRUST_STOREPASS"
  fi
 }

+add_che_cert_to_truststore() {
+  if [ "${CHE_SELF__SIGNED__CERT}" != "" ]; then
+    add_cert_to_truststore "${CHE_SELF__SIGNED__CERT}" "HOSTDOMAIN"
+  fi
+}
+
+add_public_cert_to_truststore() {
+  CUSTOM_PUBLIC_CERTIFICATES="/public-certs"
+  if [[ -d "$CUSTOM_PUBLIC_CERTIFICATES" && -n "$(find $CUSTOM_PUBLIC_CERTIFICATES -type f)" ]]; then
+    FILES="$CUSTOM_PUBLIC_CERTIFICATES/*"
+    for cert in $FILES
+    do
+      add_cert_to_truststore "$(<$cert)" "HOSTDOMAIN-$(basename $cert)"
+    done
+  fi
+}
+
 get_che_data_from_host() {
  DEFAULT_DATA_HOST_PATH=/data
  CHE_SERVER_CONTAINER_ID=$(get_che_server_container_id)
@ -374,7 +394,8 @@ trap 'responsible_shutdown' SIGHUP SIGTERM SIGINT
 init
 init_global_variables
 set_environment_variables
-add_cert_to_truststore
+add_che_cert_to_truststore
+add_public_cert_to_truststore

 # run che
 start_che_server &