From 95fc64fdc9d4668d655df98161efbfb7d19597c7 Mon Sep 17 00:00:00 2001 From: Igor Vinokur Date: Wed, 4 Mar 2020 10:50:33 +0200 Subject: [PATCH] Add an ability to add public key certificate to Java trust store (#16006) --- .../helm/che/templates/deployment.yaml | 18 ++++++- deploy/kubernetes/helm/che/values.yaml | 3 ++ dockerfiles/che/entrypoint.sh | 51 +++++++++++++------ 3 files changed, 56 insertions(+), 16 deletions(-) diff --git a/deploy/kubernetes/helm/che/templates/deployment.yaml b/deploy/kubernetes/helm/che/templates/deployment.yaml index c09aa4bae6..8ac15e1b3b 100644 --- a/deploy/kubernetes/helm/che/templates/deployment.yaml +++ b/deploy/kubernetes/helm/che/templates/deployment.yaml @@ -156,15 +156,31 @@ spec: memory: 600Mi requests: memory: 256Mi -{{- if not .Values.global.multiuser }} +{{- if or (not .Values.global.multiuser) (not (eq .Values.global.tls.serverTrustStoreConfigMapName "")) }} volumeMounts: +{{- if not .Values.global.multiuser }} - mountPath: /data name: che-data-volume +{{- end }} +# If serverTrustStoreConfigMapName is defined, then add the che-public-certs volume mount with certificate contents +# to propagate them to trust store. +{{- if not (eq .Values.global.tls.serverTrustStoreConfigMapName "") }} + - mountPath: /public-certs + name: che-public-certs +{{- end }} volumes: +{{- if not .Values.global.multiuser }} - name: che-data-volume persistentVolumeClaim: claimName: che-data-volume {{- end }} +# If serverTrustStoreConfigMapName is defined, then add config-map volume. +{{- if not (eq .Values.global.tls.serverTrustStoreConfigMapName "") }} + - name: che-public-certs + configMap: + name: {{ .Values.global.tls.serverTrustStoreConfigMapName }} +{{- end }} +{{- end }} {{- if .Values.registry }} {{- if and .Values.registry.password .Values.registry.username }} imagePullSecrets: diff --git a/deploy/kubernetes/helm/che/values.yaml b/deploy/kubernetes/helm/che/values.yaml index 4054f503b9..be710856f0 100644 
--- a/deploy/kubernetes/helm/che/values.yaml +++ b/deploy/kubernetes/helm/che/values.yaml @@ -49,6 +49,9 @@ global: ## then CA certificate from `tls.secretName` will be propagated to Che components' trust stores useSelfSignedCerts: false + ## Name of the config-map with public certificates to add to Java trust store of the Che server. + serverTrustStoreConfigMapName: "" + ## If using git self-signed certificate is enabled ## then certificate from `cheGitSelfSignedCertConfigMapName` will be propagated to Che components' diff --git a/dockerfiles/che/entrypoint.sh b/dockerfiles/che/entrypoint.sh index 54fa69919a..550605f67f 100755 --- a/dockerfiles/che/entrypoint.sh +++ b/dockerfiles/che/entrypoint.sh 
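Review bot: The new comment on `serverTrustStoreConfigMapName` does not say what the ConfigMap entries must contain, and the consumer is picky: the entrypoint reads each entry with `$(<$cert)` and echoes it into a temp file before `keytool -importcert`, so only PEM text survives that round-trip, and keytool imports just the first certificate of a PEM bundle as far as I recall. An operator dropping a DER file or a CA bundle into the ConfigMap would get a partially populated trust store with no error in the chart. I would extend the comment to `## Each entry must be a single PEM-encoded certificate; entries are imported into the Che server's Java trust store at startup.`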
@@ -291,30 +291,50 @@ init() { } add_cert_to_truststore() { - if [ "${CHE_SELF__SIGNED__CERT}" != "" ]; then - DEFAULT_JAVA_TRUST_STORE=$JAVA_HOME/lib/security/cacerts - DEFAULT_JAVA_TRUST_STOREPASS="changeit" + DEFAULT_JAVA_TRUST_STORE=$JAVA_HOME/lib/security/cacerts + DEFAULT_JAVA_TRUST_STOREPASS="changeit" - JAVA_TRUST_STORE=/home/user/cacerts - SELF_SIGNED_CERT=/home/user/self-signed.crt + JAVA_TRUST_STORE=/home/user/cacerts + SELF_SIGNED_CERT=/home/user/self-signed.crt - echo "Found a custom cert. Adding it to java trust store based on $DEFAULT_JAVA_TRUST_STORE" + MESSAGE="Found a custom cert. Adding it to java trust store $JAVA_TRUST_STORE" + if [ ! -f "$JAVA_TRUST_STORE" ]; then + echo "$MESSAGE based on $DEFAULT_JAVA_TRUST_STORE" cp $DEFAULT_JAVA_TRUST_STORE $JAVA_TRUST_STORE + else + echo "$MESSAGE" + fi - echo "$CHE_SELF__SIGNED__CERT" > $SELF_SIGNED_CERT + echo "$1" > $SELF_SIGNED_CERT - # make sure that owner has permissions to write and other groups have permissions to read - chmod 644 $JAVA_TRUST_STORE - - echo yes | keytool -keystore $JAVA_TRUST_STORE -importcert -alias HOSTDOMAIN -file $SELF_SIGNED_CERT -storepass $DEFAULT_JAVA_TRUST_STOREPASS > /dev/null - - # allow only read by all groups - chmod 444 $JAVA_TRUST_STORE + # make sure that owner has permissions to write and other groups have permissions to read + chmod 644 $JAVA_TRUST_STORE + echo yes | keytool -keystore $JAVA_TRUST_STORE -importcert -alias "$2" -file $SELF_SIGNED_CERT -storepass $DEFAULT_JAVA_TRUST_STOREPASS > /dev/null + # allow only read by all groups + chmod 444 $JAVA_TRUST_STORE + if [[ "$JAVA_OPTS" != *"-Djavax.net.ssl.trustStore"* && "$JAVA_OPTS" != *"-Djavax.net.ssl.trustStorePassword"* ]]; then export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=$JAVA_TRUST_STORE -Djavax.net.ssl.trustStorePassword=$DEFAULT_JAVA_TRUST_STOREPASS" fi } +add_che_cert_to_truststore() { + if [ "${CHE_SELF__SIGNED__CERT}" != "" ]; then + add_cert_to_truststore "${CHE_SELF__SIGNED__CERT}" 
"HOSTDOMAIN" + fi +} + +add_public_cert_to_truststore() { + CUSTOM_PUBLIC_CERTIFICATES="/public-certs" + if [[ -d "$CUSTOM_PUBLIC_CERTIFICATES" && -n "$(find $CUSTOM_PUBLIC_CERTIFICATES -type f)" ]]; then + FILES="$CUSTOM_PUBLIC_CERTIFICATES/*" + for cert in $FILES + do + add_cert_to_truststore "$(<$cert)" "HOSTDOMAIN-$(basename $cert)" + done + fi +} + get_che_data_from_host() { DEFAULT_DATA_HOST_PATH=/data CHE_SERVER_CONTAINER_ID=$(get_che_server_container_id) @@ -374,7 +394,8 @@ trap 'responsible_shutdown' SIGHUP SIGTERM SIGINT init init_global_variables set_environment_variables -add_cert_to_truststore +add_che_cert_to_truststore +add_public_cert_to_truststore # run che start_che_server &
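Review bot: In add_cert_to_truststore the exit status of `echo yes | keytool ... > /dev/null` is never checked, so a certificate that fails to import (a malformed entry, or on a re-run against an already existing /home/user/cacerts an alias that is already present) lets the server start with `-Djavax.net.ssl.trustStore` pointed at a store that silently lacks it, with keytool's stderr as the only trace. Now that the function runs once per certificate and the script is not under `set -e`, I would make a failed import abort startup rather than continue. Related, the loop in add_public_cert_to_truststore passes file contents via `$(<$cert)` and rewrites them with echo, which only round-trips PEM (a DER entry would lose its NUL bytes), so either document PEM-only or pass `$cert` as a path and let keytool read it directly. The unquoted `$JAVA_TRUST_STORE`, `$SELF_SIGNED_CERT` and `$cert` expansions are harmless for ConfigMap key names but should be quoted for consistency with the quoted `-alias "$2"` on the same line.
```shell
  # … unchanged: store bootstrap, writing $1 to $SELF_SIGNED_CERT, chmod 644 …
  if ! echo yes | keytool -keystore "$JAVA_TRUST_STORE" -importcert -alias "$2" \
      -file "$SELF_SIGNED_CERT" -storepass "$DEFAULT_JAVA_TRUST_STOREPASS" > /dev/null; then
    echo "Failed to import certificate '$2' into $JAVA_TRUST_STORE" >&2
    exit 1
  fi
  # … unchanged: chmod 444 and JAVA_OPTS export …
```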