-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLIP-1826: Add user provided certificates to the default Java truststore #663
Conversation
caed505
to
39476b5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great improvement @bianchi2! It is great to streamline the experience of setting up the certificates for all users.
Do you think it would be worth adding a paragraph or two to the user facing documentation?
Something along the lines:
How to use custom certificates
{{- if .Values.bamboo.additionalCertificates.customCmd}} | ||
{{ .Values.bamboo.additionalCertificates.customCmd}} | ||
{{- else }} | ||
set -e; for crt in /tmp/crt/*.*; do echo "Adding $crt to keystore"; keytool -import -cacerts -storepass changeit -noprompt -alias $(echo $(basename $crt)) -file $crt; done; cp $JAVA_HOME/lib/security/cacerts /var/ssl/cacerts |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens when customer has or wants to define different passkey than the default changeit
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We assume that the official image is used. In case of a custom truststore, it should be already mounted as a secret. So, if a user already mounts a custom truststore, importing new certs happens outside helm then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right and if customer wants to do something specific in this command, they can always redefine the customCmd
.
@@ -55,6 +55,18 @@ spec: | |||
command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}] | |||
{{- end }} | |||
{{- include "common.jmx.initContainer" . | nindent 8 }} | |||
{{- if .Values.bamboo.additionalCertificates.secretName }} | |||
- name: import-certs | |||
image: {{ include "bamboo.image" . | quote }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we are running this image because we want to run the keytool
util? I am just wondering whether it is necessary to spin up the large product image to run a simple command.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great question :) In fact, it does not really matter if we use temurin image for keytool init container. This won't save us any time since product image needs to be pulled anyways. It's a matter of which phase takes longer - init or containers start. If we pull product image in the init phase, container runtime will have it available when the product container starts. No gains/benefits with either of the approaches, imho.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for confirming this. I was thinking that because we pull the image anyway, it is faster on the pull time but for a very short period we take more resources than we need but as the execution is super quick, it is negligible.
Last thing, if this fails, does it stop container execution, and how will customers get to the error logs (are they sufficient to understand why it failed?)
@nanux yes, adding docs with examples is a good idea. UPDATE. Docs added |
{{- if .Values.bamboo.additionalCertificates.customCmd}} | ||
{{ .Values.bamboo.additionalCertificates.customCmd}} | ||
{{- else }} | ||
set -e; for crt in /tmp/crt/*.*; do echo "Adding $crt to keystore"; keytool -import -cacerts -storepass changeit -noprompt -alias $(echo $(basename $crt)) -file $crt; done; cp $JAVA_HOME/lib/security/cacerts /var/ssl/cacerts |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right and if customer wants to do something specific in this command, they can always redefine the customCmd
.
@@ -55,6 +55,18 @@ spec: | |||
command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}] | |||
{{- end }} | |||
{{- include "common.jmx.initContainer" . | nindent 8 }} | |||
{{- if .Values.bamboo.additionalCertificates.secretName }} | |||
- name: import-certs | |||
image: {{ include "bamboo.image" . | quote }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for confirming this. I was thinking that because we pull the image anyway, it is faster on the pull time but for a very short period we take more resources than we need but as the execution is super quick, it is negligible.
Last thing, if this fails, does it stop container execution, and how will customers get to the error logs (are they sufficient to understand why it failed?)
We do |
|
||
## :material-certificate: Self Signed Certificates | ||
|
||
Accessing applications or websites that are encrypted with SSL using certificates not signed by a public authority will result in a connection error. The stacktrace will contain the following: | ||
|
||
```shell | ||
caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | ||
``` | ||
|
||
To fix the issue, self signed certificates need to be added to Java truststore. First off, you need to create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files: | ||
|
||
```shell | ||
kubectl create secret generic dev-certificates \ | ||
--from-file=stg.crt=./stg.crt \ | ||
--from-file=dev.crt=./dev.crt -n $namespace | ||
``` | ||
|
||
The resulting secret will have the following data: | ||
|
||
```yaml | ||
data: | ||
stg.crt: base64encodedstgcrt | ||
dev.crt: base64encodeddevcrt | ||
``` | ||
|
||
!!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate." | ||
|
||
Once done, provide the secret name in Helm values: | ||
|
||
```yaml | ||
jira: | ||
additionalCertificates: | ||
secretName: dev-certificates | ||
``` | ||
|
||
Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: | ||
|
||
* copy the default Java cacerts to a runtime volume shared between the init container and the main container at `/var/ssl` | ||
* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from `dev-certificates` secret to `/var/ssl/cacerts` | ||
|
||
`-Djavax.net.ssl.trustStore=/var/ssl/cacerts` system property will be automatically added to `JVM_SUPPORT_RECOMMENDED_ARGS` environment variable. | ||
|
||
If necessary, it is possible to override the default `keytool -import` command: | ||
|
||
```yaml | ||
jira: | ||
additionalCertificates: | ||
secretName: dev-certificates | ||
customCmd: keytool -import ... | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bianchi2 Im just wondering if it makes more sense for this to go under the TROUBLESHOOTING
section? Maybe not, but as a compromise a section in the troubleshooter page talking to PKIX
exceptions with a link to the fix might be good?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a good idea! I'll raise another PR with docs changes as this one has been merged.
secretName: dev-certificates | ||
``` | ||
|
||
Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: | |
The product Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: |
While it is possible to create a custom truststore and mount it as a secret using
additionalFiles
and addadditionalJvmArguments
, it takes a lot of steps. This PR makes adding custom certs a lot easier.If secretName is defined (it must be the secret that has been pre-created outside helm), then:
/var/ssl
/tmp/crt
in the init container/tmp/crt
into the default java truststore at$JAVA_HOME/lib/security/cacerts
$JAVA_HOME/lib/security/cacerts
is copied to/var/ssl/cacerts
which is available to the main container-Djavax.net.ssl.trustStore=/var/ssl/cacerts
sysprop is added to JVM args to instruct the server to use a custom truststoreThe secret can contain multiple certificates, for example:
Certs will be mounted as
/tmp/crt/stg.crt
,/tmp/crt/dev.srt
. When certs are imported, filenames are used as aliases.In addition to unit tests, this feature is enabled in KinD tests to make sure that the init containers don't fail and main containers can find the custom trust store. Here's KinD run.
Checklist
e2e
label)