feat: Add support for custom root certificates in Java keystore #671

Open
wants to merge 6 commits into
base: main
9 changes: 6 additions & 3 deletions api/Dockerfile
@@ -1,4 +1,4 @@
# The tag is ignored when a sha is included but the reason to add it are:
# The tag is ignored when a sha is included but the reason to add it are:
# 1. Self Documentation: It is difficult to find out what the expected tag is given a sha alone
# 2. Helps dependabot during discovery of upgrades
FROM azul/zulu-openjdk-alpine:17-jre-headless-latest@sha256:af4df00adaec356d092651af50d9e80fd179f96722d267e79acb564aede10fda
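Review bot: The first comment line is removed and re-added with no visible difference, so this looks like a whitespace or line-ending change unrelated to the feature. Revert it so the Dockerfile diff contains only the certificate-import changes.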
Expand All @@ -11,7 +11,10 @@ RUN apk add --no-cache \
RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui

# creating folder for dynamic config usage (certificates uploads, etc)
RUN mkdir /etc/kafkaui/
RUN mkdir -p /etc/kafkaui/certs
COPY ./import-certs.sh /usr/local/bin/import-certs.sh
RUN chmod +x /usr/local/bin/import-certs.sh

RUN chown kafkaui /etc/kafkaui

USER kafkaui
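Review bot: `RUN chown kafkaui /etc/kafkaui` is not recursive, so the new `/etc/kafkaui/certs` created by `mkdir -p` stays owned by root, and nothing in this hunk gives `kafkaui` write access to the JRE `cacerts` file that import-certs.sh targets. Because `USER kafkaui` comes before the CMD, the import runs unprivileged and keytool can only update the keystore if its permissions are changed somewhere else. Consider having the script write a separate truststore under `/etc/kafkaui`, which `kafkaui` owns, instead of widening permissions on the JRE's default one.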
Expand All @@ -24,4 +27,4 @@ ENV JAVA_OPTS=
EXPOSE 8080

# see JmxSslSocketFactory docs to understand why add-opens is needed
CMD java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED $JAVA_OPTS -jar api.jar
CMD ["sh", "-c", "/usr/local/bin/import-certs.sh && java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED $JAVA_OPTS -jar api.jar"]
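Review bot: In the new CMD, java is started from inside `sh -c "... && java ..."`, and whether the JVM replaces the shell or runs as its child depends on the shell's implementation; write `exec java ...` after the `&&` so it is explicit that the JVM receives the container's stop signals. The `&&` also ties application start to the exit status of import-certs.sh, so decide whether a failed certificate import should stop the container and document that behaviour.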
18 changes: 18 additions & 0 deletions api/import-certs.sh
@@ -0,0 +1,18 @@
#!/bin/sh

CERT_DIR="/etc/kafkaui/certs"
KEYSTORE="$JAVA_HOME/lib/security/cacerts"
Member

I'd rather see a custom truststore created and passed via these spring properties

server:
  ssl:
    trust-store: classpath:keycloak-truststore.jks
    trust-store-password: changeit

rather than messing with jre's truststore, what do you think?

Contributor Author

Where do I configure Spring properties?
Do I need to add a certificate to keycloak-truststore.jks?

Member

@Haarolean Haarolean Nov 26, 2024

> Do I need to add a certificate to keycloak-truststore.jks?

We can build a new truststore from scratch within the same script and put it somewhere.

> Where do I configure Spring properties?

I believe we can try setting env vars like SERVER_SSL_TRUST-STORE: xxx, or leave this to the user (given this will be well documented, adding a few config properties is way easier than building a truststore from scratch).

Contributor Author

I am not a Java developer. I don't know Spring. Could you share a simple example without Kubernetes?

Contributor Author

@Haarolean Could you share a simple example without Kubernetes?

Member

Sorry for the delay. This is a config property, it has nothing to do with k8s.
My suggestion is to create a truststore from scratch and have it mounted into the container, so the user can set the location via SERVER_SSL_TRUST-STORE themselves. What do you think?

Contributor Author

I would like to just specify the k8s secret or k8s configmap with the certificate, and have it create the certificate store itself inside.

STOREPASS="changeit"

if [ -d "$CERT_DIR" ]; then
for cert in $CERT_DIR/*.crt; do
if [ -f "$cert" ]; then
alias=$(basename "$cert" .crt)
echo "Importing $cert with alias $alias"
keytool -import -noprompt -trustcacerts -alias "$alias" -file "$cert" -keystore "$KEYSTORE" -storepass "$STOREPASS"
fi
done
else
echo "No certificates directory found at $CERT_DIR"
fi
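
Review bot: The exit status of `keytool -import` inside the loop is never checked, so a failed import does not stop the loop and the script's own status reflects only the last certificate processed; add an explicit check (or `set -e`) and exit non-zero with a clear message. If the same container is restarted, the aliases from the previous run are already in the keystore and keytool refuses to import over an existing alias, so test with `keytool -list -alias "$alias"` first or delete the alias before importing. Also quote the directory in the glob, as in `"$CERT_DIR"/*.crt`.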
