feat: Add support for custom root certificates in Java keystore #671
Open
patsevanton wants to merge 6 commits into kafbat:main from patsevanton:certs
6 commits
758c04b feat: Add support for custom root certificates in Java keystore (patsevanton)
a581626 feat: Add support for custom root certificates in Java keystore (patsevanton)
e016869 feat: Add support for custom root certificates in Java keystore (patsevanton)
2a1fcdf feat: Add support for custom root certificates in Java keystore (patsevanton)
5d18e31 feat: Add support for custom root certificates in Java keystore (patsevanton)
b1d9182 feat: Add support for custom root certificates in Java keystore (patsevanton)

Changes from all commits
@@ -0,0 +1,18 @@ | ||
#!/bin/sh | ||
|
||
CERT_DIR="/etc/kafkaui/certs" | ||
KEYSTORE="$JAVA_HOME/lib/security/cacerts" | ||
STOREPASS="changeit" | ||
|
||
if [ -d "$CERT_DIR" ]; then | ||
for cert in $CERT_DIR/*.crt; do | ||
if [ -f "$cert" ]; then | ||
alias=$(basename "$cert" .crt) | ||
echo "Importing $cert with alias $alias" | ||
keytool -import -noprompt -trustcacerts -alias "$alias" -file "$cert" -keystore "$KEYSTORE" -storepass "$STOREPASS" | ||
fi | ||
done | ||
else | ||
echo "No certificates directory found at $CERT_DIR" | ||
fi | ||
|
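Review bot: the keytool call on the import line ignores its exit status, so a failed import (an unparseable file, or an alias that already exists because the entrypoint ran a second time on the same container filesystem, which keytool rejects with a non-zero exit) only shows up as a log line and the application still starts without the trust it expects; add `|| exit 1` to that line or `set -e` at the top. The script also mutates the JRE-wide truststore at $JAVA_HOME/lib/security/cacerts with the hardcoded default password "changeit", and with JAVA_HOME unset the keystore path silently becomes /lib/security/cacerts; a dedicated truststore under an application-owned path, with its location handed to the application, avoids both. Quoting the glob as "$CERT_DIR"/*.crt keeps file names containing spaces intact.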
I'd rather see a custom truststore created and passed via these Spring properties rather than messing with the JRE's truststore, what do you think?
Where do I configure Spring properties?
Do I need to add a certificate to keycloak-truststore.jks?
We can build a new truststore from scratch within the same script and put it somewhere. I believe we can try setting env vars like
SERVER_SSL_TRUST-STORE: xxx
, or leave this to the user (given this will be well documented, adding a few config properties is way easier than building a truststore from scratch).
I am not a Java developer. I don't know Spring. Could you share a simple example without Kubernetes?
@Haarolean Could you share a simple example without Kubernetes?
Sorry for the delay. This is a config property, it has nothing to do with k8s.
My suggestion is to create a truststore from scratch and have it mounted into the container, so the user can set the location via
SERVER_SSL_TRUST-STORE
themselves. What do you think?
I would like to just specify the k8s secret or k8s configmap with the certificate, and have it create the certificate store itself inside.
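The approach the reviewer suggests above (a dedicated truststore built from scratch and mounted into the container, with the application pointed at it) as an added example script; it is not part of this PR or of the kafbat project. The certificate directory, truststore path and default password are assumed placeholders, each overridable through the environment variable of the same name.

```shell
#!/bin/sh
# Added example (not the PR's script or kafbat code): build a separate PKCS12
# truststore from the PEM certificates in CERT_DIR instead of editing the JRE cacerts.
# The paths and the default password below are assumed placeholders.
set -eu

CERT_DIR="${CERT_DIR:-/etc/kafkaui/certs}"
TRUSTSTORE="${TRUSTSTORE:-/etc/kafkaui/truststore.p12}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# Alias from the file name: strip directory and .crt, lowercase (keytool aliases are case-insensitive).
alias_for_cert() {
  basename "$1" .crt | tr '[:upper:]' '[:lower:]'
}

# Only files carrying a PEM certificate header are imported; anything else is skipped.
is_pem_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Import one certificate and propagate keytool's exit status to the caller.
import_cert() {
  a=$(alias_for_cert "$1")
  echo "Importing $1 as alias $a into $TRUSTSTORE"
  keytool -importcert -noprompt -alias "$a" -file "$1" \
    -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$TRUSTSTORE_PASS"
}

# Rebuild the truststore from scratch on every run: idempotent, so a container
# restart never hits keytool's "alias already exists" error.
build_truststore() {
  [ -d "$CERT_DIR" ] || { echo "No certificates directory at $CERT_DIR" >&2; return 1; }
  rm -f "$TRUSTSTORE"
  count=0
  for cert in "$CERT_DIR"/*.crt; do
    [ -f "$cert" ] || continue
    is_pem_cert "$cert" || { echo "Skipping $cert: not a PEM certificate" >&2; continue; }
    import_cert "$cert" || return 1   # a failed import aborts, it is not logged and ignored
    count=$((count + 1))
  done
  echo "Imported $count certificate(s) into $TRUSTSTORE"
  [ "$count" -gt 0 ]
}

# keytool ships with the JDK/JRE in the image; without it the script does nothing.
if command -v keytool >/dev/null 2>&1; then
  build_truststore || echo "Truststore not built" >&2
else
  echo "keytool not found; nothing to do" >&2
fi
```

Hand the result to the application with the Spring properties the reviewer refers to (server.ssl.trust-store and server.ssl.trust-store-password) for the embedded server, and with -Djavax.net.ssl.trustStore=/etc/kafkaui/truststore.p12 for outbound JVM clients such as an OIDC provider connection, since server.ssl.* does not change the JVM-wide default truststore.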