CLIP-1826: Add user provided certificates to the default Java truststore #663
Conversation
bianchi2
requested review from
nanux,
errcode1202,
yzha645,
jjeongatl,
bconroyA and
ealliaume
as code owners
bianchi2
force-pushed
the
add-crt-to-keystore
branch
from
caed505
to
39476b5
Compare
There was a problem hiding this comment.
Great improvement @bianchi2! It is great to streamline the experience of setting up the certificates for all users.
Do you think it would be worth adding a paragraph or two to the user facing documentation?
Something along the lines:
How to use custom certificates
| {{- if .Values.bamboo.additionalCertificates.customCmd}} | ||
| {{ .Values.bamboo.additionalCertificates.customCmd}} | ||
| {{- else }} | ||
| set -e; for crt in /tmp/crt/*.*; do echo "Adding $crt to keystore"; keytool -import -cacerts -storepass changeit -noprompt -alias $(echo $(basename $crt)) -file $crt; done; cp $JAVA_HOME/lib/security/cacerts /var/ssl/cacerts |
There was a problem hiding this comment.
What happens when customer has or wants to define different passkey than the default changeit?
There was a problem hiding this comment.
We assume that the official image is used. In case of a custom truststore, it should be already mounted as a secret. So, if a user already mounts a custom truststore, importing new certs happens outside helm then.
There was a problem hiding this comment.
Right and if customer wants to do something specific in this command, they can always redefine the customCmd.
| @@ -55,6 +55,18 @@ spec: | |||
| command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}] | |||
| {{- end }} | |||
| {{- include "common.jmx.initContainer" . | nindent 8 }} | |||
| {{- if .Values.bamboo.additionalCertificates.secretName }} | |||
| - name: import-certs | |||
| image: {{ include "bamboo.image" . | quote }} | |||
There was a problem hiding this comment.
I guess we are running this image because we want to run the keytool util? I am just wondering whether it is necessary to spin up the large product image to run a simple command.
There was a problem hiding this comment.
Great question :) In fact, it does not really matter if we use temurin image for keytool init container. This won't save us any time since product image needs to be pulled anyways. It's a matter of which phase takes longer - init or containers start. If we pull product image in the init phase, container runtime will have it available when the product container starts. No gains/benefits with either of the approaches, imho.
There was a problem hiding this comment.
Thanks for confirming this. I was thinking that because we pull the image anyway, it is faster on the pull time but for a very short period we take more resources than we need but as the execution is super quick, it is negligible.
Last thing, if this fails, does it stop container execution, and how will customers get to the error logs (are they sufficient to understand why it failed?)
|
@nanux yes, adding docs with examples is a good idea. UPDATE. Docs added |
| {{- if .Values.bamboo.additionalCertificates.customCmd}} | ||
| {{ .Values.bamboo.additionalCertificates.customCmd}} | ||
| {{- else }} | ||
| set -e; for crt in /tmp/crt/*.*; do echo "Adding $crt to keystore"; keytool -import -cacerts -storepass changeit -noprompt -alias $(echo $(basename $crt)) -file $crt; done; cp $JAVA_HOME/lib/security/cacerts /var/ssl/cacerts |
There was a problem hiding this comment.
Right and if customer wants to do something specific in this command, they can always redefine the customCmd.
| @@ -55,6 +55,18 @@ spec: | |||
| command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}] | |||
| {{- end }} | |||
| {{- include "common.jmx.initContainer" . | nindent 8 }} | |||
| {{- if .Values.bamboo.additionalCertificates.secretName }} | |||
| - name: import-certs | |||
| image: {{ include "bamboo.image" . | quote }} | |||
There was a problem hiding this comment.
Thanks for confirming this. I was thinking that because we pull the image anyway, it is faster on the pull time but for a very short period we take more resources than we need but as the execution is super quick, it is negligible.
Last thing, if this fails, does it stop container execution, and how will customers get to the error logs (are they sufficient to understand why it failed?)
|
We do |
|
|
||
| ## :material-certificate: Self Signed Certificates | ||
|
|
||
| Accessing applications or websites that are encrypted with SSL using certificates not signed by a public authority will result in a connection error. The stacktrace will contain the following: | ||
|
|
||
| ```shell | ||
| caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target | ||
| ``` | ||
|
|
||
| To fix the issue, self signed certificates need to be added to Java truststore. First off, you need to create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files: | ||
|
|
||
| ```shell | ||
| kubectl create secret generic dev-certificates \ | ||
| --from-file=stg.crt=./stg.crt \ | ||
| --from-file=dev.crt=./dev.crt -n $namespace | ||
| ``` | ||
|
|
||
| The resulting secret will have the following data: | ||
|
|
||
| ```yaml | ||
| data: | ||
| stg.crt: base64encodedstgcrt | ||
| dev.crt: base64encodeddevcrt | ||
| ``` | ||
|
|
||
| !!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate." | ||
|
|
||
| Once done, provide the secret name in Helm values: | ||
|
|
||
| ```yaml | ||
| jira: | ||
| additionalCertificates: | ||
| secretName: dev-certificates | ||
| ``` | ||
|
|
||
| Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: | ||
|
|
||
| * copy the default Java cacerts to a runtime volume shared between the init container and the main container at `/var/ssl` | ||
| * run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from `dev-certificates` secret to `/var/ssl/cacerts` | ||
|
|
||
| `-Djavax.net.ssl.trustStore=/var/ssl/cacerts` system property will be automatically added to `JVM_SUPPORT_RECOMMENDED_ARGS` environment variable. | ||
|
|
||
| If necessary, it is possible to override the default `keytool -import` command: | ||
|
|
||
| ```yaml | ||
| jira: | ||
| additionalCertificates: | ||
| secretName: dev-certificates | ||
| customCmd: keytool -import ... | ||
| ``` |
There was a problem hiding this comment.
@bianchi2 Im just wondering if it makes more sense for this to go under the TROUBLESHOOTING section? Maybe not, but as a compromise a section in the troubleshooter page talking to PKIX exceptions with a link to the fix might be good?
There was a problem hiding this comment.
It's a good idea! I'll raise another PR with docs changes as this one has been merged.
| secretName: dev-certificates | ||
| ``` | ||
|
|
||
| Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: |
There was a problem hiding this comment.
| Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: | |
| The product Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will: |
While it is possible to create a custom truststore and mount it as a secret using
additionalFilesand addadditionalJvmArguments, it takes a lot of steps. This PR makes adding custom certs a lot easier.If secretName is defined (it must be the secret that has been pre-created outside helm), then:
/var/ssl/tmp/crtin the init container/tmp/crtinto the default java truststore at$JAVA_HOME/lib/security/cacerts$JAVA_HOME/lib/security/cacertsis copied to/var/ssl/cacertswhich is available to the main container-Djavax.net.ssl.trustStore=/var/ssl/cacertssysprop is added to JVM args to instruct the server to use a custom truststoreThe secret can contain multiple certificates, for example:
Certs will be mounted as
/tmp/crt/stg.crt,/tmp/crt/dev.srt. When certs are imported, filenames are used as aliases.In addition to unit tests, this feature is enabled in KinD tests to make sure that the init containers don't fail and main containers can find the custom trust store. Here's KinD run.
Checklist
e2elabel)