Rfd updates (#1)

Add support for multiple custom CA certificates to be trusted * Initial commit * Factor out cert updates. Handles multiple certs * Removed extra brace * Uses system trust store unless custom keystore is given. The system keystore now holds the CA certs that are passed to CUSTOM_CERT_URL in Dockerfile. * Only used for intermediate development. Unused now. * Undoing changes to config_ssl as it is for server ssl cert * OPTIONAL_CERT_ARG unneeded in this image * Update for minor shell optimizations. * Add quotes to prevent unnecessary internal operations * $@ -> $* * Update for minor shell optimizations. * Add quotes to prevent unnecessary internal operations * $@ -> $*
JeffersonLab · Jun 6, 2023 · 7fabbed · 7fabbed
1 parent b17fc7a
commit 7fabbed
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 25 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,20 +1,15 @@
 ARG BUILD_IMAGE=gradle:7.4-jdk17
 ARG RUN_IMAGE=quay.io/wildfly/wildfly:26.1.3.Final-jdk17
 ARG ORACLE_DRIVER_PATH=/ojdbc11-21.7.0.0.jar
-ARG CUSTOM_CRT_URL=http://pki.jlab.org/JLabCA.crt
+ARG CUSTOM_CRT_URL="http://crl.acc.jlab.org/acc-ca.crt http://pki.jlab.org/JLabCA.crt"
 
 ################## Stage 0
 FROM ${BUILD_IMAGE} as builder
 ARG CUSTOM_CRT_URL
 USER root
 WORKDIR /
-RUN if [ -z "${CUSTOM_CRT_URL}" ] ; then echo "No custom cert needed"; else \
-       wget -O /usr/local/share/ca-certificates/customcert.crt $CUSTOM_CRT_URL \
-       && update-ca-certificates \
-       && keytool -import -alias custom -file /usr/local/share/ca-certificates/customcert.crt -cacerts -storepass changeit -noprompt \
-       && export OPTIONAL_CERT_ARG=--cert=/etc/ssl/certs/ca-certificates.crt \
-    ; fi
 COPY . /app
+RUN /app/scripts/update-certs-builder.sh ${CUSTOM_CRT_URL}
 
 ## Let's minimize layers in final-product by organizing files into a single copy structure
 RUN mkdir /unicopy \
@@ -23,7 +18,8 @@ RUN mkdir /unicopy \
     && cp /app/scripts/docker-entrypoint.sh /unicopy \
     && cp /app/scripts/server-setup.sh /unicopy \
     && cp /app/scripts/provided-setup.sh /unicopy \
-    && cp /app/scripts/app-setup.sh /unicopy
+    && cp /app/scripts/app-setup.sh /unicopy \
+    && cp /app/scripts/update-certs-runner.sh /unicopy
 
 ################## Stage 1
 FROM ${RUN_IMAGE} as runner
@@ -32,11 +28,7 @@ ARG RUN_USER=jboss:jboss
 ARG ORACLE_DRIVER_PATH
 USER root
 COPY --from=builder /unicopy /
-RUN if [ -z "${CUSTOM_CRT_URL}" ] ; then echo "No custom cert needed"; else \
-       curl -sS -o /etc/pki/ca-trust/source/anchors/customcert.crt $CUSTOM_CRT_URL \
-       && update-ca-trust \
-       && keytool -import -alias custom -file /etc/pki/ca-trust/source/anchors/customcert.crt -cacerts -storepass changeit -noprompt \
-    ; fi \
+RUN /update-certs-runner.sh ${CUSTOM_CRT_URL} \
     && chsh -s /bin/bash jboss \
     && /server-setup.sh /docker-server.env \
     && rm -rf /opt/jboss/wildfly/standalone/configuration/standalone_xml_history

diff --git a/scripts/server-setup.sh b/scripts/server-setup.sh
@@ -97,7 +97,7 @@ EOF
 }
 
 apply_elytron_patch() {
-if [[ -z "${APPLY_ELYTRON_PATCH}}" ]]; then
+if [[ -z "${APPLY_ELYTRON_PATCH}" ]]; then
   echo "Skipping elytron patch because APPLY_ELYTRON_PATCH undefined"
   return 0
 fi
@@ -106,7 +106,7 @@ wget -O "${WILDFLY_APP_HOME}/modules/system/layers/base/org/wildfly/security/ely
 }
 
 config_admin_user() {
-if [[ -z "${APPLY_ELYTRON_PATCH}}" ]]; then
+if [[ -z "${APPLY_ELYTRON_PATCH}" ]]; then
   echo "Skipping config admin because WILDFLY_USER undefined"
   return 0
 fi
@@ -118,17 +118,17 @@ config_ssl() {
 if [[ -z "${KEYSTORE_NAME}" ]]; then
   echo "Skipping config ssl because KEYSTORE_NAME undefined"
   return 0
-fi
-
-${WILDFLY_CLI_PATH} -c <<EOF
-batch
-/subsystem=elytron/key-store=httpsKS:add(path=${KEYSTORE_NAME},relative-to=jboss.server.config.dir,credential-reference={clear-text=${KEYSTORE_PASS}},type=PKCS12)
-/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=${KEYSTORE_PASS}})
-/subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
-/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
-/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
-run-batch
+else
+  ${WILDFLY_CLI_PATH} -c <<EOF
+  batch
+  /subsystem=elytron/key-store=httpsKS:add(path=${KEYSTORE_NAME},relative-to=jboss.server.config.dir,credential-reference={clear-text=${KEYSTORE_PASS}},type=PKCS12)
+  /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,credential-reference={clear-text=${KEYSTORE_PASS}})
+  /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"])
+  /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
+  /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
+  run-batch
 EOF
+fi
 }
 
 config_proxy() {

diff --git a/scripts/update-certs-builder.sh b/scripts/update-certs-builder.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# All arguments are treated as certificates
+CUSTOM_CRT_URL="$*"
+
+if [ -z "${CUSTOM_CRT_URL}" ] ; then
+  echo "No custom certs passed.  Nothing to update"
+  exit 0
+fi
+
+for cert in $CUSTOM_CRT_URL
+do
+  echo Downloading "$cert"
+  name=$(echo "$cert" | rev | cut -f1 -d"/" | rev | cut -f1 -d'.') || exit 1
+  wget -O "/usr/local/share/ca-certificates/custom-${name}.crt" "$cert" || exit 1
+done
+
+update-ca-certificates || exit 1
+
+for cert in $CUSTOM_CRT_URL
+do
+  echo Importing "$cert"
+  name=$(echo "$cert" | rev | cut -f1 -d"/" | rev | cut -f1 -d'.') || exit 1
+  keytool -import -alias "custom_${name}" -file "/usr/local/share/ca-certificates/custom-${name}.crt" -cacerts -storepass changeit -noprompt || exit 1
+done
diff --git a/scripts/update-certs-runner.sh b/scripts/update-certs-runner.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# All arguments are treated as certificates
+CUSTOM_CRT_URL="$*"
+
+if [ -z "${CUSTOM_CRT_URL}" ] ; then
+  echo "No custom certs passed.  Nothing to update"
+  exit 0
+fi
+
+for cert in $CUSTOM_CRT_URL
+do
+  echo Downloading "$cert"
+  name=$(echo "$cert" | rev | cut -f1 -d"/" | rev | cut -f1 -d'.')
+  curl -sS -o "/etc/pki/ca-trust/source/anchors/custom-${name}.crt" "$cert"  || exit 1
+done
+
+update-ca-trust || exit 1
+
+for cert in $CUSTOM_CRT_URL
+do
+  echo Importing "$cert"
+  name=$(echo "$cert" | rev | cut -f1 -d"/" | rev | cut -f1 -d'.')
+  keytool -import -alias "custom_${name}" -file "/etc/pki/ca-trust/source/anchors/custom-${name}.crt" -cacerts -storepass changeit -noprompt || exit 1
+done