diff --git a/roles/manage/files/__cacert_entrypoint.sh b/roles/manage/files/__cacert_entrypoint.sh
new file mode 100644
index 000000000..715e7a1d1
--- /dev/null
+++ b/roles/manage/files/__cacert_entrypoint.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ -n "$(ls -A /certificates 2>/dev/null)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT="$JAVA_HOME/lib/security/cacerts"
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT="$JAVA_HOME/jre/lib/security/cacerts"
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml
index 1d19bef6d..5eeeb2e1c 100644
--- a/roles/manage/tasks/main.yml
+++ b/roles/manage/tasks/main.yml
@@ -18,7 +18,7 @@
 mode: "0644"
 - name: copy invite certificate
- copy:
+ ansible.builtin.copy:
 src: "{{ inventory_dir }}/files/certs/invite/public_key.pem"
 dest: "/opt/openconext/manage/public_invite_key.pem"
 owner: root
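Review bot: The script runs under `set -e` but not `-u`, so with JAVA_HOME unset the line `CACERT="$JAVA_HOME/lib/security/cacerts"` silently resolves to `/lib/security/cacerts` and `trust extract --overwrite` then writes a truststore there instead of failing; a guard before the assignment, `: "${JAVA_HOME:?JAVA_HOME must be set}"`, makes the misconfiguration fail loudly. The task name calls this the "old" entrypoint, but the script itself has no header saying which upstream image it was copied from or why that version is pinned; a two-line comment under the shebang recording the origin and the reason would help whoever has to refresh it. That header should also state that everything under /certificates is imported as a CA anchor trusted for server auth, since that directory is effectively a trust boundary for the JVM. The same file is added byte-identically under roles/myconext/files and roles/oidcng/files; a single shared copy (or a common role) would keep the three from drifting.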
@@ -40,6 +40,14 @@
 - manage-api-users.yml
 notify: restart manageserver
+- name: Place old __cacert_entrypoint.sh script
+ ansible.builtin.copy:
+ src: "__cacert_entrypoint.sh"
+ dest: "/opt/openconext/manage"
+ owner: "root"
+ group: "root"
+ mode: "0755"
+
 - name: copy metadata configuration
 ansible.builtin.template:
 src: "metadata_configuration/{{ item }}.schema.json.j2"
@@ -81,6 +89,10 @@
 - source: /opt/openconext/manage/mongoca.pem
 target: /certificates/mongoca.crt
 type: bind
+ - source: /opt/openconext/manage/__cacert_entrypoint.sh
+ target: /__cacert_entrypoint.sh
+ type: bind
+
 command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"
 etc_hosts:
 host.docker.internal: host-gateway
diff --git a/roles/myconext/files/__cacert_entrypoint.sh b/roles/myconext/files/__cacert_entrypoint.sh
new file mode 100644
index 000000000..715e7a1d1
--- /dev/null
+++ b/roles/myconext/files/__cacert_entrypoint.sh
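Review bot: The copy task's `dest: "/opt/openconext/manage"` has neither a file name nor a trailing slash, so ansible.builtin.copy only places the script inside that directory if it already exists; otherwise it writes the script to a file literally named `manage`. Writing `dest: "/opt/openconext/manage/__cacert_entrypoint.sh"` makes the intent explicit regardless of task ordering. The task also has no `notify`, and because the script is bind-mounted into the container as a single file, a replaced file on the host is typically not seen by the running container until it is restarted; the task directly above notifies `restart manageserver`, and this one should too. The myconext (@@ -84) and oidcng (@@ -80) copy tasks have the same two gaps.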
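Review bot: The manage container gets the script bind-mounted at `/__cacert_entrypoint.sh`, but unlike the myconext container in this commit no `entrypoint:` is set, so the script only runs if the image's default entrypoint already is that exact path, which the diff does not show. Setting `entrypoint: ["sh", "/__cacert_entrypoint.sh"]` explicitly makes the behaviour independent of the base image and consistent across the three roles. Whether USE_SYSTEM_CA_CERTS is set in this container's env is outside the hunk, so I cannot tell from here whether the script would actually import anything. The oidcng hunk at @@ -94 has the same gap.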
@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ -n "$(ls -A /certificates 2>/dev/null)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT="$JAVA_HOME/lib/security/cacerts"
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT="$JAVA_HOME/jre/lib/security/cacerts"
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml
index 3bb0cc2d6..9b0fd9bfe 100644
--- a/roles/myconext/tasks/main.yml
+++ b/roles/myconext/tasks/main.yml
@@ -84,6 +84,14 @@
 group: "root"
 mode: "0750"
+- name: Place old __cacert_entrypoint.sh script
+ ansible.builtin.copy:
+ src: "__cacert_entrypoint.sh"
+ dest: "/opt/openconext/myconext"
+ owner: "root"
+ group: "root"
+ mode: "0755"
+
 - name: Create and start the server container
 community.docker.docker_container:
 name: myconextserver
@@ -92,7 +100,7 @@
 restart_policy: "always"
 state: started
 env:
- USE_SYSTEM_CA_CERTS: "true"
+ USE_SYSTEM_CA_CERTS: "1"
 TZ: "{{ timezone }}"
 networks:
 - name: "loadbalancer"
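Review bot: Changing `USE_SYSTEM_CA_CERTS` from `"true"` to `"1"` has no functional effect, because the entrypoint added in this commit tests `[ -n "$USE_SYSTEM_CA_CERTS" ]` and so treats any non-empty value as the opt-in. Since the value is not self-explanatory, an inline comment would save the next reader from looking it up: `USE_SYSTEM_CA_CERTS: "1"  # any non-empty value enables the CA import in __cacert_entrypoint.sh`. The docker_container task this env belongs to starts before the hunk.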
@@ -103,17 +111,14 @@
 - source: /opt/openconext/certs/mongoca.crt
 target: /certificates/mongoca.crt
 type: bind
- entrypoint: /__cacert_entrypoint.sh
- command: 'java -jar /app.jar -Xmx256M --spring.config.location=./config/'
+ - source: /opt/openconext/myconext/__cacert_entrypoint.sh
+ target: /__cacert_entrypoint.sh
+ type: bind
+ entrypoint: ["sh","/__cacert_entrypoint.sh"]
+ command: ["java" , "-jar" , "/app.jar" , "-Xmx256M" , "--spring.config.location=./config/"]
 etc_hosts:
 host.docker.internal: host-gateway
- healthcheck:
- test: ["CMD", "wget", "-no-verbose", "--tries=1", "--spider", "http://localhost:8080/internal/health" ]
- interval: 10s
- timeout: 10s
- retries: 3
- start_period: 10s
- notify: restart myconextserver
+ tags: bart
 - name: Create the client container
 community.docker.docker_container:
diff --git a/roles/oidcng/files/__cacert_entrypoint.sh b/roles/oidcng/files/__cacert_entrypoint.sh
new file mode 100644
index 000000000..715e7a1d1
--- /dev/null
+++ b/roles/oidcng/files/__cacert_entrypoint.sh
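Review bot: `tags: bart` replaces both `notify: restart myconextserver` and the whole `healthcheck:` block; the tag reads as a leftover from local testing, and without the notify later config changes no longer restart the container, while without the healthcheck the container loses its unhealthy signal. If the healthcheck was dropped because it never passed, note that `-no-verbose` is not the documented spelling of the wget flag; restoring the block with `test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/internal/health"]` is the smaller change. The new `command:` list also has uneven spacing around commas; `command: ["java", "-jar", "/app.jar", "-Xmx256M", "--spring.config.location=./config/"]` matches the style of the `entrypoint:` line above it. The docker_container task starts before the hunk.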
@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+# Converted to POSIX shell to avoid the need for bash in the image
+
+set -e
+
+# Opt-in is only activated if the environment variable is set
+if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
+
+ # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
+ # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
+ # system location, for whatever reason.
+ if [ -d /certificates ] && [ -n "$(ls -A /certificates 2>/dev/null)" ]; then
+ cp -a /certificates/* /usr/local/share/ca-certificates/
+ fi
+
+ CACERT="$JAVA_HOME/lib/security/cacerts"
+
+ # JDK8 puts its JRE in a subdirectory
+ if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
+ CACERT="$JAVA_HOME/jre/lib/security/cacerts"
+ fi
+
+ # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we
+ # might as well just generate the truststore and skip the hooks.
+ update-ca-certificates
+
+ trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT"
+fi
+
+exec "$@"
diff --git a/roles/oidcng/tasks/main.yml b/roles/oidcng/tasks/main.yml
index d1e2ce47b..d0ebee277 100644
--- a/roles/oidcng/tasks/main.yml
+++ b/roles/oidcng/tasks/main.yml
@@ -80,6 +80,14 @@
 notify:
 - "restart oidcng"
+- name: Place old __cacert_entrypoint.sh script
+ ansible.builtin.copy:
+ src: "__cacert_entrypoint.sh"
+ dest: "/opt/openconext/oidcng"
+ owner: "root"
+ group: "root"
+ mode: "0755"
+
 - name: Create and start the server container
 community.docker.docker_container:
 name: oidcngserver
@@ -94,9 +102,12 @@
 - source: "{{ oidcng_dir }}"
 target: /config/
 type: bind
- - source: /opt/openconext/manage/mongoca.pem
+ - source: /opt/openconext/certs/mongoca.crt
 target: /certificates/mongoca.crt
 type: bind
+ - source: /opt/openconext/oidcng/__cacert_entrypoint.sh
+ target: /__cacert_entrypoint.sh
+ type: bind
 command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"
 etc_hosts:
 host.docker.internal: host-gateway