From 758c04b995129268de730cd4b6919167ee380562 Mon Sep 17 00:00:00 2001
From: Anton Patsev
Date: Sat, 23 Nov 2024 11:46:00 +0600
Subject: [PATCH 1/6] feat: Add support for custom root certificates in Java keystore

---
 api/Dockerfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index 82ac8c023..92f50ce71 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -1,4 +1,4 @@
-# The tag is ignored when a sha is included but the reason to add it are:
+# The tag is ignored when a sha is included but the reason to add it are:
 # 1. Self Documentation: It is difficult to find out what the expected tag is given a sha alone
 # 2. Helps dependabot during discovery of upgrades
 FROM azul/zulu-openjdk-alpine:17-jre-headless-latest@sha256:af4df00adaec356d092651af50d9e80fd179f96722d267e79acb564aede10fda
@@ -10,6 +10,12 @@ RUN apk add --no-cache \
  tzdata
 RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui
 
+RUN mkdir /etc/kafkaui/certs
+
+RUN for cert in /etc/kafkaui/certs/*.crt; do \
+ keytool -import -noprompt -trustcacerts -alias $(basename $cert .crt) -file $cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; \
+ done
+
 # creating folder for dynamic config usage (certificates uploads, etc)
 RUN mkdir /etc/kafkaui/
 RUN chown kafkaui /etc/kafkaui

From a58162646a36b2f5cd5a2956c68c1294dc1ea776 Mon Sep 17 00:00:00 2001
From: Anton Patsev
Date: Sat, 23 Nov 2024 12:04:47 +0600
Subject: [PATCH 2/6] feat: Add support for custom root certificates in Java keystore

---
 api/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index 92f50ce71..6d3d271a7 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
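Review bot: The import loop in the second hunk runs at image build time against a directory that the preceding `RUN mkdir /etc/kafkaui/certs` has just created empty, so the `*.crt` glob never matches, `$cert` expands to the literal pattern and keytool is handed a file that does not exist, which should make the build step fail; certificates an operator mounts into that directory at run time are never seen by this step. `$cert` and `$(basename $cert .crt)` are also unquoted. Patches 2/6, 3/6 and 4/6 keep the same build-time loop, and the `ls ... 1> /dev/null 2>&1` guard added in 4/6 only hides the empty-directory case rather than fixing it; 5/6 moves the import into a runtime script, which is the right place for it. If any build-time import is kept, quote the expansions and skip unmatched globs with `[ -f "$cert" ] || continue`.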
@@ -10,7 +10,7 @@ RUN apk add --no-cache \
  tzdata
 RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui
 
-RUN mkdir /etc/kafkaui/certs
+RUN mkdir -p /etc/kafkaui/certs
 
 RUN for cert in /etc/kafkaui/certs/*.crt; do \
  keytool -import -noprompt -trustcacerts -alias $(basename $cert .crt) -file $cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; \

From e016869ffa43d70c03a4485e5d39ad56d0dfc035 Mon Sep 17 00:00:00 2001
From: Anton Patsev
Date: Sat, 23 Nov 2024 12:05:42 +0600
Subject: [PATCH 3/6] feat: Add support for custom root certificates in Java keystore

---
 api/Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index 6d3d271a7..1df4a46b9 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -10,14 +10,12 @@ RUN apk add --no-cache \
  tzdata
 RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui
 
+# creating folder for dynamic config usage (certificates uploads, etc)
 RUN mkdir -p /etc/kafkaui/certs
-
 RUN for cert in /etc/kafkaui/certs/*.crt; do \
  keytool -import -noprompt -trustcacerts -alias $(basename $cert .crt) -file $cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; \
  done
 
-# creating folder for dynamic config usage (certificates uploads, etc)
-RUN mkdir /etc/kafkaui/
 RUN chown kafkaui /etc/kafkaui
 
 USER kafkaui

From 2a1fcdf5f4195e66df08c9d8c4c24e4519c07081 Mon Sep 17 00:00:00 2001
From: Anton Patsev
Date: Sat, 23 Nov 2024 12:07:10 +0600
Subject: [PATCH 4/6] feat: Add support for custom root certificates in Java keystore

---
 api/Dockerfile | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index 1df4a46b9..37524d9e7 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -12,9 +12,13 @@ RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui
 
 # creating folder for dynamic config usage (certificates uploads, etc)
 RUN mkdir -p /etc/kafkaui/certs
-RUN for cert in /etc/kafkaui/certs/*.crt; do \
- keytool -import -noprompt -trustcacerts -alias $(basename $cert .crt) -file $cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; \
- done
+RUN if ls /etc/kafkaui/certs/*.crt 1> /dev/null 2>&1; then \
+ for cert in /etc/kafkaui/certs/*.crt; do \
+ keytool -import -noprompt -trustcacerts -alias $(basename $cert .crt) -file $cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; \
+ done \
+ else \
+ echo "No certificates found in /etc/kafkaui/certs/"; \
+ fi
 
 RUN chown kafkaui /etc/kafkaui
 

From 5d18e31ccfbb3fb7c14802919971cfc54b7ef502 Mon Sep 17 00:00:00 2001
From: Anton Patsev
Date: Sat, 23 Nov 2024 12:12:27 +0600
Subject: [PATCH 5/6] feat: Add support for custom root certificates in Java keystore

---
 api/Dockerfile | 10 +---------
 api/import-certs.sh | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 api/import-certs.sh

diff --git a/api/Dockerfile b/api/Dockerfile
index 37524d9e7..178b486c8 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -11,15 +11,7 @@ RUN apk add --no-cache \
 RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui
 
 # creating folder for dynamic config usage (certificates uploads, etc)
-RUN mkdir -p /etc/kafkaui/certs
-RUN if ls /etc/kafkaui/certs/*.crt 1> /dev/null 2>&1; then \
- for cert in /etc/kafkaui/certs/*.crt; do \
- keytool -import -noprompt -trustcacerts -alias $(basename $cert .crt) -file $cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; \
- done \
- else \
- echo "No certificates found in /etc/kafkaui/certs/"; \
- fi
-
+RUN mkdir /etc/kafkaui/
 RUN chown kafkaui /etc/kafkaui
 
 USER kafkaui
diff --git a/api/import-certs.sh b/api/import-certs.sh
new file mode 100644
index 000000000..2c99b7f7f
--- /dev/null
+++ b/api/import-certs.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+CERT_DIR="/etc/kafkaui/certs"
+KEYSTORE="$JAVA_HOME/lib/security/cacerts"
+STOREPASS="changeit"
+
+if [ -d "$CERT_DIR" ]; then
+ for cert in $CERT_DIR/*.crt; do
+ if [ -f "$cert" ]; then
+ alias=$(basename "$cert" .crt)
+ echo "Importing $cert with alias $alias"
+ keytool -import -noprompt -trustcacerts -alias "$alias" -file "$cert" -keystore "$KEYSTORE" -storepass "$STOREPASS"
+ fi
+ done
+else
+ echo "No certificates directory found at $CERT_DIR"
+fi
+

From b1d91820775e8f320b60a89de8dec638cd20a84f Mon Sep 17 00:00:00 2001
From: Anton Patsev
Date: Sat, 23 Nov 2024 12:14:41 +0600
Subject: [PATCH 6/6] feat: Add support for custom root certificates in Java keystore

---
 api/Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/api/Dockerfile b/api/Dockerfile
index 178b486c8..f4f3d9cf1 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -11,7 +11,10 @@ RUN apk add --no-cache \
 RUN addgroup -S kafkaui && adduser -S kafkaui -G kafkaui
 
 # creating folder for dynamic config usage (certificates uploads, etc)
-RUN mkdir /etc/kafkaui/
+RUN mkdir -p /etc/kafkaui/certs
+COPY ./import-certs.sh /usr/local/bin/import-certs.sh
+RUN chmod +x /usr/local/bin/import-certs.sh
+
 RUN chown kafkaui /etc/kafkaui
 
 USER kafkaui
@@ -24,4 +27,4 @@ ENV JAVA_OPTS=
 EXPOSE 8080
 
 # see JmxSslSocketFactory docs to understand why add-opens is needed
-CMD java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED $JAVA_OPTS -jar api.jar
+CMD ["sh", "-c", "/usr/local/bin/import-certs.sh && java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED $JAVA_OPTS -jar api.jar"]
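Review bot: A failed `keytool -import` in the new script is silently ignored: there is no `set -e` and the command's exit status is not checked, so the script always ends with status 0 and the `import-certs.sh && java ...` chain added in patch 6/6 starts the application with an incomplete trust store. Two failure modes are easy to hit: the alias already exists when a stopped container is restarted (keytool refuses duplicate aliases), and the keystore is not writable by the runtime user. `for cert in $CERT_DIR/*.crt` also leaves `$CERT_DIR` unquoted, and without `set -u` an unset `JAVA_HOME` silently turns the keystore path into `/lib/security/cacerts`. The rewrite below quotes the expansions, treats an already-present alias as done, and exits non-zero on a real import error; the variable assignments and the `else` branch are unchanged.
```sh
#!/bin/sh
set -eu

# … unchanged: CERT_DIR, KEYSTORE, STOREPASS assignments …

if [ -d "$CERT_DIR" ]; then
  for cert in "$CERT_DIR"/*.crt; do
    [ -f "$cert" ] || continue
    alias=$(basename "$cert" .crt)
    # A restarted container already holds the alias; re-importing it would fail.
    if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
      echo "Alias $alias already present in $KEYSTORE, skipping"
      continue
    fi
    echo "Importing $cert with alias $alias"
    keytool -import -noprompt -trustcacerts -alias "$alias" -file "$cert" \
      -keystore "$KEYSTORE" -storepass "$STOREPASS" \
      || { echo "Failed to import $cert into $KEYSTORE" >&2; exit 1; }
  done
# … unchanged: else branch and closing fi …
```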
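Review bot: The `chown kafkaui /etc/kafkaui` two lines below the new `RUN mkdir -p /etc/kafkaui/certs` is not recursive, so the `certs` subdirectory keeps the build user's ownership; that is fine for a read-only bind mount of `.crt` files but does not match the "certificates uploads" use the comment above it describes, so either `RUN chown -R kafkaui /etc/kafkaui` or a comment stating that `certs` is meant to be mounted read-only would remove the ambiguity. The `COPY` followed by a separate `RUN chmod +x` can be collapsed into `COPY --chmod=755 ./import-certs.sh /usr/local/bin/import-certs.sh` (BuildKit), which also avoids storing the script in two layers.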
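Review bot: The new CMD runs `/usr/local/bin/import-certs.sh` as `kafkaui` (the `USER kafkaui` line in the first hunk precedes it), and the script writes into `$JAVA_HOME/lib/security/cacerts`, which in a stock JRE image is root-owned and not writable by an unprivileged user, so the import is likely to fail on every start unless the base image differs — confirm before merging. Rather than making the system trust store writable, import into a per-container copy of `cacerts` under a path `kafkaui` owns and pass it with `-Djavax.net.ssl.trustStore=<path>` and `-Djavax.net.ssl.trustStorePassword=<password>`; that also keeps restarts idempotent. Separately, `java` is now the second command of an `&&` chain, so `sh` stays PID 1 and the container runtime's SIGTERM reaches the shell rather than the JVM; `exec` it: `CMD ["sh", "-c", "/usr/local/bin/import-certs.sh && exec java --add-opens java.rmi/javax.rmi.ssl=ALL-UNNAMED $JAVA_OPTS -jar api.jar"]`.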