diff --git a/charts/sn-platform-slim/templates/tls/keytool.yaml b/charts/sn-platform-slim/templates/tls/keytool.yaml new file mode 100644 index 000000000..2aac89f42 --- /dev/null +++ b/charts/sn-platform-slim/templates/tls/keytool.yaml @@ -0,0 +1,112 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# script to process key/cert to keystore and truststore +{{- if .Values.tls.enabled }} +{{- if (and .Values.tls.broker.enabled .Values.broker.kop.enabled)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "pulsar.fullname" . }}-keytool-configmap" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: keytool +data: + keytool.sh: | + #!/bin/bash + component=$1 + name=$2 + isClient=$3 + crtFile=/pulsar/certs/${component}/tls.crt + keyFile=/pulsar/certs/${component}/tls.key + caFile=/pulsar/certs/ca/ca.crt + p12File=/pulsar/${component}.p12 + keyStoreFile=/pulsar/${component}.keystore.jks + trustStoreFile=/pulsar/${component}.truststore.jks + + function checkFile() { + local file=$1 + local len=$(wc -c ${file} | awk '{print $1}') + echo "processing ${file} : len = ${len}" + if [ ! -f ${file} ]; then + echo "${file} is not found" + return -1 + fi + if [ $len -le 0 ]; then + echo "${file} is empty" + return -1 + fi + } + + function ensureFileNotEmpty() { + local file=$1 + until checkFile ${file}; do + echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3; + done; + } + + ensureFileNotEmpty ${crtFile} + ensureFileNotEmpty ${keyFile} + ensureFileNotEmpty ${caFile} + + export PASSWORD=$(head /dev/urandom | base64 | head -c 24) + + openssl pkcs12 \ + -export \ + -in ${crtFile} \ + -inkey ${keyFile} \ + -out ${p12File} \ + -name ${name} \ + -passout "pass:${PASSWORD}" + + keytool -importkeystore \ + -srckeystore ${p12File} \ + -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \ + -alias ${name} \ + -destkeystore ${keyStoreFile} \ + -deststorepass "${PASSWORD}" + + keytool -import \ + -file ${caFile} \ + -storetype JKS \ + -alias ${name} \ + -keystore ${trustStoreFile} \ + -storepass "${PASSWORD}" \ + -trustcacerts -noprompt + + ensureFileNotEmpty ${keyStoreFile} + ensureFileNotEmpty ${trustStoreFile} + + if [[ "x${isClient}" == "xtrue" ]]; then + echo "update tls client settings ..." +{{- if and .Values.tls.broker.enabled .Values.broker.kop.enabled }} + echo $'\n' >> conf/broker.conf + echo "kopSslKeystorePassword=${PASSWORD}" >> conf/broker.conf + echo $'\n' >> conf/broker.conf + echo "kopSslKeyPassword=${PASSWORD}" >> conf/broker.conf + echo $'\n' >> conf/broker.conf + echo "kopSslTruststorePassword=${PASSWORD}" >> conf/broker.conf +{{- end }} + else + echo "update tls client settings ..." + fi + echo ${PASSWORD} > conf/password +{{- end }} +{{- end }} \ No newline at end of file