
feat: Add support for custom root certificates in Java keystore #671

Open
wants to merge 6 commits into base: main

Conversation

patsevanton
Copy link
Contributor

@patsevanton patsevanton commented Nov 23, 2024

Feature: Custom Root Certificates in Java Keystore

Description

This pull request introduces support for importing custom root certificates into the Java keystore during the Docker image build process. This enhancement allows the application to trust additional certificates, which is particularly useful for environments where custom certificates are required.

Changes

  • Dockerfile:
    • Added a step to create a directory for certificates (/etc/kafkaui/certs).
    • Added a loop to import any .crt files found in the /etc/kafkaui/certs directory into the Java keystore using keytool.

Please review and provide feedback.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@patsevanton patsevanton requested a review from a team as a code owner November 23, 2024 05:47
@kapybro kapybro bot added status/triage Issues pending maintainers triage status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Nov 23, 2024
@patsevanton
Copy link
Contributor Author

patsevanton commented Nov 23, 2024

I run ./mvnw clean install -Dmaven.test.skip=true -Pprod

What commands do I need to run before launching docker build?
What commands should I use to build a custom docker image?
Maybe there is a docker-compose in which the docker image is assembled?

#!/bin/sh

# Directory scanned for *.crt files to import
CERT_DIR="/etc/kafkaui/certs"
# The JRE's bundled default truststore, modified in place by this script
KEYSTORE="$JAVA_HOME/lib/security/cacerts"
Member

I'd rather see a custom truststore created and passed via these spring properties

server:
  ssl:
    trust-store: classpath:keycloak-truststore.jks
    trust-store-password: changeit

rather than messing with jre's truststore, what do you think?

Contributor Author

Where do I configure Spring properties?
Do I need to add a certificate to keycloak-truststore.jks?

Member

do I need to add a certificate to keycloak-truststore.jks ?
we can build a new truststore from scratch within the same script and put it somewhere

where configure spring properties?
I believe we can try setting env vars like SERVER_SSL_TRUST-STORE: xxx, or leave this to the user (given this will be well documented, adding a few config properties is way easier than building a truststore from scratch)
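The approach the two maintainer comments above describe (build a separate truststore from the .crt files in the same script, then hand its location and password to the application through configuration) is shown below as an added example; it is not the PR's script and not project code. The paths, the TRUSTSTORE_PASSWORD variable and the KEYTOOL override are assumptions chosen for illustration. The env var spelling SERVER_SSL_TRUSTSTORE is Spring Boot's relaxed binding of server.ssl.trust-store; which component of the application actually reads the server.ssl.* properties is not settled on this page, so the script also prints the JVM-wide javax.net.ssl.* system properties that any TLS client in the JVM honours. Two details a build-time loop usually gets wrong are handled: an empty certificate directory (POSIX sh passes the unmatched glob literally) and keytool's requirement that every alias be unique.

```shell
#!/bin/sh
# Added example, not the PR's script: build a separate PKCS12 truststore from
# every *.crt in a directory instead of editing $JAVA_HOME/lib/security/cacerts.
# Assumed (hypothetical) names: the default paths below, TRUSTSTORE_PASSWORD,
# and the KEYTOOL override used for testing.

KEYTOOL="${KEYTOOL:-keytool}"   # override to point at a specific JDK's keytool

# Import every .crt in $1 into the PKCS12 truststore $2 protected by password $3.
# Prints the number of certificates imported. Returns 1 if any import fails.
import_certs() {
    dir="$1"; store="$2"; pass="$3"; n=0
    for crt in "$dir"/*.crt; do
        # In POSIX sh an unmatched glob is kept literally, so an empty
        # directory would otherwise feed keytool the string "<dir>/*.crt".
        [ -f "$crt" ] || continue
        # keytool aliases must be unique per entry; derive one from the file
        # name and replace characters outside [A-Za-z0-9_] with "_".
        alias=$(basename "$crt" .crt | sed 's/[^A-Za-z0-9_]/_/g')
        # -noprompt: do not ask "Trust this certificate?" in a non-interactive build.
        # The password is on the command line (visible to ps); keytool also
        # accepts -storepass:env VAR and -storepass:file PATH.
        "$KEYTOOL" -importcert -noprompt -trustcacerts -storetype PKCS12 \
            -keystore "$store" -storepass "$pass" -alias "$alias" -file "$crt" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Build the truststore and print the variables an entrypoint can export.
main() {
    dir="${1:-/etc/kafkaui/certs}"
    store="${2:-/etc/kafkaui/truststore.p12}"
    pass="${TRUSTSTORE_PASSWORD:-changeit}"
    n=$(import_certs "$dir" "$store" "$pass") || { echo "certificate import failed" >&2; exit 1; }
    echo "imported $n certificate(s) into $store" >&2
    # Spring Boot relaxed binding: server.ssl.trust-store -> SERVER_SSL_TRUSTSTORE
    printf 'SERVER_SSL_TRUSTSTORE=file:%s\n' "$store"
    printf 'SERVER_SSL_TRUSTSTOREPASSWORD=%s\n' "$pass"
    # JVM-wide alternative that outbound TLS clients inside the JVM honour:
    printf 'JAVA_OPTS=-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=%s\n' "$store" "$pass"
}

# Runs only when invoked with arguments, e.g.:
#   sh build-truststore.sh /etc/kafkaui/certs /etc/kafkaui/truststore.p12
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Keeping the certificates out of the JRE's cacerts means a base-image update that replaces cacerts cannot silently drop the custom roots, and the resulting truststore.p12 is a single file that can be mounted or copied into the image and referenced from configuration.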

Contributor Author

I am not a Java developer. I don't know Spring. Could you share a simple example without Kubernetes?

Contributor Author

@Haarolean Could you share a simple example without Kubernetes?

@Haarolean
Copy link
Member

I run ./mvnw clean install -Dmaven.test.skip=true -Pprod

What commands do I need to run before launching docker build? What commands should I use to build a custom docker image? Maybe there is a docker-compose in which the docker image is assembled?

clean install with prod profile enabled will build the image, you don't have to do this manually.

@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes and removed status/triage/manual Manual triage in progress labels Nov 26, 2024
Labels
scope/backend Related to backend changes status/triage/completed Automatic triage completed type/enhancement En enhancement/improvement to an already existing feature