docker: make TLS configurable (uses JKS keystore with password)

b252b950 · Robert Butora · 4ee07f4b · b252b950 · b252b950 · b252b950
Commit b252b950 authored 8 months ago by Robert Butora
--- a/docker/Dockerfile.soda
+++ b/docker/Dockerfile.soda
@@ -41,7 +41,7 @@ RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
 && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties

 # change webapps-dir and preconfigure port 8080 (no SSL)
-COPY deps/server.xml deps/server-connector.xml ${CATALINA_BASE}/conf/
+COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/


--- a/docker/Dockerfile.soda.temurin-jammy
+++ b/docker/Dockerfile.soda.temurin-jammy
@@ -37,7 +37,7 @@ RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
 && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties

 # pre-configure port 8080 (no TSL)
-COPY deps/server.xml deps/server-connector.xml ${CATALINA_BASE}/conf/
+COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/


--- a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
+++ b/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
@@ -4,7 +4,7 @@
        <SSLHostConfig>
            <Certificate certificateKeyAlias="tomcat"
                         certificateKeystoreFile="/etc/pki/tls/keystore.jks"
-                         certificateKeystorePassword="tomcatskassl"
+                         certificateKeystorePasswordFile="/etc/pki/tls/keystore.pwd"
                         type="RSA" />
        </SSLHostConfig>
   </Connector>

--- a/docker/start-soda.sh.soda
+++ b/docker/start-soda.sh.soda
@@ -8,13 +8,26 @@ whoami
 env


-## configure SODA
+# configure SODA

 mkdir -p $CATALINA_BASE/conf/Catalina/localhost
 cp $WEBAPP_DIR/META-INF/context.xml $CATALINA_BASE/conf/Catalina/localhost/$ACCESS_CONTEXT_ROOT.xml

+# configure TLS

-## Security
+if [ -f /etc/pki/tls/keystore.jks ] && [ -f /etc/pki/tls/keystore.pwd ];
+then
+   cp $CATALINA_BASE/conf/server-connector.xml-8443 $CATALINA_BASE/conf/server-connector.xml
+fi
+
+case $KEYSTORE_ALIAS in
+   *)
+      echo $KEYSTORE_ALIAS
+      sed -i "s/tomcat/$KEYSTORE_ALIAS/" $CATALINA_BASE/conf/server-connector.xml
+      ;;
+esac
+
+# env SECURITY (deprecated)

 case $SECURITY in
   iamtoken)
@@ -23,12 +36,8 @@ case $SECURITY in
      cp /etc/pki/tls/iamtoken.properties $WEBAPP_DIR/WEB-INF/classes/
      rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar
      ;;
-   tls)
-      cp /etc/pki/tls/server-connector.xml $CATALINA_BASE/conf
-      rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*.jar
-      ;;
   *)
-      echo "Security not configured, runs open."
+      echo "SECURITY not configured."
      ;;
 esac