From b252b950000ddfe1ba6033749564a383aa56997d Mon Sep 17 00:00:00 2001
From: Robert Butora <robert.butora@inaf.it>
Date: Mon, 23 Sep 2024 15:53:14 +0200
Subject: [PATCH] docker: make TLS configurable (uses JKS keystore with
 password)

---
 docker/Dockerfile.soda                        |  2 +-
 docker/Dockerfile.soda.temurin-jammy          |  2 +-
 .../server-connector.xml-8443}                |  2 +-
 docker/start-soda.sh.soda                     | 23 +++++++++++++------
 4 files changed, 19 insertions(+), 10 deletions(-)
 rename docker/{example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks => deps/server-connector.xml-8443} (83%)

diff --git a/docker/Dockerfile.soda b/docker/Dockerfile.soda
index 155b29c..305e9df 100644
--- a/docker/Dockerfile.soda
+++ b/docker/Dockerfile.soda
@@ -41,7 +41,7 @@ RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
  && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties
 
 # change webapps-dir and preconfigure port 8080 (no SSL)
-COPY deps/server.xml deps/server-connector.xml ${CATALINA_BASE}/conf/
+COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/
 
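Review bot: The comment above the changed `COPY` line still reads "preconfigure port 8080 (no SSL)", but the new glob `deps/server-connector.xml*` now also ships the 8443 TLS connector into `${CATALINA_BASE}/conf/`, so the comment no longer describes what is copied; I would change it to `# ship the plain 8080 connector plus the 8443 TLS variant; start-soda.sh selects the TLS one when a keystore is mounted`. The glob also picks up anything else matching that prefix in `deps/` (an editor backup or a stray `server-connector.xml.orig`), which would then sit in the Tomcat conf directory unnoticed; listing the two files explicitly, `COPY deps/server.xml deps/server-connector.xml deps/server-connector.xml-8443 ${CATALINA_BASE}/conf/`, avoids that. The same applies to the identical hunk in docker/Dockerfile.soda.temurin-jammy, whose comment additionally misspells TLS as "TSL".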
diff --git a/docker/Dockerfile.soda.temurin-jammy b/docker/Dockerfile.soda.temurin-jammy
index 893dd84..709444e 100644
--- a/docker/Dockerfile.soda.temurin-jammy
+++ b/docker/Dockerfile.soda.temurin-jammy
@@ -37,7 +37,7 @@ RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
  && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties
 
 # pre-configure port 8080 (no TSL)
-COPY deps/server.xml deps/server-connector.xml ${CATALINA_BASE}/conf/
+COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/
 
diff --git a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks b/docker/deps/server-connector.xml-8443
similarity index 83%
rename from docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
rename to docker/deps/server-connector.xml-8443
index 02ca450..4ad63d4 100644
--- a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
+++ b/docker/deps/server-connector.xml-8443
@@ -4,7 +4,7 @@
         <SSLHostConfig>
             <Certificate certificateKeyAlias="tomcat"
                          certificateKeystoreFile="/etc/pki/tls/keystore.jks"
-                         certificateKeystorePassword="tomcatskassl"
+                         certificateKeystorePasswordFile="/etc/pki/tls/keystore.pwd"
                          type="RSA" />
         </SSLHostConfig>
    </Connector>
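Review bot: The new `certificateKeystorePasswordFile="/etc/pki/tls/keystore.pwd"` line moves the secret out of the connector config, but nothing in the commit says how that file must be provisioned, and the start script only checks that it exists; I would add an XML comment above the `<Certificate` element such as `<!-- keystore.pwd contains only the keystore password; mount it readable by the Tomcat user alone (0400) and keep it out of the image -->`. The file this was renamed from committed the literal password `tomcatskassl`, which stays in the repository history; it was the example self-signed keystore's password, but any deployment that reused it for a real keystore should rotate it. Support for `certificateKeystorePasswordFile` presumably depends on the Tomcat release in the base image — if the image's Tomcat predates it the connector will fail to start, so it is worth noting the minimum version in the Dockerfile. The enclosing `<Connector>` element starts outside the hunk.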
diff --git a/docker/start-soda.sh.soda b/docker/start-soda.sh.soda
index 90da39c..5f722c9 100755
--- a/docker/start-soda.sh.soda
+++ b/docker/start-soda.sh.soda
@@ -8,13 +8,26 @@ whoami
 env
 
 
-## configure SODA
+# configure SODA
 
 mkdir -p $CATALINA_BASE/conf/Catalina/localhost
 cp $WEBAPP_DIR/META-INF/context.xml $CATALINA_BASE/conf/Catalina/localhost/$ACCESS_CONTEXT_ROOT.xml
 
+# configure TLS
 
-## Security
+if [ -f /etc/pki/tls/keystore.jks ] && [ -f /etc/pki/tls/keystore.pwd ];
+then
+   cp $CATALINA_BASE/conf/server-connector.xml-8443 $CATALINA_BASE/conf/server-connector.xml
+fi
+
+case $KEYSTORE_ALIAS in
+   *)
+      echo $KEYSTORE_ALIAS
+      sed -i "s/tomcat/$KEYSTORE_ALIAS/" $CATALINA_BASE/conf/server-connector.xml
+      ;;
+esac
+
+# env SECURITY (deprecated)
 
 case $SECURITY in
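Review bot: The `case $KEYSTORE_ALIAS in` block has a single `*)` arm, so the `sed -i` runs unconditionally: when KEYSTORE_ALIAS is unset it rewrites `certificateKeyAlias="tomcat"` to an empty alias, and because it runs outside the preceding `if`, it also edits the plain 8080 `server-connector.xml` whenever that file contains the string "tomcat". The expression `s/tomcat/$KEYSTORE_ALIAS/` replaces the first "tomcat" on every line rather than the alias attribute only, and an alias containing `/` or `&` breaks or alters the substitution, so the value should be validated before it is interpolated. I would guard on a non-empty alias, anchor the pattern to the attribute, keep the whole thing inside the TLS branch, and quote the expansions. The rest of the script continues outside the hunk.
```shell
# configure TLS
if [ -f /etc/pki/tls/keystore.jks ] && [ -f /etc/pki/tls/keystore.pwd ]; then
   cp "$CATALINA_BASE/conf/server-connector.xml-8443" "$CATALINA_BASE/conf/server-connector.xml"
   if [ -n "$KEYSTORE_ALIAS" ]; then
      case $KEYSTORE_ALIAS in
         *[/\&]*) echo "KEYSTORE_ALIAS must not contain '/' or '&'" >&2; exit 1 ;;
      esac
      sed -i "s/certificateKeyAlias=\"tomcat\"/certificateKeyAlias=\"$KEYSTORE_ALIAS\"/" \
         "$CATALINA_BASE/conf/server-connector.xml"
   fi
fi
# … unchanged: env SECURITY (deprecated) case …
```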
    iamtoken)
@@ -23,12 +36,8 @@ case $SECURITY in
       cp /etc/pki/tls/iamtoken.properties $WEBAPP_DIR/WEB-INF/classes/
       rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar
       ;;
-   tls)
-      cp /etc/pki/tls/server-connector.xml $CATALINA_BASE/conf
-      rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*.jar
-      ;;
    *)
-      echo "Security not configured, runs open."
+      echo "SECURITY not configured."
       ;;
 esac
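Review bot: Removing the `tls)` arm means a deployment that still sets SECURITY=tls now falls into `*)` and only sees "SECURITY not configured.", with no hint that the mechanism moved to the mounted keystore.jks/keystore.pwd pair; since the header marks SECURITY as deprecated, an explicit arm keeps the migration visible: `tls) echo "SECURITY=tls is deprecated: mount /etc/pki/tls/keystore.jks and keystore.pwd instead" >&2 ;;`. The removed arm also deleted `$WEBAPP_DIR/WEB-INF/lib/jjwt-*.jar`; if that was deliberate hardening for TLS-only deployments, the new keystore path no longer does it, which may be intended but is worth stating in the commit message.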
 
-- 
GitLab