Skip to content

Commit e87dd18

Browse files
idlewisidlewis
committed
Add keystore.xml to overrides not defaults
This prevents a keystore password conflict, if the user has copied a template server.xml (which may include keystore config + password)
1 parent 053c812 commit e87dd18

5 files changed

Lines changed: 75 additions & 25 deletions

File tree

releases/24.0.0.1/full/helpers/runtime/docker-server.sh

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ function importKeyCert() {
2323

2424
# Import the private key and certificate into new keystore
2525
if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
26+
# Mounted certificates found. Assume the user wants to overwrite any existing keystore
27+
# and add these certificates
2628
echo "Found mounted TLS certificates, generating keystore"
2729
setPasswords PASSWORD TRUSTSTORE_PASSWORD
2830
mkdir -p /output/resources/security
@@ -44,7 +46,14 @@ function importKeyCert() {
4446
fi
4547

4648
# Since we are creating new keystore, always write new password to a file
47-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
49+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
50+
# If configure.sh was run at container build time, there will be a keystore.xml in configDropins/defaults
51+
# This will cause a conflict and a warning on server startup, so we should try to delete it
52+
if [ -e "$keystorePathDefault" ];
53+
then
54+
echo "Attempting to remove a previous keystore.xml"
55+
rm "$keystorePathDefault"
56+
fi
4857

4958
# Add mounted CA to the truststore
5059
if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
@@ -70,10 +79,10 @@ function importKeyCert() {
7079
rm -rf /tmp/certs
7180
fi
7281

73-
# Add the keystore password to server configuration
74-
if [ ! -e $keystorePath ]; then
82+
# If no keystore has been created, add a keystore password to server configuration
83+
if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
7584
setPasswords PASSWORD TRUSTSTORE_PASSWORD
76-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
85+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
7786
fi
7887
if [ -e $TRUSTSTORE_FILE ]; then
7988
setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +98,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
8998
SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
9099
SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
91100

92-
keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
101+
keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
102+
keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
93103

94104
if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
95105
cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml

releases/24.0.0.1/kernel-slim/helpers/runtime/docker-server.sh

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ function importKeyCert() {
2323

2424
# Import the private key and certificate into new keystore
2525
if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
26+
# Mounted certificates found. Assume the user wants to overwrite any existing keystore
27+
# and add these certificates
2628
echo "Found mounted TLS certificates, generating keystore"
2729
setPasswords PASSWORD TRUSTSTORE_PASSWORD
2830
mkdir -p /output/resources/security
@@ -44,7 +46,14 @@ function importKeyCert() {
4446
fi
4547

4648
# Since we are creating new keystore, always write new password to a file
47-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
49+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
50+
# If configure.sh was run at container build time, there will be a keystore.xml in configDropins/defaults
51+
# This will cause a conflict and a warning on server startup, so we should try to delete it
52+
if [ -e "$keystorePathDefault" ];
53+
then
54+
echo "Attempting to remove a previous keystore.xml"
55+
rm "$keystorePathDefault"
56+
fi
4857

4958
# Add mounted CA to the truststore
5059
if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
@@ -70,10 +79,10 @@ function importKeyCert() {
7079
rm -rf /tmp/certs
7180
fi
7281

73-
# Add the keystore password to server configuration
74-
if [ ! -e $keystorePath ]; then
82+
# If no keystore has been created, add a keystore password to server configuration
83+
if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
7584
setPasswords PASSWORD TRUSTSTORE_PASSWORD
76-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
85+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
7786
fi
7887
if [ -e $TRUSTSTORE_FILE ]; then
7988
setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +98,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
8998
SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
9099
SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
91100

92-
keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
101+
keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
102+
keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
93103

94104
if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
95105
cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml

releases/latest/beta/helpers/runtime/docker-server.sh

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ function importKeyCert() {
2323

2424
# Import the private key and certificate into new keystore
2525
if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
26+
# Mounted certificates found. Assume the user wants to overwrite any existing keystore
27+
# and add these certificates
2628
echo "Found mounted TLS certificates, generating keystore"
2729
setPasswords PASSWORD TRUSTSTORE_PASSWORD
2830
mkdir -p /output/resources/security
@@ -44,7 +46,14 @@ function importKeyCert() {
4446
fi
4547

4648
# Since we are creating new keystore, always write new password to a file
47-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
49+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
50+
# If configure.sh was run at container build time, there will be a keystore.xml in configDropins/defaults
51+
# This will cause a conflict and a warning on server startup, so we should try to delete it
52+
if [ -e "$keystorePathDefault" ];
53+
then
54+
echo "Attempting to remove a previous keystore.xml"
55+
rm "$keystorePathDefault"
56+
fi
4857

4958
# Add mounted CA to the truststore
5059
if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
@@ -70,10 +79,10 @@ function importKeyCert() {
7079
rm -rf /tmp/certs
7180
fi
7281

73-
# Add the keystore password to server configuration
74-
if [ ! -e $keystorePath ]; then
82+
# If no keystore has been created, add a keystore password to server configuration
83+
if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
7584
setPasswords PASSWORD TRUSTSTORE_PASSWORD
76-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
85+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
7786
fi
7887
if [ -e $TRUSTSTORE_FILE ]; then
7988
setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +98,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
8998
SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
9099
SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
91100

92-
keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
101+
keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
102+
keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
93103

94104
if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
95105
cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml

releases/latest/full/helpers/runtime/docker-server.sh

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ function importKeyCert() {
2323

2424
# Import the private key and certificate into new keystore
2525
if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
26+
# Mounted certificates found. Assume the user wants to overwrite any existing keystore
27+
# and add these certificates
2628
echo "Found mounted TLS certificates, generating keystore"
2729
setPasswords PASSWORD TRUSTSTORE_PASSWORD
2830
mkdir -p /output/resources/security
@@ -44,7 +46,14 @@ function importKeyCert() {
4446
fi
4547

4648
# Since we are creating new keystore, always write new password to a file
47-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
49+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
50+
# If configure.sh was run at container build time, there will be a keystore.xml in configDropins/defaults
51+
# This will cause a conflict and a warning on server startup, so we should try to delete it
52+
if [ -e "$keystorePathDefault" ];
53+
then
54+
echo "Attempting to remove a previous keystore.xml"
55+
rm "$keystorePathDefault"
56+
fi
4857

4958
# Add mounted CA to the truststore
5059
if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
@@ -70,10 +79,10 @@ function importKeyCert() {
7079
rm -rf /tmp/certs
7180
fi
7281

73-
# Add the keystore password to server configuration
74-
if [ ! -e $keystorePath ]; then
82+
# If no keystore has been created, add a keystore password to server configuration
83+
if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
7584
setPasswords PASSWORD TRUSTSTORE_PASSWORD
76-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
85+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
7786
fi
7887
if [ -e $TRUSTSTORE_FILE ]; then
7988
setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +98,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
8998
SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
9099
SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
91100

92-
keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
101+
keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
102+
keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
93103

94104
if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
95105
cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml

releases/latest/kernel-slim/helpers/runtime/docker-server.sh

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ function importKeyCert() {
2323

2424
# Import the private key and certificate into new keystore
2525
if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
26+
# Mounted certificates found. Assume the user wants to overwrite any existing keystore
27+
# and add these certificates
2628
echo "Found mounted TLS certificates, generating keystore"
2729
setPasswords PASSWORD TRUSTSTORE_PASSWORD
2830
mkdir -p /output/resources/security
@@ -44,7 +46,14 @@ function importKeyCert() {
4446
fi
4547

4648
# Since we are creating new keystore, always write new password to a file
47-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
49+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
50+
# If configure.sh was run at container build time, there will be a keystore.xml in configDropins/defaults
51+
# This will cause a conflict and a warning on server startup, so we should try to delete it
52+
if [ -e "$keystorePathDefault" ];
53+
then
54+
echo "Attempting to remove a previous keystore.xml"
55+
rm "$keystorePathDefault"
56+
fi
4857

4958
# Add mounted CA to the truststore
5059
if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
@@ -70,10 +79,10 @@ function importKeyCert() {
7079
rm -rf /tmp/certs
7180
fi
7281

73-
# Add the keystore password to server configuration
74-
if [ ! -e $keystorePath ]; then
82+
# If no keystore has been created, add a keystore password to server configuration
83+
if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
7584
setPasswords PASSWORD TRUSTSTORE_PASSWORD
76-
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
85+
sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
7786
fi
7887
if [ -e $TRUSTSTORE_FILE ]; then
7988
setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +98,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
8998
SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
9099
SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
91100

92-
keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
101+
keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
102+
keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
93103

94104
if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
95105
cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml

0 commit comments

Comments
 (0)