Merge pull request #321 from TIBCOSoftware/feature-cert-manager

Add certificate manager support

cloud/docker/build_image.bat

@@ -781,6 +781,9 @@ if "!IMAGE_NAME!" NEQ "!TEA_IMAGE!" (
             ) else if "!CP!" EQU "gvcyberark" (
                 mkdir !TEMP_FOLDER!\configproviders\!CP!
                 xcopy /Q /C /Y .\configproviders\!CP!\*!SCRIPT_EXTN! !TEMP_FOLDER!\configproviders\!CP! > NUL
+            ) else if "!CP!" EQU "cmcncf" (
+                mkdir !TEMP_FOLDER!\configproviders\!CP!
+                xcopy /Q /C /Y .\configproviders\!CP!\*!SCRIPT_EXTN! !TEMP_FOLDER!\configproviders\!CP! > NUL    
             ) else (
                 if EXIST ".\configproviders\!CP!" (
                     if NOT EXIST ".\configproviders\!CP!\setup!SCRIPT_EXTN!" (
@@ -1050,7 +1053,7 @@ EXIT /B 0
     echo.
     echo  [-d/--docker-file]   :    Dockerfile to be used for generating image [optional]
     echo.
-    echo  [--config-provider]  :    Name of Config Provider to be included in the image ("gvconsul"^|"gvhttp"^|"gvcyberark"^|"custom") [optional]
+    echo  [--config-provider]  :    Name of Config Provider to be included in the image ("gvconsul"^|"gvhttp"^|"gvcyberark"^|"cmcncf"^|"custom") [optional]
     echo                            To add more than one Config Provider use comma separated format ex: "gvconsul,gvhttp"
     echo                            Note: This flag is ignored if --image-type is "!TEA_IMAGE!"
     echo.

cloud/docker/build_image.sh

@@ -131,7 +131,7 @@ USAGE+="                                 Ignored  if --image-type is \"$TEA_IMAG
 USAGE+="\n\n [-s/--source]        :    Path to BE_HOME or TIBCO installers (BusinessEvents, Activespaces or FTL) are present (default \"../../\")"
 USAGE+="\n\n [-t/--tag]           :    Name and optionally a tag in the 'name:tag' format [optional]"
 USAGE+="\n\n [-d/--docker-file]   :    Dockerfile to be used for generating image [optional]"
-USAGE+="\n\n [--config-provider]  :    Name of Config Provider to be included in the image (\"gvconsul\"|\"gvhttp\"|\"gvcyberark\"|\"custom\") [optional]\n"
+USAGE+="\n\n [--config-provider]  :    Name of Config Provider to be included in the image (\"gvconsul\"|\"gvhttp\"|\"gvcyberark\"|\"cmcncf\"|\"custom\") [optional]\n"
 USAGE+="                           To add more than one Config Provider use comma separated format ex: \"gvconsul,gvhttp\" \n"
 USAGE+="                           Note: This flag is ignored if --image-type is \"$TEA_IMAGE\""
 USAGE+="\n\n [--disable-tests]    :    Disables docker unit tests on created image (applicable only for \"$APP_IMAGE\" and \"$BUILDER_IMAGE\" image types) [optional]"
@@ -796,7 +796,7 @@ if [ "$IMAGE_NAME" != "$TEA_IMAGE" ]; then
 
         for CP in "${CPs[@]}"
         do
-            if [ "$CP" = "gvhttp" -o "$CP" = "gvconsul" -o "$CP" = "gvcyberark" ]; then
+            if [ "$CP" = "gvhttp" -o "$CP" = "gvconsul" -o "$CP" = "gvcyberark" -o "$CP" = "cmcncf" ]; then
                 mkdir -p $TEMP_FOLDER/configproviders/$CP
                 cp -a ./configproviders/$CP/*.sh $TEMP_FOLDER/configproviders/$CP
             else

cloud/docker/configproviders/cmcncf/run.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2023. TIBCO Software Inc.
+# This file is subject to the license terms contained in the license file that is distributed with this file.
+#
+
+SECRETS_PATH=/opt/tibco/certs
+
+if ! [ -d $CERTS_PATH ]; then
+  echo "INFO: Creating trustfolder directory: $CERTS_PATH"
+  mkdir -p $CERTS_PATH 
+fi
+
+generate_key_store_certs()
+{
+
+  oIFS="$IFS"; IFS=','; declare -a CNCF_KEYSTORE_CERTs=($CNCF_KEYSTORE_CERT); IFS="$oIFS"; unset oIFS
+
+  #Remove duplicate k8s secret names list
+  CNCF_SRVR_CERT=( `for i in ${CNCF_KEYSTORE_CERTs[@]}; do echo $i; done | sort -u` )
+
+  for (( i=0; i < "${#CNCF_SRVR_CERT[@]}"; i++ ));
+  do    
+    echo "INFO: Adding "${CNCF_SRVR_CERT[$i]}" Private keypair to keystore.jks"
+    P12CERT=$SECRETS_PATH/${CNCF_SRVR_CERT[$i]}.p12
+
+    # Convert the crt files to p12 and add it to cert_keystore
+    openssl pkcs12 -inkey $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/tls.key -in $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/tls.crt -export -out $P12CERT -name ${CNCF_SRVR_CERT[$i]} -passin pass:$KEYSTORE_PASSPHRASE -passout pass:$KEYSTORE_PASSPHRASE -password pass:$KEYSTORE_PASSPHRASE
+    keytool -importkeystore -srckeystore $P12CERT -srcstoretype PKCS12 -destkeystore $CERT_KEYSTORE -deststoretype PKCS12 -srcstorepass $KEYSTORE_PASSPHRASE -deststorepass $KEYSTORE_PASSPHRASE -srcalias ${CNCF_SRVR_CERT[$i]} -destalias ${CNCF_SRVR_CERT[$i]} -srckeypass $KEYSTORE_PASSPHRASE -destkeypass $KEYSTORE_PASSPHRASE -noprompt
+
+    # Add ca root certificate to cert_keystore 
+    keytool -keystore $CERT_KEYSTORE -alias CA-${CNCF_SRVR_CERT[$i]} -import -file $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/ca.crt -storepass $KEYSTORE_PASSPHRASE -keypass $KEYSTORE_PASSPHRASE -noprompt
+
+    # Copy ca.crt file to certs_path
+    cp $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/ca.crt $CERTS_PATH/ca-cncf-server-$i.crt
+
+    # Delete download private and public certs
+    rm -rf $P12CERT
+  done
+}
+
+generate_trust_store_certs()
+{
+
+  oIFS="$IFS"; IFS=','; declare -a CNCF_TRUSTSTORE_CERTs=($CNCF_TRUSTSTORE_CERT); IFS="$oIFS"; unset oIFS
+
+  #Remove duplicate k8s secret names list
+  CNCF_CLNT_CERT=( `for i in ${CNCF_TRUSTSTORE_CERTs[@]}; do echo $i; done | sort -u` )
+
+  for (( i=0; i < "${#CNCF_CLNT_CERT[@]}"; i++ ));
+  do    
+    echo "INFO: Adding "${CNCF_CLNT_CERT[$i]}" to truststore.jks"
+    #Convert convert certs to p12 and jks, generate truststore jks 
+    keytool -keystore $CERT_TRUSTSTORE -alias localhost-$i -import -file $SECRETS_PATH/${CNCF_CLNT_CERT[$i]}/tls.crt -storepass $TRUSTSTORE_PASSPHRASE -keypass $TRUSTSTORE_PASSPHRASE -noprompt
+
+    # Add ca.crt to truststore jks
+    keytool -keystore $CERT_TRUSTSTORE -alias CARoot-$i -import -file $SECRETS_PATH/${CNCF_CLNT_CERT[$i]}/ca.crt -storepass $TRUSTSTORE_PASSPHRASE -keypass $TRUSTSTORE_PASSPHRASE -noprompt
+    # Copy ca.crt file to certs_path
+    cp $SECRETS_PATH/${CNCF_CLNT_CERT[$i]}/ca.crt $CERTS_PATH/ca-cncf-client-$i.crt
+  done  
+}
+
+if [[ -z "$CNCF_KEYSTORE_CERT" ]]; then
+  echo "WARN: Config Provider[cmcnf] is configured but env variable CNCF_KEYSTORE_CERT is empty OR not supplied."
+  echo "WARN: Skip converting certificates to JKS"
+else
+  generate_key_store_certs
+fi
+
+if [[ -z "$CNCF_TRUSTSTORE_CERT" ]]; then
+  echo "WARN: Config Provider[cmcnf] is configured but env variable CNCF_TRUSTSTORE_CERT is empty OR not supplied."
+  echo "WARN: Skip converting certificates to JKS"
+else
+  generate_trust_store_certs
+fi
+

cloud/docker/configproviders/cmcncf/setup.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2023. TIBCO Software Inc.
+# This file is subject to the license terms contained in the license file that is distributed with this file.
+#
+
+source /home/tibco/be/configproviders/cputils.sh
+
+echo "INFO: Check for openssl and keytool utilites"
+
+if ! [ -x $(command -v openssl) ] ; then
+    REQUIRED_PKGS="openssl"    
+fi
+
+if ! [ -x $(command -v keytool) ] ; then
+    echo "ERROR: keytool utility is required and it doesnot exists, exiting the build"
+    exit 1;
+fi
+
+# fill this variable with packages used only during build time. Multiple packages can be represented in a space separated format ex: "curl unzip".
+INSTALL_PKGS_LIST=$( getInstallPkgs "$REQUIRED_PKGS" )
+CLEANUP_PKGS_LIST=$( getCleanupPkgs "$BUILD_PKGS" "$INSTALL_PKGS_LIST" )
+
+# installing required packages
+if [ "$INSTALL_PKGS_LIST" != "" ]; then
+    package-manager install -y $INSTALL_PKGS_LIST
+fi  
+

cloud/docker/configproviders/custom/cmazure/run.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2023. TIBCO Software Inc.
+# This file is subject to the license terms contained in the license file that is distributed with this file.
+#
+
+if [[ -z "$AZ_CLIENT_ID" ]]; then
+  echo "ERROR: Cannot read certificates from Azure Key Vault."
+  echo "ERROR: Specify env variable AZ_CLIENT_ID"
+  exit 1
+fi
+
+if [[ -z "$AZ_CLIENT_PASSWORD" ]]; then
+  echo "ERROR: Cannot read certificates from Azure Key Vault."
+  echo "ERROR: Specify env variable AZ_CLIENT_PASSWORD"
+  exit 1
+fi
+
+if [[ -z "$AZ_TENANT_ID" ]]; then
+  echo "ERROR: Cannot read certificates from Azure Key Vault."
+  echo "ERROR: Specify env variable AZ_TENANT_ID"
+  exit 1
+fi
+
+if [[ -z "$AZ_KV_NAME" ]]; then
+  echo "ERROR: Cannot read certificates from Azure Key Vault."
+  echo "ERROR: Specify env variable AZ_KV_NAME"
+  exit 1
+fi
+
+#Login to Azure using service principal
+az login --service-principal -u $AZ_CLIENT_ID -p $AZ_CLIENT_PASSWORD --tenant $AZ_TENANT_ID
+
+if ! [ -d $CERTS_PATH ]; then
+  echo "INFO: Creating $CERTS_PATH directory"
+  mkdir -p $CERTS_PATH 
+fi
+
+generate_key_store_certs(){
+
+  oIFS="$IFS"; IFS=','; declare -a AZ_KV_KEYSTORE_CERTs=($AZ_KV_KEYSTORE_CERT); IFS="$oIFS"; unset oIFS
+
+  #Remove duplicate cert names's
+  KEYSTORE_CERT=( `for i in ${AZ_KV_KEYSTORE_CERTs[@]}; do echo $i; done | sort -u` )
+
+  for (( i=0; i < "${#KEYSTORE_CERT[@]}"; i++ ));
+  do
+    FULL_CERT=$SECRETS_PATH/fullcertificate-$i.pfx
+    P12CERT=$SECRETS_PATH/client-$i.p12
+
+    #Download azure client private cert, certificate body and ceritifate chain
+    echo "INFO: Downloading certs : ${KEYSTORE_CERT[$i]}"
+    az keyvault secret download --file $FULL_CERT --name ${KEYSTORE_CERT[$i]} --vault-name $AZ_KV_NAME
+
+    # Convert downloaded azure certs to p12 and jks, generate client jks keystore using CAcert and azure certs
+    openssl pkcs12 -in $FULL_CERT -export -out $P12CERT -name azure-$i -passin pass:$KEYSTORE_PASSPHRASE -passout pass:$KEYSTORE_PASSPHRASE -password  pass:$KEYSTORE_PASSPHRASE
+    keytool -importkeystore -srckeystore $P12CERT -srcstoretype PKCS12 -destkeystore $CERT_KEYSTORE -deststoretype PKCS12 -srcstorepass $KEYSTORE_PASSPHRASE -deststorepass $KEYSTORE_PASSPHRASE -srcalias azure-$i -destalias azure-$i -srckeypass $KEYSTORE_PASSPHRASE -destkeypass $KEYSTORE_PASSPHRASE -noprompt
+
+    # # Delete download private and public certs except CAroot cert
+    rm -rf $P12CERT $FULL_CERT
+  done
+
+}
+
+generate_trust_store_certs(){
+
+  oIFS="$IFS"; IFS=','; declare -a AZ_KV_TRUSTSTORE_CERTs=($AZ_KV_TRUSTSTORE_CERT); IFS="$oIFS"; unset oIFS
+
+  #Remove duplicate cert names's
+  TRUSTSTORE_CERT=( `for i in ${AZ_KV_TRUSTSTORE_CERTs[@]}; do echo $i; done | sort -u` )
+
+  for (( i=0; i < "${#TRUSTSTORE_CERT[@]}"; i++ ));
+  do
+    PUBLIC_CERT=$SECRETS_PATH/certificate-$i.pem
+
+    #Download  azure client private cert, certificate body and ceritifate chain
+    echo "INFO: Downloading certs : ${TRUSTSTORE_CERT[$i]}"
+    az keyvault certificate download --file $PUBLIC_CERT --name ${TRUSTSTORE_CERT[$i]} --vault-name $AZ_KV_NAME
+
+    # Convert downloaded azure certs to p12 and jks, generate client jks keystore using CAcert and azure certs
+    keytool -keystore $CERT_TRUSTSTORE -alias azure-$i -import -file $PUBLIC_CERT -storepass $TRUSTSTORE_PASSPHRASE -keypass $TRUSTSTORE_PASSPHRASE -noprompt
+    cp $PUBLIC_CERT $CERTS_PATH/ca-certificate-$i.pem
+
+    # Delete download private and public certs except CAroot cert
+    rm -rf $PUBLIC_CERT
+  done
+
+}
+
+if [[ -z "$AZ_KV_KEYSTORE_CERT" ]]; then
+  echo "WARN: Config Provider[custom/cmazure] is configured but env variable AZ_KV_KEYSTORE_CERT is empty OR not supplied."
+  echo "WARN: Skip fetching certificates from Azure Key Vault."
+else
+  generate_key_store_certs
+fi
+
+if [[ -z "$AZ_KV_TRUSTSTORE_CERT" ]]; then
+  echo "WARN: Config Provider[custom/cmazure] is configured but env variable AZ_KV_TRUSTSTORE_CERT is empty OR not supplied."
+  echo "WARN: Skip fetching certificates from Azure Key Vault."
+else
+  generate_trust_store_certs
+fi
+
+# Safe to logout
+az logout
+

cloud/docker/configproviders/custom/cmazure/setup.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2023. TIBCO Software Inc.
+# This file is subject to the license terms contained in the license file that is distributed with this file.
+#
+
+source /home/tibco/be/configproviders/cputils.sh
+
+
+# fill this variable with required packages to be installed. Multiple packages can be represented in a space separated format ex: "curl unzip".
+REQUIRED_PKGS="curl"
+
+# fill this variable with packages used only during build time. Multiple packages can be represented in a space separated format ex: "curl unzip".
+# BUILD_PKGS="unzip"
+
+echo "INFO: Check for openssl and keytool utilites"
+
+if  ! [ -x $(command -v openssl) ] ; then
+    REQUIRED_PKGS="$REQUIRED_PKGS openssl"    
+fi
+
+if ! [ -x $(command -v keytool) ] ; then
+    echo "ERROR: keytool utility is required and it doesnot exists, exiting the build"
+    exit 1;
+fi
+
+INSTALL_PKGS_LIST=$( getInstallPkgs "$REQUIRED_PKGS" )
+CLEANUP_PKGS_LIST=$( getCleanupPkgs "$BUILD_PKGS" "$INSTALL_PKGS_LIST" )
+
+# installing required packages
+if [ "$INSTALL_PKGS_LIST" != "" ]; then
+    package-manager install -y $INSTALL_PKGS_LIST
+fi      
+
+# install az cli
+curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+az version
+
+if [ "$CLEANUP_PKGS_LIST" != "" ]; then
+    package-manager remove -y $CLEANUP_PKGS_LIST
+fi
+

cloud/docker/configproviders/run.sh

@@ -46,6 +46,17 @@ do
 
     # cleanup
     rm -f "${JSON_FILE}"
+  elif [[ $CP = cm* ]] || [[ $CP = custom/cm* ]] ; then
+    echo "INFO: Running Config Provider [${CP}]"
+    TRA_FILE="bin/be-engine.tra"
+    TIB_JAVA_HOME=$(cat $BE_HOME/$TRA_FILE | grep ^tibco.env.TIB_JAVA_HOME | cut -d'=' -f 2 | sed -e 's/\r$//')
+    export PATH=$PATH:$TIB_JAVA_HOME/bin
+    export CERTS_PATH=/opt/tibco/be/certstore
+    export CERT_TRUSTSTORE=$CERTS_PATH/truststore.jks
+    export CERT_KEYSTORE=$CERTS_PATH/keystore.jks
+    export KEYSTORE_PASSPHRASE=password
+    export TRUSTSTORE_PASSPHRASE=password
+    ./configproviders/${CP}/run.sh
   else
     echo "INFO: Running Config Provider [${CP}]"
     ./configproviders/${CP}/run.sh

cloud/docker/configproviders/setup.sh

@@ -38,6 +38,13 @@ for CP in "${CPs[@]}"
 do
   echo "INFO: setting up the Config Provider[${CP}]..."
   chmod +x /home/tibco/be/configproviders/${CP}/*.sh
+  # set javabin path in path variables to check existance of keytool utility
+  if [[ $CP = cm* ]] || [[ $CP = custom/cm* ]] ; then
+    TRA_FILE="bin/be-engine.tra"
+    TIB_JAVA_HOME=$(cat $BE_HOME/$TRA_FILE | grep ^tibco.env.TIB_JAVA_HOME | cut -d'=' -f 2 | sed -e 's/\r$//')
+    echo "INFO: Setting java bin path"
+    export PATH=$PATH:$TIB_JAVA_HOME/bin
+  fi
   if [ -f /home/tibco/be/configproviders/${CP}/setup.sh ]; then /home/tibco/be/configproviders/${CP}/setup.sh; fi
 
   if [ "$?" != 0 ]; then

cloud/docker/lib/optimize.json

@@ -186,9 +186,7 @@
             "JAVA_HOME/lib/server/libjsig.so",
             "JAVA_HOME/lib/server/Xusage.txt",
             "JAVA_HOME/lib/libattach.so",
-            "JAVA_HOME/lib/libjsound.so",
-            "JAVA_HOME/lib/jvm.cfg",
-            "JAVA_HOME/bin"
+            "JAVA_HOME/lib/libjsound.so"
         ],
         "kafka": [
             "BE_HOME/lib/cep-kafka.jar",

cloud/docker/scripts/util.bat

@@ -51,7 +51,7 @@ GOTO :EOF
         set "CP=!CP:custom\=!"
         set "CP=!CP:custom/=!"
 
-        if "!CP!" NEQ "gvhttp" if "!CP!" NEQ "gvconsul" if "!CP!" NEQ "gvcyberark" set "CP=custom\!CP!"
+        if "!CP!" NEQ "gvhttp" if "!CP!" NEQ "gvconsul" if "!CP!" NEQ "gvcyberark" if "!CP!" NEQ "cmcncf" set "CP=custom\!CP!"
 
         SET DUPLICATE_FOUND=false
         if "!ARG_CP_RESULT!" EQU "" (

cloud/docker/scripts/utils.sh

@@ -19,7 +19,7 @@ RemoveDuplicatesAndFormatCPs()
 
     for key in "${values[@]}"; do
 
-        if ! [ "$key" = "gvhttp" -o "$key" = "gvconsul" -o "$key" = "gvcyberark" ]; then
+        if ! [ "$key" = "gvhttp" -o "$key" = "gvconsul" -o "$key" = "gvcyberark" -o "$key" = "cmcncf" ]; then
             key=${key/custom\//}
             key=${key/custom\\/}
             key="custom/$key"

cloud/kubernetes/helm/values.yaml

@@ -59,6 +59,8 @@ envVarsFromSecrets: []
 
 # envVars Specify environment variables (yaml key value format) you want to pass on to BE agents (pods)
 envVars: {}
+  # # BE_GLOBAL_TRUSTED_CA_STORE is special gv for passing certificates outside project folder
+  # BE_GLOBAL_TRUSTED_CA_STORE: file:///opt/tibco/be/certstore
   # # env flag to specify which CDD file to use.
   # # In case RMS container, It contains 3 different CDD files with RMS.cdd as default. You can use this flag to run BE app with diffent CDD.
   # CDD_FILE: "<CDD file path>"