SSL for Broker container

Signed-off-by: Claudio Mezzasalma <claudio.mezzasalma@eurotech.com>
eclipse · Jan 15, 2019 · a333386 · a333386
1 parent 992ef82
commit a333386
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 5 deletions.
diff --git a/assembly/broker/docker/Dockerfile b/assembly/broker/docker/Dockerfile
@@ -41,6 +41,6 @@ ENV ACTIVEMQ_OPTS "-Dcommons.db.schema.update=true \
 
 EXPOSE 1883 8883 61614 61615 8161
 
-VOLUME /var/opt/activemq/data
+VOLUME /opt/activemq/data
 
 ENTRYPOINT /var/opt/activemq/run-broker
diff --git a/assembly/broker/entrypoint/run-broker b/assembly/broker/entrypoint/run-broker
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 ################################################################################
 #    Copyright (c) 2011, 2018 Eurotech and/or its affiliates and others
 #
@@ -11,10 +11,48 @@
 #        Eurotech
 ################################################################################
 
+ACTIVEMQ_BASE="/var/opt/activemq"
+
 # Generate X509 certificate and private key
-openssl req -x509 -newkey rsa:4096 -keyout /var/opt/activemq/key.pem -out /var/opt/activemq/cert.pem -days 365 -nodes -subj '/O=Eclipse Kapua/C=XX'
-openssl pkcs8 -topk8 -in /var/opt/activemq/key.pem -out /var/opt/activemq/key.pk8 -nocrypt
-rm /var/opt/activemq/key.pem
+openssl req -x509 -newkey rsa:4096 -keyout ${ACTIVEMQ_BASE}/key.pem -out ${ACTIVEMQ_BASE}/cert.pem -days 365 -nodes -subj '/O=Eclipse Kapua/C=XX'
+openssl pkcs8 -topk8 -in ${ACTIVEMQ_BASE}/key.pem -out ${ACTIVEMQ_BASE}/key.pk8 -nocrypt
+rm ${ACTIVEMQ_BASE}/key.pem
+
+## Certificate Options
+
+: ${KAPUA_DISABLE_SSL:="true"}
+
+if [ "${KAPUA_DISABLE_SSL}" == "false" ]; then
+
+    # Certificates directory configuration
+    CERTIFICATES_PATH="tls"
+
+    if [ ! -d "${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}" ]; then
+        mkdir -p "${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}"
+    fi
+
+    # Keystore configuration
+    : ${KEYSTORE_NAME:="kapua.jks"}
+    : ${KAPUA_KEYSTORE_PASSWORD:="changeit"}
+
+    if [ ! -f "${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}/${KEYSTORE_NAME}" ]; then
+      if [ -z "${KAPUA_KEYSTORE}" ]; then
+          if [ ! -z "${KAPUA_KEY_PASSWORD}" ]; then
+              PASSWORD_PARAM="-passin pass:${KAPUA_KEY_PASSWORD}";
+          fi
+          openssl pkcs12 -export -in <(echo "${KAPUA_CRT}"; echo "${KAPUA_CA}") -inkey <(echo "${KAPUA_KEY}") ${PASSWORD_PARAM} -name kapua -password pass:"${KAPUA_KEYSTORE_PASSWORD}" -out "${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}/${KEYSTORE_NAME}"
+      else
+          echo "${KAPUA_KEYSTORE}" | base64 --decode > "${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}/${KEYSTORE_NAME}"
+      fi
+    fi
+
+    ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.keyStore=${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}/${KEYSTORE_NAME}"
+    ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.keyStorePassword=${KAPUA_KEYSTORE_PASSWORD}"
+    ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.trustStore=${ACTIVEMQ_BASE}/${CERTIFICATES_PATH}/${KEYSTORE_NAME}"
+    ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.trustStorePassword=${KAPUA_KEYSTORE_PASSWORD}"
+
+    export ACTIVEMQ_SSL_OPTS
+fi
 
 # Run broker
 /opt/activemq/bin/activemq console
diff --git a/deployment/docker/compose/docker-compose.yml b/deployment/docker/compose/docker-compose.yml
@@ -25,11 +25,20 @@ services:
     image: kapua/kapua-broker:${IMAGE_VERSION}
     ports:
       - 1883:1883
+      - 8883:8883
       - 61614:61614
     depends_on:
       - db
       - es
       - events-broker
+    environment:
+      - KAPUA_DISABLE_SSL
+      - KAPUA_CRT
+      - KAPUA_CA
+      - KAPUA_KEY
+      - KAPUA_KEY_PASSWORD
+      - KAPUA_KEYSTORE
+      - KAPUA_KEYSTORE_PASSWORD
   kapua-console:
     image: kapua/kapua-console:${IMAGE_VERSION}
     ports: