CLOUD-2689: jboss.container.java.certs module #312

Closed
wants to merge 5 commits into from

Commits on Nov 5, 2018

  1. CLOUD-2689: jboss.container.java.certs module

    This module enables the trusting of CA certificates provided to
    running containers by OpenShift.
    
    At build-time: various system PKI paths are made world writeable-by-all,
    in order that the random-UID runtime user can insert CA certificates
    into the trusted store
    
    At run-time: copy the CA file into place and invoke /usr/bin/update-ca-trust
    to generate derivative trust stores (e.g. OpenSSL & Java JKS)
    
    Signed-off-by: Jonathan Dowland <jdowland@redhat.com>
    jmtd committed Nov 5, 2018
    15ddbeb
  2. Hook trust-ose-cert into s2i-core-hooks

    This ensures the script will be invoked for all S2I entrypoints
    
    Signed-off-by: Jonathan Dowland <jdowland@redhat.com>
    jmtd committed Nov 5, 2018
    87f9745

Commits on Nov 7, 2018

  1. add JAVA_DISABLE_TRUST_OPENSHIFT_CA to override CA trust

    When JAVA_DISABLE_TRUST_OPENSHIFT_CA is defined the trust-openshift-supplied-CA
    code will not run.
    
    Signed-off-by: Jonathan Dowland <jdowland@redhat.com>
    jmtd committed Nov 7, 2018
    d00642a

Commits on Dec 3, 2018

  1. Narrow chmod permissions for PKI/ca-trust files

    g+w is sufficient (group is root, and OpenShift running user is in
    group root) for this approach to work.
    
    Signed-off-by: Jonathan Dowland <jdowland@redhat.com>
    jmtd committed Dec 3, 2018
    133ac25

Commits on Dec 4, 2018

  1. symlink OpenShift CA cert rather than copy it

    Install a static symlink from the OS TLS/PKI trust store to the
    location that OpenShift uses for its CA certificate, instead of
    copying it at run-time.
    
    Signed-off-by: Jonathan Dowland <jdowland@redhat.com>
    jmtd committed Dec 4, 2018
    3ced417