[
https://issues.apache.org/jira/browse/KNOX-3304?focusedWorklogId=1016973&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1016973
]
ASF GitHub Bot logged work on KNOX-3304:
----------------------------------------
Author: ASF GitHub Bot
Created on: 23/Apr/26 07:03
Start Date: 23/Apr/26 07:03
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1209:
URL: https://github.com/apache/knox/pull/1209#discussion_r3128777940
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -183,14 +195,18 @@ fi
if [[ -n $CA_FILE ]] && [[ -f ${CA_FILE} ]]
then
echo "Creating truststore with provided CA certificate/s."
- importMultipleCerts "$CA_FILE"
+ if ! importMultipleCerts "$CA_FILE"; then
+ echo "WARN: Unable to import CA certs from [${CA_FILE}]. Continuing
startup..."
+ fi
fi
# Import custom certs one by one
if [[ -n $CUSTOM_CERT ]] && [[ -f ${CUSTOM_CERT} ]]
then
echo "Importing Custom certs."
- importMultipleCerts "$CUSTOM_CERT"
+ if ! importMultipleCerts "$CUSTOM_CERT"; then
+ echo "WARN: Unable to import custom certs from [${CUSTOM_CERT}].
Continuing startup..."
Review Comment:
I think this is redundant:
- the log in line 197 already tells we are importing custom certs
- the log in importMultipleCerts will list the certs that were not imported
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -53,15 +54,26 @@ importMultipleCerts() {
# step 2), increment counter when last line of cert is found
for N in $(/usr/bin/seq 0 $((CERTS - 1))); do
ALIAS="${FILE%.*}-$N"
- /bin/cat "$FILE" |
+ # Make import idempotent across restarts when truststore is persisted.
+ keytool -delete \
Review Comment:
The `import` command below adds the `-trustcacerts` flag, but this new
`delete` doesn't. Why?
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -201,8 +217,9 @@ then
amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
- amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
- letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
Review Comment:
What happened to this cert? I see that you added two new certs:
- isrgrootx1:/home/knox/cacrts/isrgrootx1.pem
- isrgrootx2:/home/knox/cacrts/isrg-root-x2.pem
Based on the `curl` command in `Dockerfile`, this seems to be ok. Can you
please give a 1-2 sentence explanation on this?
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -201,8 +217,9 @@ then
amazon-ca-1:/home/knox/cacrts/AmazonRootCA1.cer
amazon-ca-2:/home/knox/cacrts/AmazonRootCA2.cer
amazon-ca-3:/home/knox/cacrts/AmazonRootCA3.cer
- amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
- letsencrypt-stg-root:/home/knox/cacrts/letsencrypt-stg-root-x1.pem"
+ amazon-ca-4:/home/knox/cacrts/AmazonRootCA4.cer
Review Comment:
nit: extra space at the beginning of this line
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -86,21 +98,21 @@ export GATEWAY_SERVER_RUN_IN_FOREGROUND=true
# Create Master secret
if [[ -n ${KNOX_MASTER_SECRET} ]]
then
- MASTER_SECRET=$(/bin/cat "${KNOX_MASTER_SECRET}" 2>/dev/null)
+ MASTER_SECRET=$(/bin/cat "${KNOX_MASTER_SECRET}" 2> /dev/null)
fi
if [[ -n ${MASTER_SECRET} ]]
then
echo "Using provided knox master secret [env:MASTER_SECRET]"
else
echo "Using default knox master secret"
- MASTER_SECRET="knox"
+ MASTER_SECRET="!apacheknox!"
Review Comment:
Why is this change? Neither this new value, nor the old one is something a
password cracker wouldn't break in 5 secs (assuming the attacker wouldn't check
this file and know already the default password).
##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -183,14 +195,18 @@ fi
if [[ -n $CA_FILE ]] && [[ -f ${CA_FILE} ]]
then
echo "Creating truststore with provided CA certificate/s."
- importMultipleCerts "$CA_FILE"
+ if ! importMultipleCerts "$CA_FILE"; then
+ echo "WARN: Unable to import CA certs from [${CA_FILE}]. Continuing
startup..."
Review Comment:
I think this is redundant:
- the log in line 197 already tells we are importing CA certs
- the log in importMultipleCerts will list the certs that were not imported
Issue Time Tracking
-------------------
Worklog Id: (was: 1016973)
Time Spent: 1h 20m (was: 1h 10m)
> Support for Openshift/SCC
> -------------------------
>
> Key: KNOX-3304
> URL: https://issues.apache.org/jira/browse/KNOX-3304
> Project: Apache Knox
> Issue Type: Task
> Components: docker
> Affects Versions: 2.1.0
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Attachments:
> 0001-KNOX-3304-added-installation-of-curl-in-the-Docker.patch,
> 0002-KNOX-3304-fixed-import-of-letsencrupt-root-cert.patch
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> The current docker image that is generated does not work with Openshift and
> ECS platform due to restrictions imposed by the platforms. Specifically,
> there are two requirements
> # The helm chart that installs Knox image should use an arbitrary runAsUser
> # The helm chart should not have any runAsGroup and fsUserĀ
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
