Copilot commented on code in PR #13641: URL: https://github.com/apache/skywalking/pull/13641#discussion_r2660199866
########## test/e2e-v2/cases/storage/opensearch/generate-certs.sh: ########## 
@@ -0,0 +1,88 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +CERTS_DIR="./certs" +mkdir -p "$CERTS_DIR" + +# Generate Root CA +openssl genrsa -out "$CERTS_DIR/root-ca-key.pem" 2048 +openssl req -new -x509 -sha256 -key "$CERTS_DIR/root-ca-key.pem" \ + -subj "/C=US/ST=CA/L=Test/O=SkyWalking/OU=Test/CN=SkyWalking Root CA" \ + -out "$CERTS_DIR/root-ca.pem" -days 730 + +# Generate Node Certificate +openssl genrsa -out "$CERTS_DIR/node-key.pem" 2048 +openssl req -new -key "$CERTS_DIR/node-key.pem" \ + -subj "/C=US/ST=CA/L=Test/O=SkyWalking/OU=Test/CN=opensearch" \ + -out "$CERTS_DIR/node.csr" + +# Create SAN config for node cert +cat >"$CERTS_DIR/node-san.cnf" <<EOFSAN +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] + +[v3_req] +subjectAltName = @alt_names + +[alt_names] +DNS.1 = opensearch +DNS.2 = localhost +IP.1 = 127.0.0.1 +EOFSAN + +openssl x509 -req -in "$CERTS_DIR/node.csr" \ + -CA "$CERTS_DIR/root-ca.pem" -CAkey "$CERTS_DIR/root-ca-key.pem" -CAcreateserial \ + -out "$CERTS_DIR/node.pem" -days 730 -sha256 \ + -extfile "$CERTS_DIR/node-san.cnf" -extensions v3_req + +# Generate Admin Certificate (for securityadmin tool) +openssl genrsa -out 
"$CERTS_DIR/admin-key.pem" 2048 +openssl req -new -key "$CERTS_DIR/admin-key.pem" \ + -subj "/C=US/ST=CA/L=Test/O=SkyWalking/OU=Test/CN=admin" \ + -out "$CERTS_DIR/admin.csr" +openssl x509 -req -in "$CERTS_DIR/admin.csr" \ + -CA "$CERTS_DIR/root-ca.pem" -CAkey "$CERTS_DIR/root-ca-key.pem" -CAcreateserial \ + -out "$CERTS_DIR/admin.pem" -days 730 -sha256 + +# Generate Client Certificate (for SkyWalking OAP) +# CN must match the username in roles_mapping (node-0.example.com) +openssl genrsa -out "$CERTS_DIR/client-key.pem" 2048 +openssl req -new -key "$CERTS_DIR/client-key.pem" \ + -subj "/C=US/ST=CA/L=Test/O=SkyWalking/OU=Test/CN=node-0.example.com" \ + -out "$CERTS_DIR/client.csr" +openssl x509 -req -in "$CERTS_DIR/client.csr" \ + -CA "$CERTS_DIR/root-ca.pem" -CAkey "$CERTS_DIR/root-ca-key.pem" -CAcreateserial \ + -out "$CERTS_DIR/client.pem" -days 730 -sha256 + +# Create PKCS12 keystore for client (for Java applications) +openssl pkcs12 -export -in "$CERTS_DIR/client.pem" -inkey "$CERTS_DIR/client-key.pem" \ + -out "$CERTS_DIR/client.p12" -name "node-0.example.com" -passout pass:changeit + +# Create JKS truststore with root CA (remove existing if present) Review Comment: The hardcoded password "changeit" is used for both the client keystore and truststore. While this is acceptable for test environments, consider adding a comment warning that this is a test-only value and should never be used in production environments. This helps prevent developers from accidentally copying this configuration to production systems. ```suggestion # Create PKCS12 keystore for client (for Java applications) # NOTE: The hardcoded password "changeit" below is for test/e2e use only and MUST NOT be used in production. 
openssl pkcs12 -export -in "$CERTS_DIR/client.pem" -inkey "$CERTS_DIR/client-key.pem" \ -out "$CERTS_DIR/client.p12" -name "node-0.example.com" -passout pass:changeit # Create JKS truststore with root CA (remove existing if present) # NOTE: The hardcoded password "changeit" below is for test/e2e use only and MUST NOT be used in production. ``` ########## test/e2e-v2/cases/storage/opensearch/docker-compose.yml: ########## @@ -42,15 +107,23 @@ services: SW_STORAGE: elasticsearch SW_STORAGE_ES_CLUSTER_NODES: opensearch:9200 SW_ES_USER: admin Review Comment: The hardcoded password "SecurePass@2024!" is visible in the docker-compose configuration. While this is acceptable for E2E test environments, consider adding a comment indicating this is for testing purposes only. This helps prevent security misconfigurations if this file is used as a template. ```suggestion SW_ES_USER: admin # Test-only password for E2E environment; do not use this value in production. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
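Review bot: in the generate-certs.sh hunk, the admin and client leaf certificates are signed without an -extfile, so unlike the node certificate (which gets its subjectAltName through `-extfile "$CERTS_DIR/node-san.cnf" -extensions v3_req`) they carry no basicConstraints or extendedKeyUsage; add a small extension file with `basicConstraints = CA:FALSE` and `extendedKeyUsage = clientAuth` and pass it to both the `-out "$CERTS_DIR/admin.pem"` and the `-out "$CERTS_DIR/client.pem"` signing calls, and if an extendedKeyUsage is added to the node cert's [v3_req] section it should be `serverAuth, clientAuth`, because an OpenSearch node presents that certificate as both server and client on the transport layer. Two smaller points in the same hunk: the [req] and [req_distinguished_name] sections in node-san.cnf are dead, since the node CSR is created with `openssl req -new -key ... -subj ...` before the file exists and without -config, so only [v3_req] and [alt_names] are needed; and every private key, root-ca-key.pem included, is written into ./certs with the default umask, so an `umask 077` right after `set -e` (or a `chmod 600 "$CERTS_DIR"/*-key.pem` at the end) would keep the CA key from being world-readable when that directory is bind-mounted into the containers.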
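Review bot: the docker-compose.yml hunk's visible context shows the OAP configured with `SW_STORAGE_ES_CLUSTER_NODES: opensearch:9200` and `SW_ES_USER: admin`, i.e. basic-auth credentials, but the context shown stops before any storage protocol or truststore setting; basic auth to port 9200 is only acceptable here if the OAP's storage protocol is https, otherwise the admin password travels in cleartext, so please make sure the same hunk switches the protocol to https and points the OAP at the truststore generate-certs.sh produces (the host name `opensearch` matches `DNS.1 = opensearch` in the node SAN, so hostname verification will pass once TLS is on). Also move the literal password into a .env variable referenced from the compose file so the test-only value is defined in exactly one place.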
