charts/pulsar/templates/keytool.yaml - pulsar-helm-chart - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #

 # script to process key/cert to keystore and truststore
 {{- if .Values.tls.zookeeper.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
   namespace: {{ template "pulsar.namespace" . }}
   labels:
     {{- include "pulsar.standardLabels" . | nindent 4 }}
     component: keytool
 data:
   keytool.sh: |
     #!/bin/bash
     component=$1
     name=$2
     isClient=$3
     crtFile=/pulsar/certs/${component}/tls.crt
     keyFile=/pulsar/certs/${component}/tls.key
     caFile=/pulsar/certs/ca/ca.crt
     p12File=/pulsar/${component}.p12
     keyStoreFile=/pulsar/${component}.keystore.jks
     trustStoreFile=/pulsar/${component}.truststore.jks

     function checkFile() {
         local file=$1
         local len=$(wc -c ${file} | awk '{print $1}')
         echo "processing ${file} : len = ${len}"
         if [ ! -f ${file} ]; then
             echo "${file} is not found"
             return -1
         fi
         if [ $len -le 0 ]; then
             echo "${file} is empty"
             return -1
         fi
     }

     function ensureFileNotEmpty() {
         local file=$1
         until checkFile ${file}; do
             echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3;
         done;
     }

     ensureFileNotEmpty ${crtFile}
     ensureFileNotEmpty ${keyFile}
     ensureFileNotEmpty ${caFile}

     PASSWORD=$(head /dev/urandom | base64 | head -c 24)

     openssl pkcs12 \
         -export \
         -in ${crtFile} \
         -inkey ${keyFile} \
         -out ${p12File} \
         -name ${name} \
         -passout "pass:${PASSWORD}"

     keytool -importkeystore \
         -srckeystore ${p12File} \
         -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
         -alias ${name} \
         -destkeystore ${keyStoreFile} \
         -deststorepass "${PASSWORD}"

     keytool -import \
         -file ${caFile} \
         -storetype JKS \
         -alias ${name} \
         -keystore ${trustStoreFile} \
         -storepass "${PASSWORD}" \
         -trustcacerts -noprompt

     ensureFileNotEmpty ${keyStoreFile}
     ensureFileNotEmpty ${trustStoreFile}

     if [[ "x${isClient}" == "xtrue" ]]; then
         echo $'\n' >> conf/pulsar_env.sh
         echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
         echo $'\n' >> conf/bkenv.sh
         echo "BOOKIE_EXTRA_OPTS=\"${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
     else
         echo $'\n' >> conf/pulsar_env.sh
         echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
     fi
 {{- end }}
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#

	# script to process key/cert to keystore and truststore
	{{- if .Values.tls.zookeeper.enabled }}
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
	namespace: {{ template "pulsar.namespace" . }}
	labels:
	{{- include "pulsar.standardLabels" . \| nindent 4 }}
	component: keytool
	data:
	keytool.sh: \|
	#!/bin/bash
	component=$1
	name=$2
	isClient=$3
	crtFile=/pulsar/certs/${component}/tls.crt
	keyFile=/pulsar/certs/${component}/tls.key
	caFile=/pulsar/certs/ca/ca.crt
	p12File=/pulsar/${component}.p12
	keyStoreFile=/pulsar/${component}.keystore.jks
	trustStoreFile=/pulsar/${component}.truststore.jks

	function checkFile() {
	local file=$1
	local len=$(wc -c ${file} \| awk '{print $1}')
	echo "processing ${file} : len = ${len}"
	if [ ! -f ${file} ]; then
	echo "${file} is not found"
	return -1
	fi
	if [ $len -le 0 ]; then
	echo "${file} is empty"
	return -1
	fi
	}

	function ensureFileNotEmpty() {
	local file=$1
	until checkFile ${file}; do
	echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3;
	done;
	}

	ensureFileNotEmpty ${crtFile}
	ensureFileNotEmpty ${keyFile}
	ensureFileNotEmpty ${caFile}

	PASSWORD=$(head /dev/urandom \| base64 \| head -c 24)

	openssl pkcs12 \
	-export \
	-in ${crtFile} \
	-inkey ${keyFile} \
	-out ${p12File} \
	-name ${name} \
	-passout "pass:${PASSWORD}"

	keytool -importkeystore \
	-srckeystore ${p12File} \
	-srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
	-alias ${name} \
	-destkeystore ${keyStoreFile} \
	-deststorepass "${PASSWORD}"

	keytool -import \
	-file ${caFile} \
	-storetype JKS \
	-alias ${name} \
	-keystore ${trustStoreFile} \
	-storepass "${PASSWORD}" \
	-trustcacerts -noprompt

	ensureFileNotEmpty ${keyStoreFile}
	ensureFileNotEmpty ${trustStoreFile}

	if [[ "x${isClient}" == "xtrue" ]]; then
	echo $'\n' >> conf/pulsar_env.sh
	echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
	echo $'\n' >> conf/bkenv.sh
	echo "BOOKIE_EXTRA_OPTS=\"${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
	else
	echo $'\n' >> conf/pulsar_env.sh
	echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
	fi
	{{- end }}