| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| # script to process key/cert to keystore and truststore |
| {{- if .Values.tls.zookeeper.enabled }} |
| apiVersion: v1 |
| kind: ConfigMap |
| metadata: |
| name: "{{ template "pulsar.fullname" . }}-keytool-configmap" |
| namespace: {{ template "pulsar.namespace" . }} |
| labels: |
| {{- include "pulsar.standardLabels" . | nindent 4 }} |
| component: keytool |
| data: |
| keytool.sh: | |
| #!/bin/bash |
| component=$1 |
| name=$2 |
| isClient=$3 |
| crtFile=/pulsar/certs/${component}/tls.crt |
| keyFile=/pulsar/certs/${component}/tls.key |
| caFile=/pulsar/certs/ca/ca.crt |
| p12File=/pulsar/${component}.p12 |
| keyStoreFile=/pulsar/${component}.keystore.jks |
| trustStoreFile=/pulsar/${component}.truststore.jks |
| |
| function checkFile() { |
| local file=$1 |
| local len=$(wc -c ${file} | awk '{print $1}') |
| echo "processing ${file} : len = ${len}" |
| if [ ! -f ${file} ]; then |
| echo "${file} is not found" |
| return -1 |
| fi |
| if [ $len -le 0 ]; then |
| echo "${file} is empty" |
| return -1 |
| fi |
| } |
| |
| function ensureFileNotEmpty() { |
| local file=$1 |
| until checkFile ${file}; do |
| echo "file isn't initialized yet ... check in 3 seconds ..." && sleep 3; |
| done; |
| } |
| |
| ensureFileNotEmpty ${crtFile} |
| ensureFileNotEmpty ${keyFile} |
| ensureFileNotEmpty ${caFile} |
| |
| PASSWORD=$(head /dev/urandom | base64 | head -c 24) |
| |
| openssl pkcs12 \ |
| -export \ |
| -in ${crtFile} \ |
| -inkey ${keyFile} \ |
| -out ${p12File} \ |
| -name ${name} \ |
| -passout "pass:${PASSWORD}" |
| |
| keytool -importkeystore \ |
| -srckeystore ${p12File} \ |
| -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \ |
| -alias ${name} \ |
| -destkeystore ${keyStoreFile} \ |
| -deststorepass "${PASSWORD}" |
| |
| keytool -import \ |
| -file ${caFile} \ |
| -storetype JKS \ |
| -alias ${name} \ |
| -keystore ${trustStoreFile} \ |
| -storepass "${PASSWORD}" \ |
| -trustcacerts -noprompt |
| |
| ensureFileNotEmpty ${keyStoreFile} |
| ensureFileNotEmpty ${trustStoreFile} |
| |
| if [[ "x${isClient}" == "xtrue" ]]; then |
| echo $'\n' >> conf/pulsar_env.sh |
| echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh |
| echo $'\n' >> conf/bkenv.sh |
| echo "BOOKIE_EXTRA_OPTS=\"${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh |
| else |
| echo $'\n' >> conf/pulsar_env.sh |
| echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh |
| fi |
| {{- end }} |