summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2021-04-02 08:56:15 +0200
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-04-14 13:12:34 +0000
commit495ff8966cee0e8094b3142217985ac39f8b300a (patch)
tree6dc321cb6ff7e0fcf9787c777554121b4a7e5751
parent213f6d8d86fceba0cde8c9e805ac31c11ca6eddf (diff)
[AAI] Fix truststore password to avoid exceptions
Deployment of aai-resources sometimes fails with exception: org.springframework.expression.ParseException: Expression [BH#{XS@*#xoUULIO)eQkxaBA] @2: No ending suffix '}' for expression starting at character 2: #{XS@*#xoUULIO)eQkxaBA which basically means that aai-resources (and probably aai-traversal) are unable to handle special characters that AAF is putting into cert passwords. To avoid random AAI failures let's use a know method proposed by Sylvain Desbureaux and just set passwords that contains only alphanumeric characters. Issue-ID: OOM-1 Change-Id: I248c2de6e59e4fc073b5a06f6409802634b254cf Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
-rw-r--r--kubernetes/aai/components/aai-resources/values.yaml21
-rw-r--r--kubernetes/aai/components/aai-traversal/values.yaml21
2 files changed, 36 insertions, 6 deletions
diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index b1d8a0ad7b..7509cb3bd6 100644
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -137,9 +137,24 @@ certInitializer:
credsPath: /opt/app/osaaf/local
fqi_namespace: org.onap.aai-resources
aaf_add_config: |
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** set key password as same password as keystore password"
+ keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
+ -keystore {{ .Values.fqi_namespace }}.p12 \
+ -keypass "${cadi_keystore_password_p12}" \
+ -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
+ echo "*** save the generated passwords"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
echo "*** change ownership of certificates to targeted user"
chown -R 1000 {{ .Values.credsPath }}
diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml
index 8a063c2ba4..253f9b9e93 100644
--- a/kubernetes/aai/components/aai-traversal/values.yaml
+++ b/kubernetes/aai/components/aai-traversal/values.yaml
@@ -123,9 +123,24 @@ certInitializer:
credsPath: /opt/app/osaaf/local
fqi_namespace: org.onap.aai-traversal
aaf_add_config: |
- echo "*** writing passwords into prop file"
- echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop
- echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** set key password as same password as keystore password"
+ keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
+ -keystore {{ .Values.fqi_namespace }}.p12 \
+ -keypass "${cadi_keystore_password_p12}" \
+ -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
+ echo "*** save the generated passwords"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
echo "*** change ownership of certificates to targeted user"
chown -R 1000 {{ .Values.credsPath }}