summaryrefslogtreecommitdiffstats
path: root/kubernetes
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2021-03-18 11:08:36 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-03-23 19:03:46 +0000
commitf4c617541779b756f85e641ae9d9e3a1c617e55e (patch)
tree4fe87850a80b93989516270d0c9c80da6efdfa2c /kubernetes
parent5ac7099caeabb158f29f6c1bf7fb56043c38bc90 (diff)
[VID] Obfuscate truststore password at the entrypoint
VID unfortunately expects truststore password to be obfuscated instead of getting it in plain text. Current solution that we had in the master branch was only a temporary fix which hardcoded obfuscated password in our charts. This patch introduces a proper solution that uses jetty-util to obfuscate the password before starting VID application. Issue-ID: OOM-1 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I391c29b6552121fd0b574a1046b4c1551c1a927a
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/vid/templates/deployment.yaml2
-rw-r--r--kubernetes/vid/values.yaml4
2 files changed, 4 insertions, 2 deletions
diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml
index 8872863e42..d1b4bcdbf2 100644
--- a/kubernetes/vid/templates/deployment.yaml
+++ b/kubernetes/vid/templates/deployment.yaml
@@ -63,6 +63,8 @@ spec:
- -c
- |
export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+ export VID_TRUSTSTORE_PLAIN_PASSWORD=${VID_TRUSTSTORE_PASSWORD}
+ export VID_TRUSTSTORE_PASSWORD=`java -cp /usr/local/tomcat/webapps/vid/WEB-INF/lib/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password ${VID_TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
/tmp/vid/localize.sh
{{- end }}
ports:
diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml
index 6b323a4a17..91132e276c 100644
--- a/kubernetes/vid/values.yaml
+++ b/kubernetes/vid/values.yaml
@@ -64,7 +64,7 @@ certInitializer:
else
echo "*** changing them into shell safe ones"
export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTORE_PASSWD=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+ export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
cd {{ .Values.credsPath }}
keytool -storepasswd -new "${KEYSTORE_PASSWD}" \
-storepass "${cadi_keystore_password_jks}" \
@@ -79,7 +79,7 @@ certInitializer:
-storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }}
echo "*** save the generated passwords"
echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop
- echo "VID_TRUSTSTORE_PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp" >> mycreds.prop
+ echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop
echo "*** change ownership of certificates to targeted user"
chown -R 1000 .
fi