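{%- if os == "ubuntu" -%}
#!/usr/bin/env bash
{%- else -%}
#!/usr/bin/env sh
{%- endif %}
{% include 'partials/license.j2' %}
# Container entrypoint. When USE_SYSTEM_CA_CERTS is set, the system CA store and
# any certificates mounted under /certificates are merged into the JVM
# truststore (either in place, or in a temporary copy when the image's cacerts
# file is read-only). Afterwards the container command ("$@") is exec'd.
#
# Environment (read):
#   USE_SYSTEM_CA_CERTS  opt-in switch; any non-empty value activates the import
#   JAVA_HOME            used to locate the JVM truststore (cacerts)
#   TMPDIR               scratch location, defaults to /tmp; must be writable
#   JAVA_TOOL_OPTIONS    extended with -Djavax.net.ssl.trustStore=... when a
#                        temporary truststore is used
# Environment (written):
#   JRE_CACERTS_PATH     exported so tools started by "$@" can find the truststore
#
# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get
# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but
# are supported by `sh` in some Linux flavours.
set -e
TMPDIR=${TMPDIR:-/tmp}

# JDK truststore location
{%- if version|int == 8 and image_type == "jdk" %}
# JDK8 puts its JRE in a subdirectory
JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts
{%- else %}
JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts
{%- endif %}

# Opt-in is only activated if the environment variable is set
if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
    if [ ! -w "$TMPDIR" ]; then
        # Diagnostics go to stderr so they are not mixed with the program's output
        echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." >&2
        exit 1
    fi

    # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not,
    # we'll use a temporary truststore.
    if [ ! -w "$JRE_CACERTS_PATH" ]; then
        # We cannot write to the JVM truststore, so we create a temporary one.
        # mktemp creates the file with owner-only permissions, so the copy is
        # only modifiable by the user running this script.
        JRE_CACERTS_PATH_NEW=$(mktemp)
        echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW"
        cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW"
        JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW
        # If we use a custom truststore, we need to make sure that the JVM uses it.
        # "changeit" is the well-known default password of the JDK cacerts store, not a secret.
        export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit"
    fi

    tmp_store=$(mktemp)
    # Copy full system CA store to a temporary location
    trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" > /dev/null
    # Add the system CA certificates to the JVM truststore.
    keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt > /dev/null
    # Clean up the temporary truststore
    rm -f "$tmp_store"

    # Import the additional certificates into the JVM truststore
    for i in /certificates/*crt; do
        # An unmatched glob leaves the literal pattern behind; skip it
        if [ ! -f "$i" ]; then
            continue
        fi
        tmp_dir=$(mktemp -d)
        BASENAME=$(basename "$i" .crt)
        # We might have multiple certificates in the file. Split this file into single files. The reason is that
        # `keytool` does not accept multi-certificate files
        csplit -s -z -b %02d.crt -f "$tmp_dir/$BASENAME-" "$i" '/-----BEGIN CERTIFICATE-----/' '{*}'
        for crt in "$tmp_dir/$BASENAME"-*; do
            # Extract the Common Name (CN) and Serial Number from the certificate
            CN=$(openssl x509 -in "$crt" -noout -subject -nameopt -space_eq | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
            SERIAL=$(openssl x509 -in "$crt" -noout -serial | sed -n 's/^serial=\(.*\)$/\1/p')
            # Check if an alias with the CN already exists in the keystore.
            # NOTE(review): a certificate without a CN yields an empty alias; how keytool treats that is not checked here.
            ALIAS=$CN
            if keytool -list -keystore "$JRE_CACERTS_PATH" -storepass changeit -alias "$ALIAS" >/dev/null 2>&1; then
                # If the CN already exists, append the serial number to the alias
                ALIAS="${CN}_${SERIAL}"
            fi
            echo "Adding certificate with alias $ALIAS to the JVM truststore"
            # Add the certificate to the JVM truststore
            keytool -import -noprompt -alias "$ALIAS" -file "$crt" -keystore "$JRE_CACERTS_PATH" -storepass changeit >/dev/null
        done
        # Remove the split copies; mktemp -d is not cleaned up automatically, and the exec at the end
        # of this script replaces the shell, so no EXIT trap would get a chance to run
        rm -rf "$tmp_dir"
    done

    # Add additional certificates to the system CA store. This requires write permissions to several system
    # locations, which is not possible in a container with read-only filesystem and/or non-root container.
    if [ "$(id -u)" -eq 0 ]; then
        # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty.
        # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the
        # system location, for whatever reason.
        if [ -d /certificates ] && [ "$(ls -A /certificates 2>/dev/null)" ]; then
{%- if os == "ubuntu" or os == "alpine-linux" %}
            cp -La /certificates/* /usr/local/share/ca-certificates/
{%- elif os == "ubi9-minimal" %}
            cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
{%- endif %}
        fi
{%- if os == "ubuntu" or os == "alpine-linux" %}
        update-ca-certificates
{%- elif os == "ubi9-minimal" %}
        update-ca-trust
{%- endif %}
    else
        # If we are not root, we cannot update the system truststore. That's bad news for tools like `curl` and `wget`,
        # but since the JVM is the primary focus here, we can live with that.
        true
    fi
fi

# Let's provide a variable with the correct path for tools that want or need to use it
export JRE_CACERTS_PATH

exec "$@"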