From 3e31aadd706d18065ee08d05ca85a5a58605d0cf Mon Sep 17 00:00:00 2001
From: Jan von Loewenstein
Date: Fri, 20 Mar 2026 12:14:39 +0100
Subject: [PATCH] enable credhub certificate hot reload

Co-authored-by: Pavel Busko
---
 certs/all-in-one.conf | 1 +
 docker-bake.hcl | 7 +++-
 helmfile.yaml.gotmpl | 2 +-
 releases/credhub/credhub.Dockerfile | 18 ++++++++++
 releases/credhub/files/entrypoint.sh | 23 +++++++++++++
 releases/credhub/helm/files/credhub.yaml | 35 +++++++++++++++-----
 releases/credhub/helm/templates/credhub.yaml | 31 +++++++----------
 releases/credhub/helm/values.schema.json | 2 +-
 releases/credhub/helm/values.yaml | 2 +-
 9 files changed, 89 insertions(+), 32 deletions(-)
 create mode 100644 releases/credhub/credhub.Dockerfile
 create mode 100644 releases/credhub/files/entrypoint.sh

diff --git a/certs/all-in-one.conf b/certs/all-in-one.conf
index f8d46117..a887739e 100644
--- a/certs/all-in-one.conf
+++ b/certs/all-in-one.conf
@@ -35,5 +35,6 @@ DNS.11 = log-api
 DNS.12 = log-cache
 DNS.13 = log_cache
 DNS.14 = reverse-log-proxy
+DNS.15 = credhub
 
 IP.1 = 127.0.0.1
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 88ad218f..a391d9b8 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -210,9 +210,14 @@ variable "CREDHUB_RELEASE_VERSION" {
 }
 target "credhub" {
+  dockerfile = "releases/credhub/credhub.Dockerfile"
+
   tags = [
     "${REGISTRY_PREFIX}credhub:latest",
     "${REGISTRY_PREFIX}credhub:${CREDHUB_RELEASE_VERSION}"
   ]
-  context = "https://github.com/pivotal/credhub-release.git#${CREDHUB_RELEASE_VERSION}:src/credhub"
+  contexts = {
+    src = "https://github.com/pivotal/credhub-release.git#${CREDHUB_RELEASE_VERSION}:src/credhub"
+    "files" = "releases/credhub/files"
+  }
 }
 variable "CFLINUXFS4_VERSION" {
diff --git a/helmfile.yaml.gotmpl b/helmfile.yaml.gotmpl
index 44cde842..207eecce 100644
--- a/helmfile.yaml.gotmpl
+++ b/helmfile.yaml.gotmpl
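Review bot: The new `contexts` map mixes an unquoted key (`src`) with a quoted one (`"files"`); both are valid HCL, but every other attribute name in this hunk is unquoted, so `files = "releases/credhub/files"` keeps the block consistent. The `src` context is checked out at whatever ref `CREDHUB_RELEASE_VERSION` names; if that variable holds a tag rather than a commit, the build input can change under the same version string, which deserves a comment next to `src`, e.g. `# ref taken from CREDHUB_RELEASE_VERSION; use a commit SHA for a reproducible build`.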
@@ -253,7 +253,7 @@ releases:
       - postgresql
     values:
       - dbPassword: {{ .Values.secrets.dbPassword }}
-      - caCertificateSecret: instance-identity
+      - certificateSecret: all-in-one-tls
 
   - name: locket
     namespace: default
diff --git a/releases/credhub/credhub.Dockerfile b/releases/credhub/credhub.Dockerfile
new file mode 100644
index 00000000..e6c47b92
--- /dev/null
+++ b/releases/credhub/credhub.Dockerfile
@@ -0,0 +1,18 @@
+# Build image
+FROM --platform=$BUILDPLATFORM bellsoft/liberica-openjdk-debian:21 AS builder
+
+WORKDIR /app
+COPY --from=src . .
+
+RUN ./gradlew bootJar -x test -x check
+
+# Runtime image
+FROM bellsoft/liberica-openjre-debian:21
+
+WORKDIR /app
+
+COPY --from=files --chmod=0755 /entrypoint.sh /entrypoint.sh
+COPY --from=builder /app/applications/credhub-api/build/libs/credhub.jar .
+
+EXPOSE 9000
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/releases/credhub/files/entrypoint.sh b/releases/credhub/files/entrypoint.sh
new file mode 100644
index 00000000..11cbda5d
--- /dev/null
+++ b/releases/credhub/files/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+APPLICATION_YAML=${APPLICATION_YAML:-/application.yml}
+
+if [ ! -f "/ssl/trust_store.jks" ]; then
+  echo "Creating trust store from CA certificate"
+  keytool -import -noprompt -trustcacerts -alias uaa_ca -file /ssl/ca.crt -keystore /tmp/trust_store.jks -storepass ${TRUST_STORE_PASSWORD}
+  export TRUST_STORE_PATH=/tmp/trust_store.jks
+fi
+
+JAVA_OPTS="-Djava.security.egd=file:/dev/urandom"
+JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=4096"
+JAVA_OPTS="$JAVA_OPTS -Djdk.tls.namedGroups=\"secp384r1\""
+JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${TRUST_STORE_PATH}"
+JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${TRUST_STORE_PASSWORD}"
+JAVA_OPTS="$JAVA_OPTS -Dspring.config.location=${APPLICATION_YAML}"
+
+trap 'kill -TERM "$java_pid"' TERM INT
+
+java $JAVA_OPTS -ea -jar /app/credhub.jar --management.server.port=9001 &
+java_pid=$!
+
+wait "$java_pid"
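Review bot: `certificateSecret: all-in-one-tls` makes credhub serve TLS from the same Secret that, going by the SAN list in `certs/all-in-one.conf` (to which this commit appends `DNS.15 = credhub`), is shared with every other component named there, so credhub's private key is no longer distinct from theirs and a key exposure in any pod mounting that Secret also affects credhub. The reload mechanism only needs a Secret carrying `tls.crt`/`tls.key`/`ca.crt`, so a per-component certificate would keep the separation the previous `instance-identity` value appears to have given; if sharing is deliberate, a comment on this line saying so would spare the next reader the question.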
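Review bot: The runtime stage has no `USER` instruction, so unless the pod's securityContext (not in this diff) sets `runAsUser`, the JVM runs as root; the entrypoint only writes under `/tmp`, which the chart mounts as an emptyDir, so `USER 65534:65534` placed before `ENTRYPOINT` should work without further changes. Both base images are pulled by the mutable `:21` tag; pinning by digest (`bellsoft/liberica-openjre-debian:21@sha256:<digest>`) would make the image reproducible and auditable. The builder runs `./gradlew bootJar -x test -x check`; a one-line comment recording why tests and checks are skipped at image-build time would help whoever later wonders whether they run anywhere else.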
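Review bot: The auth-server trust store is built once at startup by the `keytool -import` line from `/ssl/ca.crt`, so a rotated CA reaches the Spring `credhub` bundle (whose `reload-on-update` covers the server keystore and truststore) but not `auth-server.trust_store`, which keeps the JKS generated at boot until the container restarts; a comment above the `if`, e.g. `# NOTE: the auth-server trust store is generated at startup only; CA rotation still needs a restart`, makes that limit of "hot reload" explicit. The condition tests the hard-coded `/ssl/trust_store.jks` while everything else consumes `TRUST_STORE_PATH`, so `if [ ! -f "${TRUST_STORE_PATH:-/ssl/trust_store.jks}" ]; then` keeps the check and the variable in step. The store password is passed on the command line twice (`-storepass ${TRUST_STORE_PASSWORD}` and `-Djavax.net.ssl.trustStorePassword=...`), where any process in the container can read it from the process list; keytool accepts `-storepass:env TRUST_STORE_PASSWORD`, and the unquoted expansion should be quoted in any case. After the trap sends SIGTERM, the `wait "$java_pid"` returns immediately and the script (PID 1) exits while the JVM is still shutting down; `trap 'kill -TERM "$java_pid"; wait "$java_pid"' TERM INT` lets the graceful shutdown finish before the container stops.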
diff --git a/releases/credhub/helm/files/credhub.yaml b/releases/credhub/helm/files/credhub.yaml
index 38b6ed5b..cee1e134 100644
--- a/releases/credhub/helm/files/credhub.yaml
+++ b/releases/credhub/helm/files/credhub.yaml
@@ -1,8 +1,8 @@
 {{ $_ := required ".Values.dbPassword must be provided" .Values.dbPassword }}
 auth-server:
   url: {{ .Values.uaa.address }}
-  trust_store: /app/stores/trust_store.jks
-  trust_store_password: changeit
+  trust_store: ${TRUST_STORE_PATH}
+  trust_store_password: ${TRUST_STORE_PASSWORD}
 encryption:
   key_creation_enabled: true
   providers:
@@ -46,17 +46,34 @@ server:
   port: 8844
   ssl:
     enabled: true
-    key_store: /app/stores/key_store.jks
-    key_store_password: changeit
-    key_password: changeit
-    key_alias: cert
+    bundle: credhub
     ciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
     client_auth: want
-    trust_store: /app/stores/trust_store.jks
-    trust_store_password: changeit
-    trust_store_type: JKS
     enabled_protocols: TLSv1.2,TLSv1.3
+  tomcat:
+    accesslog:
+      enabled: true
+      pattern: '%h %l %u %t "%r" %s %b %D'
+      directory: /dev
+      prefix: stdout
+      suffix:
+      file-date-format:
+      buffered: false
+      rotate: false
 spring:
+  ssl:
+    bundle:
+      pem:
+        credhub:
+          reload-on-update: true
+          keystore:
+            certificate: file:/ssl/tls.crt
+            private-key: file:/ssl/tls.key
+          truststore:
+            certificate: file:/ssl/ca.crt
+      watch:
+        file:
+          quiet-period: 1s
   flyway:
     enabled: true
     locations:
diff --git a/releases/credhub/helm/templates/credhub.yaml b/releases/credhub/helm/templates/credhub.yaml
index 24ec906e..3ac46297 100644
--- a/releases/credhub/helm/templates/credhub.yaml
+++ b/releases/credhub/helm/templates/credhub.yaml
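Review bot: The reload path (`reload-on-update: true` with `watch.file.quiet-period: 1s`) relies on the watcher noticing changes under `/ssl`, and Kubernetes refreshes a Secret volume by atomically swapping a symlinked directory rather than rewriting `tls.crt`/`tls.key` in place; it is worth confirming, and recording in a comment next to `watch:`, that the Spring Boot version credhub is built against follows that symlink swap, otherwise the bundle silently keeps the old key material. The access-log pattern `'%h %l %u %t "%r" %s %b %D'` writes the full request line to stdout, and credhub's `GET /api/v1/data?name=...` lookups carry the credential name in the query string, so credential names (not values) will land in pod logs; a comment such as `# %r logs the full request line, including credential names in query strings` or a pattern that drops the query string would make that trade-off explicit. `suffix:` and `file-date-format:` are bare values; writing `suffix: ""` and `file-date-format: ""` states "no suffix, no date" directly instead of relying on the loader's null-to-empty-string mapping.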
@@ -36,25 +36,16 @@ spec:
           env:
             - name: TRUST_STORE_PASSWORD
               value: changeit
-            - name: KEY_STORE_PASSWORD
-              value: changeit
-            - name: ENCRYPTION_PASSWORD
-              value: changeit
-            - name: SERVER_CA_PRIVATE_KEY_PATH
-              value: /etc/ssl/ca/tls.key
-            - name: SERVER_CA_CERT_PATH
-              value: /etc/ssl/ca/tls.crt
-            - name: UAA_CA_PATH
-              value: /etc/ssl/ca/tls.crt
-            - name: UAA_URL
-              value: https://uaa.{{ .Release.Namespace }}.svc.cluster.local
-            - name: SUBJECT_ALTERNATIVE_NAMES
-              value: "DNS:{{ .Values.hostname }},DNS:credhub.{{ .Release.Namespace }}.svc.cluster.local,DNS:credhub.{{ .Release.Namespace }}.svc,DNS:credhub.{{ .Release.Namespace }},DNS:credhub"
+            - name: TRUST_STORE_PATH
+              value: /ssl/trust_store.jks
           volumeMounts:
             - name: config
-              mountPath: /app/config
-            - name: ca
-              mountPath: /etc/ssl/ca
+              mountPath: /application.yml
+              subPath: application.yml
+            - name: ssl
+              mountPath: /ssl
+            - name: tmp
+              mountPath: /tmp
       {{- if .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml .Values.nodeSelector | nindent 8 }}
@@ -67,9 +58,11 @@ spec:
         - name: config
           configMap:
             name: credhub-config
-        - name: ca
+        - name: tmp
+          emptyDir: {}
+        - name: ssl
           secret:
-            secretName: {{ required "caCertificateSecret is required" .Values.caCertificateSecret }}
+            secretName: {{ required "certificateSecret is required" .Values.certificateSecret }}
 ---
 apiVersion: v1
 kind: Service
diff --git a/releases/credhub/helm/values.schema.json b/releases/credhub/helm/values.schema.json
index 00e5b855..e165f4da 100644
--- a/releases/credhub/helm/values.schema.json
+++ b/releases/credhub/helm/values.schema.json
@@ -2,7 +2,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "additionalProperties": false,
   "properties": {
-    "caCertificateSecret": {
+    "certificateSecret": {
       "type": "string"
     },
     "dbPassword": {
diff --git a/releases/credhub/helm/values.yaml b/releases/credhub/helm/values.yaml
index 2d1b6dcf..a1dda510 100644
--- a/releases/credhub/helm/values.yaml
+++ b/releases/credhub/helm/values.yaml
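Review bot: `TRUST_STORE_PATH` is set to `/ssl/trust_store.jks`, a file inside the `ssl` Secret mount, but the entrypoint only honours that path when the file exists and otherwise generates a JKS in `/tmp` and re-exports the variable; with a TLS-style Secret that ships only `tls.crt`/`tls.key`/`ca.crt` the env value is never the effective path, so it should either be documented (`# only used if the secret ships a ready-made trust_store.jks; otherwise the entrypoint builds one in /tmp`) or dropped so the script's fallback is the single source of truth. The `config` mount uses `subPath`, and subPath mounts never receive ConfigMap updates; that is fine for a file read once at startup, but a comment on `subPath: application.yml` would stop anyone expecting it to hot-reload alongside `/ssl`.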
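Review bot: The new `ssl` Secret volume delivers the private key `tls.key` but sets no `defaultMode`, so the file is created with the default `0644` and is readable by every user in the container; adding `defaultMode: 0400` under `secret:` (an integer, not a quoted string, as Kubernetes' YAML parser reads the octal form) together with a matching `runAsUser`/`fsGroup` in the pod securityContext limits it to the process that needs it. The `tmp` emptyDir only has to hold the generated trust store, so a small `sizeLimit` or a comment to that effect keeps it from turning into general scratch space.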
@@ -12,4 +12,4 @@ tolerations: ~
 dbPassword: ~
-caCertificateSecret: ""
+certificateSecret: ""