feat(jmx): custom entrypoint to support copying TLS certs into trusts…

…tore for JMX

compose/cryostat.yml

@@ -14,6 +14,7 @@ services:
  image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:3.0.0-snapshot}
  volumes:
  - ${XDG_RUNTIME_DIR}/podman/podman.sock:/run/user/1000/podman/podman.sock:Z
+ - jmxtls_cfg:/truststore:U
  security_opt:
  - label:disable
  hostname: cryostat3
@@ -39,3 +40,7 @@ services:
  retries: 3
  start_period: 30s
  timeout: 5s
+
+volumes:
+ jmxtls_cfg:
+ external: true

smoketest.bash

@@ -177,6 +177,8 @@ cleanup() {
  ${container_engine} rm localstack_cfg_helper || true
  ${container_engine} volume rm localstack_cfg || true
  fi
+ ${container_engine} rm jmxtls_cfg_helper || true
+ ${container_engine} volume rm jmxtls_cfg || true
  truncate -s 0 "${HOSTSFILE}"
  for i in "${PIDS[@]}"; do
  kill -0 "${i}" && kill "${i}"
@@ -209,6 +211,13 @@ if [ "${s3}" = "localstack" ]; then
  createLocalstackCfgVolume
 fi
 
+createJmxTlsCertVolume() {
+ "${container_engine}" volume create jmxtls_cfg
+ "${container_engine}" container create --name jmxtls_cfg_helper -v jmxtls_cfg:/truststore busybox
+ "${container_engine}" cp "${DIR}/truststore" jmxtls_cfg_helper:/truststore
+}
+createJmxTlsCertVolume
+
 setupUserHosts() {
  # This requires https://github.com/figiel/hosts to work. See README.
  truncate -s 0 "${HOSTSFILE}"

src/main/docker/Dockerfile.jvm

@@ -88,11 +88,26 @@ LABEL io.cryostat.component=cryostat3
 ENV JAVA_OPTS_APPEND="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
 ENV JAVA_APP_JAR="/deployments/quarkus-run.jar"
 
-ENTRYPOINT [ "/opt/jboss/container/java/run/run-java.sh" ]
+ENTRYPOINT [ "/deployments/app/entrypoint.bash", "/opt/jboss/container/java/run/run-java.sh" ]
 
 # We make distinct layers so if there are application changes the library layers can be re-used
 COPY --chown=185 src/main/docker/include/cryostat.jfc /usr/lib/jvm/jre/lib/jfr/
+COPY --chown=185 src/main/docker/include/genpass.bash /deployments/app/
+COPY --chown=185 src/main/docker/include/entrypoint.bash /deployments/app/
+COPY --chown=185 src/main/docker/include/truststore-setup.bash /deployments/app/
 COPY --chown=185 target/quarkus-app/lib/ /deployments/lib/
 COPY --chown=185 target/quarkus-app/*.jar /deployments/
 COPY --chown=185 target/quarkus-app/app/ /deployments/app/
 COPY --chown=185 target/quarkus-app/quarkus/ /deployments/quarkus/
+
+ENV CONF_DIR=/opt/cryostat.d
+ENV SSL_TRUSTSTORE=$CONF_DIR/truststore.p12 \
+ SSL_TRUSTSTORE_PASS_FILE=$CONF_DIR/truststore.pass
+
+USER root
+RUN mkdir -p $CONF_DIR \
+ && chmod -R g=u $CONF_DIR \
+ && chown jboss:root $CONF_DIR
+USER 185
+
+RUN /deployments/app/truststore-setup.bash

src/main/docker/include/entrypoint.bash

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+
+DIR="$(dirname "$(realpath "$0")")"
+source "${DIR}/genpass.bash"
+
+function banner() {
+ echo "+------------------------------------------+"
+ printf "| %-40s |\n" "$(date)"
+ echo "| |"
+ printf "| %-40s |\n" "$@"
+ echo "+------------------------------------------+"
+}
+
+USRFILE="/tmp/jmxremote.access"
+PWFILE="/tmp/jmxremote.password"
+function createJmxCredentials() {
+ if [ -z "$CRYOSTAT_RJMX_USER" ]; then
+ CRYOSTAT_RJMX_USER="cryostat"
+ fi
+ if [ -z "$CRYOSTAT_RJMX_PASS" ]; then
+ CRYOSTAT_RJMX_PASS="$(genpass)"
+ fi
+
+ echo -n "$CRYOSTAT_RJMX_USER $CRYOSTAT_RJMX_PASS" > "$PWFILE"
+ chmod 400 "$PWFILE"
+ echo -n "$CRYOSTAT_RJMX_USER readwrite" > "$USRFILE"
+ chmod 400 "$USRFILE"
+}
+
+function importTrustStores() {
+ echo "Running as id:$(id -u) group:$(id -g)"
+ if [ -z "$CONF_DIR" ]; then
+ CONF_DIR="/opt/cryostat.d"
+ fi
+ if [ -z "$SSL_TRUSTSTORE_DIR" ]; then
+ SSL_TRUSTSTORE_DIR="/truststore"
+ fi
+
+ if [ ! -d "$SSL_TRUSTSTORE_DIR" ]; then
+ banner "$SSL_TRUSTSTORE_DIR does not exist; no certificates to import"
+ return 0
+ elif [ ! "$(ls -A "$SSL_TRUSTSTORE_DIR")" ]; then
+ banner "$SSL_TRUSTSTORE_DIR is empty; no certificates to import"
+ return 0
+ fi
+
+ SSL_TRUSTSTORE_PASS="$(cat "${SSL_TRUSTSTORE_PASS_FILE:-$CONF_DIR/truststore.pass}")"
+
+ find "$SSL_TRUSTSTORE_DIR" -type f | while IFS= read -r cert; do
+ echo "Importing certificate $cert ..."
+
+ keytool -importcert -v \
+ -noprompt \
+ -alias "imported-$(basename "$cert")" \
+ -trustcacerts \
+ -keystore "${SSL_TRUSTSTORE:-$CONF_DIR/truststore.p12}" \
+ -file "$cert"\
+ -storepass "$SSL_TRUSTSTORE_PASS"
+ done
+
+ FLAGS+=(
+ "-Djavax.net.ssl.trustStore=$SSL_TRUSTSTORE"
+ "-Djavax.net.ssl.trustStorePassword=$SSL_TRUSTSTORE_PASS"
+ )
+}
+
+FLAGS=()
+importTrustStores
+
+if [ "$CRYOSTAT_DISABLE_JMX_AUTH" = "true" ]; then
+ banner "JMX Auth Disabled"
+ FLAGS+=("-Dcom.sun.management.jmxremote.authenticate=false")
+else
+ createJmxCredentials
+ FLAGS+=("-Dcom.sun.management.jmxremote.authenticate=true")
+ FLAGS+=("-Dcom.sun.management.jmxremote.password.file=$PWFILE")
+ FLAGS+=("-Dcom.sun.management.jmxremote.access.file=$USRFILE")
+fi
+
+export JAVA_OPTS_APPEND="${JAVA_OPTS_APPEND} ${FLAGS[*]}"
+exec $1

src/main/docker/include/genpass.bash

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+genpass() {
+ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32
+}

src/main/docker/include/truststore-setup.bash

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -e
+
+DIR="$(dirname "$(realpath "$0")")"
+source "${DIR}/genpass.bash"
+
+SSL_TRUSTSTORE_PASS="$(genpass)"
+
+echo "$SSL_TRUSTSTORE_PASS" > "$SSL_TRUSTSTORE_PASS_FILE"
+
+trap "cd -" EXIT
+cd "$CONF_DIR"
+
+keytool -importkeystore \
+ -noprompt \
+ -storetype PKCS12 \
+ -srckeystore /usr/lib/jvm/jre-17-openjdk/lib/security/cacerts \
+ -srcstorepass changeit \
+ -destkeystore "$SSL_TRUSTSTORE" \
+ -deststorepass "$SSL_TRUSTSTORE_PASS"
+
+chmod 664 "${SSL_TRUSTSTORE}"
+chmod 640 "${SSL_TRUSTSTORE_PASS_FILE}"