pulsar-helm-chart/charts/pulsar/templates/keytool.yaml

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

# script to process key/cert to keystore and truststore
{{- if .Values.tls.zookeeper.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: "{{ template "pulsar.fullname" . }}-keytool-configmap"
  namespace: {{ .Values.namespace }}
  labels:
    {{- include "pulsar.standardLabels" . | nindent 4 }}
    component: keytool 
data:
  keytool.sh: |
    #!/bin/bash
    component=$1
    name=$2
    isClient=$3
    crtFile=/pulsar/certs/${component}/tls.crt
    keyFile=/pulsar/certs/${component}/tls.key
    caFile=/pulsar/certs/ca/ca.crt
    p12File=/pulsar/${component}.p12
    keyStoreFile=/pulsar/${component}.keystore.jks
    trustStoreFile=/pulsar/${component}.truststore.jks
    
    function ensureFileNotEmpty() {
        local file=$1
        local len=$(wc -c ${file} | awk '{print $1}')
        echo "processing ${file} : len = ${len}"
        if [ ! -f ${file} ]; then
            echo "${file} is not found"
            exit -1
        fi
        if [ $len -le 0 ]; then
            echo "${file} is empty"
            exit -1
        fi
    }
    
    ensureFileNotEmpty ${crtFile}
    ensureFileNotEmpty ${keyFile}
    ensureFileNotEmpty ${caFile}
    
    PASSWORD=$(head /dev/urandom | base64 | head -c 24)
    
    openssl pkcs12 \
        -export \
        -in ${crtFile} \
        -inkey ${keyFile} \
        -out ${p12File} \
        -name ${name} \
        -passout "pass:${PASSWORD}"
    
    keytool -importkeystore \
        -srckeystore ${p12File} \
        -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" \
        -alias ${name} \
        -destkeystore ${keyStoreFile} \
        -deststorepass "${PASSWORD}"
    
    keytool -import \
        -file ${caFile} \
        -storetype JKS \
        -alias ${name} \
        -keystore ${trustStoreFile} \
        -storepass "${PASSWORD}" \
        -trustcacerts -noprompt
    
    ensureFileNotEmpty ${keyStoreFile}
    ensureFileNotEmpty ${trustStoreFile}
    
    if [[ "x${isClient}" == "xtrue" ]]; then
        echo $'\n' >> conf/pulsar_env.sh
        echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
        echo $'\n' >> conf/bkenv.sh
        echo "BOOKIE_EXTRA_OPTS=\"${BOOKIE_EXTRA_OPTS} -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/bkenv.sh
    else
        echo $'\n' >> conf/pulsar_env.sh
        echo "PULSAR_EXTRA_OPTS=\"${PULSAR_EXTRA_OPTS} -Dzookeeper.ssl.keyStore.location=${keyStoreFile} -Dzookeeper.ssl.keyStore.password=${PASSWORD} -Dzookeeper.ssl.trustStore.location=${trustStoreFile} -Dzookeeper.ssl.trustStore.password=${PASSWORD}\"" >> conf/pulsar_env.sh
    fi
{{- end }}