#!/bin/bash
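#######################################
# Generate a random store password for each of the two named variables
# that is still empty. Safe to call repeatedly: values already set are kept.
# Arguments: $1 - name of the keystore password variable (nameref)
#            $2 - name of the truststore password variable (nameref)
# Returns:   0 on success, 1 if openssl could not produce a value
#######################################
function setPasswords() {
  local -n pass=$1
  local -n trustpass=$2
  # base64 output (A-Z a-z 0-9 + / =) contains neither the '|' delimiter nor
  # '&' or '\', so callers can splice it into an "s|...|...|" sed replacement.
  if [ -z "$pass" ]; then
    if ! pass=$(openssl rand -base64 32 2>/dev/null) || [ -z "$pass" ]; then
      echo "setPasswords: failed to generate a keystore password" >&2
      return 1
    fi
  fi
  # Generated independently so a caller that pre-set only one of the two
  # variables still ends up with both populated.
  if [ -z "$trustpass" ]; then
    if ! trustpass=$(openssl rand -base64 32 2>/dev/null) || [ -z "$trustpass" ]; then
      echo "setPasswords: failed to generate a truststore password" >&2
      return 1
    fi
  fi
  return 0
}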
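#######################################
# Build the PKCS12 keystore and truststore from mounted TLS material and
# write the matching password snippets into the server's configDropins.
# Globals (read): TLS_DIR, EXCLUDE_CONFIG_KEYSTORE, EXCLUDE_CONFIG_TRUSTSTORE,
#   SEC_IMPORT_K8S_CERTS, SEC_TLS_TRUSTDEFAULTCERTS, SNIPPETS_SOURCE,
#   SNIPPETS_TARGET_DEFAULTS, SNIPPETS_TARGET_OVERRIDES, keystorePath
# Outputs: key.p12 / trust.p12 under /output/resources/security, plus the
#   keystore.xml, truststore.xml or trustDefault.xml configuration snippets
# Returns: 0, or 1 if the scratch directory for the Kubernetes CA split
#   cannot be created; other command failures surface via the script's set -e
#######################################
function importKeyCert() {
  local CERT_FOLDER="${TLS_DIR:-/etc/x509/certs}"
  local CRT_FILE="tls.crt"
  local KEY_FILE="tls.key"
  local CA_FILE="ca.crt"
  local PASSWORD=
  local TRUSTSTORE_PASSWORD=
  local TMP_CERT=ca-bundle-temp.crt
  local -r CRT_DELIMITER="/-----BEGIN CERTIFICATE-----/"
  local KUBE_SA_FOLDER="/var/run/secrets/kubernetes.io/serviceaccount"
  local KEYSTORE_FILE="/output/resources/security/key.p12"
  local TRUSTSTORE_FILE="/output/resources/security/trust.p12"
  local -a ca_opts=()
  local certs_tmp=""
  local CERT_FILE=""

  # Import the private key and certificate into a new keystore
  if [ "$EXCLUDE_CONFIG_KEYSTORE" != "false" ] && [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
    echo "Found mounted TLS certificates, generating keystore"
    setPasswords PASSWORD TRUSTSTORE_PASSWORD
    mkdir -p /output/resources/security
    # Chain the mounted CA into the keystore only when one is present.
    if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
      ca_opts=(-certfile "${CERT_FOLDER}/${CA_FILE}")
    fi
    # NOTE: "pass:" (and keytool's -storepass below) put the secret on the
    # command line, where other processes in the container can read it;
    # openssl's "env:" password source is the alternative if that matters here.
    openssl pkcs12 -export \
      -name "defaultKeyStore" \
      -inkey "${CERT_FOLDER}/${KEY_FILE}" \
      -in "${CERT_FOLDER}/${CRT_FILE}" \
      "${ca_opts[@]}" \
      -out "${KEYSTORE_FILE}" \
      -password pass:"${PASSWORD}" >&/dev/null
    # A new keystore was created, so always write its password snippet.
    # PASSWORD is base64 text (no '|', '&' or '\'), so it is safe as a sed replacement.
    sed "s|REPLACE|$PASSWORD|g" "${SNIPPETS_SOURCE}/keystore.xml" > "${SNIPPETS_TARGET_DEFAULTS}/keystore.xml"
    # Add mounted CA to the truststore
    if [ "$EXCLUDE_CONFIG_TRUSTSTORE" != "false" ] && [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
      echo "Found mounted TLS CA certificate, adding to truststore"
      keytool -import -storetype pkcs12 -noprompt -keystore "${TRUSTSTORE_FILE}" -file "${CERT_FOLDER}/${CA_FILE}" \
        -storepass "${TRUSTSTORE_PASSWORD}" -alias "service-ca" >&/dev/null
    fi
  fi

  # Add kubernetes CA certificates to the truststore.
  # CA bundles need to be split and added as individual certificates.
  if [ "$EXCLUDE_CONFIG_TRUSTSTORE" != "false" ] && [ "$SEC_IMPORT_K8S_CERTS" = "true" ] && [ -d "${KUBE_SA_FOLDER}" ]; then
    # Use a private, unpredictable scratch dir instead of a fixed /tmp/certs,
    # which fails on a re-run if it already exists and could have been
    # pre-created by another process.
    certs_tmp=$(mktemp -d) || return 1
    if ! pushd "${certs_tmp}" >&/dev/null; then
      rm -rf -- "${certs_tmp}"
      return 1
    fi
    cat "${KUBE_SA_FOLDER}"/*.crt >"${TMP_CERT}"
    csplit -s -z -f crt- "${TMP_CERT}" "${CRT_DELIMITER}" '{*}'
    setPasswords PASSWORD TRUSTSTORE_PASSWORD
    for CERT_FILE in crt-*; do
      [ -e "${CERT_FILE}" ] || continue   # nothing split: skip the literal pattern
      keytool -import -storetype pkcs12 -noprompt -keystore "${TRUSTSTORE_FILE}" -file "${CERT_FILE}" \
        -storepass "${TRUSTSTORE_PASSWORD}" -alias "service-sa-${CERT_FILE}" >&/dev/null
    done
    popd >&/dev/null
    rm -rf -- "${certs_tmp}"
  fi

  # Add the keystore password to server configuration
  if [ "$EXCLUDE_CONFIG_KEYSTORE" != "false" ] && [ ! -e "${keystorePath}" ]; then
    setPasswords PASSWORD TRUSTSTORE_PASSWORD
    sed "s|REPLACE|$PASSWORD|g" "${SNIPPETS_SOURCE}/keystore.xml" > "${SNIPPETS_TARGET_DEFAULTS}/keystore.xml"
  fi
  if [ "$EXCLUDE_CONFIG_TRUSTSTORE" != "false" ]; then
    if [ -e "${TRUSTSTORE_FILE}" ]; then
      setPasswords PASSWORD TRUSTSTORE_PASSWORD
      sed "s|PWD_TRUST|$TRUSTSTORE_PASSWORD|g" "${SNIPPETS_SOURCE}/truststore.xml" > "${SNIPPETS_TARGET_OVERRIDES}/truststore.xml"
    elif [ -n "${SEC_TLS_TRUSTDEFAULTCERTS}" ]; then
      cp "${SNIPPETS_SOURCE}/trustDefault.xml" "${SNIPPETS_TARGET_OVERRIDES}/trustDefault.xml"
    fi
  fi
}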
set -e
# Build-time configuration snippets and the configDropins directories they
# are copied into.
SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
keystorePath="${SNIPPETS_TARGET_DEFAULTS}/keystore.xml"
# Either SSL=true or TLS=true enables the TLS configuration snippet.
if [[ "$SSL" == "true" || "$TLS" == "true" ]]; then
  cp "${SNIPPETS_SOURCE}/tls.xml" "${SNIPPETS_TARGET_OVERRIDES}/tls.xml"
fi
importKeyCert
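# Infinispan Session Caching
#######################################
# Resolve the Infinispan connection settings from the environment.
# Globals (read/written): INFINISPAN_SERVICE_NAME (normalized in place),
#   INFINISPAN_HOST, INFINISPAN_PORT, INFINISPAN_USER, INFINISPAN_PASS,
#   LIBERTY_INFINISPAN_SECRET_DIR (defaulted in place)
# Outputs: logs the resolved settings to stdout; the password value itself
#   is never printed
# Returns: 0
#######################################
configureInfinispan() {
  local host_var port_var
  [[ -n "$INFINISPAN_SERVICE_NAME" ]] || return 0
  echo "INFINISPAN_SERVICE_NAME(original): ${INFINISPAN_SERVICE_NAME}"
  # Normalize to the variable-name form used for service discovery:
  # '-' becomes '_' and everything is upper-cased.
  INFINISPAN_SERVICE_NAME=${INFINISPAN_SERVICE_NAME//-/_}
  INFINISPAN_SERVICE_NAME=${INFINISPAN_SERVICE_NAME^^}
  echo "INFINISPAN_SERVICE_NAME(normalized): ${INFINISPAN_SERVICE_NAME}"
  # The name is spliced into a variable name, so it must be a plain identifier;
  # indirect expansion replaces the former eval so an env-supplied value is
  # never evaluated as shell code.
  if [[ ! "$INFINISPAN_SERVICE_NAME" =~ ^[A-Z_][A-Z0-9_]*$ ]]; then
    echo "INFINISPAN_SERVICE_NAME is not a valid identifier; skipping service host/port lookup" >&2
  else
    if [[ -z "$INFINISPAN_HOST" ]]; then
      host_var="${INFINISPAN_SERVICE_NAME}_SERVICE_HOST"
      INFINISPAN_HOST=${!host_var}
      export INFINISPAN_HOST
    fi
  fi
  echo "INFINISPAN_HOST: ${INFINISPAN_HOST}"
  if [[ -z "$INFINISPAN_PORT" ]] && [[ "$INFINISPAN_SERVICE_NAME" =~ ^[A-Z_][A-Z0-9_]*$ ]]; then
    port_var="${INFINISPAN_SERVICE_NAME}_SERVICE_PORT"
    INFINISPAN_PORT=${!port_var}
    export INFINISPAN_PORT
  fi
  echo "INFINISPAN_PORT: ${INFINISPAN_PORT:=11222}"
  if [[ -z "$INFINISPAN_USER" ]]; then
    # First "username" entry of identities.yaml: drop the key, all whitespace
    # and a leading list dash.
    INFINISPAN_USER=$(grep -m 1 username "${LIBERTY_INFINISPAN_SECRET_DIR:=/platform/bindings/infinispan/secret}/identities.yaml" \
      | sed -e 's/username://' -e 's/[[:space:]]*//g' -e 's/^-//')
    export INFINISPAN_USER
  fi
  echo "INFINISPAN_USER: ${INFINISPAN_USER:=developer}"
  if [[ -z "$INFINISPAN_PASS" ]]; then
    INFINISPAN_PASS=$(grep -m 1 password "${LIBERTY_INFINISPAN_SECRET_DIR:=/platform/bindings/infinispan/secret}/identities.yaml" \
      | sed -e 's/password://' -e 's/[[:space:]]*//g')
    export INFINISPAN_PASS
  fi
  # Report only whether a password is present; the value must not reach the
  # container log.
  if [[ -n "$INFINISPAN_PASS" ]]; then
    echo "INFINISPAN_PASS: (set)"
  else
    echo "INFINISPAN_PASS: (not set)"
  fi
  return 0
}
configureInfinispan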
# Pass on to the real server run
if [[ -d "/output/workarea/checkpoint/image" ]]; then
  # A checkpoint image exists: restore it under dumb-init, which must be
  # PID 1 for signal handling because the restored server process cannot be
  # PID 1. --rewrite 15:2 forwards SIGTERM to the child as SIGINT.
  exec dumb-init --rewrite 15:2 -- /opt/ol/helpers/runtime/restore-server.sh "$@"
elif [[ -n "$WLP_CHECKPOINT" ]]; then
  # A checkpoint action was requested. Move it out of the environment first so
  # WLP_CHECKPOINT is not baked into the final image after the checkpoint.
  TMP_CHECKPOINT=$WLP_CHECKPOINT
  unset WLP_CHECKPOINT
  checkpoint.sh "$TMP_CHECKPOINT"
else
  # No checkpoint work: replace this shell with the supplied CMD.
  exec "$@"
fi