resolve #207 support for import SSL certificates into Java truststore

idealista · Jun 5, 2023 · 3d92903 · 3d92903
1 parent d655dee
commit 3d92903
Show file tree

Hide file tree

Showing 27 changed files with 253 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -54,6 +54,9 @@ env:
   - DOCKER_IMAGE_BASE=quay.io/centos/centos:stream8 JDK_MAJOR=11 JDK_VERSION=11.0.13.0.8
     DOCKER_TAG_TO_PUBLISH=11.0.13.0.8-centos8-openjdk-headless
 
+  # SSL certificates scenario  
+  - DOCKER_IMAGE_BASE=debian:buster-slim JDK_VENDOR=openjdk-certs
+
   # Java 17
   - DOCKER_IMAGE_BASE=debian:bullseye-slim DOCKER_TAG_TO_PUBLISH=17-bullseye-openjdk-headless
   - DOCKER_IMAGE_BASE=debian:bullseye-slim JDK_MAJOR=17 JDK_VERSION=17.0.6+10-1~deb11u1

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a changelog](https://github.com/olivierlacan/keep-a-changelog).
 
 ## [Unreleased](https://github.com/idealista/java_role/tree/develop)
+### Added
+- *[#207](https://github.com/idealista/java_role/issues/207) Add support for import SSL certificates into Java's truststore* @emepege
 
 ## [8.0.0](https://github.com/idealista/java_role/tree/8.0.0) (2022-08-10)
 [Full Changelog](https://github.com/idealista/java_role/compare/7.1.0...8.0.0)

diff --git a/README.md b/README.md
@@ -124,6 +124,16 @@ CentOS 8 | `1.8.0`
 CentOS 8 | `11` (default)
 
 Other OpenJDK implementations out of GNU/Linux distributions streams are not officially supported, but it's easy use this role too adding extra repositories (see vars/ in AdoptOpenJDK and Corretto directories).
+
+### Adding certificates into Java's truststore
+
+This role supports adding certificates into Java's truststore. Truststore location may change depending on Java version:
+
+- Truststore location for Java 9 onwards: $JAVA_HOME/lib/security/cacerts
+- Truststore location for Java prior to 9: $JAVA_HOME/jre/lib/security/cacerts
+
+A specific truststore location should be selected overriding `java_keystore_dir` variable using group vars/host vars. In addition, you must to set which certificates you want to add setting `java_certs` variable and the truststore password setting `java_cert_keystore_pass`
+
 ## Testing
 
 ```sh

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -3,3 +3,9 @@ java_jdk_vendor: openjdk
 
 java_open_jdk_apt_extra_packages: []
 java_open_jdk_home: /usr/lib/jvm/{{ java_open_jdk_home_dir }}
+
+# java_certs:
+#   - java_cert_path: /path/to/cert/ssl.crt
+#     java_cert_alias: ssl
+#
+# java_cert_keystore_pass: changeit
diff --git a/molecule/openjdk-certs/Dockerfile.j2 b/molecule/openjdk-certs/Dockerfile.j2
@@ -0,0 +1,16 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN mkdir -p /usr/share/man/man1
+RUN if [ $(command -v apt-get) ]; then sed -i -e 's/^APT/# APT/' -e 's/^DPkg/# DPkg/' /etc/apt/apt.conf.d/docker-clean; fi
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python36 sudo python3-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi
diff --git a/molecule/openjdk-certs/converge.yml b/molecule/openjdk-certs/converge.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Converge
+  hosts: openjdk
+  roles:
+    - java_role
diff --git a/molecule/openjdk-certs/files/ssl.crt b/molecule/openjdk-certs/files/ssl.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfkCFCDQip+sJfpHN2tcLCd8SgKRWlcEMA0GCSqGSIb3DQEBCwUAMEUx
+CzAJBgNVBAYTAkVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjMwNjA1MTEwNTE3WhcNMjMwNzA1MTEw
+NTE3WjBFMQswCQYDVQQGEwJFUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAsZotx9CdrUH2SwzmKlRQJVeD40tvnP/tX66i2gNgkFy4hpac
+kl9fcdTKNkLdLpl5hola+FJNQpDnUGToQRY2x2XtmnqKA/vGpXZVLizH6rxy5YAj
+5cjR2tYt89P2URXGVU5+8AJWANh1bONln4Qu8UOP6/AVlTrWl79nlOBqj+6rsVOW
+HgzdqE0hJnoKcVlTGb0OPnYNjDcsfLz9FJYgbPognhDk4EBD3GqJt5+J9ijXaiWh
+Q4rJ8/vInJt6Boqdz7KtCfD/VeWwLJDmtihJ6lseyo9WU2umPdOPz20Thk1k+VkN
+zpUvDS+bmQqQxlOiZi+1Z7OZaTNRfxVytEy3IwIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQA85o3erbRCnqJg70E7z19+F/o8Tg0cnl3oHU1GbAOrkzcxzcHLH05dN+BT
+bUGr//E+hgICeh14bDBCwtO3K2oDBRC82pYnTsDIK1my90fEQmvDMi+K/o4xw0pM
+yQBYmpnggS5+NJExx+MNBUUnAdQ0eH/wTyABz9PJL8MT8VR5K5/XIQCZYLwxyWYb
+4ga5ZQN5Jg9J2Dc/BIfLUXJavkIT2TINYDB6uhu6XeT5Qa0l+n621bMTle8ygleP
+CjasBNJsjgYNJi/1rO2DChKCPAAiObqHL+Wu0fdcHk+H5bDxoHXqil7s9l9hhv74
+oZFRmw2LG75mEonyXB90R2e9ZPXi
+-----END CERTIFICATE-----
diff --git a/molecule/openjdk-certs/group_vars/all.yml b/molecule/openjdk-certs/group_vars/all.yml
@@ -0,0 +1,7 @@
+---
+
+java_certs:
+  - java_cert_path: /tmp/ssl.crt
+    java_cert_alias: ssl
+
+java_cert_keystore_pass: changeit
diff --git a/molecule/openjdk-certs/molecule.yml b/molecule/openjdk-certs/molecule.yml
@@ -0,0 +1,28 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+
+lint: |
+    yamllint .
+    ansible-lint .
+
+platforms:
+  - name: openjdktest
+    groups:
+      - openjdk
+    image: ${DOCKER_IMAGE_BASE:-debian:buster-slim}
+
+provisioner:
+  name: ansible
+  inventory:
+    group_vars:
+      openjdk:
+        java_jdk_vendor: openjdk
+        java_open_jdk_version: ${JDK_VERSION}
+        java_open_jdk_version_major: ${JDK_MAJOR}
+scenario:
+  name: certs
+verifier:
+  name: ansible
diff --git a/molecule/openjdk-certs/prepare.yml b/molecule/openjdk-certs/prepare.yml
@@ -0,0 +1,9 @@
+---
+- name: Prepare
+  hosts: openjdktest
+  gather_facts: false
+  tasks:
+    - name: Copy SSL certificate
+      copy:
+        src: "{{ playbook_dir }}/files/ssl.crt"
+        dest: /tmp/ssl.crt
diff --git a/molecule/openjdk-certs/tests/test_openjdk.yml b/molecule/openjdk-certs/tests/test_openjdk.yml
@@ -0,0 +1,16 @@
+---
+
+file:
+  {{ java_open_jdk_home }}/lib:
+    exists: true
+    filetype: directory
+package:
+{% if java_open_jdk_version is defined and java_open_jdk_version is not sameas None and java_open_jdk_version != "" %}
+  {{ java_open_jdk_package }}:
+      installed: true
+      versions:
+        - {{ java_open_jdk_version }}
+{% else %}
+  {{ java_open_jdk_package }}:
+      installed: true
+{% endif %}
diff --git a/molecule/openjdk-certs/verify.yml b/molecule/openjdk-certs/verify.yml
@@ -0,0 +1,86 @@
+---
+# This is an example playbook to execute goss tests.
+# Tests need distributed to the appropriate ansible host/groups
+# prior to execution by `goss validate`.
+#
+# The goss ansible module is installed with molecule.  The ANSIBLE_LIBRARY
+# path is updated appropriately on `molecule verify`.
+
+# Details about ansible module:
+#  - https://github.com/indusbox/goss-ansible
+
+- name: Verify
+  hosts: all
+  vars:
+    goss_version: v0.3.16
+    goss_sha256sum: 827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb
+    goss_arch: amd64
+    goss_dst: /usr/local/bin/goss
+    goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}"
+    goss_test_directory: /tmp
+    goss_format: documentation
+    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
+
+  vars_files:
+    - ../../defaults/main.yml
+
+  tasks:
+    - name: Java | Gather OS specific variables
+      include_vars: "../../vars/{{  java_jdk_vendor  }}/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+
+    - name: Gather architecture specific variables
+      include_vars: "../../vars/architecture.yml"
+
+    # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
+    # Allowing to 'override' variables that are defined using include_vars
+
+    - name: Java | Setting OS specific variables
+      set_fact:
+        java_open_jdk_version: "{{ java_open_jdk_version if java_open_jdk_version is defined and java_open_jdk_version is not sameas None }}"
+        java_open_jdk_version_major: "{{ java_open_jdk_version_major if java_open_jdk_version_major is defined and java_open_jdk_version_major is not sameas None and java_open_jdk_version_major else __java_open_jdk_version_major }}"  # noqa 204
+
+    - name: Java | Setting OS specific variables (II)
+      set_fact:
+        java_open_jdk_home_dir: "{{ java_open_jdk_home_dir if java_open_jdk_home_dir is defined and java_open_jdk_home_dir is not sameas None and java_open_jdk_home_dir else __java_open_jdk_home_dir }}"  # noqa 204
+        java_open_jdk_package: "{{ java_open_jdk_package if java_open_jdk_package is defined and java_open_jdk_package is not sameas None and java_open_jdk_package else __java_open_jdk_package }}"  # noqa 204
+
+    - name: Java | Setting specific variables
+      set_fact:
+        java_home: "{{ java_open_jdk_home }}"
+
+    - name: Download and install goss
+      get_url:
+        url: "{{ goss_url }}"
+        dest: "{{ goss_dst }}"
+        mode: 0755
+
+    - name: Copy tests to remote
+      template:
+        src: "{{ item }}"
+        dest: "{{ goss_test_directory }}/{{ item | basename }}"
+      with_fileglob:
+        - "{{ playbook_dir }}/tests/test_*.yml"
+
+    - name: Register test files
+      shell: "ls {{ goss_test_directory }}/test_*.yml"
+      register: test_files
+      changed_when: false
+
+    - name: Execute Goss tests
+      command: "goss -g {{ item }} validate --format {{ goss_format }}"
+      register: test_results
+      with_items: "{{ test_files.stdout_lines }}"
+      ignore_errors: true
+      changed_when: false
+
+    - name: Display details about the goss results
+      debug:
+        msg: "{{ item.stdout_lines }}"
+      with_items: "{{ test_results.results }}"
+
+    - name: Fail when tests fail
+      fail:
+        msg: "Goss failed to validate"
+      when: item.rc != 0
+      with_items: "{{ test_results.results }}"
diff --git a/tasks/import_certs.yml b/tasks/import_certs.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Java | Check if certificates exists
+  stat:
+    path: "{{ item.java_cert_path }}"
+  with_items: "{{ java_certs }}"
+  register: check_java_certs
+
+- name: Java | Fail if some cert doesn't exist
+  fail:
+    msg: "Certificate {{ item.item.java_cert_path }} doesn't exist"
+  with_items: "{{ check_java_certs.results }}"
+  when: not item.stat.exists
+
+- name: Java | Setting keystore variables
+  set_fact:
+    java_keystore_dir: "{{ java_keystore_dir if java_keystore_dir is defined and java_keystore_dir is not sameas None and java_keystore_dir else __java_keystore_dir }}"
+
+- name: Java | Import SSL certificates
+  java_cert:
+    cert_path: "{{ item.java_cert_path }}"
+    keystore_path: "{{ java_open_jdk_home }}/{{ java_keystore_dir }}/cacerts"
+    keystore_pass: "{{ java_cert_keystore_pass }}"
+    state: present
+    cert_alias: "{{ item.java_cert_alias }}"
+  with_items: "{{ java_certs }}"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,3 +4,9 @@
   include_tasks: install_openjdk.yml
   tags:
     - install
+
+- name: Java | Import certificates into Java Keystore
+  include_tasks: import_certs.yml
+  when: java_certs is defined
+  tags:
+    - certs
diff --git a/vars/adoptopenjdk/CentOS-8.yml b/vars/adoptopenjdk/CentOS-8.yml
@@ -1,6 +1,7 @@
 ---
 java_open_jdk_apt_extra_packages: []
 __java_open_jdk_version_major: 8
+__java_keystore_dir: jre/lib/security
 # Supported major releases: 8 and from 11 to 14; hotspot and openj9 implementations
 
 __java_required_repositories_openjdk:

diff --git a/vars/adoptopenjdk/Debian-10.yml b/vars/adoptopenjdk/Debian-10.yml
@@ -3,6 +3,7 @@ java_open_jdk_apt_extra_packages:
   - python-apt
   - apt-transport-https
 __java_open_jdk_version_major: 8
+__java_keystore_dir: jre/lib/security
 # Supported major releases: 8 and from 11 to 14; hotspot and openj9 implementations
 
 # For Debian family

diff --git a/vars/adoptopenjdk/Debian-11.yml b/vars/adoptopenjdk/Debian-11.yml
@@ -4,6 +4,7 @@ java_open_jdk_apt_extra_packages:
   - apt-transport-https
   - gnupg2
 __java_open_jdk_version_major: 8
+__java_keystore_dir: jre/lib/security
 # Supported major releases: 8 and from 11 to 14; hotspot and openj9 implementations
 
 # For Debian family

diff --git a/vars/corretto/CentOS-8.yml b/vars/corretto/CentOS-8.yml
@@ -1,5 +1,6 @@
 ---
 __java_open_jdk_version_major: 1.8.0
+__java_keystore_dir: jre/lib/security
 # Supported versions: 8 (1.8.0 in RHEL), 11
 
 __java_required_repositories_openjdk:

diff --git a/vars/corretto/Debian-10.yml b/vars/corretto/Debian-10.yml
@@ -4,6 +4,7 @@ java_open_jdk_apt_extra_packages:
   - apt-transport-https
 
 __java_open_jdk_version_major: 1.8.0
+__java_keystore_dir: jre/lib/security
 # Supported versions: 8 (1.8.0L), 11
 
 __java_required_repositories_openjdk:

diff --git a/vars/corretto/Debian-11.yml b/vars/corretto/Debian-11.yml
@@ -5,6 +5,7 @@ java_open_jdk_apt_extra_packages:
   - gnupg2
 
 __java_open_jdk_version_major: 1.8.0
+__java_keystore_dir: jre/lib/security
 # Supported versions: 8 (1.8.0L), 11
 
 __java_required_repositories_openjdk:

diff --git a/vars/openjdk/CentOS-7.yml b/vars/openjdk/CentOS-7.yml
@@ -2,6 +2,7 @@
 
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 11
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 1.6.0, 1.7.0, 1.8.0, 11
 #
 __java_required_repositories_openjdk: []

diff --git a/vars/openjdk/CentOS-8.yml b/vars/openjdk/CentOS-8.yml
@@ -2,6 +2,7 @@
 
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 11
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 1.8.0, 11
 
 __java_required_repositories_openjdk: []

diff --git a/vars/openjdk/Debian-10.yml b/vars/openjdk/Debian-10.yml
@@ -2,6 +2,7 @@
 
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 11
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 11
 
 __java_required_repositories_openjdk: []

diff --git a/vars/openjdk/Debian-11.yml b/vars/openjdk/Debian-11.yml
@@ -2,6 +2,7 @@
 
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 11
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 11, 17
 
 __java_required_repositories_openjdk: []

diff --git a/vars/openjdk/Ubuntu-18.yml b/vars/openjdk/Ubuntu-18.yml
@@ -6,6 +6,7 @@ java_open_jdk_apt_extra_packages:
 
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 11
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 8, 11
 
 __java_required_repositories_openjdk: []

diff --git a/vars/openjdk/Ubuntu-20.yml b/vars/openjdk/Ubuntu-20.yml
@@ -5,6 +5,7 @@ java_open_jdk_apt_extra_packages:
   - gnupg2
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 17
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 8, 11, 13, 14, 17
 
 __java_required_repositories_openjdk: []

diff --git a/vars/openjdk/Ubuntu-22.yml b/vars/openjdk/Ubuntu-22.yml
@@ -5,6 +5,7 @@ java_open_jdk_apt_extra_packages:
   - gnupg2
 # Using pattern described in Ansible Best Practices and Conventions (Appendix B), Ansible for Devops (p. 406)
 __java_open_jdk_version_major: 17
+__java_keystore_dir: lib/security
 # Supported openjdk major releases: 8, 11, 17, 18
 
 __java_required_repositories_openjdk: []