fix(certextract): changing certificate extraction to use init contain…

…er (#398)
bcgov · Oct 11, 2024 · f1f9c4b · f1f9c4b
1 parent 22bf82f
commit f1f9c4b
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 7 deletions.
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -9,8 +9,7 @@ COPY .mvn/ ./.mvn
 COPY InstallCert.java .
 
 # Build
-RUN ./mvnw package -Pnative -DskipTests -Dskip.unit.tests=true -Dspring-boot.run.profiles=prod && \
-  javac InstallCert.java
+RUN ./mvnw package -Pnative -DskipTests -Dskip.unit.tests=true -Dspring-boot.run.profiles=prod
 
 ### Deployer
 FROM eclipse-temurin:17.0.12_7-jdk-jammy AS deploy

diff --git a/backend/dockerfile-entrypoint.sh b/backend/dockerfile-entrypoint.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
 
-java -cp /app/artifacts/ InstallCert --quiet "${DATABASE_HOST}:${DATABASE_PORT}"
-keytool -exportcert -alias "${DATABASE_HOST}-1" -keystore jssecacerts -storepass changeit -file oracle.cer
-keytool -importcert -alias orakey -noprompt -cacerts -storepass changeit -file oracle.cer
-
 java \
     -Djava.security.egd=file:/dev/./urandom \
     ${JAVA_OPTS} \

diff --git a/backend/openshift.deploy.yml b/backend/openshift.deploy.yml
@@ -85,7 +85,23 @@ parameters:
     description: Random expression to make sure deployments update
     from: "[a-zA-Z0-9]{32}"
     generate: expression
+  - name: CERT_PVC_SIZE
+    description: The amount of storage the cert PVC should have
+    value: 25Mi
 objects:
+  - kind: PersistentVolumeClaim
+    apiVersion: v1
+    metadata:
+      labels:
+        app: ${NAME}-${ZONE}
+      name: ${NAME}-${ZONE}-${COMPONENT}
+    spec:
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: ${CERT_PVC_SIZE}
+      storageClassName: netapp-file-standard
   - apiVersion: apps/v1
     kind: Deployment
     metadata:
@@ -105,13 +121,39 @@ objects:
             app: "${NAME}-${ZONE}"
             deployment: "${NAME}-${ZONE}-${COMPONENT}"
         spec:
+          initContainers:
+            - name: ${NAME}-${ZONE}-init
+              image: ${REGISTRY}/bcgov/nr-forest-client-commons/certextractor:0.2.12
+              imagePullPolicy: Always
+              env:
+                - name: ORACLEDB_HOST
+                  value: ${DATABASE_HOST}
+                - name: ORACLEDB_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: ${NAME}-${ZONE}-${COMPONENT}
+                      key: oracle-secret
+                - name: ORACLEDB_PORT
+                  value: ${DATABASE_PORT}
+              volumeMounts:
+                - name: ${NAME}-${ZONE}-certs
+                  mountPath: /cert
+              resources:
+                limits:
+                  cpu: ${CPU_LIMIT}
+                  memory: ${MEMORY_LIMIT}
+                requests:
+                  cpu: ${CPU_REQUEST}
+                  memory: ${MEMORY_REQUEST}
           containers:
             - name: ${NAME}-${ZONE}
               image: ${REGISTRY}/${ORG}/${NAME}/${COMPONENT}:${TAG}
               imagePullPolicy: Always
               volumeMounts:
                 - name: ${NAME}-${ZONE}-fluentbit-logs
                   mountPath: /logs
+                - name: ${NAME}-${ZONE}-certs
+                  mountPath: /cert
               env:
                 - name: JAVA_OPTS
                   value: "-Xms256m"
@@ -156,8 +198,13 @@ objects:
                     secretKeyRef:
                       name: ${NAME}-${ZONE}-${COMPONENT}
                       key: oracle-password
+                - name: ORACLEDB_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: ${NAME}-${ZONE}-${COMPONENT}
+                      key: oracle-secret
                 - name: ORACLEDB_KEYSTORE
-                  value: ${ORACLEDB_KEYSTORE}
+                  value: /cert/jssecacerts
                 - name: POSTGRES_HOST
                   value: ${NAME}-${ZONE}-database
                 - name: POSTGRES_DB
@@ -208,6 +255,9 @@ objects:
             - name: ${NAME}-${ZONE}-fluentbit-logs
               persistentVolumeClaim:
                 claimName: ${NAME}-${ZONE}-fluentbit-logs
+            - name: ${NAME}-${ZONE}-certs
+              persistentVolumeClaim:
+                claimName: ${NAME}-${ZONE}-${COMPONENT}
   - apiVersion: v1
     kind: Service
     metadata:

diff --git a/common/openshift.init.yml b/common/openshift.init.yml
@@ -25,6 +25,9 @@ parameters:
   - name: ORACLE_DB_PASSWORD
     description: Oracle database password for API
     required: true
+  - name: ORACLEDB_SECRET
+    description: Oracle database keystore secret/password
+    value: changeit
   - name: PG_DATABASE
     description: Postgres database name
     value: database
@@ -56,7 +59,9 @@ objects:
     stringData:
       oracle-user: ${ORACLE_DB_USER}
       oracle-password: ${ORACLE_DB_PASSWORD}
+      oracle-secret: ${ORACLEDB_SECRET}
       forest-client-api-key: ${FORESTCLIENTAPI_KEY}
+
   - apiVersion: v1
     kind: Secret
     metadata: