Merge pull request #4949 from PatrickGoRaft/hmda-auth-cert-bug

resolving cert resolution issue
cfpb · Dec 13, 2024 · 6f3629d · 6f3629d
2 parents b83f620 + 6588dd5
commit 6f3629d
Show file tree

Hide file tree

Showing 5 changed files with 163 additions and 95 deletions.
diff --git a/kubernetes/hmda-auth/templates/deployment.yaml b/kubernetes/hmda-auth/templates/deployment.yaml
@@ -21,17 +21,68 @@ spec:
         app: {{ template "hmda-auth.name" . }}
         release: {{ .Release.Name }}
     spec:
+      initContainers:
+        - args:
+            - cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/
+          command:
+            - /bin/sh
+            - -c
+            - --
+          image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0
+          name: hmda-init
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /opt/docker/temporary
+              name: jksfolder
+            - mountPath: /opt/docker/certs/ca-cert
+              name: ca-cert
+              readOnly: false
+            - mountPath: /opt/docker/certs/keycloak-cert
+              name: keycloak-cert
+              readOnly: false
+            - mountPath: /opt/docker/certs/keycloak-key
+              name: keycloak-key
+              readOnly: false
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
       volumes:
         - name: tz-config
           hostPath:
             path: /usr/share/zoneinfo/America/New_York
+        - emptyDir: {}
+          name: jksfolder
+        - name: ca-cert
+          secret:
+            defaultMode: 420
+            items:
+              - key: ca.crt
+                path: ca-crt
+            secretName:  keycloak-tls-secrets
+        - name: keycloak-cert
+          secret:
+            defaultMode: 420
+            items:
+              - key: tls.crt
+                path: keycloak-crt
+            secretName:  keycloak-tls-secrets
+        - name: keycloak-key
+          secret:
+            defaultMode: 420
+            items:
+              - key: tls.key
+                path: keycloak-key
+            secretName:  keycloak-tls-secrets
       # serviceAccountName: {{ .Values.service.serviceAccount }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           volumeMounts:
             - name: tz-config
               mountPath: /etc/localtime
+            - mountPath: /opt/java/openjdk/lib/security/
+              name: jksfolder
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
@@ -40,79 +91,69 @@ spec:
                 - ALL
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: HMDA_RUNTIME_MODE
-            value: {{ .Values.hmda.runtimeMode }}
-          - name: BANK_FILTER_LIST
-            valueFrom:
-              configMapKeyRef:
-                name: bank-filter-configmap
-                key: bank-filter-list
-          - name: KEYCLOAK_REALM_URL
-            valueFrom:
-              configMapKeyRef:
-                name: http-configmap
-                key: auth.realmUrl
-          - name: KEYCLOAK_AUTH_URL
-            valueFrom:
-              configMapKeyRef:
-                name: http-configmap
-                key: auth.url
-          - name: KEYCLOAK_PUBLIC_MODULUS
-            valueFrom:
-              configMapKeyRef:
-                name: keycloak-public-key-configmap
-                key: keycloak.publicKey.modulus
-          - name: KEYCLOAK_PUBLIC_EXPONENT
-            valueFrom:
-              configMapKeyRef:
-                name: keycloak-public-key-configmap
-                key: keycloak.publicKey.exponent
-          - name: KEYCLOAK_ADMIN_USERNAME
-            valueFrom:
-              secretKeyRef:
-                name: hmda-auth-credentials
-                key: admin-username
-          - name: KEYCLOAK_ADMIN_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: hmda-auth-credentials
-                key: admin-password
-          - name: PG_HOST
-            valueFrom:
-              secretKeyRef:
-                name: inst-postgres-credentials
-                key: host
-          - name: PG_DATABASE
-            valueFrom:
-              configMapKeyRef:
-                name: postgresql-configmap
-                key: postgres.database
-          - name: PG_USER
-            valueFrom:
-              secretKeyRef:
-                name: inst-postgres-credentials
-                key: username
-          - name: PG_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: inst-postgres-credentials
-                key: password
-          - name: PG_SSL
-            valueFrom:
-              configMapKeyRef:
-                name: postgresql-configmap
-                key: postgres.ssl
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
+            - name: _JAVA_OPTIONS
+              value: >
+                -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
+                -Dcom.sun.security.enableAIAcaIssuers=true
+            - name: HMDA_RUNTIME_MODE
+              value: {{ .Values.hmda.runtimeMode }}
+            - name: BANK_FILTER_LIST
+              valueFrom:
+                configMapKeyRef:
+                  name: bank-filter-configmap
+                  key: bank-filter-list
+            - name: KEYCLOAK_REALM_URL
+              valueFrom:
+                configMapKeyRef:
+                  name: http-configmap
+                  key: auth.realmUrl
+            - name: KEYCLOAK_AUTH_URL
+              valueFrom:
+                configMapKeyRef:
+                  name: http-configmap
+                  key: auth.url
+            - name: KEYCLOAK_PUBLIC_MODULUS
+              valueFrom:
+                configMapKeyRef:
+                  name: keycloak-public-key-configmap
+                  key: keycloak.publicKey.modulus
+            - name: KEYCLOAK_PUBLIC_EXPONENT
+              valueFrom:
+                configMapKeyRef:
+                  name: keycloak-public-key-configmap
+                  key: keycloak.publicKey.exponent
+            - name: KEYCLOAK_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: hmda-auth-credentials
+                  key: admin-username
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: hmda-auth-credentials
+                  key: admin-password
+            - name: PG_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: inst-postgres-credentials
+                  key: host
+            - name: PG_DATABASE
+              valueFrom:
+                configMapKeyRef:
+                  name: postgresql-configmap
+                  key: postgres.database
+            - name: PG_USER
+              valueFrom:
+                secretKeyRef:
+                  name: inst-postgres-credentials
+                  key: username
+            - name: PG_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: inst-postgres-credentials
+                  key: password
+            - name: PG_SSL
+              valueFrom:
+                configMapKeyRef:
+                  name: postgresql-configmap
+                  key: postgres.ssl
diff --git a/kubernetes/hmda-data-browser-api/templates/deployment.yaml b/kubernetes/hmda-data-browser-api/templates/deployment.yaml
@@ -21,8 +21,7 @@ spec:
     spec:
       initContainers:
       - args:
-        - apk upgrade --update-cache --available && apk add openssl &&
-          openssl pkcs12 -export -in /opt/docker/certs/redis-cert/redis-crt -inkey /opt/docker/certs/redis-key/redis-key
+        - openssl pkcs12 -export -in /opt/docker/certs/redis-cert/redis-crt -inkey /opt/docker/certs/redis-key/redis-key
           -out /opt/docker/server.p12 -name redis-tls -CAfile /opt/docker/certs/ca-cert/ca-crt -caname root
           -passin pass:changeit -passout pass:changeit &&
           keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /opt/java/openjdk/lib/security/cacerts
@@ -33,8 +32,8 @@ spec:
           - /bin/sh
           - -c
           - --
-        image: eclipse-temurin:20-jdk-alpine
-        name: eclipse-temurin-init
+        image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0
+        name: hmda-init
         resources: {}
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File

diff --git a/kubernetes/hmda-init/Dockerfile b/kubernetes/hmda-init/Dockerfile
@@ -0,0 +1,9 @@
+FROM eclipse-temurin:23.0.1_11-jdk-alpine
+
+RUN apk upgrade --update-cache --available && apk add openssl
+RUN adduser -H -S -G root -h /opt hmda
+RUN mkdir /opt/docker
+RUN chmod -R 777 /opt
+RUN chown -R hmda /opt
+
+USER hmda
diff --git a/kubernetes/hmda-init/Readme.md b/kubernetes/hmda-init/Readme.md
@@ -0,0 +1,8 @@
+## Purpose 
+
+In order to resolve issues with certs required for TLS/SSL connections within our clusters, these missing certs need to be copied over during pod initialization. 
+
+
+## How to build/push the Dockerfile  
+docker build -t 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 --platform=linux/amd64 .
+docker push 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0  
diff --git a/kubernetes/modified-lar/templates/deployment.yaml b/kubernetes/modified-lar/templates/deployment.yaml
@@ -22,16 +22,37 @@ spec:
         app: {{ include "modified-lar.name" . }}
         release: {{ .Release.Name }}
     spec:
+      initContainers:
+        - args:
+            - cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/
+          command:
+            - /bin/sh
+            - -c
+            - --
+          image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025
+          name: hmda-init-universal
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /opt/docker/temporary
+              name: jksfolder
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
       volumes:
         - name: tz-config
           hostPath:
             path: /usr/share/zoneinfo/America/New_York
+        - emptyDir: {}
+          name: jksfolder
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           volumeMounts:
             - name: tz-config
               mountPath: /etc/localtime
+            - mountPath: /opt/java/openjdk/lib/security/
+              name: jksfolder
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
@@ -44,6 +65,10 @@ spec:
               cpu: "4"
               memory: "2200Mi"
           env:
+            - name: _JAVA_OPTIONS
+              value: >
+                -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
+                -Dcom.sun.security.enableAIAcaIssuers=true
             - name: PG_HOST
               valueFrom:
                 secretKeyRef:
@@ -161,18 +186,4 @@ spec:
               valueFrom:
                 configMapKeyRef:
                   name: mlar-options-configmap
-                  key: createDispositionKafkaRecord
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
+                  key: createDispositionKafkaRecord