diff --git a/kubernetes/hmda-auth/templates/deployment.yaml b/kubernetes/hmda-auth/templates/deployment.yaml
index e320288388..4e480a2e9c 100644
--- a/kubernetes/hmda-auth/templates/deployment.yaml
+++ b/kubernetes/hmda-auth/templates/deployment.yaml
@@ -21,10 +21,59 @@ spec:
app: {{ template "hmda-auth.name" . }}
release: {{ .Release.Name }}
spec:
+ initContainers:
+ - args:
+ - cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/
+ command:
+ - /bin/sh
+ - -c
+ - --
+ image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0
+ name: hmda-init
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /opt/docker/temporary
+ name: jksfolder
+ - mountPath: /opt/docker/certs/ca-cert
+ name: ca-cert
+ readOnly: false
+ - mountPath: /opt/docker/certs/keycloak-cert
+ name: keycloak-cert
+ readOnly: false
+ - mountPath: /opt/docker/certs/keycloak-key
+ name: keycloak-key
+ readOnly: false
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
volumes:
- name: tz-config
hostPath:
path: /usr/share/zoneinfo/America/New_York
+ - emptyDir: {}
+ name: jksfolder
+ - name: ca-cert
+ secret:
+ defaultMode: 420
+ items:
+ - key: ca.crt
+ path: ca-crt
+ secretName: keycloak-tls-secrets
+ - name: keycloak-cert
+ secret:
+ defaultMode: 420
+ items:
+ - key: tls.crt
+ path: keycloak-crt
+ secretName: keycloak-tls-secrets
+ - name: keycloak-key
+ secret:
+ defaultMode: 420
+ items:
+ - key: tls.key
+ path: keycloak-key
+ secretName: keycloak-tls-secrets
# serviceAccountName: {{ .Values.service.serviceAccount }}
containers:
- name: {{ .Chart.Name }}
@@ -32,6 +81,8 @@ spec:
volumeMounts:
- name: tz-config
mountPath: /etc/localtime
+ - mountPath: /opt/java/openjdk/lib/security/
+ name: jksfolder
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
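Review bot: The `keycloak-key` secret volume is projected with `defaultMode: 420` (0644), so `tls.key` is readable by any UID inside the init container; a private key should be projected with `defaultMode: 256` (0400) on that volume, and `readOnly: false` on the three cert mounts is a no-op (secret volumes are mounted read-only regardless) that reads as if writes were intended, so those three lines can go. The init container's only command is `cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/` and never reads the three cert mounts, so presumably an import step like the one in hmda-data-browser-api was meant to follow here, or the mounts and volumes are dead and should be removed. The image is referenced by the mutable tag `v1.0.0`, which the new Readme's build/push commands reuse; pinning by `@sha256:` digest (placeholder: `hmda-init@sha256:<digest>`) or bumping the tag per rebuild keeps the copied truststore reproducible. The same init-container and emptyDir pattern appears in the modified-lar hunk.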
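Review bot: The new `jksfolder` mount over `/opt/java/openjdk/lib/security/` in the application container has no `readOnly: true`, so the application process can rewrite the JDK's `cacerts` and `java.security` at runtime even though the container sets `readOnlyRootFilesystem: true`; since the init container has finished populating the emptyDir by the time the main container starts, mark the mount `readOnly: true` (`- mountPath: /opt/java/openjdk/lib/security/`, `name: jksfolder`, `readOnly: true`). The same mount appears in the modified-lar hunk.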
@@ -40,79 +91,69 @@ spec:
- ALL
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- - name: HMDA_RUNTIME_MODE
- value: {{ .Values.hmda.runtimeMode }}
- - name: BANK_FILTER_LIST
- valueFrom:
- configMapKeyRef:
- name: bank-filter-configmap
- key: bank-filter-list
- - name: KEYCLOAK_REALM_URL
- valueFrom:
- configMapKeyRef:
- name: http-configmap
- key: auth.realmUrl
- - name: KEYCLOAK_AUTH_URL
- valueFrom:
- configMapKeyRef:
- name: http-configmap
- key: auth.url
- - name: KEYCLOAK_PUBLIC_MODULUS
- valueFrom:
- configMapKeyRef:
- name: keycloak-public-key-configmap
- key: keycloak.publicKey.modulus
- - name: KEYCLOAK_PUBLIC_EXPONENT
- valueFrom:
- configMapKeyRef:
- name: keycloak-public-key-configmap
- key: keycloak.publicKey.exponent
- - name: KEYCLOAK_ADMIN_USERNAME
- valueFrom:
- secretKeyRef:
- name: hmda-auth-credentials
- key: admin-username
- - name: KEYCLOAK_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: hmda-auth-credentials
- key: admin-password
- - name: PG_HOST
- valueFrom:
- secretKeyRef:
- name: inst-postgres-credentials
- key: host
- - name: PG_DATABASE
- valueFrom:
- configMapKeyRef:
- name: postgresql-configmap
- key: postgres.database
- - name: PG_USER
- valueFrom:
- secretKeyRef:
- name: inst-postgres-credentials
- key: username
- - name: PG_PASSWORD
- valueFrom:
- secretKeyRef:
- name: inst-postgres-credentials
- key: password
- - name: PG_SSL
- valueFrom:
- configMapKeyRef:
- name: postgresql-configmap
- key: postgres.ssl
- resources:
-{{ toYaml .Values.resources | indent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . 
| indent 8 }}
- {{- end }}
+ - name: _JAVA_OPTIONS
+ value: >
+ -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
+ -Dcom.sun.security.enableAIAcaIssuers=true
+ - name: HMDA_RUNTIME_MODE
+ value: {{ .Values.hmda.runtimeMode }}
+ - name: BANK_FILTER_LIST
+ valueFrom:
+ configMapKeyRef:
+ name: bank-filter-configmap
+ key: bank-filter-list
+ - name: KEYCLOAK_REALM_URL
+ valueFrom:
+ configMapKeyRef:
+ name: http-configmap
+ key: auth.realmUrl
+ - name: KEYCLOAK_AUTH_URL
+ valueFrom:
+ configMapKeyRef:
+ name: http-configmap
+ key: auth.url
+ - name: KEYCLOAK_PUBLIC_MODULUS
+ valueFrom:
+ configMapKeyRef:
+ name: keycloak-public-key-configmap
+ key: keycloak.publicKey.modulus
+ - name: KEYCLOAK_PUBLIC_EXPONENT
+ valueFrom:
+ configMapKeyRef:
+ name: keycloak-public-key-configmap
+ key: keycloak.publicKey.exponent
+ - name: KEYCLOAK_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: hmda-auth-credentials
+ key: admin-username
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: hmda-auth-credentials
+ key: admin-password
+ - name: PG_HOST
+ valueFrom:
+ secretKeyRef:
+ name: inst-postgres-credentials
+ key: host
+ - name: PG_DATABASE
+ valueFrom:
+ configMapKeyRef:
+ name: postgresql-configmap
+ key: postgres.database
+ - name: PG_USER
+ valueFrom:
+ secretKeyRef:
+ name: inst-postgres-credentials
+ key: username
+ - name: PG_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: inst-postgres-credentials
+ key: password
+ - name: PG_SSL
+ valueFrom:
+ configMapKeyRef:
+ name: postgresql-configmap
+ key: postgres.ssl
diff --git a/kubernetes/hmda-data-browser-api/templates/deployment.yaml b/kubernetes/hmda-data-browser-api/templates/deployment.yaml
index 9670077962..da751e741d 100644
--- a/kubernetes/hmda-data-browser-api/templates/deployment.yaml
+++ b/kubernetes/hmda-data-browser-api/templates/deployment.yaml
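Review bot: The new `_JAVA_OPTIONS` entry sets `-Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2`, which explicitly opts `HttpsURLConnection` into SSLv3 and TLS 1.0/1.1 while leaving TLS 1.3 out of the list; unless a peer genuinely requires a legacy protocol this should read `-Dhttps.protocols=TLSv1.2,TLSv1.3` or be dropped so the JDK defaults apply (the JDK's `jdk.tls.disabledAlgorithms` normally still blocks the legacy versions, but the option documents a downgrade and takes effect wherever that list has been relaxed, which the copied `java.security` now controls). The folded scalar `value: >` also keeps a trailing newline in the variable; `value: >-` is the intended form. Separately, the hunk deletes the `resources:` stanza and the `nodeSelector`/`affinity`/`tolerations` blocks with no replacement in the new side, so the container loses its `.Values.resources` limits and the chart silently ignores those values; if that is not intended, the templated stanzas need to come back at the new indentation. Both the `_JAVA_OPTIONS` value and the stanza removal recur in the modified-lar hunks.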
@@ -21,8 +21,7 @@ spec: spec: initContainers: - args: - - apk upgrade --update-cache --available && apk add openssl && - openssl pkcs12 -export -in /opt/docker/certs/redis-cert/redis-crt -inkey /opt/docker/certs/redis-key/redis-key + - openssl pkcs12 -export -in /opt/docker/certs/redis-cert/redis-crt -inkey /opt/docker/certs/redis-key/redis-key -out /opt/docker/server.p12 -name redis-tls -CAfile /opt/docker/certs/ca-cert/ca-crt -caname root -passin pass:changeit -passout pass:changeit && keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /opt/java/openjdk/lib/security/cacerts @@ -33,8 +32,8 @@ spec: - /bin/sh - -c - -- - image: eclipse-temurin:20-jdk-alpine - name: eclipse-temurin-init + image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 + name: hmda-init resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File diff --git a/kubernetes/hmda-init/Dockerfile b/kubernetes/hmda-init/Dockerfile new file mode 100644 index 0000000000..c020db6532 --- /dev/null +++ b/kubernetes/hmda-init/Dockerfile @@ -0,0 +1,9 @@ +FROM eclipse-temurin:23.0.1_11-jdk-alpine + +RUN apk upgrade --update-cache --available && apk add openssl +RUN adduser -H -S -G root -h /opt hmda +RUN mkdir /opt/docker +RUN chmod -R 777 /opt +RUN chown -R hmda /opt + +USER hmda \ No newline at end of file diff --git a/kubernetes/hmda-init/Readme.md b/kubernetes/hmda-init/Readme.md new file mode 100644 index 0000000000..2b3f411668 --- /dev/null +++ b/kubernetes/hmda-init/Readme.md @@ -0,0 +1,8 @@ +## Purpose + +In order to resolve issues with certs required for TLS/SSL connections within our clusters, these missing certs need to be copied over during pod initialization. + + +## How to build/push the Dockerfile +docker build -t 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 --platform=linux/amd64 . +docker push 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 
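Review bot: `RUN chmod -R 777 /opt` makes the entire JDK under `/opt/java/openjdk` world-writable in the init image, far broader than the paths the init containers actually write (`/opt/docker` and `/opt/java/openjdk/lib/security/cacerts` via `keytool`); since `chown -R hmda /opt` already gives the `hmda` user write access, the chmod can be dropped and the chown narrowed to `RUN mkdir /opt/docker && chown -R hmda /opt/docker /opt/java/openjdk/lib/security`. `adduser -G root` makes the service user's primary group `root`, which nothing in the hunks appears to need. The image is built from `eclipse-temurin:23.0.1_11-jdk-alpine`, and the hmda-auth and modified-lar hunks copy its whole `lib/security/*` — `java.security` included — over the application JDK's directory; if the application image runs a different JDK release (the init it replaces used `eclipse-temurin:20-jdk-alpine`), that policy file will not match the running JDK, so pin the init base to the application's JDK line or copy only the truststore. The `\ No newline at end of file` marker also shows the Dockerfile lacks a trailing newline.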
diff --git a/kubernetes/modified-lar/templates/deployment.yaml b/kubernetes/modified-lar/templates/deployment.yaml
index 426741282c..65a4e2f75d 100644
--- a/kubernetes/modified-lar/templates/deployment.yaml
+++ b/kubernetes/modified-lar/templates/deployment.yaml
@@ -22,16 +22,37 @@ spec:
app: {{ include "modified-lar.name" . }}
release: {{ .Release.Name }}
spec:
+ initContainers:
+ - args:
+ - cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/
+ command:
+ - /bin/sh
+ - -c
+ - --
+ image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025
+ name: hmda-init-universal
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /opt/docker/temporary
+ name: jksfolder
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
volumes:
- name: tz-config
hostPath:
path: /usr/share/zoneinfo/America/New_York
+ - emptyDir: {}
+ name: jksfolder
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
volumeMounts:
- name: tz-config
mountPath: /etc/localtime
+ - mountPath: /opt/java/openjdk/lib/security/
+ name: jksfolder
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
@@ -44,6 +65,10 @@ spec:
cpu: "4"
memory: "2200Mi"
env:
+ - name: _JAVA_OPTIONS
+ value: >
+ -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
+ -Dcom.sun.security.enableAIAcaIssuers=true
- name: PG_HOST
valueFrom:
secretKeyRef:
@@ -161,18 +186,4 @@ spec:
valueFrom:
configMapKeyRef:
name: mlar-options-configmap
- key: createDispositionKafkaRecord
- resources:
-{{ toYaml .Values.resources | indent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
+ key: createDispositionKafkaRecord
\ No newline at end of file
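Review bot: The init container here pulls `.../hmda/hmda-auth:init-universal-12092025`, a different repository and a date-stamped tag, while the hmda-auth and hmda-data-browser-api hunks and the new Readme all use `.../hmda/hmda-init:v1.0.0` for the identical `cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/` step; unless a separate image is intended, point this chart at `hmda-init:v1.0.0` (ideally by digest) so the three charts share one reviewed init image. As in the hmda-auth hunks, the `jksfolder` mount over `/opt/java/openjdk/lib/security/` in the application container needs `readOnly: true`, otherwise the application gains a writable `cacerts` and `java.security` despite `readOnlyRootFilesystem: true`. The `cpu: "4"` / `memory: "2200Mi"` context in the second hunk suggests this chart already carries inline limits, so the removal of the templated `resources:` stanza in the third hunk may be deliberate, but `nodeSelector`/`affinity`/`tolerations` have no replacement and their `.Values` are now ignored.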