From bb213f71888bb982309e899ef5bc382ffd3a6cd1 Mon Sep 17 00:00:00 2001 From: PatrickGoRaft Date: Mon, 9 Dec 2024 18:11:43 -0500 Subject: [PATCH 1/5] resolving cert resolution issue --- kubernetes/hmda-auth/Dockerfile | 9 + .../hmda-auth/templates/deployment.yaml | 193 +++++++++++------- kubernetes/hmda-data-browser-api/Dockerfile | 9 + .../templates/deployment.yaml | 7 +- 4 files changed, 138 insertions(+), 80 deletions(-) create mode 100644 kubernetes/hmda-auth/Dockerfile create mode 100644 kubernetes/hmda-data-browser-api/Dockerfile diff --git a/kubernetes/hmda-auth/Dockerfile b/kubernetes/hmda-auth/Dockerfile new file mode 100644 index 0000000000..c020db6532 --- /dev/null +++ b/kubernetes/hmda-auth/Dockerfile @@ -0,0 +1,9 @@ +FROM eclipse-temurin:23.0.1_11-jdk-alpine + +RUN apk upgrade --update-cache --available && apk add openssl +RUN adduser -H -S -G root -h /opt hmda +RUN mkdir /opt/docker +RUN chmod -R 777 /opt +RUN chown -R hmda /opt + +USER hmda \ No newline at end of file diff --git a/kubernetes/hmda-auth/templates/deployment.yaml b/kubernetes/hmda-auth/templates/deployment.yaml index e320288388..557d32ee20 100644 --- a/kubernetes/hmda-auth/templates/deployment.yaml +++ b/kubernetes/hmda-auth/templates/deployment.yaml 
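Review bot: `RUN chmod -R 777 /opt` makes the whole tree under /opt, including the JDK install, world-writable in this init image, and it is redundant because the following `RUN chown -R hmda /opt` already gives the hmda user write access to everything the init steps need, such as `/opt/java/openjdk/lib/security/cacerts` that the hmda-data-browser-api init container rewrites with keytool. Drop the chmod line and fold ownership into the directory creation, e.g. `RUN mkdir -p /opt/docker && chown -R hmda /opt`; `-G root` puts the new user in the root group, which is not needed once the files are owned by hmda. `apk add openssl` is unpinned and `apk upgrade --update-cache --available` makes the image content depend on build date and leaves the index cache in the layer, so prefer `apk add --no-cache openssl=<version from the base's Alpine release>` and bump the base tag instead of upgrading in place. The identical Dockerfile is added for hmda-data-browser-api later in this patch and the surviving copy is renamed to kubernetes/hmda-init/Dockerfile in patches 3/5 and 4/5, so the same points apply there.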
@@ -21,10 +21,59 @@ spec: app: {{ template "hmda-auth.name" . }} release: {{ .Release.Name }} spec: + initContainers: + - args: + - cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/ + command: + - /bin/sh + - -c + - -- + image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025 + name: hmda-init-universal + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/docker/temporary + name: jksfolder + - mountPath: /opt/docker/certs/ca-cert + name: ca-cert + readOnly: false + - mountPath: /opt/docker/certs/keycloak-cert + name: keycloak-cert + readOnly: false + - mountPath: /opt/docker/certs/keycloak-key + name: keycloak-key + readOnly: false + restartPolicy: Always + terminationGracePeriodSeconds: 30 volumes: - name: tz-config hostPath: path: /usr/share/zoneinfo/America/New_York + - emptyDir: {} + name: jksfolder + - name: ca-cert + secret: + defaultMode: 420 + items: + - key: ca.crt + path: ca-crt + secretName: keycloak-tls-secrets + - name: keycloak-cert + secret: + defaultMode: 420 + items: + - key: tls.crt + path: keycloak-crt + secretName: keycloak-tls-secrets + - name: keycloak-key + secret: + defaultMode: 420 + items: + - key: tls.key + path: keycloak-key + secretName: keycloak-tls-secrets # serviceAccountName: {{ .Values.service.serviceAccount }} containers: - name: {{ .Chart.Name }} @@ -32,6 +81,8 @@ spec: volumeMounts: - name: tz-config mountPath: /etc/localtime + - mountPath: /opt/java/openjdk/lib/security/ + name: jksfolder securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false 
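Review bot: The three secret mounts given to the new init container (ca-cert, keycloak-cert, keycloak-key, all `readOnly: false`) are not read by its only command, `cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/`, so the Keycloak private key (`tls.key`) is exposed to a container that has no use for it. Either remove those three volumeMounts and their matching volumes, or, if a later step in this container is planned, mount them `readOnly: true` and lower the key volume's `defaultMode: 420` (0644) to `defaultMode: 256` (0400). The init container also carries none of the hardening the app container has (`readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, capabilities dropped to `- ALL`); giving it the same `securityContext` block plus `runAsNonRoot: true`, which enforces the image's `USER hmda`, keeps the pod's privilege profile consistent. The same unhardened init container is added to kubernetes/modified-lar/templates/deployment.yaml in patch 2/5.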
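Review bot: Mounting the `jksfolder` emptyDir over `/opt/java/openjdk/lib/security/` replaces the app container's entire JDK security directory with whatever the init container copied out of its own `eclipse-temurin:23.0.1_11-jdk-alpine` image, which in a Temurin image includes `java.security` and the policy files, not just `cacerts`. If the application image runs a different JDK release (its tag comes from `.Values.image.tag` and is not visible here), the overlaid `java.security` can enable or disable providers and algorithms that release does not expect. Safer is to overlay only the trust store with a `subPath`, e.g. `- mountPath: /opt/java/openjdk/lib/security/cacerts` / `name: jksfolder` / `subPath: cacerts`, and to keep the init image's JDK line in step with the app image. The same full-directory mount is added for modified-lar in patch 2/5.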
@@ -40,79 +91,69 @@ spec: - ALL imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: HMDA_RUNTIME_MODE - value: {{ .Values.hmda.runtimeMode }} - - name: BANK_FILTER_LIST - valueFrom: - configMapKeyRef: - name: bank-filter-configmap - key: bank-filter-list - - name: KEYCLOAK_REALM_URL - valueFrom: - configMapKeyRef: - name: http-configmap - key: auth.realmUrl - - name: KEYCLOAK_AUTH_URL - valueFrom: - configMapKeyRef: - name: http-configmap - key: auth.url - - name: KEYCLOAK_PUBLIC_MODULUS - valueFrom: - configMapKeyRef: - name: keycloak-public-key-configmap - key: keycloak.publicKey.modulus - - name: KEYCLOAK_PUBLIC_EXPONENT - valueFrom: - configMapKeyRef: - name: keycloak-public-key-configmap - key: keycloak.publicKey.exponent - - name: KEYCLOAK_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: hmda-auth-credentials - key: admin-username - - name: KEYCLOAK_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: hmda-auth-credentials - key: admin-password - - name: PG_HOST - valueFrom: - secretKeyRef: - name: inst-postgres-credentials - key: host - - name: PG_DATABASE - valueFrom: - configMapKeyRef: - name: postgresql-configmap - key: postgres.database - - name: PG_USER - valueFrom: - secretKeyRef: - name: inst-postgres-credentials - key: username - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - name: inst-postgres-credentials - key: password - - name: PG_SSL - valueFrom: - configMapKeyRef: - name: postgresql-configmap - key: postgres.ssl - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . 
| indent 8 }} - {{- end }} + - name: _JAVA_OPTIONS + value: > + -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2 + -Dcom.sun.security.enableAIAcaIssuers=true + - name: HMDA_RUNTIME_MODE + value: {{ .Values.hmda.runtimeMode }} + - name: BANK_FILTER_LIST + valueFrom: + configMapKeyRef: + name: bank-filter-configmap + key: bank-filter-list + - name: KEYCLOAK_REALM_URL + valueFrom: + configMapKeyRef: + name: http-configmap + key: auth.realmUrl + - name: KEYCLOAK_AUTH_URL + valueFrom: + configMapKeyRef: + name: http-configmap + key: auth.url + - name: KEYCLOAK_PUBLIC_MODULUS + valueFrom: + configMapKeyRef: + name: keycloak-public-key-configmap + key: keycloak.publicKey.modulus + - name: KEYCLOAK_PUBLIC_EXPONENT + valueFrom: + configMapKeyRef: + name: keycloak-public-key-configmap + key: keycloak.publicKey.exponent + - name: KEYCLOAK_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: hmda-auth-credentials + key: admin-username + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: hmda-auth-credentials + key: admin-password + - name: PG_HOST + valueFrom: + secretKeyRef: + name: inst-postgres-credentials + key: host + - name: PG_DATABASE + valueFrom: + configMapKeyRef: + name: postgresql-configmap + key: postgres.database + - name: PG_USER + valueFrom: + secretKeyRef: + name: inst-postgres-credentials + key: username + - name: PG_PASSWORD + valueFrom: + secretKeyRef: + name: inst-postgres-credentials + key: password + - name: PG_SSL + valueFrom: + configMapKeyRef: + name: postgresql-configmap + key: postgres.ssl diff --git a/kubernetes/hmda-data-browser-api/Dockerfile b/kubernetes/hmda-data-browser-api/Dockerfile new file mode 100644 index 0000000000..c020db6532 --- /dev/null +++ b/kubernetes/hmda-data-browser-api/Dockerfile 
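Review bot: The new `_JAVA_OPTIONS` value `-Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2` opts `HttpsURLConnection` into SSLv3 and TLS 1.0/1.1 and leaves out TLS 1.3; the deprecated versions stay blocked by `jdk.tls.disabledAlgorithms` as long as the copied `java.security` is left as shipped, but the setting documents the wrong intent and drops the current protocol. Use `-Dhttps.protocols=TLSv1.2,TLSv1.3` or omit the property and let the JDK defaults apply. `-Dcom.sun.security.enableAIAcaIssuers=true` makes the JVM fetch missing intermediate CAs over plain HTTP during the handshake, so that egress must be allowed from the pod and a handshake can stall on an unreachable AIA URL; the more robust fix is for the peer to serve its full chain. Separately, the hunk deletes the `resources:` block (`{{ toYaml .Values.resources | indent 12 }}`) and the `nodeSelector`/`affinity`/`tolerations` sections without replacement, so unless they are re-added elsewhere in the template the container loses its requests/limits and those chart values are silently ignored. The same trailing blocks are removed from modified-lar in patch 2/5 (`@@ -161,18 +186,4 @@`), where the inline limits visible in the preceding hunk mean only the scheduling sections are lost, and the same `_JAVA_OPTIONS` entry is added there (`@@ -44,6 +65,10 @@`).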
@@ -0,0 +1,9 @@ +FROM eclipse-temurin:23.0.1_11-jdk-alpine + +RUN apk upgrade --update-cache --available && apk add openssl +RUN adduser -H -S -G root -h /opt hmda +RUN mkdir /opt/docker +RUN chmod -R 777 /opt +RUN chown -R hmda /opt + +USER hmda \ No newline at end of file diff --git a/kubernetes/hmda-data-browser-api/templates/deployment.yaml b/kubernetes/hmda-data-browser-api/templates/deployment.yaml index 9670077962..f98f049f21 100644 --- a/kubernetes/hmda-data-browser-api/templates/deployment.yaml +++ b/kubernetes/hmda-data-browser-api/templates/deployment.yaml @@ -21,8 +21,7 @@ spec: spec: initContainers: - args: - - apk upgrade --update-cache --available && apk add openssl && - openssl pkcs12 -export -in /opt/docker/certs/redis-cert/redis-crt -inkey /opt/docker/certs/redis-key/redis-key + - openssl pkcs12 -export -in /opt/docker/certs/redis-cert/redis-crt -inkey /opt/docker/certs/redis-key/redis-key -out /opt/docker/server.p12 -name redis-tls -CAfile /opt/docker/certs/ca-cert/ca-crt -caname root -passin pass:changeit -passout pass:changeit && keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /opt/java/openjdk/lib/security/cacerts @@ -33,8 +32,8 @@ spec: - /bin/sh - -c - -- - image: eclipse-temurin:20-jdk-alpine - name: eclipse-temurin-init + image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025 + name: hmda-init-universal resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File From b8fdd25551c88e92cf69cce5a96f67671a6ccd8c Mon Sep 17 00:00:00 2001 From: PatrickGoRaft Date: Tue, 10 Dec 2024 07:55:59 -0500 Subject: [PATCH 2/5] resolving s3 tls connection issue --- .../modified-lar/templates/deployment.yaml | 41 ++++++++++++------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/kubernetes/modified-lar/templates/deployment.yaml b/kubernetes/modified-lar/templates/deployment.yaml index 426741282c..65a4e2f75d 100644 
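Review bot: The new init image reference `626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025` is a mutable tag rather than a digest, so a re-push under the same tag changes what runs before every pod of this service with no change in the chart, and the image now runs with write access to the trust store the app will use. Pin it by digest, `image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0@sha256:<digest-placeholder>`, or at least make the reference a chart value so it is reviewed like `.Values.image.tag`. Patch 5/5 renames the tag to `v1.0.0` here and in hmda-auth, and the hmda-auth and modified-lar init containers in this series reference the same image, so the same applies to them.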
--- a/kubernetes/modified-lar/templates/deployment.yaml +++ b/kubernetes/modified-lar/templates/deployment.yaml @@ -22,16 +22,37 @@ spec: app: {{ include "modified-lar.name" . }} release: {{ .Release.Name }} spec: + initContainers: + - args: + - cp /opt/java/openjdk/lib/security/* /opt/docker/temporary/ + command: + - /bin/sh + - -c + - -- + image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025 + name: hmda-init-universal + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/docker/temporary + name: jksfolder + restartPolicy: Always + terminationGracePeriodSeconds: 30 volumes: - name: tz-config hostPath: path: /usr/share/zoneinfo/America/New_York + - emptyDir: {} + name: jksfolder containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" volumeMounts: - name: tz-config mountPath: /etc/localtime + - mountPath: /opt/java/openjdk/lib/security/ + name: jksfolder securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false @@ -44,6 +65,10 @@ spec: cpu: "4" memory: "2200Mi" env: + - name: _JAVA_OPTIONS + value: > + -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2 + -Dcom.sun.security.enableAIAcaIssuers=true - name: PG_HOST valueFrom: secretKeyRef: @@ -161,18 +186,4 @@ spec: valueFrom: configMapKeyRef: name: mlar-options-configmap - key: createDispositionKafkaRecord - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} + key: createDispositionKafkaRecord \ No newline at end of file From e5c8f9679bc6f77b83e5651898ecc691ffcb2307 Mon Sep 17 00:00:00 2001 
From: PatrickGoRaft Date: Tue, 10 Dec 2024 10:51:48 -0500 Subject: [PATCH 3/5] updating documentation for universal init container --- kubernetes/hmda-data-browser-api/Dockerfile | 9 --------- kubernetes/{hmda-auth => hmda-universal-init}/Dockerfile | 0 kubernetes/hmda-universal-init/Readme.md | 0 3 files changed, 9 deletions(-) delete mode 100644 kubernetes/hmda-data-browser-api/Dockerfile rename kubernetes/{hmda-auth => hmda-universal-init}/Dockerfile (100%) create mode 100644 kubernetes/hmda-universal-init/Readme.md diff --git a/kubernetes/hmda-data-browser-api/Dockerfile b/kubernetes/hmda-data-browser-api/Dockerfile deleted file mode 100644 index c020db6532..0000000000 --- a/kubernetes/hmda-data-browser-api/Dockerfile +++ /dev/null @@ -1,9 +0,0 @@ -FROM eclipse-temurin:23.0.1_11-jdk-alpine - -RUN apk upgrade --update-cache --available && apk add openssl -RUN adduser -H -S -G root -h /opt hmda -RUN mkdir /opt/docker -RUN chmod -R 777 /opt -RUN chown -R hmda /opt - -USER hmda \ No newline at end of file diff --git a/kubernetes/hmda-auth/Dockerfile b/kubernetes/hmda-universal-init/Dockerfile similarity index 100% rename from kubernetes/hmda-auth/Dockerfile rename to kubernetes/hmda-universal-init/Dockerfile diff --git a/kubernetes/hmda-universal-init/Readme.md b/kubernetes/hmda-universal-init/Readme.md new file mode 100644 index 0000000000..e69de29bb2 From 0a484deafde5e02ff9d3531a02ebce7d4ae12923 Mon Sep 17 00:00:00 2001 From: PatrickGoRaft Date: Thu, 12 Dec 2024 13:49:19 -0500 Subject: [PATCH 4/5] updating documentation for universal init container --- kubernetes/{hmda-universal-init => hmda-init}/Dockerfile | 0 kubernetes/hmda-init/Readme.md | 8 ++++++++ kubernetes/hmda-universal-init/Readme.md | 0 3 files changed, 8 insertions(+) rename kubernetes/{hmda-universal-init => hmda-init}/Dockerfile (100%) create mode 100644 kubernetes/hmda-init/Readme.md delete mode 100644 kubernetes/hmda-universal-init/Readme.md 
diff --git a/kubernetes/hmda-universal-init/Dockerfile b/kubernetes/hmda-init/Dockerfile similarity index 100% rename from kubernetes/hmda-universal-init/Dockerfile rename to kubernetes/hmda-init/Dockerfile diff --git a/kubernetes/hmda-init/Readme.md b/kubernetes/hmda-init/Readme.md new file mode 100644 index 0000000000..2b3f411668 --- /dev/null +++ b/kubernetes/hmda-init/Readme.md @@ -0,0 +1,8 @@ +## Purpose + +In order to resolve issues with certs required for TLS/SSL connections within our clusters, these missing certs need to be copied over during pod initialization. + + +## How to build/push the Dockerfile +docker build -t 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 --platform=linux/amd64 . +docker push 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 diff --git a/kubernetes/hmda-universal-init/Readme.md b/kubernetes/hmda-universal-init/Readme.md deleted file mode 100644 index e69de29bb2..0000000000 From 6588dd5ee8925713a818b53859edc302e167766e Mon Sep 17 00:00:00 2001 From: PatrickGoRaft Date: Thu, 12 Dec 2024 14:17:39 -0500 Subject: [PATCH 5/5] updating documentation for universal init container --- kubernetes/hmda-auth/templates/deployment.yaml | 4 ++-- kubernetes/hmda-data-browser-api/templates/deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kubernetes/hmda-auth/templates/deployment.yaml b/kubernetes/hmda-auth/templates/deployment.yaml index 557d32ee20..4e480a2e9c 100644 --- a/kubernetes/hmda-auth/templates/deployment.yaml +++ b/kubernetes/hmda-auth/templates/deployment.yaml @@ -28,8 +28,8 @@ spec: - /bin/sh - -c - -- - image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025 - name: hmda-init-universal + image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 + name: hmda-init resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File 
diff --git a/kubernetes/hmda-data-browser-api/templates/deployment.yaml b/kubernetes/hmda-data-browser-api/templates/deployment.yaml index f98f049f21..da751e741d 100644 --- a/kubernetes/hmda-data-browser-api/templates/deployment.yaml +++ b/kubernetes/hmda-data-browser-api/templates/deployment.yaml @@ -32,8 +32,8 @@ spec: - /bin/sh - -c - -- - image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-auth:init-universal-12092025 - name: hmda-init-universal + image: 626560329871.dkr.ecr.us-east-1.amazonaws.com/hmda/hmda-init:v1.0.0 + name: hmda-init resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File