CB-18277 introduce init container that initialize NSS DB for Java based services

Author: biharitomi

README.md

@@ -90,3 +90,22 @@ Once the PR is merged, CircleCI will build it:
 * Create a new release on [GitHub releases tab](https://github.com/hortonworks/cloudbreak-deployer/releases), with the
  help of [gh-release](https://github.com/progrium/gh-release).
 * Create the git tag with `v` prefix like: `v0.0.3`.
+
+### Configuring trusted certificates for the Java based services of Clodbreak Deployer Tool
+If an external database(RDS for example) for Cloudbreak's Java based services and enable `SSL` verification are needed, CBD started to support loading certificates from the `certs/into-nssdb/` directory of your deployment.
+
+This means that certificates from the `certs/into-nssdb/` will be loaded to an `NSS DB` instance by a new Java init container and Java based services will get this `NSS DB` on a shared volume and use it as the default trust/key-store.
+
+**The following `Profile` file snippet is an example of how `SSL` could be configured for the Environment and FreeIPA services**
+```
+export ENVIRONMENT_JAVA_OPTS='-Denvironment.db.env.ssl="true"'
+export ENVIRONMENT_DB_ENV_USER="postgres"
+export ENVIRONMENT_DB_ENV_DB="environmentdb"
+export ENVIRONMENT_DB_ENV_PASS="..."
+export ENVIRONMENT_DB_HOST="tb-.....cwuvxwrz4ivx.eu-central-1.rds.amazonaws.com"
+
+export FREEIPA_DB_ENV_USER="postgres"
+export FREEIPA_DB_ENV_DB="freeipadb"
+export FREEIPA_DB_ENV_PASS="..."
+export FREEIPA_DB_ADDR="tb-....cwuvxwrz4ivx.eu-central-1.rds.amazonaws.com"
+export FREEIPA_JAVA_OPTS='-Dfreeipa.db.env.ssl="true"'

compose.go

@@ -33,6 +33,7 @@ func GenerateComposeYaml(args []string) {
 	if dataMap["THUNDERHEAD_MOCK"] == "true" {
 		insertIntoTemplateIfNotLocal(t, localDevList, "thunderhead-mock")
 	}
+	insertIntoTemplate(t, "nssdb-init")
 	insertIntoTemplateIfNotLocal(t, localDevList, "core-gateway")
 	insertIntoTemplateIfNotLocal(t, localDevList, "cadence")
 	insertIntoTemplateIfNotLocal(t, localDevList, "cluster-proxy")

include/cloudbreak.bash

@@ -86,6 +86,7 @@ cloudbreak-conf-tags() {
     env-import DOCKER_TAG_CLUSTER_PROXY_HEALTH_CHECK_WORKER 3.0.0-b59
     env-import DOCKER_TAG_CADENCE 0.24.0-auto-setup
     env-import DOCKER_TAG_CADENCE_WEB 1.0.0-b24
+    env-import DOCKER_TAG_JAVA_NSSDB_INIT 1.0.0-b10108
 
     env-import DOCKER_IMAGE_THUNDERHEAD_MOCK docker-private.infra.cloudera.com/cloudera/cloudbreak-mock-thunderhead
     env-import DOCKER_IMAGE_MOCK_INFRASTRUCTURE docker-private.infra.cloudera.com/cloudera/cloudbreak-mock-infrastructure
@@ -112,6 +113,7 @@ cloudbreak-conf-tags() {
     env-import DOCKER_IMAGE_CLUSTER_PROXY_HEALTH_CHECK_WORKER docker-private.infra.cloudera.com/cloudera/cloud/cluster-proxy
     env-import DOCKER_IMAGE_CADENCE ubercadence/server
     env-import DOCKER_IMAGE_CADENCE_WEB docker-private.infra.cloudera.com/cloudera/cadence-web
+    env-import DOCKER_IMAGE_JAVA_NSSDB_INIT docker-private.infra.cloudera.com/cloudera/thunderhead-java-init-container-11
 
     env-import CB_DEFAULT_SUBSCRIPTION_ADDRESS http://uluwatu:3000/notifications
 }
@@ -146,42 +148,50 @@ cloudbreak-conf-db() {
     env-import CB_DB_ENV_PASS ""
     env-import CB_DB_ENV_SCHEMA "public"
     env-import CB_HBM2DDL_STRATEGY "validate"
+    env-import CB_DB_PORT_5432_TCP_ADDR "$COMMON_DB"
 
     env-import PERISCOPE_DB_ENV_USER "postgres"
     env-import PERISCOPE_DB_ENV_DB "periscopedb"
     env-import PERISCOPE_DB_ENV_PASS ""
     env-import PERISCOPE_DB_ENV_SCHEMA "public"
     env-import PERISCOPE_HBM2DDL_STRATEGY "validate"
+    env-import PERISCOPE_DB_PORT_5432_TCP_ADDR "$COMMON_DB"
 
     env-import CONSUMPTION_DB_ENV_USER "postgres"
     env-import CONSUMPTION_DB_ENV_DB "consumptiondb"
     env-import CONSUMPTION_DB_ENV_PASS ""
     env-import CONSUMPTION_DB_ENV_SCHEMA "public"
     env-import CONSUMPTION_HBM2DDL_STRATEGY "validate"
+    env-import CONSUMPTION_DB_HOST "$COMMON_DB"
 
     env-import DATALAKE_DB_ENV_USER "postgres"
     env-import DATALAKE_DB_ENV_DB "datalakedb"
     env-import DATALAKE_DB_ENV_PASS ""
     env-import DATALAKE_DB_ENV_SCHEMA "public"
     env-import DATALAKE_HBM2DDL_STRATEGY "validate"
+    env-import DATALAKE_DB_PORT_5432_TCP_ADDR "$COMMON_DB"
+
 
     env-import REDBEAMS_DB_ENV_USER "postgres"
     env-import REDBEAMS_DB_ENV_DB "redbeamsdb"
     env-import REDBEAMS_DB_ENV_PASS ""
     env-import REDBEAMS_DB_ENV_SCHEMA "public"
     env-import REDBEAMS_HBM2DDL_STRATEGY "validate"
+    env-import REDBEAMS_DB_PORT_5432_TCP_ADDR "$COMMON_DB"
 
     env-import ENVIRONMENT_DB_ENV_USER "postgres"
     env-import ENVIRONMENT_DB_ENV_DB "environmentdb"
     env-import ENVIRONMENT_DB_ENV_PASS ""
     env-import ENVIRONMENT_DB_ENV_SCHEMA "public"
     env-import ENVIRONMENT_HBM2DDL_STRATEGY "validate"
+    env-import ENVIRONMENT_DB_HOST "$COMMON_DB"
 
     env-import FREEIPA_DB_ENV_USER "postgres"
     env-import FREEIPA_DB_ENV_DB "freeipadb"
     env-import FREEIPA_DB_ENV_PASS ""
     env-import FREEIPA_DB_ENV_SCHEMA "public"
     env-import FREEIPA_HBM2DDL_STRATEGY "validate"
+    env-import FREEIPA_DB_ADDR "$COMMON_DB"
 
     env-import IDBMMS_DB_ENV_USER "postgres"
     env-import IDBMMS_DB_ENV_DB "idbmmsdb"

include/compose.bash

@@ -1,5 +1,5 @@
 compose-init() {
-    local required_compose=1.27.2
+    local required_compose=1.29.1
     local compose_version=$(docker-compose --version 2>&1 | grep -E -o "([0-9]+\.)+[0-9]+")
 
     local compare_result=$(compare-versions ${compose_version} ${required_compose})

include/env.bash

@@ -177,6 +177,7 @@ DOCKER_IMAGE_CLOUDBREAK_WEB - Web UI Docker image name
 DOCKER_IMAGE_ENVIRONMENTS2_API - Environments2 API Docker image name
 DOCKER_IMAGE_IDBMMS - IDBMMS Docker image name
 DOCKER_IMAGE_WORKLOADIAM - WorkloadIam Docker image name
+DOCKER_IMAGE_JAVA_NSSDB_INIT - Java init container image name that initializes the NSS DB for java based services
 DOCKER_TAG_AUDIT - Audit Service container version
 DOCKER_TAG_ALPINE - Alpine container version
 DOCKER_TAG_CBD_SMARTSENSE - SmartSense container version
@@ -197,6 +198,7 @@ DOCKER_TAG_FREEIPA - FreeIpa container version
 DOCKER_TAG_POSTGRES - Postgresql container version
 DOCKER_TAG_TRAEFIK - Traefik container version
 DOCKER_TAG_ULUWATU - Web UI container version
+DOCKER_TAG_JAVA_NSSDB_INIT - Java init container image version that initializes the NSS DB for java based services
 DOCKER_STOP_TIMEOUT - Specify a shutdown timeout in seconds for containers
 HTTP_PROXY_HOST - HTTP proxy address
 HTTPS_PROXY_HOST - HTTPS proxy address

templates/compose-cloudbreak.tmpl

@@ -33,7 +33,7 @@
             - "ENDPOINTS_BEANS_ENABLED=false"
             - "ENDPOINTS_ENV_ENABLED=false"
             - "CB_ADDRESS_RESOLVING_TIMEOUT"
-            - "CB_DB_PORT_5432_TCP_ADDR={{{get . "COMMON_DB"}}}"
+            - "CB_DB_PORT_5432_TCP_ADDR={{{get . "CB_DB_PORT_5432_TCP_ADDR"}}}"
             - "CB_DB_PORT_5432_TCP_PORT=5432"
             - CB_DB_ENV_USER
             - CB_DB_ENV_PASS
@@ -127,6 +127,10 @@
             - /dev/urandom:/dev/random
             - ./logs/cloudbreak:/cloudbreak-log
             - ./etc/:/etc/cloudbreak
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
         - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging:

templates/compose-consumption.tmpl

@@ -7,7 +7,7 @@
             - REST_DEBUG
             - 'CONSUMPTION_JAVA_OPTS={{{getEscaped . "CONSUMPTION_JAVA_OPTS"}}}'
             - CONSUMPTION_HBM2DDL_STRATEGY
-            - "CONSUMPTION_DB_HOST={{{get . "COMMON_DB"}}}"
+            - "CONSUMPTION_DB_HOST={{{get . "CONSUMPTION_DB_HOST"}}}"
             - "CONSUMPTION_DB_PORT=5432"
             - CONSUMPTION_DB_ENV_USER
             - CONSUMPTION_DB_ENV_PASS
@@ -47,6 +47,10 @@
             - /dev/urandom:/dev/random
             - ./logs/consumption:/consumption-log
             - ./etc/:/etc/consumption
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
             - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging:

templates/compose-datalake.tmpl

@@ -7,7 +7,7 @@
             - REST_DEBUG
             - 'DATALAKE_JAVA_OPTS={{{getEscaped . "DATALAKE_JAVA_OPTS"}}}'
             - DATALAKE_HBM2DDL_STRATEGY
-            - "DATALAKE_DB_PORT_5432_TCP_ADDR={{{get . "COMMON_DB"}}}"
+            - "DATALAKE_DB_PORT_5432_TCP_ADDR={{{get . "DATALAKE_DB_PORT_5432_TCP_ADDR"}}}"
             - "DATALAKE_DB_PORT_5432_TCP_PORT=5432"
             - DATALAKE_DB_ENV_USER
             - DATALAKE_DB_ENV_PASS
@@ -57,6 +57,10 @@
             - /dev/urandom:/dev/random
             - ./logs/datalake:/datalake-log
             - ./etc/:/etc/datalake
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
             - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging:

templates/compose-environment.tmpl

@@ -13,7 +13,7 @@
             - REST_DEBUG
             - 'ENVIRONMENT_JAVA_OPTS={{{getEscaped . "ENVIRONMENT_JAVA_OPTS"}}}'
             - ENVIRONMENT_HBM2DDL_STRATEGY
-            - "ENVIRONMENT_DB_HOST={{{get . "COMMON_DB"}}}"
+            - "ENVIRONMENT_DB_HOST={{{get . "ENVIRONMENT_DB_HOST"}}}"
             - "ENVIRONMENT_DB_PORT=5432"
             - ENVIRONMENT_DB_ENV_USER
             - ENVIRONMENT_DB_ENV_PASS
@@ -69,6 +69,10 @@
             - /dev/urandom:/dev/random
             - ./logs/environment:/environment-log
             - ./etc/:/etc/environment-service
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
         - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging:

templates/compose-freeipa.tmpl

@@ -17,7 +17,7 @@
             - REST_DEBUG
             - 'FREEIPA_JAVA_OPTS={{{getEscaped . "FREEIPA_JAVA_OPTS"}}}'
             - FREEIPA_HBM2DDL_STRATEGY
-            - "FREEIPA_DB_ADDR={{{get . "COMMON_DB"}}}"
+            - "FREEIPA_DB_ADDR={{{get . "FREEIPA_DB_ADDR"}}}"
             - "FREEIPA_DB_PORT=5432"
             - FREEIPA_DB_ENV_USER
             - FREEIPA_DB_ENV_PASS
@@ -70,6 +70,10 @@
             - /dev/urandom:/dev/random
             - ./logs/freeipa:/freeipa-log
             - ./etc/:/etc/freeipa
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
         - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging:

templates/compose-main.tmpl

@@ -1,6 +1,7 @@
 version: '3'
 volumes:
     {{{get . "COMMON_DB_VOL"}}}:
+    nssdb-init:
 networks:
   {{{get . "DOCKER_NETWORK_NAME"}}}:
     driver: bridge
@@ -118,6 +119,7 @@ services:
               memory: 1024M
               cpus: 1.0
 {{{- block "cb-traefik" .}}}{{{end}}}
+{{{- block "nssdb-init" .}}}{{{end}}}
 {{{- block "thunderhead-mock" .}}}{{{end}}}
 {{{- block "mock-infrastructure" .}}}{{{end}}}
 {{{- block "core-gateway" .}}}{{{end}}}

templates/compose-nssdb-init.tmpl

@@ -0,0 +1,15 @@
+{{{define "nssdb-init"}}}
+    nssdb-init-svc:
+      image: {{{get . "DOCKER_IMAGE_JAVA_NSSDB_INIT"}}}:{{{get . "DOCKER_TAG_JAVA_NSSDB_INIT"}}}
+      volumes:
+        - nssdb-init:/mounted/nssdb
+        - ./certs/into-nssdb/:/usr/local/share/ca-certificates/into-nssdb/
+      networks:
+        - default
+      command: /usr/local/share/ca-certificates/into-nssdb/
+      deploy:
+        resources:
+          limits:
+            memory: 256M
+            cpus: 1.0 
+{{{end}}}

templates/compose-periscope.tmpl

@@ -4,7 +4,7 @@
             - http_proxy={{{get . "HTTP_PROXY"}}}
             - https_proxy={{{get . "HTTPS_PROXY"}}}
             - PERISCOPE_HBM2DDL_STRATEGY
-            - "PERISCOPE_DB_PORT_5432_TCP_ADDR={{{get . "COMMON_DB"}}}"
+            - "PERISCOPE_DB_PORT_5432_TCP_ADDR={{{get . "PERISCOPE_DB_PORT_5432_TCP_ADDR"}}}"
             - "PERISCOPE_DB_PORT_5432_TCP_PORT=5432"
             - PERISCOPE_DB_ENV_USER
             - PERISCOPE_DB_ENV_PASS
@@ -54,6 +54,10 @@
             - "{{{get . "CBD_CERT_ROOT_PATH"}}}:/certs"
             - ./logs/autoscale:/autoscale-log
             - /dev/urandom:/dev/random
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
         - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging:

templates/compose-redbeams.tmpl

@@ -13,7 +13,7 @@
             - REST_DEBUG
             - 'REDBEAMS_JAVA_OPTS={{{getEscaped . "REDBEAMS_JAVA_OPTS"}}}'
             - REDBEAMS_HBM2DDL_STRATEGY
-            - "REDBEAMS_DB_PORT_5432_TCP_ADDR={{{get . "COMMON_DB"}}}"
+            - "REDBEAMS_DB_PORT_5432_TCP_ADDR={{{get . "REDBEAMS_DB_PORT_5432_TCP_ADDR"}}}"
             - "REDBEAMS_DB_PORT_5432_TCP_PORT=5432"
             - REDBEAMS_DB_ENV_USER
             - REDBEAMS_DB_ENV_PASS
@@ -54,6 +54,10 @@
             - /dev/urandom:/dev/random
             - ./logs/redbeams:/redbeams-log
             - ./etc/:/etc/redbeams
+            - nssdb-init:/etc/pki/nssdb
+        depends_on:
+            nssdb-init-svc:
+                condition: service_completed_successfully
         networks:
         - {{{get . "DOCKER_NETWORK_NAME"}}}
         logging: