[VID] Obfuscate truststore password at the entrypoint 86/119486/11
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Thu, 18 Mar 2021 10:08:36 +0000 (11:08 +0100)
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>
Tue, 23 Mar 2021 19:03:46 +0000 (19:03 +0000)
VID unfortunately expects truststore password to be obfuscated instead
of getting it in plain text.

The current solution in the master branch was only a temporary
fix that hardcoded an obfuscated password in our charts.

This patch introduces a proper solution that uses jetty-util to
obfuscate the password before starting VID application.

Issue-ID: OOM-1
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I391c29b6552121fd0b574a1046b4c1551c1a927a

kubernetes/vid/templates/deployment.yaml
kubernetes/vid/values.yaml

index 8872863..d1b4bcd 100644 (file)
@@ -63,6 +63,8 @@ spec:
           - -c
           - |
             export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+            export VID_TRUSTSTORE_PLAIN_PASSWORD=${VID_TRUSTSTORE_PASSWORD}
+            export VID_TRUSTSTORE_PASSWORD=`java -cp /usr/local/tomcat/webapps/vid/WEB-INF/lib/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password ${VID_TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
             /tmp/vid/localize.sh
           {{- end }}
           ports:
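Review bot: The command substitution on the second added line has no failure path: if the java invocation fails (the classpath pins `jetty-util-9.4.20.v20190813.jar`, so an image bump that changes the bundled jetty-util version breaks it) or the grep matches nothing, `VID_TRUSTSTORE_PASSWORD` is silently exported as an empty string and VID starts with an unusable truststore password. Add a guard right after the export, e.g. `[ -n "${VID_TRUSTSTORE_PASSWORD}" ] || { echo "truststore password obfuscation failed" >&2; exit 1; }`, and quote the argument as `"${VID_TRUSTSTORE_PLAIN_PASSWORD}"` so the line does not depend on the password staying alnum-only. The plain-text value is also handed to java as a command-line argument, where it is readable from the process list inside the container, and it remains exported in the environment of the VID process; since `OBF:` is a reversible encoding rather than protection, at least `unset VID_TRUSTSTORE_PLAIN_PASSWORD` once the obfuscated value has been captured. The `args` shell block begins outside the hunk.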
index 6b323a4..91132e2 100644 (file)
@@ -64,7 +64,7 @@ certInitializer:
     else
       echo "*** changing them into shell safe ones"
       export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
-      export TRUSTORE_PASSWD=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+      export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
       cd {{ .Values.credsPath }}
       keytool -storepasswd -new "${KEYSTORE_PASSWD}" \
         -storepass "${cadi_keystore_password_jks}" \
@@ -79,7 +79,7 @@ certInitializer:
         -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }}
       echo "*** save the generated passwords"
       echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop
-      echo "VID_TRUSTSTORE_PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp" >> mycreds.prop
+      echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop
       echo "*** change ownership of certificates to targeted user"
       chown -R 1000 .
     fi
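Review bot: The added line in the second hunk, `echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop`, now stores the truststore password in plain text next to the keystore password, but the file's mode is never restricted before the `chown -R 1000 .` that follows; add `chmod 600 mycreds.prop` before the chown so the credentials file is readable only by the target user (the previous OBF: value was reversible, so this tightening is overdue rather than new). The variable name TRUSTORE_PASSWD is missing an S; since both lines that use it are touched by this change, renaming it to TRUSTSTORE_PASSWD in both hunks would make it match VID_TRUSTSTORE_PASSWORD and the keystore counterpart. The `else` branch containing the first hunk and the block enclosing the whole script begin outside the hunks.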