Commit 800d10e7 authored by Abhay Joshi's avatar Abhay Joshi Committed by Abhay Joshi

Squashed commit of the following

commit 6470e878
Author: Abhay <bios@amazon.com>
Date: Tue Mar 21 2023 08:42:05 GMT-0700 (Pacific Daylight Time)

    removing old ssl stuff

commit 517a623d
Author: Abhay <bios@amazon.com>
Date: Tue Mar 21 2023 07:30:56 GMT-0700 (Pacific Daylight Time)

    Renaming variable

commit 78f9a3af
Author: Abhay <bios@amazon.com>
Date: Mon Mar 20 2023 10:53:10 GMT-0700 (Pacific Daylight Time)

    adding changes for rootFilesystem

(cherry picked from commit feb70d18)
parent 39338e6a
4 merge requests!760Vulnerability fixes,!745Draft: M18 Upgraded packages to mitigate vulns in netty, guava, snakeyaml,!744Upgraded packages to mitigated vulns in netty, guava, snakeyaml,!672ReadOnlyRootFileSystem changes for AWS
Pipeline #177794 failed
......@@ -60,6 +60,8 @@ environmentVariables:
value: "/mnt/params"
- name: STORAGE_SERVICE_REPOSITORY_IMPLEMENTATION
value: "{{ default `dynamodb` .Values.global.coreDbProvider }}"
- name: TMP_VOLUME_PATH
value: "/tmp"
# Resource Config
maxConnections: 200
......@@ -97,7 +99,7 @@ cors:
securityContext:
runAsUser: 10001
runAsNonRoot: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
......
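Review bot: With `readOnlyRootFilesystem: true` under securityContext, nothing in the two visible hunks mounts a writable volume at the `/tmp` that `TMP_VOLUME_PATH` names. The entrypoint shown further down this page writes the keystore to `/tmp/certs`, so the pod fails at startup unless a template outside these hunks turns the value into a volume mount; that is presumably the case and worth confirming. If the mount is an `emptyDir`, `medium: Memory` with a `sizeLimit` suits a directory that holds a private key. A comment beside the variable, `# writable emptyDir mount; the root filesystem is read-only`, would record the coupling.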
......@@ -17,12 +17,10 @@ FROM amazoncorretto:8
ARG JAR_FILE=provider/storage-aws/target/*spring-boot.jar
#Default to using self signed generated TLS cert
ENV USE_SELF_SIGNED_SSL_CERT true
WORKDIR /
COPY ${JAR_FILE} app.jar
COPY /provider/storage-aws/build-aws/ssl.sh /ssl.sh
COPY /provider/storage-aws/build-aws/entrypoint.sh /entrypoint.sh
EXPOSE 8080
......
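Review bot: The base image on the hunk's context line, `FROM amazoncorretto:8`, is a floating tag, so each rebuild can pull different contents under the same name; pinning it by digest, `FROM amazoncorretto:8@sha256:<digest-placeholder>`, makes the hardened image reproducible. No `USER` instruction appears in the visible lines either, which would leave the non-root guarantee to the chart's `runAsUser: 10001` alone; the Dockerfile continues outside the hunk, so this may already be set there. The page does not show which two lines the hunk drops.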
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
export SSL_KEY_PASSWORD=$RANDOM$RANDOM$RANDOM;
export SSL_KEY_STORE_PASSWORD=$SSL_KEY_PASSWORD;
export SSL_KEY_STORE_DIR=/tmp/certs;
export SSL_KEY_STORE_NAME=osduonaws.p12;
export SSL_KEY_STORE_PATH=$SSL_KEY_STORE_DIR/$SSL_KEY_STORE_NAME;
export SSL_KEY_ALIAS=osduonaws;
./ssl.sh;
fi
java $JAVA_OPTS -jar /app.jar
\ No newline at end of file
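Review bot: `$RANDOM$RANDOM$RANDOM` on the SSL_KEY_PASSWORD line yields a short decimal string from bash's non-cryptographic generator, which is weak for a password protecting a private key; reading the kernel CSPRNG is a one-line change, `SSL_KEY_PASSWORD=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')`. The guard `[ -n $USE_SELF_SIGNED_SSL_CERT ]` is unquoted, so it is true even when the variable is unset or empty and the self-signed path can never be switched off; `[ -n "$USE_SELF_SIGNED_SSL_CERT" ]` fixes that. The return status of `./ssl.sh` is not checked, so the JVM still starts when keystore generation fails, for example when `/tmp` is not writable under the new read-only root filesystem; `./ssl.sh || exit 1` would stop it. The page does not show which of these lines the commit changes, so this applies to the script as it stands on the new side.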
# Copyright © 2021 Amazon Web Services
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#!/usr/bin/env bash
#Future: Support for using Amazon Cert Manager
# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
# then
# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
# fi
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
mkdir -p $SSL_KEY_STORE_DIR
pushd $SSL_KEY_STORE_DIR
keytool -genkeypair -alias $SSL_KEY_ALIAS -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore $SSL_KEY_STORE_NAME -validity 3650 -keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD -dname "CN=localhost, OU=AWS, O=Energy, L=Houston, ST=TX, C=US"
popd
fi
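Review bot: The keytool call passes `-keypass $SSL_KEY_PASSWORD -storepass $SSL_KEY_PASSWORD` on the command line, where the value is readable from the process list while the command runs; keytool accepts the `:env` modifier, so `-storepass:env SSL_KEY_PASSWORD -keypass:env SSL_KEY_PASSWORD` keeps it out of argv. `mkdir -p $SSL_KEY_STORE_DIR` and `pushd $SSL_KEY_STORE_DIR` are unquoted and unchecked, so a failed directory change lets keytool write the keystore into whatever the current directory is; `pushd "$SSL_KEY_STORE_DIR" || exit 1` covers both. The `#!/usr/bin/env bash` line sits below the licence header, where it is only a comment, and the commented-out ACM block carries a literal passphrase that is better deleted than kept as a template. Whether the commit keeps or removes this file is not recoverable from the page; the note applies only if it stays in the image.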