Open smoldenhauer-ish opened 4 months ago
I will provide a pull request to include the -in ca.crt only if there is a ca.crt file present:
Tested:
Command:
sh
-c
OPTIONAL_CACRT=$(test -e /var/solr/tls/ca.crt && echo ' -in /var/solr/tls/ca.crt'); openssl pkcs12 -export -in /var/solr/tls/tls.crt $OPTIONAL_CACRT -inkey /var/solr/tls/tls.key -out /var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}
Configure the solrTLS with a TLS secret that contains only a tls.crt and a tls.key. It seems to depend on the issuer whether there is a separate ca.crt or not, e.g. see https://github.com/cert-manager/cert-manager/issues/1571
The generated init container command
openssl pkcs12 -export -in /var/solr/tls/tls.crt -in /var/solr/tls/ca.crt -inkey /var/solr/tls/tls.key -out /var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}
fails with:
Can't open /var/solr/tls/ca.crt for reading, No such file or directory
139805662672192:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/var/solr/tls/ca.crt','r')
139805662672192:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
However, if the keystore is generated with the tls.crt and tls.key as input, it works. (The tls.crt contains the full chain of certificates.)
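The optional-ca.crt handling discussed in this issue, written as a small init-container helper. This is an added example, not the Solr operator's code or the author's pull request. The function names, the `DRY_RUN` switch and the directory argument are assumptions, and ca.crt is passed with openssl's `-certfile` option (additional certificates) rather than a second `-in`, which is this example's choice.

```shell
#!/bin/sh
# Added example, not the Solr operator's code. Function names, DRY_RUN and
# the directory argument are hypothetical.

# Print how many PEM certificates a file holds (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build keystore.p12 from the TLS secret mounted at $1.
# With DRY_RUN=1 the openssl command line is printed instead of executed.
make_keystore() {
    dir=$1
    for f in tls.crt tls.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    set -- pkcs12 -export -in "$dir/tls.crt" -inkey "$dir/tls.key"
    if [ -e "$dir/ca.crt" ]; then
        # Optional CA file: added only when the issuer provided one.
        set -- "$@" -certfile "$dir/ca.crt"
    elif [ "$(count_pem_certs "$dir/tls.crt")" -lt 2 ]; then
        # No ca.crt and a single certificate: the chain may be incomplete.
        echo "warning: no ca.crt and tls.crt holds fewer than 2 certificates" >&2
    fi
    set -- "$@" -out "$dir/pkcs12/keystore.p12"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "openssl $*"
        return 0
    fi
    mkdir -p "$dir/pkcs12"
    # Password handling as in the issue's command.
    openssl "$@" -passout "pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
}
```

Running it with `DRY_RUN=1` against the mounted secret shows which inputs the keystore will be built from before openssl is invoked.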