Merge branch 'main' into graphql

cryostatio · Apr 18, 2024 · 3b0732c · 3b0732c
2 parents 36922a2 + 2c22fac
commit 3b0732c
Show file tree

Hide file tree

Showing 22 changed files with 504 additions and 121 deletions.
diff --git a/compose/cryostat.yml b/compose/cryostat.yml
@@ -14,6 +14,7 @@ services:
     image: ${CRYOSTAT_IMAGE:-quay.io/cryostat/cryostat:3.0.0-snapshot}
     volumes:
       - ${XDG_RUNTIME_DIR}/podman/podman.sock:/run/user/1000/podman/podman.sock:Z
+      - jmxtls_cfg:/truststore:U
     security_opt:
       - label:disable
     hostname: cryostat3
@@ -39,3 +40,7 @@ services:
       retries: 3
       start_period: 30s
       timeout: 5s
+
+volumes:
+  jmxtls_cfg:
+    external: true
diff --git a/pom.xml b/pom.xml
@@ -16,21 +16,26 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
-    <io.cryostat.core.version>2.30.1</io.cryostat.core.version>
+    <build.arch>amd64</build.arch>
+
+    <io.cryostat.core.version>2.30.2</io.cryostat.core.version>
 
     <org.apache.commons.codec.version>1.16.1</org.apache.commons.codec.version>
     <org.apache.commons.io.version>2.13.0</org.apache.commons.io.version>
     <org.apache.httpcomponents.version>5.2.1</org.apache.httpcomponents.version>
     <org.apache.commons.lang3.version>3.13.0</org.apache.commons.lang3.version>
     <org.apache.commons.validator.version>1.7</org.apache.commons.validator.version>
-    <org.projectnessie.cel.bom.version>0.3.21</org.projectnessie.cel.bom.version>
+    <org.projectnessie.cel.bom.version>0.4.4</org.projectnessie.cel.bom.version>
+    <com.google.protobuf-java.version>3.25.2</com.google.protobuf-java.version>
     <com.nimbusds.jose.jwt.version>9.37.3</com.nimbusds.jose.jwt.version>
     <org.testcontainers.bom.version>1.19.7</org.testcontainers.bom.version>
     <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
     <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
     <quarkus.platform.version>3.2.9.Final</quarkus.platform.version>
     <quarkus-quinoa.version>2.3.6</quarkus-quinoa.version>
+    <io.netty.version>4.1.101.Final</io.netty.version>
     <org.codehaus.mojo.build.helper.plugin.version>3.5.0</org.codehaus.mojo.build.helper.plugin.version>
+    <assembly-plugin.version>3.7.1</assembly-plugin.version>
 
     <com.github.spotbugs.version>4.8.4</com.github.spotbugs.version>
     <com.github.spotbugs.plugin.version>4.8.4.0</com.github.spotbugs.plugin.version>
@@ -44,6 +49,13 @@
   </properties>
   <dependencyManagement>
     <dependencies>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${io.netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>${quarkus.platform.group-id}</groupId>
         <artifactId>${quarkus.platform.artifact-id}</artifactId>
@@ -165,6 +177,12 @@
       <groupId>org.projectnessie.cel</groupId>
       <artifactId>cel-jackson</artifactId>
     </dependency>
+    <!-- FIXME this is a forced version override of the protobuf required by projectnessie -->
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>${com.google.protobuf-java.version}</version>
+    </dependency>
     <dependency>
       <groupId>commons-validator</groupId>
       <artifactId>commons-validator</artifactId>
@@ -187,16 +205,6 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-quartz</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.netty</groupId>
-      <artifactId>netty-transport-native-epoll</artifactId>
-      <classifier>linux-x86_64</classifier>
-    </dependency>
-    <dependency>
-      <groupId>io.netty</groupId>
-      <artifactId>netty-transport-native-kqueue</artifactId>
-      <classifier>osx-x86_64</classifier>
-    </dependency>
     <dependency>
       <groupId>com.google.googlejavaformat</groupId>
       <artifactId>google-java-format</artifactId>
@@ -418,5 +426,111 @@
         <quarkus.package.type>native</quarkus.package.type>
       </properties>
     </profile>
+
+    <profile>
+      <id>default-arch</id>
+      <activation>
+        <property>
+          <name>!build.arch</name>
+        </property>
+      </activation>
+      <properties>
+        <io.netty.netty-transport-native-epoll.classifier>linux-x86_64</io.netty.netty-transport-native-epoll.classifier>
+        <io.netty.netty-transport-native-epoll.scope>compile</io.netty.netty-transport-native-epoll.scope>
+      </properties>
+    </profile>
+    <profile>
+      <id>amd64</id>
+      <activation>
+        <property>
+          <name>build.arch</name>
+          <value>amd64</value>
+        </property>
+      </activation>
+      <properties>
+        <io.netty.netty-transport-native-epoll.classifier>linux-x86_64</io.netty.netty-transport-native-epoll.classifier>
+        <io.netty.netty-transport-native-epoll.scope>compile</io.netty.netty-transport-native-epoll.scope>
+      </properties>
+    </profile>
+    <profile>
+      <id>arm64</id>
+      <activation>
+        <property>
+          <name>build.arch</name>
+          <value>arm64</value>
+        </property>
+      </activation>
+      <properties>
+        <io.netty.netty-transport-native-epoll.classifier>linux-aarch_64</io.netty.netty-transport-native-epoll.classifier>
+        <io.netty.netty-transport-native-epoll.scope>compile</io.netty.netty-transport-native-epoll.scope>
+      </properties>
+    </profile>
+    <profile>
+      <id>with-epoll</id>
+      <activation>
+        <property>
+          <name>!build.exclude-epoll</name>
+        </property>
+      </activation>
+      <properties>
+        <io.netty.netty-transport-native-epoll.scope>compile</io.netty.netty-transport-native-epoll.scope>
+      </properties>
+      <dependencies>
+        <dependency>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-transport-native-epoll</artifactId>
+          <version>${io.netty.version}</version>
+          <classifier>${io.netty.netty-transport-native-epoll.classifier}</classifier>
+          <scope>${io.netty.netty-transport-native-epoll.scope}</scope>
+        </dependency>
+      </dependencies>
+    </profile>
+    <profile>
+      <id>no-epoll</id>
+      <activation>
+        <property>
+          <name>build.exclude-epoll</name>
+        </property>
+      </activation>
+      <properties>
+        <io.netty.netty-transport-native-epoll.classifier>linux-x86_64</io.netty.netty-transport-native-epoll.classifier>
+        <io.netty.netty-transport-native-epoll.scope>provided</io.netty.netty-transport-native-epoll.scope>
+      </properties>
+      <dependencies>
+        <dependency>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-transport-native-epoll</artifactId>
+          <classifier>${io.netty.netty-transport-native-epoll.classifier}</classifier>
+          <scope>${io.netty.netty-transport-native-epoll.scope}</scope>
+        </dependency>
+      </dependencies>
+    </profile>
+
+    <profile>
+      <id>dist</id>
+      <build>
+        <plugins>
+          <plugin>
+            <artifactId>maven-assembly-plugin</artifactId>
+            <version>${assembly-plugin.version}</version>
+            <configuration>
+              <descriptors>
+                <descriptor>src/assembly/quarkus-app.xml</descriptor>
+              </descriptors>
+              <tarLongFileMode>posix</tarLongFileMode>
+            </configuration>
+            <executions>
+              <execution>
+                <id>assemble-quarkus-app</id>
+                <phase>package</phase>
+                <goals>
+                  <goal>single</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 </project>
diff --git a/schema/openapi.yaml b/schema/openapi.yaml
@@ -2236,6 +2236,19 @@ paths:
         - SecurityScheme: []
       tags:
         - Reports
+  /api/v3/tls/certs:
+    get:
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                items:
+                  type: string
+                type: array
+          description: OK
+      tags:
+        - Trust Store
   /health:
     get:
       responses:

diff --git a/smoketest.bash b/smoketest.bash
@@ -180,6 +180,8 @@ cleanup() {
         ${container_engine} rm localstack_cfg_helper || true
         ${container_engine} volume rm localstack_cfg || true
     fi
+    ${container_engine} rm jmxtls_cfg_helper || true
+    ${container_engine} volume rm jmxtls_cfg || true
     truncate -s 0 "${HOSTSFILE}"
     for i in "${PIDS[@]}"; do
         kill -0 "${i}" && kill "${i}"
@@ -212,6 +214,13 @@ if [ "${s3}" = "localstack" ]; then
     createLocalstackCfgVolume
 fi
 
+createJmxTlsCertVolume() {
+    "${container_engine}" volume create jmxtls_cfg
+    "${container_engine}" container create --name jmxtls_cfg_helper -v jmxtls_cfg:/truststore busybox
+    "${container_engine}" cp "${DIR}/truststore" jmxtls_cfg_helper:/truststore
+}
+createJmxTlsCertVolume
+
 setupUserHosts() {
     # This requires https://github.com/figiel/hosts to work. See README.
     truncate -s 0 "${HOSTSFILE}"

diff --git a/src/assembly/quarkus-app.xml b/src/assembly/quarkus-app.xml
@@ -0,0 +1,14 @@
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.1.1"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.1.1 http://maven.apache.org/xsd/assembly-2.1.1.xsd">
+  <id>quarkus-app</id>
+  <formats>
+    <format>tar.gz</format>
+  </formats>
+  <includeBaseDirectory>false</includeBaseDirectory>
+  <fileSets>
+    <fileSet>
+      <directory>${project.build.directory}/quarkus-app</directory>
+    </fileSet>
+  </fileSets>
+</assembly>
diff --git a/src/main/docker/Dockerfile.jvm b/src/main/docker/Dockerfile.jvm
@@ -88,11 +88,26 @@ LABEL io.cryostat.component=cryostat3
 ENV JAVA_OPTS_APPEND="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
 ENV JAVA_APP_JAR="/deployments/quarkus-run.jar"
 
-ENTRYPOINT [ "/opt/jboss/container/java/run/run-java.sh" ]
+ENTRYPOINT [ "/deployments/app/entrypoint.bash", "/opt/jboss/container/java/run/run-java.sh" ]
 
 # We make distinct layers so if there are application changes the library layers can be re-used
 COPY --chown=185 src/main/docker/include/cryostat.jfc /usr/lib/jvm/jre/lib/jfr/
+COPY --chown=185 src/main/docker/include/genpass.bash /deployments/app/
+COPY --chown=185 src/main/docker/include/entrypoint.bash /deployments/app/
+COPY --chown=185 src/main/docker/include/truststore-setup.bash /deployments/app/
 COPY --chown=185 target/quarkus-app/lib/ /deployments/lib/
 COPY --chown=185 target/quarkus-app/*.jar /deployments/
 COPY --chown=185 target/quarkus-app/app/ /deployments/app/
 COPY --chown=185 target/quarkus-app/quarkus/ /deployments/quarkus/
+
+ENV CONF_DIR=/opt/cryostat.d
+ENV SSL_TRUSTSTORE=$CONF_DIR/truststore.p12 \
+    SSL_TRUSTSTORE_PASS_FILE=$CONF_DIR/truststore.pass
+
+USER root
+RUN mkdir -p $CONF_DIR \
+    && chmod -R g=u $CONF_DIR \
+    && chown jboss:root $CONF_DIR
+USER 185
+
+RUN /deployments/app/truststore-setup.bash
diff --git a/src/main/docker/include/entrypoint.bash b/src/main/docker/include/entrypoint.bash
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+set -e
+
+DIR="$(dirname "$(realpath "$0")")"
+source "${DIR}/genpass.bash"
+
+function banner() {
+    echo   "+------------------------------------------+"
+    printf "| %-40s |\n" "$(date)"
+    echo   "|                                          |"
+    printf "| %-40s |\n" "$@"
+    echo   "+------------------------------------------+"
+}
+
+PWFILE="/tmp/jmxremote.password"
+USRFILE="/tmp/jmxremote.access"
+function createJmxCredentials() {
+    if [ -z "$CRYOSTAT_RJMX_USER" ]; then
+        CRYOSTAT_RJMX_USER="cryostat"
+    fi
+    if [ -z "$CRYOSTAT_RJMX_PASS" ]; then
+        CRYOSTAT_RJMX_PASS="$(genpass)"
+    fi
+
+    echo -n "$CRYOSTAT_RJMX_USER $CRYOSTAT_RJMX_PASS" > "$PWFILE"
+    chmod 400 "$PWFILE"
+    echo -n "$CRYOSTAT_RJMX_USER readwrite" > "$USRFILE"
+    chmod 400 "$USRFILE"
+}
+
+function importTrustStores() {
+    if [ -z "$CONF_DIR" ]; then
+        CONF_DIR="/opt/cryostat.d"
+    fi
+    if [ -z "$SSL_TRUSTSTORE_DIR" ]; then
+        SSL_TRUSTSTORE_DIR="/truststore"
+    fi
+
+    if [ ! -d "$SSL_TRUSTSTORE_DIR" ]; then
+        banner "$SSL_TRUSTSTORE_DIR does not exist; no certificates to import"
+        return 0
+    elif [ ! "$(ls -A "$SSL_TRUSTSTORE_DIR")" ]; then
+        banner "$SSL_TRUSTSTORE_DIR is empty; no certificates to import"
+        return 0
+    fi
+
+    SSL_TRUSTSTORE_PASS="$(cat "${SSL_TRUSTSTORE_PASS_FILE:-$CONF_DIR/truststore.pass}")"
+
+    find "$SSL_TRUSTSTORE_DIR" -type f | while IFS= read -r cert; do
+        echo "Importing certificate $cert ..."
+
+        keytool -importcert -v \
+            -noprompt \
+            -alias "imported-$(basename "$cert")" \
+            -trustcacerts \
+            -keystore "${SSL_TRUSTSTORE:-$CONF_DIR/truststore.p12}" \
+            -file "$cert"\
+            -storepass "$SSL_TRUSTSTORE_PASS"
+    done
+
+    FLAGS+=(
+        "-Djavax.net.ssl.trustStore=$SSL_TRUSTSTORE"
+        "-Djavax.net.ssl.trustStorePassword=$SSL_TRUSTSTORE_PASS"
+    )
+}
+
+FLAGS=()
+importTrustStores
+
+if [ "$CRYOSTAT_DISABLE_JMX_AUTH" = "true" ]; then
+    banner "JMX Auth Disabled"
+    FLAGS+=("-Dcom.sun.management.jmxremote.authenticate=false")
+else
+    createJmxCredentials
+    FLAGS+=("-Dcom.sun.management.jmxremote.authenticate=true")
+    FLAGS+=("-Dcom.sun.management.jmxremote.password.file=$PWFILE")
+    FLAGS+=("-Dcom.sun.management.jmxremote.access.file=$USRFILE")
+fi
+
+export JAVA_OPTS_APPEND="${JAVA_OPTS_APPEND} ${FLAGS[*]}"
+exec $1
diff --git a/src/main/docker/include/genpass.bash b/src/main/docker/include/genpass.bash
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+genpass() {
+    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32
+}