Add launcher SSL/TLS support

> This is a combination of 5 commits. > This is the 1st commit message: Enable errexit > This is the commit message thelastpickle#2: Refactor JAR search logic This adds to code reuse. > This is the commit message thelastpickle#3: A bit more concise CONFIG_PATH selection Not really useful, but avoids the unnecessary string literal duplication. > This is the commit message thelastpickle#4: Refine REAPER_JAR search Do not search from '/' to avoid log cluttering and save startup time. And anyway, searching from '/' kills the very idea of searching for a *user* JAR (as apposed to a system JAR) and also makes the search result less predictable (as *all* JARs will eventually be found). The main motivation was that systemd services start with '/' as the working directory, so the system log gets filled with errors on each service start. While b970844 fixes searching from '/' for systemd service, still an explicit check pursues additional goals. > This is the commit message thelastpickle#5: Add SSL/TLS support To support clusters that have their JMX protected with SSL/TLS encryption, let us allow to configure the respective Java parameters.
plastikat · Apr 3, 2020 · 507baa2 · 507baa2
1 parent 27d68ce
commit 507baa2
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 7 deletions.
diff --git a/src/packaging/Makefile b/src/packaging/Makefile
@@ -29,6 +29,7 @@ prepare:
 	mkdir -p build/lib/systemd/system/
 	cp resource/cassandra-reaper.yaml build/etc/cassandra-reaper/
 	cp resource/cassandra-reaper*.yaml build/etc/cassandra-reaper/configs
+	cp resource/cassandra-reaper-ssl.properties build/etc/cassandra-reaper/configs
 	cp ../server/target/cassandra-reaper-$(VERSION).jar build/usr/share/cassandra-reaper/
 	cp bin/* build/usr/local/bin/
 	cp etc/bash_completion.d/spreaper build/etc/bash_completion.d/

diff --git a/src/packaging/bin/cassandra-reaper b/src/packaging/bin/cassandra-reaper
@@ -14,28 +14,53 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
-REAPER_JAR=$(find . -maxdepth 4 -regex '.*/cassandra-reaper-.*[0-9rT]\.jar')
+set -e
+
+find_reaper_jar() {
+    local target_path
+    target_path="$1"
+
+    find -L "$target_path" \
+        -maxdepth 4 \
+        -regex '.*/cassandra-reaper-.*[0-9rT]\.jar' || true
+}
+
+# Do not search from '/' as it prints many permission errors (even for
+# root user), notably for '/proc', '/run', etc.
+# Also it can potentially take a huge amount of time.
+if [ "$(pwd -P)" != "/" ]; then
+    REAPER_JAR=$(find_reaper_jar ".")
+fi
 
 if [ $REAPER_JAR ]; then
     echo "Using reaper in target"
     CLASS_PATH=$REAPER_JAR
 fi
 
 if [ -z "$CLASS_PATH" ]; then
-  echo "Looking for reaper in /usr/local/share/"
-  CLASS_PATH="$(find -L /usr/local/share -maxdepth 4 -regex '.*/cassandra-reaper-.*[0-9rT]\.jar'):$(find -L /usr/share -maxdepth 4 -regex '.*/cassandra-reaper-.*[0-9rT]\.jar')"
+    echo "Looking for reaper under /usr"
+    CLASS_PATH=""
+    CLASS_PATH+=:$(find_reaper_jar "/usr/local/share")
+    CLASS_PATH+=:$(find_reaper_jar "/usr/share")
 fi
 
 if [ $# -eq 0 ]; then
-    if [ -e /usr/local/etc/cassandra-reaper/cassandra-reaper.yaml ]; then
-        CONFIG_PATH="/usr/local/etc/cassandra-reaper/cassandra-reaper.yaml"
-    else
+    CONFIG_PATH="/usr/local/etc/cassandra-reaper/cassandra-reaper.yaml"
+    if [ ! -e "$CONFIG_PATH" ]; then
         CONFIG_PATH="/etc/cassandra-reaper/cassandra-reaper.yaml"
     fi
 else
     CONFIG_PATH="$@"
 fi
 
+SSL_CONFIG_PATH="/etc/cassandra-reaper/cassandra-reaper-ssl.properties"
+if [ -r "$SSL_CONFIG_PATH" ]; then
+    echo "Loading SSL configuration from $SSL_CONFIG_PATH"
+    # The `sed` expression below removes empty lines and comments
+    # (i.e. lines starting with '#' character).
+    mapfile -t JVM_OPTS <<< "$(cat "$SSL_CONFIG_PATH" | sed '/^\(#.*\)*$/d')"
+fi
+
 # Use JAVA_HOME if set, otherwise look for java in PATH
 if [ -n "$JAVA_HOME" ]; then
     # Why we can't have nice things: Solaris combines x86 and x86_64
@@ -59,10 +84,12 @@ fi
 
 
 JVM_OPTS=(
-    # it is safe and performant to disable assertions in production environments (ie replace `-ea` with `-da`)
+    # it is safe and performant to disable assertions in production
+    # environments (ie replace `-ea` with `-da`)
     -ea
     -Xms2G
     -Xmx2G
+    ${JVM_OPTS[@]}
     # Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). See
     # http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:
     # comment out this entry to enable IPv6 support).

diff --git a/src/packaging/resource/cassandra-reaper-ssl.properties b/src/packaging/resource/cassandra-reaper-ssl.properties
@@ -0,0 +1,20 @@
+# Cassandra Reaper SSL Configuration Example.
+#
+# * Replace keyStore/trustStore parameter values with the real paths to
+#   your credentials files.
+# * Replace keyStorePassword/trustStorePassword parameter values with the
+#   real passwords protecting your files.
+#
+# In case some parameters are not applicable to your SSL configuration,
+# just comment out the respective lines.
+#
+# After filling in the real values, always make sure the resulting file
+# has appropriate permissions set.
+
+-Djavax.net.ssl.keyStore=/path/to/keystore.jks
+-Djavax.net.ssl.keyStorePassword=keystore_password
+
+-Djavax.net.ssl.trustStore=/path/to/truststore.jks
+-Djavax.net.ssl.trustStorePassword=truststore_password
+
+-Dssl.enable=true