wip

docker-entrypoint.sh

@@ -49,75 +49,8 @@ echo -e "Environment variables:\n\
   MARATHON_APP_ID: $MARATHON_APP_ID\n\
   MESOS_TASK_ID: $MESOS_TASK_ID\n"
 
-KAFKA_GROUP=`echo ${MARATHON_APP_ID} | cut -d / -f 2`
-echo -e "Derived the group this application is running in from the marathon app ID: $KAFKA_GROUP\n"
-
-# DNS =
-# marathon app id,
-# split on /
-# reverse the list
-# remove empty lines
-# replace line endings by . 
-# append marathon.mesos
-# Which becomes something like container_name.tenant.marathon.mesos
-
-DNS=`echo ${MARATHON_APP_ID} | tr "/" "\n" | sed '1!G;h;$!d' |grep -v "^$" |tr "\n" "." | sed "s/$/marathon.mesos/g"`
-echo -e "Derived the DNS name from the marathon app ID: $DNS\n"
-
 # Get DSH CA certificate into a file
 echo "${DSH_CA_CERTIFICATE}" > ${PKI_CONFIG_DIR}/ca.crt
-
-echo "Using the CA certificate to request DN from Pikachu:"
-DN=`curl --cacert ${PKI_CONFIG_DIR}/ca.crt -s "https://${KAFKA_CONFIG_HOST}/dn/${KAFKA_GROUP}/${MESOS_TASK_ID}"`
-
-# Bail out if we get back an invalid DN 
-if echo "${DN}" | grep "^CN="
-then
-    echo
-else
-    echo "Error: Expected the DN received from Pikachu to start with 'CN=' but received '${DN}'"
-    exit 1
-fi
-
-# DN comes back as a comma delimited list, split it into separate lines:
-echo $DN > ${PKI_CONFIG_DIR}/dndata
-sed -i 's/,/\n/g' ${PKI_CONFIG_DIR}/dndata
-#echo "DN before sed/=/ = /g: $(cat ${PKI_CONFIG_DIR}/dndata)"
-
-# Format the DN in the temp file
-sed -i 's/=/ = /g' ${PKI_CONFIG_DIR}/dndata
-# Read into a variable so we can place it in the csr.conf
-DNDATA=$(cat ${PKI_CONFIG_DIR}/dndata)
-#echo "DN after sed/=/ = /g: ${DNDATA}"
-
-echo "DN data: ${DNDATA}"
-echo "DNS data: ${DNS}"
-
-echo "Prepare CSR data: ${PKI_CONFIG_DIR}/csr.conf"
-tee ${PKI_CONFIG_DIR}/csr.conf <<EOF
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-[req_distinguished_name]
-${DNDATA}
-[v3_req]
-keyUsage = keyEncipherment, dataEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = ${DNS}
-EOF
-
-openssl genrsa -out ${PKI_CONFIG_DIR}/key.pem 4096
-openssl req -new -key ${PKI_CONFIG_DIR}/key.pem -out ${PKI_CONFIG_DIR}/client.csr -config ${PKI_CONFIG_DIR}/csr.conf
-
-echo -e "\nAsking PKI to sign the request"
-curl --cacert ${PKI_CONFIG_DIR}/ca.crt -s -X POST --data-binary @${PKI_CONFIG_DIR}/client.csr -H "X-Kafka-Config-Token: ${DSH_SECRET_TOKEN}" "https://${KAFKA_CONFIG_HOST}/sign/${KAFKA_GROUP}/${MESOS_TASK_ID}" > ${PKI_CONFIG_DIR}/client.pem
-
-# Remove intermediate files
-rm -f ${PKI_CONFIG_DIR}/client.csr ${PKI_CONFIG_DIR}/csr.conf
-
 set +u
 
 if [ -n "${KAFKA_PROXY_CA_CHAIN:-}" ]; then
@@ -173,24 +106,17 @@ done
 # this should be picked up by kafka-proxy
 subjects="$( printf "%s" "$subjects" | cut -c2- )"
 
-
-printf "%s\n" "$subjects"
-
 # ------------------------------------------------------------------
 # using an if to avoid passing a variable as parameters
 #  this can cause issues with string splitting
 #  which than makes the subjects fail in case of CN=[MY Space Company]
 #  Do not try to be clever with the shell skills and leave it as is!
 # ------------------------------------------------------------------
-    # --tls-client-cert-file /app/pki/client.pem \
-    # --tls-client-key-file /app/pki/key.pem \
 if [[ "x$subjects" = "x" ]]
 then
 ./kafka-proxy server \
     --tls-enable \
     --tls-ca-chain-cert-file /app/pki/ca.crt \
-    --tls-client-cert-file /app/pki/client.pem \
-    --tls-client-key-file /app/pki/key.pem \
     --proxy-listener-tls-enable \
     --proxy-listener-cipher-suites TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
     --proxy-listener-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
@@ -215,8 +141,6 @@ else
 ./kafka-proxy server \
     --tls-enable \
     --tls-ca-chain-cert-file /app/pki/ca.crt \
-    --tls-client-cert-file /app/pki/client.pem \
-    --tls-client-key-file /app/pki/key.pem \
     --proxy-listener-tls-enable \
     --proxy-listener-cipher-suites TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
     --proxy-listener-cipher-suites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \