Adding certificates to Allure

[johnny550]

Hello, thanks for taking a look at this post.
So deploying Allure via this helm chart. I have an existing postgresql deployment and wish to connect allure to it. Ssl is necessary, so I'd like to add the necessary certs and keys into allure, to allow report and uaa to talk to pgsql.

I see this option in the values file

certificates:
  configmapName: my-cm

The certs-init int container loads the certificate in the uaa and report pods, but once either of those containers within the pod starts, I get the following error:

Starting Allure UAA Service
Fetching certificates from: TLS Database Certificates 
If certificates....
Warning: use -cacerts option to access cacerts keystore
keytool error: java.lang.Execption: Input not an X.509 certificate

Now the certs and keys I added in the configmap my-cm are for both uaa and report. And both have been tested in a separate pod. using them to access the postgresql engine works just fine.
My guess is I am missing something regarding what to put in that config map.

My config map is

apiVersion: 1
kind: ConfigMap
...
data:
  trust-bundle.pem: |-
   #root CA cert
   #cert for uaa
   #key for uaa cert
   #cert for report
   #key for report cert

Would appreciate the help.
Cheers

[johnny550]

A few updates
As expected I was making mistakes regarding what to add in the my-cm configmap.

A few things I tried

What did not work

Combining the client cert and key into a p12 file then adding that file to the my-cm configmap and restart allure-uaa

openssl pkcs12 -export -in client_uaa.crt -inkey client_uaa.key \
               -out client_uaa.p12 -name uaa \
               -CAfile myCA.pem -caname #MYPGCA

k create cm pgsql-tls-config --from-file trust-bundle.pem=lient_uaa.p12  --as wcm-qa-nexus-dev-admin

That ends up giving the same error in the certs-init init container
keytool error: java.lang.Exception: Input not an X.509 certificate

What seems to work

As of now, I only have the root CA ad client certs in there. I omitted the report's cert for simplicity

apiVersion: 1
kind: ConfigMap
...
data:
  trust-bundle.pem: |-
   #root CA cert
   #cert for uaa

Also had to add to the JAVA_TOOL_OPTIONS env var in the uaa & report resources

-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit

The cert is imported into the trustore but, it seems the server.crt is not found by allure, when trying to connect to the postgresql instance.

The error I get is

org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate

I could also mount the root cert, client cert & key via a volume from a secret, but then the question is how do I get allure to pick up on those certs & key when reaching out to postgres?

Adding the log dump as an attachement:
allure-testops-uaa-1.log

Question

How can I get allure to see and use the root cert, client cert & key?

[johnny550]

Still unable to find a way to make allure take into consideration the certs and key, even if mounted via an extra volume.

Just a found a fix about the first thing I tried earlier, importing the pkcs12 bundle.
Had to make a few changes to the chart for this to work. CERTS-INIT initcontainer
FROM

keytool -alias trust-bundle.pem -import -keystore /etc/pki/ca-trust/extracted/java/cacerts -file /etc/pki/ca-trust/source/anchors/trust-bundle.pem -storepass changeit -noprompt

TO

keytool -importkeystore -destkeystore /etc/pki/ca-trust/extracted/java/cacerts -srckeystore /etc/pki/ca-trust/source/anchors/trust-bundle.pem -srcstoretype pkcs12 -alias uaa -deststorepass changeit -srcstorepass #PASSWORD -noprompt

Doing this the new keystore is imported and certs-init completes witth exit code 0.
Although the imported bundle contains the private key, as well as the cert+pub key, it doesn't seem to work.
Still get the same err when uaa tries connecting to postgresql
org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate

[cheshi-mantu]

@johnny550 hi there
if you have a working solution you are more that welcome to create a PR, we'll review and accept.

cheers

[johnny550]

@cheshi-mantu hey.
Sure I'll gladly put in a PR but I'm stuck right now since it seems allure isn't using the certs (correctly or even at all, I don't know) when reaching out to postgres. I will take any help I can get at this point

[cheshi-mantu]

@johnny550 please use https://help.qameta.io for the assistance (please use your corporate email), not Chart's repo

[johnny550]

I figured out what the issue was.
Something I should've specified from the get go is that my issue is with Allure v4, not v5 (hopefully not when it's time to migrate lol).
Anyways I could open a PR in the relevant repository but don't know if you guys estimate it necessary. If so, let me know and I'll get it done.
Cheers