Continue to generate keystore with externally provided NativeHA ini (#730)

Author: mirskifa

CHANGELOG.md

@@ -7,7 +7,9 @@
 * Fix APAR IT46430
 * Changed build Dockerfile to reduce file duplication across image layers
 * Changed shutdown flow to continue reaping orphan processes during queue manager shutdown
-* Allow Native HA configuration to be externally provided rather than generated from template
+* Allow Native HA configuration to be externally provided rather than generated from template.
+  * Deprecate use of environment variable configuration of Native HA (except `MQ_NATIVE_HA=true` which is still required).
+  * Clarify behaviour of now deprecated environment variable configuration in IBM documentation
 * Clarified new minimum versions of Docker and Podman; new version required due to the move to UBI 9
 
 ## 9.4.0.0 (2024-06)

Dockerfile-server

@@ -120,15 +120,17 @@ RUN env \
   && /opt/mqm/bin/security/amqpamcf
 COPY --chown=1001:root --from=builder $GO_WORKDIR/runmqserver /usr/local/bin/
 COPY --chown=1001:root --from=builder $GO_WORKDIR/chkmq* /usr/local/bin/
-COPY ha/native-ha.ini.tpl /etc/mqm/native-ha.ini.tpl
+COPY --chown=1001:root ha/*.ini.tpl /etc/mqm/
 # Copy web XML files
 COPY --chown=1001:root web /etc/mqm/web
 COPY --chown=1001:root etc/mqm/*.tpl /etc/mqm/
 RUN ln -s /run/mqwebcontainer.xml /etc/mqm/web/installations/Installation1/servers/mqweb/mqwebcontainer.xml \
   && ln -s /run/tls.xml /etc/mqm/web/installations/Installation1/servers/mqweb/tls.xml \
   && ln -s /run/jvm.options /etc/mqm/web/installations/Installation1/servers/mqweb/configDropins/defaults/jvm.options \
   && ln -s /run/15-tls.mqsc /etc/mqm/15-tls.mqsc \
-  && ln -s /run/native-ha.ini /etc/mqm/native-ha.ini \
+  && ln -s /run/10-native-ha.ini /etc/mqm/10-native-ha.ini \
+  && ln -s /run/10-native-ha-instance.ini /etc/mqm/10-native-ha-instance.ini \
+  && ln -s /run/10-native-ha-keystore.ini /etc/mqm/10-native-ha-keystore.ini \
   && chown -R 1001:root /etc/mqm/*
 RUN touch /run/termination-log \
   && chown 1001:root /run/termination-log \

cmd/runmqserver/main.go

@@ -22,6 +22,7 @@ import (
 	"errors"
 	"flag"
 	"os"
+	"path"
 	"sync"
 
 	"github.com/ibm-messaging/mq-container/internal/copy"
@@ -164,12 +165,19 @@ func doMain() error {
 		return err
 	}
 
-	// Initialise native-ha.ini file on ephemeral volume
-	// #nosec G306 - its a read by owner/s group, and pose no harm.
-	err = os.WriteFile("/run/native-ha.ini", []byte(""), 0660)
-	if err != nil {
-		logTermination(err)
-		return err
+	// Initialise native-ha ini files file on ephemeral volume
+	nativeHAINIs := []string{
+		"10-native-ha.ini",
+		"10-native-ha-instance.ini",
+		"10-native-ha-keystore.ini",
+	}
+	for _, iniFile := range nativeHAINIs {
+		// #nosec G306 - its a read by owner/s group, and pose no harm.
+		err = os.WriteFile(path.Join("/run", iniFile), []byte(""), 0660)
+		if err != nil {
+			logTermination(err)
+			return err
+		}
 	}
 
 	// Copy default mqwebcontainer.xml file to ephemeral volume

ha/10-native-ha-instance.ini.tpl

@@ -0,0 +1,5 @@
+NativeHALocalInstance:
+  Name={{ .Name }}
+  {{ if .SSLFipsRequired }}
+  SSLFipsRequired={{ .SSLFipsRequired }}
+  {{- end}}

ha/10-native-ha-keystore.ini.tpl

@@ -0,0 +1,8 @@
+NativeHALocalInstance:
+  {{ if .CertificateLabel }}
+  CertificateLabel={{ .CertificateLabel }}
+  {{- end }}
+  {{ if .Group.CertificateLabel }}
+  GroupCertificateLabel={{ .Group.CertificateLabel}}
+  {{- end }}
+  KeyRepository={{ .KeyRepository }}

ha/native-ha.ini.tpl renamed to ha/10-native-ha.ini.tpl

@@ -1,18 +1,11 @@
 NativeHALocalInstance:
-  Name={{ .Name }}
   {{ if .ShouldConfigureTLS }}
-  {{ if .CertificateLabel }}
-  CertificateLabel={{ .CertificateLabel }}
-  {{- end }}
   {{ if .CipherSpec }}
   CipherSpec={{ .CipherSpec }}
   {{- end }}
   {{ if .Group.Local.Name }}
   GroupName={{ .Group.Local.Name }}
   {{- end}}
-  {{ if .Group.CertificateLabel }}
-  GroupCertificateLabel={{ .Group.CertificateLabel}}
-  {{- end }}
   {{ if .Group.CipherSpec }}
   GroupCipherSpec={{ .Group.CipherSpec }}
   {{- end }}
@@ -22,10 +15,6 @@ NativeHALocalInstance:
   {{ if .Group.Local.Address }}
   GroupLocalAddress={{ .Group.Local.Address }}
   {{- end}}
-  KeyRepository={{ .KeyRepository }}
-  {{ if .SSLFipsRequired }}
-  SSLFipsRequired={{ .SSLFipsRequired }}
-  {{- end}}
   {{- end }}{{/* end if .ShouldConfigureTLS */}}
 {{- range $idx, $instance := .Instances}}
 NativeHAInstance:

internal/ha/ha.go

@@ -18,6 +18,7 @@ limitations under the License.
 package ha
 
 import (
+	"fmt"
 	"os"
 
 	"github.com/ibm-messaging/mq-container/internal/fips"
@@ -28,27 +29,45 @@ import (
 
 // ConfigureNativeHA configures native high availability
 func ConfigureNativeHA(log *logger.Logger) error {
-	if !envConfigPresent() {
+	if os.Getenv("MQ_NATIVE_HA") != "true" {
 		return nil
 	}
-	log.Println("Configuring Native HA using values provided in environment variables")
-	fileLink := "/run/native-ha.ini"
-	templateFile := "/etc/mqm/native-ha.ini.tpl"
 	fipsAvailable := fips.IsFIPSEnabled()
-	return loadConfigAndGenerate(templateFile, fileLink, fipsAvailable, log)
+
+	haCertLabel, haGroupCertLabel, _, _, err := tls.ConfigureHATLSKeystore()
+	if err != nil {
+		return fmt.Errorf("error loading tls keys: %w", err)
+	}
+
+	configFiles := map[string]string{
+		"/run/10-native-ha-instance.ini": "/etc/mqm/10-native-ha-instance.ini.tpl",
+	}
+	if haCertLabel != "" || haGroupCertLabel != "" {
+		configFiles["/run/10-native-ha-keystore.ini"] = "/etc/mqm/10-native-ha-keystore.ini.tpl"
+	}
+	if envConfigPresent() {
+		log.Println("Configuring Native HA using values provided in environment variables")
+		configFiles["/run/10-native-ha.ini"] = "/etc/mqm/10-native-ha.ini.tpl"
+	}
+	return loadConfigAndGenerate(configFiles, fipsAvailable, haCertLabel, haGroupCertLabel, log)
 }
 
-func loadConfigAndGenerate(templatePath string, outputPath string, fipsAvailable bool, log *logger.Logger) error {
+func loadConfigAndGenerate(templateConfigs map[string]string, fipsAvailable bool, haCertLabel, haGroupCertLabel string, log *logger.Logger) error {
 	cfg, err := loadConfigFromEnv(log)
 	if err != nil {
 		return err
 	}
-	err = cfg.updateTLS()
+	err = cfg.updateTLS(fipsAvailable, haCertLabel, haGroupCertLabel)
 	if err != nil {
 		return err
 	}
-
-	return cfg.generate(templatePath, outputPath, log)
+	for outputPath, templateFile := range templateConfigs {
+		err := cfg.generate(templateFile, outputPath, log)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func envConfigPresent() bool {
@@ -61,7 +80,6 @@ func envConfigPresent() bool {
 		"MQ_NATIVE_HA_INSTANCE_2_REPLICATION_ADDRESS",
 		"MQ_NATIVE_HA_TLS",
 		"MQ_NATIVE_HA_CIPHERSPEC",
-		"MQ_NATIVE_HA_KEY_REPOSITORY",
 	}
 	for _, checkVar := range checkVars {
 		if os.Getenv(checkVar) != "" {
@@ -101,7 +119,6 @@ func loadConfigFromEnv(log *logger.Logger) (*haConfig, error) {
 			},
 			CipherSpec: os.Getenv("MQ_NATIVE_HA_GROUP_CIPHERSPEC"),
 		},
-		haTLSEnabled:  os.Getenv("MQ_NATIVE_HA_TLS") == "true",
 		CipherSpec:    os.Getenv("MQ_NATIVE_HA_CIPHERSPEC"),
 		keyRepository: os.Getenv("MQ_NATIVE_HA_KEY_REPOSITORY"),
 	}
@@ -136,43 +153,20 @@ func (h haConfig) ShouldConfigureTLS() bool {
 }
 
 func (h haConfig) SSLFipsRequired() string {
-	if !h.haTLSEnabled {
-		return ""
-	}
 	return yesNo(h.fipsAvailable).String()
 }
 
-func (h *haConfig) updateTLS() error {
-	if !h.ShouldConfigureTLS() {
-		return nil
-	}
-
-	var err error
-	var keyStore, trustStore tls.KeyStoreData
-
-	if h.haTLSEnabled {
-		var keyLabel string
-		keyLabel, keyStore, trustStore, err = tls.ConfigureHATLSKeystore()
-		if err != nil {
-			return err
-		}
-		h.CertificateLabel = keyLabel
+func (h *haConfig) updateTLS(fipsAvailable bool, haCertLabel, haGroupCertLabel string) error {
+	if haCertLabel != "" {
+		h.CertificateLabel = haCertLabel
+		h.haTLSEnabled = true
 	}
-
-	if h.Group.Local.Name != "" {
-		var groupKeyLabel string
-		if h.haTLSEnabled {
-			groupKeyLabel, err = tls.ConfigureHAReplicationGroupTLS(keyStore, trustStore)
-		} else {
-			groupKeyLabel, err = tls.CreateHAReplicationGroupTLS()
-		}
-		if err != nil {
-			return err
-		}
-		h.Group.CertificateLabel = groupKeyLabel
+	if haGroupCertLabel != "" {
+		h.Group.CertificateLabel = haGroupCertLabel
+		h.haTLSEnabled = true
 	}
 
-	h.fipsAvailable = fips.IsFIPSEnabled()
+	h.fipsAvailable = fipsAvailable
 
 	return nil
 }