From 2c18f8f4e3c2272b0cd23148901e4f945395cc03 Mon Sep 17 00:00:00 2001
From: Vincent de Saboulin
Date: Mon, 9 Dec 2024 16:02:46 +0100
Subject: [PATCH] wip
---
 connect/connect-ftps-sink/ftps-sink.sh | 8 +-
 .../connect-ftps-sink/security/certs-clean.sh | 9 ---
 .../security/certs-create.sh | 78 -------------------
 .../security/certs-verify.sh | 14 ----
 .../connect-ftps-sink/security/kafkajks.txt | 1 -
 connect/connect-ftps-source/ftps-source.sh | 9 +--
 .../security/certs-clean.sh | 9 ---
 .../security/certs-create.sh | 78 -------------------
 .../security/certs-verify.sh | 14 ----
 9 files changed, 8 insertions(+), 212 deletions(-)
 delete mode 100755 connect/connect-ftps-sink/security/certs-clean.sh
 delete mode 100755 connect/connect-ftps-sink/security/certs-create.sh
 delete mode 100755 connect/connect-ftps-sink/security/certs-verify.sh
 delete mode 100644 connect/connect-ftps-sink/security/kafkajks.txt
 delete mode 100755 connect/connect-ftps-source/security/certs-clean.sh
 delete mode 100755 connect/connect-ftps-source/security/certs-create.sh
 delete mode 100755 connect/connect-ftps-source/security/certs-verify.sh
diff --git a/connect/connect-ftps-sink/ftps-sink.sh b/connect/connect-ftps-sink/ftps-sink.sh
index df61775957..d80082214a 100755
--- a/connect/connect-ftps-sink/ftps-sink.sh
+++ b/connect/connect-ftps-sink/ftps-sink.sh
@@ -4,10 +4,10 @@ set -e
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 source ${DIR}/../../scripts/utils.sh
 
-cd ${DIR}/security
-log "🔐 Generate keys and certificates used for SSL"
-docker run -u0 --rm -v $PWD:/tmp ${CP_CONNECT_IMAGE}:${CONNECT_TAG} bash -c "/tmp/certs-create.sh > /dev/null 2>&1 && chown -R $(id -u $USER):$(id -g $USER) /tmp/"
-cd ${DIR}
+cd ../../connect/connect-ftps-sink/security
+playground tools certs-create --output-folder "$PWD" --container ftps-server
+docker run --quiet --rm -v $PWD:/tmp alpine/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /tmp/vsftpd.pem -out /tmp/vsftpd.pem -config /tmp/cert_config -reqexts 'my server exts'
+cd -
 
 if [[ "$(uname)" != "Darwin" ]]
 then
diff --git a/connect/connect-ftps-sink/security/certs-clean.sh b/connect/connect-ftps-sink/security/certs-clean.sh
deleted file mode 100755
index 92dedb388f..0000000000
--- a/connect/connect-ftps-sink/security/certs-clean.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -o nounset \
- -o errexit \
- -o verbose
-# -o xtrace
-
-# Cleanup files
-rm -f *.crt *.csr *_creds *.jks *.srl *.key *.pem *.der *.p12
diff --git a/connect/connect-ftps-sink/security/certs-create.sh b/connect/connect-ftps-sink/security/certs-create.sh
deleted file mode 100755
index 779d66b4fa..0000000000
--- a/connect/connect-ftps-sink/security/certs-create.sh
+++ /dev/null
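Review bot: The new `cd ../../connect/connect-ftps-sink/security` resolves against the caller's working directory rather than the script's own location, whereas the removed line used `${DIR}/security`; run from anywhere other than the expected layout it either aborts under `set -e` or, if a matching relative path happens to exist, writes the generated certificates into the wrong folder. Keep the existing anchor, `cd "${DIR}/security"`, and return with `cd "${DIR}"` instead of `cd -`, which also echoes the directory to stdout. `$PWD` in `-v $PWD:/tmp` should be quoted for the same reason the `--output-folder "$PWD"` argument already is. The openssl invocation still requests `-newkey rsa:1024` with `-nodes`, so an unencrypted 1024-bit key lands in the same `vsftpd.pem` as the certificate; 1024-bit RSA is below the accepted minimum today, so prefer `-newkey rsa:2048` even for a test fixture. The same four points apply to the otherwise identical ftps-source.sh hunk below.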
@@ -1,78 +0,0 @@
-#!/bin/bash
-
-#set -o nounset \
-# -o errexit \
-# -o verbose \
-# -o xtrace
-
-# Cleanup files
-rm -f /tmp/*.crt /tmp/*.csr /tmp/*_creds /tmp/*.jks /tmp/*.srl /tmp/*.key /tmp/*.pem /tmp/*.der /tmp/*.p12 /tmp/extfile
-
-openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /tmp/vsftpd.pem -out /tmp/vsftpd.pem -config /tmp/cert_config -reqexts 'my server exts'
-
-# Generate CA key
-openssl req -new -x509 -keyout /tmp/snakeoil-ca-1.key -out /tmp/snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/ST=Ca/C=US' -passin pass:confluent -passout pass:confluent
-
-for i in ftps-server
-do
- echo "------------------------------- $i -------------------------------"
-
- # Create host keystore
- keytool -genkey -noprompt \
- -alias $i \
- -dname "CN=$i,OU=TEST,O=CONFLUENT,L=PaloAlto,S=Ca,C=US" \
- -ext "SAN=dns:$i,dns:localhost" \
- -keystore /tmp/kafka.$i.keystore.jks \
- -keyalg RSA \
- -storepass confluent \
- -keypass confluent \
- -storetype pkcs12
-
- # Create the certificate signing request (CSR)
- keytool -keystore /tmp/kafka.$i.keystore.jks -alias $i -certreq -file /tmp/$i.csr -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost"
- #openssl req -in $i.csr -text -noout
-
-cat << EOF > /tmp/extfile
-[req]
-distinguished_name = req_distinguished_name
-x509_extensions = v3_req
-prompt = no
-[req_distinguished_name]
-CN = $i
-[v3_req]
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = $i
-DNS.2 = localhost
-EOF
- # Sign the host certificate with the certificate authority (CA)
- openssl x509 -req -CA /tmp/snakeoil-ca-1.crt -CAkey /tmp/snakeoil-ca-1.key -in /tmp/$i.csr -out /tmp/$i-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent -extensions v3_req -extfile /tmp/extfile
-
- #openssl x509 -noout -text -in $i-ca1-signed.crt
-
- # Sign and import the CA cert into the keystore
- keytool -noprompt -keystore /tmp/kafka.$i.keystore.jks -alias CARoot -import -file /tmp/snakeoil-ca-1.crt -storepass confluent -keypass confluent
- #keytool -list -v -keystore kafka.$i.keystore.jks -storepass confluent
-
- # Sign and import the host certificate into the keystore
- keytool -noprompt -keystore /tmp/kafka.$i.keystore.jks -alias $i -import -file /tmp/$i-ca1-signed.crt -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost"
- #keytool -list -v -keystore kafka.$i.keystore.jks -storepass confluent
-
- # Create truststore and import the CA cert
- keytool -noprompt -keystore /tmp/kafka.$i.truststore.jks -alias CARoot -import -file /tmp/snakeoil-ca-1.crt -storepass confluent -keypass confluent
-
- # Save creds
- echo "confluent" > ${i}_sslkey_creds
- echo "confluent" > ${i}_keystore_creds
- echo "confluent" > ${i}_truststore_creds
-
- # Create pem files and keys used for Schema Registry HTTPS testing
- # openssl x509 -noout -modulus -in client.certificate.pem | openssl md5
- # openssl rsa -noout -modulus -in client.key | openssl md5
- # log "GET /" | openssl s_client -connect localhost:8081/subjects -cert client.certificate.pem -key client.key -tls1
- keytool -export -alias $i -file /tmp/$i.der -keystore /tmp/kafka.$i.keystore.jks -storepass confluent
- openssl x509 -inform der -in /tmp/$i.der -out /tmp/$i.certificate.pem
- keytool -importkeystore -srckeystore /tmp/kafka.$i.keystore.jks -destkeystore /tmp/$i.keystore.p12 -deststoretype PKCS12 -deststorepass confluent -srcstorepass confluent -noprompt
- openssl pkcs12 -in /tmp/$i.keystore.p12 -nodes -nocerts -out /tmp/$i.key -passin pass:confluent
-
-done
diff --git a/connect/connect-ftps-sink/security/certs-verify.sh b/connect/connect-ftps-sink/security/certs-verify.sh
deleted file mode 100755
index 51dd6ae5bd..0000000000
--- a/connect/connect-ftps-sink/security/certs-verify.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -o nounset \
- -o errexit \
- -o verbose
-
-# See what is in each keystore and truststore
-for i in ftps-server connnect
-do
- echo "------------------------------- $i keystore -------------------------------"
- keytool -list -v -keystore /tmp/kafka.$i.keystore.jks -storepass confluent | grep -e Alias -e Entry
- echo "------------------------------- $i truststore -------------------------------"
- keytool -list -v -keystore /tmp/kafka.$i.truststore.jks -storepass confluent | grep -e Alias -e Entry
-done
diff --git a/connect/connect-ftps-sink/security/kafkajks.txt b/connect/connect-ftps-sink/security/kafkajks.txt
deleted file mode 100644
index 39dd410e61..0000000000
--- a/connect/connect-ftps-sink/security/kafkajks.txt
+++ /dev/null
@@ -1 +0,0 @@
-password=confluent
\ No newline at end of file
diff --git a/connect/connect-ftps-source/ftps-source.sh b/connect/connect-ftps-source/ftps-source.sh
index e4b4b58477..db7734e826 100755
--- a/connect/connect-ftps-source/ftps-source.sh
+++ b/connect/connect-ftps-source/ftps-source.sh
@@ -4,11 +4,10 @@ set -e
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 source ${DIR}/../../scripts/utils.sh
 
-cd ${DIR}/security
-log "🔐 Generate keys and certificates used for SSL"
-docker run -u0 --rm -v $PWD:/tmp ${CP_CONNECT_IMAGE}:${CONNECT_TAG} bash -c "/tmp/certs-create.sh > /dev/null 2>&1 && chown -R $(id -u $USER):$(id -g $USER) /tmp/"
-cd ${DIR}
-
+cd ../../connect/connect-ftps-source/security
+playground tools certs-create --output-folder "$PWD" --container ftps-server
+docker run --quiet --rm -v $PWD:/tmp alpine/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /tmp/vsftpd.pem -out /tmp/vsftpd.pem -config /tmp/cert_config -reqexts 'my server exts'
+cd -
 
 if [[ "$(uname)" != "Darwin" ]]
 then
diff --git a/connect/connect-ftps-source/security/certs-clean.sh b/connect/connect-ftps-source/security/certs-clean.sh
deleted file mode 100755
index 92dedb388f..0000000000
--- a/connect/connect-ftps-source/security/certs-clean.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -o nounset \
- -o errexit \
- -o verbose
-# -o xtrace
-
-# Cleanup files
-rm -f *.crt *.csr *_creds *.jks *.srl *.key *.pem *.der *.p12
diff --git a/connect/connect-ftps-source/security/certs-create.sh b/connect/connect-ftps-source/security/certs-create.sh
deleted file mode 100755
index 779d66b4fa..0000000000
--- a/connect/connect-ftps-source/security/certs-create.sh
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-
-#set -o nounset \
-# -o errexit \
-# -o verbose \
-# -o xtrace
-
-# Cleanup files
-rm -f /tmp/*.crt /tmp/*.csr /tmp/*_creds /tmp/*.jks /tmp/*.srl /tmp/*.key /tmp/*.pem /tmp/*.der /tmp/*.p12 /tmp/extfile
-
-openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /tmp/vsftpd.pem -out /tmp/vsftpd.pem -config /tmp/cert_config -reqexts 'my server exts'
-
-# Generate CA key
-openssl req -new -x509 -keyout /tmp/snakeoil-ca-1.key -out /tmp/snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/ST=Ca/C=US' -passin pass:confluent -passout pass:confluent
-
-for i in ftps-server
-do
- echo "------------------------------- $i -------------------------------"
-
- # Create host keystore
- keytool -genkey -noprompt \
- -alias $i \
- -dname "CN=$i,OU=TEST,O=CONFLUENT,L=PaloAlto,S=Ca,C=US" \
- -ext "SAN=dns:$i,dns:localhost" \
- -keystore /tmp/kafka.$i.keystore.jks \
- -keyalg RSA \
- -storepass confluent \
- -keypass confluent \
- -storetype pkcs12
-
- # Create the certificate signing request (CSR)
- keytool -keystore /tmp/kafka.$i.keystore.jks -alias $i -certreq -file /tmp/$i.csr -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost"
- #openssl req -in $i.csr -text -noout
-
-cat << EOF > /tmp/extfile
-[req]
-distinguished_name = req_distinguished_name
-x509_extensions = v3_req
-prompt = no
-[req_distinguished_name]
-CN = $i
-[v3_req]
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = $i
-DNS.2 = localhost
-EOF
- # Sign the host certificate with the certificate authority (CA)
- openssl x509 -req -CA /tmp/snakeoil-ca-1.crt -CAkey /tmp/snakeoil-ca-1.key -in /tmp/$i.csr -out /tmp/$i-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent -extensions v3_req -extfile /tmp/extfile
-
- #openssl x509 -noout -text -in $i-ca1-signed.crt
-
- # Sign and import the CA cert into the keystore
- keytool -noprompt -keystore /tmp/kafka.$i.keystore.jks -alias CARoot -import -file /tmp/snakeoil-ca-1.crt -storepass confluent -keypass confluent
- #keytool -list -v -keystore kafka.$i.keystore.jks -storepass confluent
-
- # Sign and import the host certificate into the keystore
- keytool -noprompt -keystore /tmp/kafka.$i.keystore.jks -alias $i -import -file /tmp/$i-ca1-signed.crt -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost"
- #keytool -list -v -keystore kafka.$i.keystore.jks -storepass confluent
-
- # Create truststore and import the CA cert
- keytool -noprompt -keystore /tmp/kafka.$i.truststore.jks -alias CARoot -import -file /tmp/snakeoil-ca-1.crt -storepass confluent -keypass confluent
-
- # Save creds
- echo "confluent" > ${i}_sslkey_creds
- echo "confluent" > ${i}_keystore_creds
- echo "confluent" > ${i}_truststore_creds
-
- # Create pem files and keys used for Schema Registry HTTPS testing
- # openssl x509 -noout -modulus -in client.certificate.pem | openssl md5
- # openssl rsa -noout -modulus -in client.key | openssl md5
- # log "GET /" | openssl s_client -connect localhost:8081/subjects -cert client.certificate.pem -key client.key -tls1
- keytool -export -alias $i -file /tmp/$i.der -keystore /tmp/kafka.$i.keystore.jks -storepass confluent
- openssl x509 -inform der -in /tmp/$i.der -out /tmp/$i.certificate.pem
- keytool -importkeystore -srckeystore /tmp/kafka.$i.keystore.jks -destkeystore /tmp/$i.keystore.p12 -deststoretype PKCS12 -deststorepass confluent -srcstorepass confluent -noprompt
- openssl pkcs12 -in /tmp/$i.keystore.p12 -nodes -nocerts -out /tmp/$i.key -passin pass:confluent
-
-done
diff --git a/connect/connect-ftps-source/security/certs-verify.sh b/connect/connect-ftps-source/security/certs-verify.sh
deleted file mode 100755
index 61e9f48ba4..0000000000
--- a/connect/connect-ftps-source/security/certs-verify.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -o nounset \
- -o errexit \
- -o verbose
-
-# See what is in each keystore and truststore
-for i in ftps-server connnect
-do
- echo "------------------------------- $i keystore -------------------------------"
- keytool -list -v -keystore kafka.$i.keystore.jks -storepass confluent | grep -e Alias -e Entry
- echo "------------------------------- $i truststore -------------------------------"
- keytool -list -v -keystore kafka.$i.truststore.jks -storepass confluent | grep -e Alias -e Entry
-done