pkalsi97 commented on code in PR #6416:
URL: https://github.com/apache/camel-k/pull/6416#discussion_r2617185066


##########
pkg/trait/jvm.go:
##########
@@ -368,3 +382,127 @@ func getLegacyCamelQuarkusDependenciesPaths() *sets.Set {
 
        return s
 }
+
+// parseSecretRef parses a secret reference in the format "secret:name" or 
"secret:name/key".
+func parseSecretRef(ref string) (string, string, error) {
+       if !strings.HasPrefix(ref, "secret:") {
+               return "", "", fmt.Errorf("invalid CA cert reference %q: must 
start with 'secret:'", ref)
+       }
+
+       ref = strings.TrimPrefix(ref, "secret:")
+       parts := strings.SplitN(ref, "/", 2)
+       secretName, secretKey := parts[0], ""
+
+       if len(parts) > 1 {
+               secretKey = parts[1]
+       }
+       if secretName == "" {
+               return "", "", errors.New("invalid CA cert reference: secret 
name is empty")
+       }
+
+       return secretName, secretKey, nil
+}
+
+// configureCACert sets up the truststore for CA certificates.
+func (t *jvmTrait) configureCaCert(e *Environment) ([]string, error) {
+       if t.CACert == "" {
+               return nil, nil
+       }
+
+       secretName, secretKey, err := parseSecretRef(t.CACert)
+       if err != nil {
+               return nil, err
+       }
+
+       if secretKey == "" {
+               secretKey = "ca.crt"
+       }
+
+       mountPath := defaultCACertMountPath
+       if t.CACertMountPath != "" {
+               mountPath = t.CACertMountPath
+       }
+
+       // Use a deterministic password based on integration name to avoid
+       // changing the deployment spec on every reconciliation cycle.
+       // For a truststore i.e public CA certs only, security of this password 
is not critical.
+       trustStorePass := "camelk-" + e.Integration.Name
+       trustStorePath := filepath.Join(mountPath, trustStoreName)
+
+       // add secret volume.
+       secretVolume := corev1.Volume{
+               Name: caCertSecretVolumeName,
+               VolumeSource: corev1.VolumeSource{
+                       Secret: &corev1.SecretVolumeSource{
+                               SecretName: secretName,
+                       },
+               },
+       }
+
+       // add an emptyDir volume.
+       trustStoreVolume := corev1.Volume{
+               Name: caCertVolumeName,
+               VolumeSource: corev1.VolumeSource{
+                       EmptyDir: &corev1.EmptyDirVolumeSource{},
+               },
+       }
+
+       // add volumes to deployment.
+       e.Resources.VisitDeployment(func(deployment *appsv1.Deployment) {
+               deployment.Spec.Template.Spec.Volumes = append(
+                       deployment.Spec.Template.Spec.Volumes,
+                       secretVolume, trustStoreVolume,
+               )
+       })
+
+       // add mount to integration container
+       container := e.GetIntegrationContainer()
+       container.VolumeMounts = append(container.VolumeMounts, 
corev1.VolumeMount{
+               Name:      caCertVolumeName,
+               MountPath: mountPath,
+               ReadOnly:  true,
+       })
+
+       initContainer := corev1.Container{
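Review bot: `container := e.GetIntegrationContainer()` is dereferenced on the following `container.VolumeMounts = append(...)` line without a nil check; if that accessor can return nil when no integration container exists (other traits in this package guard for that), `configureCaCert` panics instead of returning an error, so add `if container == nil { return nil, errors.New("integration container not found") }` before the append, matching the `errors.New` style already used in parseSecretRef. A related inconsistency: the secret and emptyDir volumes are declared only through `VisitDeployment`, while the mount is appended to the integration container unconditionally, so if this trait also runs for a pod spec owned by another workload kind the container would reference a volume that was never declared — either guard the mount on the same condition or declare the volumes on every visited pod spec. The doc comment names `configureCACert` but the method is `configureCaCert`; pick one spelling (the `CACert` form matches `t.CACert`, `t.CACertMountPath` and `defaultCACertMountPath`) so the comment satisfies the Go doc-comment convention. configureCaCert's body continues past the end of the hunk.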

Review Comment:
   Done. I did not study it properly.


