squakez commented on code in PR #6441:
URL: https://github.com/apache/camel-k/pull/6441#discussion_r2690820182
##########
pkg/apis/camel/v1/trait/jvm.go:
##########
@@ -42,13 +42,18 @@ type JVMTrait struct {
Jar string `json:"jar,omitempty" property:"jar"`
// A list of JVM agents to download and execute with format
`<agent-name>;<agent-url>[;<jvm-agent-options>]`.
Agents []string `json:"agents,omitempty" property:"agents"`
- // Path to a PEM-encoded CA certificate file.
- // Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
+ // A list of paths to PEM-encoded CA certificates to import into the
truststore.
+ // Certificates must be mounted via the mount trait.
+ CACerts []string `json:"caCerts,omitempty" property:"ca-certs"`
+ // Path to a PEM-encoded CA certificate file. Use CACerts for multiple
certificates.
CACert string `json:"caCert,omitempty" property:"ca-cert"`
// The path where the generated truststore will be mounted.
// Default: "/etc/camel/conf.d/_truststore"
CACertMountPath string `json:"caCertMountPath,omitempty"
property:"ca-cert-mount-path"`
- // Required when caCert is set. Path to a file containing the
truststore password.
- // Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
+ // Path to a custom truststore password file.
+ // Default: uses "changeit" if not specified.
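Review bot: The rewritten doc comment on CACertPassword drops the old "Required when caCert is set" contract in favour of a silent fallback to the well-known "changeit" password, so a missing configuration now yields a deployment running on a default credential instead of a validation error. Suggest keeping the requirement in the comment, e.g. "Required when caCert or caCerts is set. Path to a file containing the truststore password.", and having the trait reject the configuration when the file is absent rather than documenting a built-in default. The comment on CACert should also say how it interacts with the new CACerts list (merged, or one taking precedence), since both fields can now be set at the same time.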
Review Comment:
No. We can't change the behavior as it potentially breaks backwards
compatibility. We should also enforce more security, avoiding default security
credentials. If the user wants to enforce some weak accepted convention, then
he must provide that "changeit" password as a file himself.
##########
pkg/apis/camel/v1/trait/jvm.go:
##########
@@ -42,13 +42,18 @@ type JVMTrait struct {
Jar string `json:"jar,omitempty" property:"jar"`
// A list of JVM agents to download and execute with format
`<agent-name>;<agent-url>[;<jvm-agent-options>]`.
Agents []string `json:"agents,omitempty" property:"agents"`
- // Path to a PEM-encoded CA certificate file.
- // Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
+ // A list of paths to PEM-encoded CA certificates to import into the
truststore.
+ // Certificates must be mounted via the mount trait.
+ CACerts []string `json:"caCerts,omitempty" property:"ca-certs"`
+ // Path to a PEM-encoded CA certificate file. Use CACerts for multiple
certificates.
CACert string `json:"caCert,omitempty" property:"ca-cert"`
// The path where the generated truststore will be mounted.
// Default: "/etc/camel/conf.d/_truststore"
CACertMountPath string `json:"caCertMountPath,omitempty"
property:"ca-cert-mount-path"`
- // Required when caCert is set. Path to a file containing the
truststore password.
- // Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
+ // Path to a custom truststore password file.
+ // Default: uses "changeit" if not specified.
CACertPassword string `json:"caCertPassword,omitempty"
property:"ca-cert-password"`
+ // If true, the JDK's default cacerts is copied as the base truststore.
+ // Default: false (empty truststore).
+ CACertUseSystemTruststore *bool
`json:"caCertUseSystemTruststore,omitempty"
property:"ca-cert-use-system-truststore"`
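Review bot: The new CACertUseSystemTruststore field (last five added lines) encodes the assumption that the trait can locate "the JDK's default cacerts" on its own, but the JDK layout inside the integration image is not under the operator's control. A string field holding the path to an existing truststore, mounted the same way the CA certificates are via the mount trait, would be more robust than a *bool and would also let the user point at a hardened or organisation-specific base store. Whichever shape is kept, the doc comment should state whether the base truststore's own password is expected to match CACertPassword, since a copied JKS can only be reopened with the password it was written with.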
Review Comment:
We should probably expect the user to provide the path to the existing
truststore.
##########
pkg/trait/jvm_cacert.go:
##########
@@ -17,17 +17,22 @@ limitations under the License.
package trait
-import "errors"
+import (
+ "k8s.io/utils/ptr"
+)
const (
- defaultCACertMountPath = "/etc/camel/conf.d/_truststore"
- caCertVolumeName = "jvm-truststore"
- trustStoreName = "truststore.jks"
- truststorePasswordEnvVar = "TRUSTSTORE_PASSWORD"
+ defaultCACertMountPath = "/etc/camel/conf.d/_truststore"
+ caCertVolumeName = "jvm-truststore"
+ trustStoreName = "truststore.jks"
+ truststorePasswordEnvVar = "TRUSTSTORE_PASSWORD"
+ jdkCacertsPath = "$JAVA_HOME/lib/security/cacerts"
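Review bot: jdkCacertsPath = "$JAVA_HOME/lib/security/cacerts" is a Go string constant, so "$JAVA_HOME" is never expanded unless the value is handed verbatim to a shell; any Go-side file access (stat, read, copy) would look for a literal directory named "$JAVA_HOME" and fail. If the constant is only ever interpolated into a shell command, say so in a comment next to it; otherwise resolve the path at runtime from a user-provided option or the JAVA_HOME environment variable and drop the constant. Also worth confirming that nothing in this file still constructs errors now that the "errors" import has been removed.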
Review Comment:
We cannot guarantee this is always the path. The user has to provide this
variable. We can provide a suggestion in the documentation, but the final
configuration must be provided.
--
This is an automated message from the Apache Git Service.