squakez commented on code in PR #6441:
URL: https://github.com/apache/camel-k/pull/6441#discussion_r2697381841


##########
pkg/trait/init_containers.go:
##########
@@ -92,19 +92,47 @@ func (t *initContainersTrait) Configure(e *Environment) 
(bool, *TraitCondition,
                        t.tasks = append(t.tasks, agentDownloadTask)
                }
                // Set the CA cert truststore init container if configured
-               if ok && jvm.hasCACert() {
-                       if err := jvm.validateCACertConfig(); err != nil {
-                               return false, nil, err
+               if ok && jvm.hasCACerts() {
+                       var allCommands []string
+
+                       if jvm.hasBaseTruststore() {
+                               baseTruststore := jvm.getBaseTruststore()
+                               copyCmd := fmt.Sprintf("cp %s %s", 
baseTruststore.TruststorePath, jvm.getTrustStorePath())
+                               allCommands = append(allCommands, copyCmd)
+
+                               entries := jvm.getAllCACertEntries()
+                               if len(entries) > 0 {
+                                       changePassCmd := fmt.Sprintf(
+                                               "keytool -storepasswd -keystore 
%s -storepass:file %s -new $(cat %s)",
+                                               jvm.getTrustStorePath(), 
baseTruststore.PasswordPath, entries[0].PasswordPath,
+                                       )
+                                       allCommands = append(allCommands, 
changePassCmd)
+                               }
+                       }
+
+                       certEntries := jvm.getAllCACertEntries()
+                       // Use the first certificate's password for all imports 
since they share the same truststore
+                       truststorePassPath := ""
+                       if len(certEntries) > 0 {
+                               truststorePassPath = certEntries[0].PasswordPath
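Review bot: The `cp` and `keytool -storepasswd` command strings built in this hunk interpolate `baseTruststore.TruststorePath`, `baseTruststore.PasswordPath` and `entries[0].PasswordPath` with bare `%s`, and the `$(cat %s)` substitution implies they are run by a shell, so a path containing spaces or shell metacharacters would be split or interpreted instead of being treated as one file name. These values come from the trait configuration, so they should be restricted to a safe form (for example absolute paths from a strict character set, rejected in `validateCACertConfig`) or shell-quoted before formatting. `-new $(cat %s)` also expands the new password into keytool's argument list, where it shows up in the process listing and is word-split if it contains whitespace; if the keytool in the image accepts the `:file` modifier on `-new` as it does on `-storepass`, `-new:file %s` would avoid that (to be confirmed). The visible lines no longer call `jvm.validateCACertConfig()` in this branch, and `Configure` continues outside the quoted hunk, so validation may happen elsewhere.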

Review Comment:
   Shouldn't we use the base truststore password here?



##########
pkg/trait/jvm_cacert.go:
##########
@@ -42,24 +54,77 @@ func (t *jvmTrait) getTrustStorePath() string {
        return t.getCACertMountPath() + "/" + trustStoreName
 }
 
-// validateCACertConfig validates that the required file paths are provided.
-func (t *jvmTrait) validateCACertConfig() error {
-       if t.CACert == "" {
-               return nil
+// hasBaseTruststore returns true if a base truststore is configured.
+func (t *jvmTrait) hasBaseTruststore() bool {
+       return t.BaseTruststore != nil && t.BaseTruststore.TruststorePath != "" 
&& t.BaseTruststore.PasswordPath != ""
+}
+
+// getBaseTruststore returns the base truststore configuration if set.
+func (t *jvmTrait) getBaseTruststore() *traitv1.BaseTruststore {
+       return t.BaseTruststore
+}
+
+// getAllCACertEntries returns all configured CA certificate entries.
+func (t *jvmTrait) getAllCACertEntries() []CACertEntry {
+       var entries []CACertEntry
+
+       for _, cert := range t.CACertificates {
+               if cert.CertPath != "" && cert.PasswordPath != "" {
+                       entries = append(entries, CACertEntry{
+                               CertPath:     cert.CertPath,
+                               PasswordPath: cert.PasswordPath,
+                       })
+               }
        }
-       if t.CACertPassword == "" {
-               return errors.New("ca-cert-password is required when ca-cert is 
set")
+
+       //nolint:staticcheck
+       if t.CACert != "" && t.CACertPassword != "" {
+               found := false
+               for _, e := range entries {
+                       //nolint:staticcheck
+                       if e.CertPath == t.CACert {
+                               found = true
+
+                               break
+                       }
+               }
+               if !found {
+                       entries = append(entries, CACertEntry{
+                               //nolint:staticcheck
+                               CertPath: t.CACert,
+                               //nolint:staticcheck
+                               PasswordPath: t.CACertPassword,
+                       })
+               }
        }
 
-       return nil
+       return entries
 }
 
-// getCACertPath returns the user-provided CA certificate file path.
-func (t *jvmTrait) getCACertPath() string {
-       return t.CACert
-}
+// validateCACertConfig validates the CA certificate configuration.
+func (t *jvmTrait) validateCACertConfig() error {
+       for i, cert := range t.CACertificates {
+               if cert.CertPath != "" && cert.PasswordPath == "" {
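Review bot: `getAllCACertEntries` skips any `CACertificates` element with an empty `CertPath` or `PasswordPath` without reporting it, so its result can only be relied on after `validateCACertConfig` has rejected half-configured entries. The doc comment should say so, e.g. `// getAllCACertEntries returns only complete entries (cert and password path both set); incomplete entries are skipped silently, so call validateCACertConfig first.` The deprecated `CACert` is also dropped when its path already appears in `CACertificates`, even if `CACertPassword` names a different file, which deserves a line in the same comment. `validateCACertConfig` continues outside the quoted hunk.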

Review Comment:
   Let's make it simpler. Verify that both the path and the pwd exist, and
report if either of those params is missing.



##########
pkg/trait/jvm.go:
##########
@@ -376,12 +394,19 @@ func getLegacyCamelQuarkusDependenciesPaths() *sets.Set {
 
 // configureCACert configures the CA certificate truststore and returns the 
JVM arguments.
 func (t *jvmTrait) configureCaCert() []string {
-       if t.CACert == "" {
+       if !t.hasCACerts() {
+               return nil
+       }
+
+       // Get the password path from the first certificate entry

Review Comment:
   Also here, I have the feeling we should use the base truststore pwd



##########
pkg/trait/jvm_cacert.go:
##########
@@ -42,24 +54,77 @@ func (t *jvmTrait) getTrustStorePath() string {
        return t.getCACertMountPath() + "/" + trustStoreName
 }
 
-// validateCACertConfig validates that the required file paths are provided.
-func (t *jvmTrait) validateCACertConfig() error {
-       if t.CACert == "" {
-               return nil
+// hasBaseTruststore returns true if a base truststore is configured.
+func (t *jvmTrait) hasBaseTruststore() bool {
+       return t.BaseTruststore != nil && t.BaseTruststore.TruststorePath != "" 
&& t.BaseTruststore.PasswordPath != ""
+}
+
+// getBaseTruststore returns the base truststore configuration if set.
+func (t *jvmTrait) getBaseTruststore() *traitv1.BaseTruststore {
+       return t.BaseTruststore
+}
+
+// getAllCACertEntries returns all configured CA certificate entries.
+func (t *jvmTrait) getAllCACertEntries() []CACertEntry {
+       var entries []CACertEntry
+
+       for _, cert := range t.CACertificates {
+               if cert.CertPath != "" && cert.PasswordPath != "" {
+                       entries = append(entries, CACertEntry{
+                               CertPath:     cert.CertPath,
+                               PasswordPath: cert.PasswordPath,
+                       })
+               }
        }
-       if t.CACertPassword == "" {
-               return errors.New("ca-cert-password is required when ca-cert is 
set")
+
+       //nolint:staticcheck
+       if t.CACert != "" && t.CACertPassword != "" {
+               found := false
+               for _, e := range entries {
+                       //nolint:staticcheck
+                       if e.CertPath == t.CACert {
+                               found = true
+
+                               break
+                       }
+               }
+               if !found {
+                       entries = append(entries, CACertEntry{
+                               //nolint:staticcheck
+                               CertPath: t.CACert,
+                               //nolint:staticcheck
+                               PasswordPath: t.CACertPassword,
+                       })
+               }
        }
 
-       return nil
+       return entries
 }
 
-// getCACertPath returns the user-provided CA certificate file path.
-func (t *jvmTrait) getCACertPath() string {
-       return t.CACert
-}
+// validateCACertConfig validates the CA certificate configuration.
+func (t *jvmTrait) validateCACertConfig() error {
+       for i, cert := range t.CACertificates {
+               if cert.CertPath != "" && cert.PasswordPath == "" {
+                       return fmt.Errorf("CACertificates[%d]: password path is 
required when certificate path is specified", i)
+               }
+               if cert.CertPath == "" && cert.PasswordPath != "" {
+                       return fmt.Errorf("CACertificates[%d]: certificate path 
is required when password path is specified", i)
+               }
+       }
 
-// getCACertPasswordPath returns the user-provided password file path.
-func (t *jvmTrait) getCACertPasswordPath() string {
-       return t.CACertPassword
+       //nolint:staticcheck
+       if t.CACert != "" && t.CACertPassword == "" {
+               return errors.New("ca-cert-password is required when ca-cert is 
specified")
+       }
+
+       if t.BaseTruststore != nil {
+               if t.BaseTruststore.TruststorePath != "" && 
t.BaseTruststore.PasswordPath == "" {

Review Comment:
   Same as above



##########
e2e/common/traits/jvm_test.go:
##########
@@ -91,8 +91,7 @@ func TestJVMTrait(t *testing.T) {
                        g.Eventually(IntegrationLogs(t, ctx, ns, name), 
TestTimeoutShort).Should(ContainSubstring("Hello World!"))
                })
 
-               t.Run("JVM trait CA cert", func(t *testing.T) {
-                       // Generate a valid self-signed certificate
+               t.Run("JVM trait CA cert (deprecated fields)", func(t 
*testing.T) {

Review Comment:
   Nitpick: we could remove any deprecated code from e2e.


