From 8be33c72710ddc6a7141857bb3d12ac20c759bd2 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Wed, 22 Oct 2025 11:17:54 +0200
Subject: [PATCH 1/3] chore: Import certificates on the start

Signed-off-by: Anatolii Bazko
---
base/ubi10/entrypoint.sh | 40 ++++++++++++++++++++++++++++++++++++++++
base/ubi9/entrypoint.sh | 40 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+)

diff --git a/base/ubi10/entrypoint.sh b/base/ubi10/entrypoint.sh
index 7e7322a8..ac2e1b4f 100644
--- a/base/ubi10/entrypoint.sh
+++ b/base/ubi10/entrypoint.sh
@@ -6,6 +6,44 @@ replace_user_home() {
 echo "$1" | sed "s|^/home/tooling|$HOME|"
 }
 
+java_import_ca_bundle() {
+ CA_BUNDLE="${JDK_CA_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"
+ KEYSTORE_PASSWORD="${JDK_KEYSTORE_PASSWORD:-changeit}"
+
+ if ! command -v keytool >/dev/null 2>&1; then
+ return
+ fi
+
+ if [ ! -f "$CA_BUNDLE" ]; then
+ echo "[jdk] Failed to import CA certificates from ${CA_BUNDLE}. File doesn't exist"
+ return
+ fi
+
+ bundle_name=$(basename "$CA_BUNDLE")
+ certs_imported=0
+ cert_index=0
+ tmp_file=/tmp/cert.pem
+ is_cert=false
+ echo "[jdk] Importing certificates..."
+ while IFS= read -r line; do
+ if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
+ is_cert=true
+ cert_index=$((cert_index+1))
+ echo "$line" > ${tmp_file}
+ elif [ "$line" = "-----END CERTIFICATE-----" ]; then
+ is_cert=false
+ echo "$line" >> ${tmp_file}
+ keytool -import -trustcacerts -cacerts -storepass "$KEYSTORE_PASSWORD" -noprompt -alias "${bundle_name}_${cert_index}" -file $tmp_file
+ certs_imported=$((certs_imported+1))
+ elif [ "$is_cert" = true ]; then
+ echo "$line" >> ${tmp_file}
+ fi
+ done < "$CA_BUNDLE"
+
+ echo "[jdk] Imported ${certs_imported} certificates from ${CA_BUNDLE}"
+ rm -f $tmp_file
+}
+
 # Ensure $HOME exists when starting
 if [ ! -d "${HOME}" ]; then
 mkdir -p "${HOME}"
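Review bot: `tmp_file=/tmp/cert.pem` in `java_import_ca_bundle` is a fixed, predictable path in a shared directory, and the file is written with `>`/`>>` and then handed to `keytool -import -trustcacerts`, so a pre-existing file or symlink at that path (or two entrypoints sharing `/tmp`) is silently followed or overwritten; `tmp_file=$(mktemp) || return` gives each run a private file, and quoting `"$tmp_file"` on the `echo`, `keytool` and `rm` lines keeps the script ShellCheck-clean. The keystore password is passed as a command-line argument via `-storepass "$KEYSTORE_PASSWORD"`, which is visible in process listings while keytool runs; keytool accepts `-storepass:env JDK_KEYSTORE_PASSWORD` to read it from the environment instead. The ubi9 hunk of this patch adds the identical function under the name `jdk_import_ca_bundle` and has the same issues.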
@@ -219,4 +257,6 @@ if [ -d /home/tooling/.config ]; then
 echo "Finished creating .config symlinks."
 fi
 
+java_import_ca_bundle &
+
 exec "$@"
\ No newline at end of file
diff --git a/base/ubi9/entrypoint.sh b/base/ubi9/entrypoint.sh
index 3956e2b2..f4625f18 100644
--- a/base/ubi9/entrypoint.sh
+++ b/base/ubi9/entrypoint.sh
@@ -5,6 +5,44 @@ replace_user_home() {
 echo "$1" | sed "s|^/home/tooling|$HOME|"
 }
 
+jdk_import_ca_bundle() {
+ CA_BUNDLE="${JDK_CA_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"
+ KEYSTORE_PASSWORD="${JDK_KEYSTORE_PASSWORD:-changeit}"
+
+ if ! command -v keytool >/dev/null 2>&1; then
+ return
+ fi
+
+ if [ ! -f "$CA_BUNDLE" ]; then
+ echo "[jdk] Failed to import CA certificates from ${CA_BUNDLE}. File doesn't exist"
+ return
+ fi
+
+ bundle_name=$(basename "$CA_BUNDLE")
+ certs_imported=0
+ cert_index=0
+ tmp_file=/tmp/cert.pem
+ is_cert=false
+ echo "[jdk] Importing certificates..."
+ while IFS= read -r line; do
+ if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
+ is_cert=true
+ cert_index=$((cert_index+1))
+ echo "$line" > ${tmp_file}
+ elif [ "$line" = "-----END CERTIFICATE-----" ]; then
+ is_cert=false
+ echo "$line" >> ${tmp_file}
+ keytool -import -trustcacerts -cacerts -storepass "$KEYSTORE_PASSWORD" -noprompt -alias "${bundle_name}_${cert_index}" -file $tmp_file
+ certs_imported=$((certs_imported+1))
+ elif [ "$is_cert" = true ]; then
+ echo "$line" >> ${tmp_file}
+ fi
+ done < "$CA_BUNDLE"
+
+ echo "[jdk] Imported ${certs_imported} certificates from ${CA_BUNDLE}"
+ rm -f $tmp_file
+}
+
 # Ensure $HOME exists when starting
 if [ ! -d "${HOME}" ]; then
 mkdir -p "${HOME}"
@@ -218,4 +256,6 @@ if [ -d /home/tooling/.config ]; then
 echo "Finished creating .config symlinks."
 fi
 
+jdk_import_ca_bundle &
+
 exec "$@"

From 95aafc83d0de885e3472fe38a06a1e2267e671cb Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Wed, 22 Oct 2025 11:19:04 +0200
Subject: [PATCH 2/3] fixup
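Review bot: `java_import_ca_bundle &` followed immediately by `exec "$@"` starts the keystore import concurrently with the application, so a JVM launched by `"$@"` can read cacerts before, or while, keytool rewrites it, and the imported CAs are then not reliably trusted on the first connections; the job's exit status is also never observed once the shell has been replaced by exec. If the import must complete before the workload starts, run it in the foreground (`java_import_ca_bundle` without `&`), or start it with `&` earlier in the entrypoint and put `wait` before `exec "$@"` so it overlaps only the rest of the setup. The last hunk of this patch (ubi9) has the same `jdk_import_ca_bundle &` / `exec` sequence.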
Signed-off-by: Anatolii Bazko
---
base/ubi10/entrypoint.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/ubi10/entrypoint.sh b/base/ubi10/entrypoint.sh
index ac2e1b4f..ba5ffe7c 100644
--- a/base/ubi10/entrypoint.sh
+++ b/base/ubi10/entrypoint.sh
@@ -6,7 +6,7 @@ replace_user_home() {
 echo "$1" | sed "s|^/home/tooling|$HOME|"
 }
 
-java_import_ca_bundle() {
+jdk_import_ca_bundle() {
 CA_BUNDLE="${JDK_CA_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"
 KEYSTORE_PASSWORD="${JDK_KEYSTORE_PASSWORD:-changeit}"
 
@@ -257,6 +257,6 @@ if [ -d /home/tooling/.config ]; then
 echo "Finished creating .config symlinks."
 fi
 
-java_import_ca_bundle &
+jdk_import_ca_bundle &
 
 exec "$@"
\ No newline at end of file

From d0c2394565d8b154db9403850db56e350b39908a Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Wed, 29 Oct 2025 09:43:53 +0100
Subject: [PATCH 3/3] fixup

Signed-off-by: Anatolii Bazko
---
base/ubi10/entrypoint.sh | 4 +++-
base/ubi9/entrypoint.sh | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/base/ubi10/entrypoint.sh b/base/ubi10/entrypoint.sh
index ba5ffe7c..c58f7226 100644
--- a/base/ubi10/entrypoint.sh
+++ b/base/ubi10/entrypoint.sh
@@ -33,7 +33,9 @@ jdk_import_ca_bundle() {
 elif [ "$line" = "-----END CERTIFICATE-----" ]; then
 is_cert=false
 echo "$line" >> ${tmp_file}
-      keytool -import -trustcacerts -cacerts -storepass "$KEYSTORE_PASSWORD" -noprompt -alias "${bundle_name}_${cert_index}" -file $tmp_file
+      if keytool -import -trustcacerts -cacerts -storepass "$KEYSTORE_PASSWORD" -noprompt -alias "${bundle_name}_${cert_index}" -file $tmp_file; then
+        certs_imported=$((certs_imported+1))
+      fi
 certs_imported=$((certs_imported+1))
 elif [ "$is_cert" = true ]; then
 echo "$line" >> ${tmp_file}
diff --git a/base/ubi9/entrypoint.sh b/base/ubi9/entrypoint.sh
index f4625f18..8dc55500 100644
--- a/base/ubi9/entrypoint.sh
+++ b/base/ubi9/entrypoint.sh
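Review bot: In the patch-3 hunk for ubi10, the new `if keytool …; then certs_imported=$((certs_imported+1)); fi` is immediately followed by the pre-existing, unconditional `certs_imported=$((certs_imported+1))` context line, so every successful import is now counted twice and a failed one still counts once, and the final "[jdk] Imported N certificates" message is wrong either way; drop the unconditional increment. A failed import is otherwise silent apart from keytool's own output, so an `else` branch such as `echo "[jdk] Failed to import ${bundle_name}_${cert_index} from ${CA_BUNDLE}" >&2` would make a partial import visible in the container log. `jdk_import_ca_bundle` starts and ends outside this hunk. The ubi9 hunk of this patch that follows carries the identical double increment.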
@@ -32,7 +32,9 @@ jdk_import_ca_bundle() {
 elif [ "$line" = "-----END CERTIFICATE-----" ]; then
 is_cert=false
 echo "$line" >> ${tmp_file}
-      keytool -import -trustcacerts -cacerts -storepass "$KEYSTORE_PASSWORD" -noprompt -alias "${bundle_name}_${cert_index}" -file $tmp_file
+      if keytool -import -trustcacerts -cacerts -storepass "$KEYSTORE_PASSWORD" -noprompt -alias "${bundle_name}_${cert_index}" -file $tmp_file; then
+        certs_imported=$((certs_imported+1))
+      fi
 certs_imported=$((certs_imported+1))
 elif [ "$is_cert" = true ]; then
 echo "$line" >> ${tmp_file}