jboss-openshift · jmtd · Sep 27, 2018 · Nov 5, 2018 · Nov 7, 2018 · Dec 3, 2018
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ -z "$JAVA_DISABLE_TRUST_OPENSHIFT_CA" ]; then
+    ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    if test -r "$ca" ; then
+        cp "$ca" /etc/pki/ca-trust/source/anchors/
+        /usr/bin/update-ca-trust
+    fi
+fi
@@ -0,0 +1,18 @@
+#!/bin/sh
+# Configure module
+set -e
+
+SCRIPT_DIR=$(dirname $0)
+ARTIFACTS_DIR=${SCRIPT_DIR}/artifacts
+
+# necessary for random UID user to run update-ca-certs
+chmod 777 \
+	/etc/pki/ca-trust/extracted/openssl \
+	/etc/pki/ca-trust/extracted/java \
+	/etc/pki/ca-trust/source/anchors \
+	/etc/pki/ca-trust/extracted/pem
+
+d=/opt/jboss/container/java/certs
+mkdir -p "$d"
+cp "${ARTIFACTS_DIR}/trust-ose-cert.sh" "$d"
+chmod +x "$d/trust-ose-cert.sh"
@@ -0,0 +1,13 @@
+schema_version: 1
+name: jboss.container.java.certs.bash
+version: '1.0'
+description: Trust runtime-supplied OpenShift/Kubernetes CA
+
+envs:
+- name: JAVA_DISABLE_TRUST_OPENSHIFT_CA
+  example: true
+  description: When defined, the container will not automatically trust a CA certificate provided by OpenShift at run-time.
+
+execute:
+- script: configure.sh
+  user: root
@@ -5,3 +5,6 @@ source "${JBOSS_CONTAINER_UTIL_LOGGING_MODULE}/logging.sh"
 function s2i_core_env_init_hook() {
   S2I_TARGET_DATA_DIR="${S2I_TARGET_DATA_DIR:-${JAVA_DATA_DIR:-/deployments/data}}"
 }
+
+# Trust OpenShift CA, if provided
+/opt/jboss/container/java/certs/trust-ose-cert.sh
@@ -19,3 +19,4 @@ modules:
   - name: jboss.container.hawkular.bash
   - name: jboss.container.jolokia.bash
   - name: jboss.container.util.logging.bash
+  - name: jboss.container.java.certs.bash