From 73c29a0f5d304c0329a5418e31bfc85272822562 Mon Sep 17 00:00:00 2001 From: Ritesh Khadgaray Date: Wed, 17 Sep 2025 09:58:09 -0400 Subject: [PATCH] support importing CA certificates into custom truststore --- .../latest/beta/helpers/runtime/docker-server.sh | 16 ++++++++++++++++ .../latest/full/helpers/runtime/docker-server.sh | 16 ++++++++++++++++ .../kernel-slim/helpers/runtime/docker-server.sh | 16 ++++++++++++++++ 3 files changed, 48 insertions(+) diff --git a/releases/latest/beta/helpers/runtime/docker-server.sh b/releases/latest/beta/helpers/runtime/docker-server.sh index 9ee5f0dad..87e90adb3 100755 --- a/releases/latest/beta/helpers/runtime/docker-server.sh +++ b/releases/latest/beta/helpers/runtime/docker-server.sh @@ -72,6 +72,22 @@ function importKeyCert() { rm -rf /tmp/certs fi + # Add additional CA certificates to the truststore + # CA bundles need to be split and added as individual certificates + if [ -n "${ADDITIONAL_CA_FOLDER}" ] && [ -d "${ADDITIONAL_CA_FOLDER}" ]; then + mkdir -p /tmp/certs + pushd /tmp/certs >&/dev/null + cat "${ADDITIONAL_CA_FOLDER}"/*.crt >${TMP_CERT} + csplit -s -z -f crt- "${TMP_CERT}" "${CRT_DELIMITER}" '{*}' + setPasswords PASSWORD TRUSTSTORE_PASSWORD + for CERT_FILE in crt-*; do + keytool -import -storetype pkcs12 -noprompt -keystore "${TRUSTSTORE_FILE}" -file "${CERT_FILE}" \ + -storepass "${TRUSTSTORE_PASSWORD}" -alias "service-sa-${CERT_FILE}" >&/dev/null + done + popd >&/dev/null + rm -rf /tmp/certs + fi + # If no keystore has been created, add a keystore password to server configuration if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then setPasswords PASSWORD TRUSTSTORE_PASSWORD diff --git a/releases/latest/full/helpers/runtime/docker-server.sh b/releases/latest/full/helpers/runtime/docker-server.sh index 9ee5f0dad..87e90adb3 100755 --- a/releases/latest/full/helpers/runtime/docker-server.sh +++ b/releases/latest/full/helpers/runtime/docker-server.sh 
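Review bot: The keytool call in the new `for CERT_FILE in crt-*` loop sends both stdout and stderr to `/dev/null` and never checks its exit status, so a certificate that fails to parse, a glob that matched nothing (the literal `crt-*` is then passed as `-file`), or an alias that already exists is skipped silently and the server starts without the CA the operator intended to trust. Propagate the failure instead, e.g. `keytool -import -storetype pkcs12 -noprompt -keystore "${TRUSTSTORE_FILE}" -file "${CERT_FILE}" -storepass "${TRUSTSTORE_PASSWORD}" -alias "service-sa-${CERT_FILE}" >/dev/null || { echo "Failed to import ${CERT_FILE} from ${ADDITIONAL_CA_FOLDER} into ${TRUSTSTORE_FILE}" >&2; exit 1; }`, and quote the redirect target as `>"${TMP_CERT}"`. The alias is built from the csplit counter (`service-sa-crt-00`, `-01`, ...), so if any other import in importKeyCert uses the same scheme, or the truststore is persisted across container restarts, later imports would clash on the alias; a prefix unique to this block, or an alias derived from the certificate's fingerprint, avoids that. The same hunk appears in the full and kernel-slim copies of docker-server.sh, and importKeyCert begins and continues outside the hunk.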
@@ -72,6 +72,22 @@ function importKeyCert() { rm -rf /tmp/certs fi + # Add additional CA certificates to the truststore + # CA bundles need to be split and added as individual certificates + if [ -n "${ADDITIONAL_CA_FOLDER}" ] && [ -d "${ADDITIONAL_CA_FOLDER}" ]; then + mkdir -p /tmp/certs + pushd /tmp/certs >&/dev/null + cat "${ADDITIONAL_CA_FOLDER}"/*.crt >${TMP_CERT} + csplit -s -z -f crt- "${TMP_CERT}" "${CRT_DELIMITER}" '{*}' + setPasswords PASSWORD TRUSTSTORE_PASSWORD + for CERT_FILE in crt-*; do + keytool -import -storetype pkcs12 -noprompt -keystore "${TRUSTSTORE_FILE}" -file "${CERT_FILE}" \ + -storepass "${TRUSTSTORE_PASSWORD}" -alias "service-sa-${CERT_FILE}" >&/dev/null + done + popd >&/dev/null + rm -rf /tmp/certs + fi + # If no keystore has been created, add a keystore password to server configuration if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then setPasswords PASSWORD TRUSTSTORE_PASSWORD diff --git a/releases/latest/kernel-slim/helpers/runtime/docker-server.sh b/releases/latest/kernel-slim/helpers/runtime/docker-server.sh index 9ee5f0dad..87e90adb3 100755 --- a/releases/latest/kernel-slim/helpers/runtime/docker-server.sh +++ b/releases/latest/kernel-slim/helpers/runtime/docker-server.sh 
@@ -72,6 +72,22 @@ function importKeyCert() { rm -rf /tmp/certs fi + # Add additional CA certificates to the truststore + # CA bundles need to be split and added as individual certificates + if [ -n "${ADDITIONAL_CA_FOLDER}" ] && [ -d "${ADDITIONAL_CA_FOLDER}" ]; then + mkdir -p /tmp/certs + pushd /tmp/certs >&/dev/null + cat "${ADDITIONAL_CA_FOLDER}"/*.crt >${TMP_CERT} + csplit -s -z -f crt- "${TMP_CERT}" "${CRT_DELIMITER}" '{*}' + setPasswords PASSWORD TRUSTSTORE_PASSWORD + for CERT_FILE in crt-*; do + keytool -import -storetype pkcs12 -noprompt -keystore "${TRUSTSTORE_FILE}" -file "${CERT_FILE}" \ + -storepass "${TRUSTSTORE_PASSWORD}" -alias "service-sa-${CERT_FILE}" >&/dev/null + done + popd >&/dev/null + rm -rf /tmp/certs + fi + # If no keystore has been created, add a keystore password to server configuration if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then setPasswords PASSWORD TRUSTSTORE_PASSWORD