From 1539c7a67b3ae06114504e77a7173ce018c74df9 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sat, 11 Apr 2026 11:31:26 +0200
Subject: [PATCH] fix: import /certs/ca.pem into JVM truststore at startup

The server container mounts the platform's certs volume at /certs but the CA bundle was never imported into the JVM truststore. OIDC discovery failed with PKIX path building errors when a self-signed or custom CA was in use. The new entrypoint script splits the PEM bundle and imports each cert via keytool before starting the app. This makes the conditional CAMELEER_OIDC_TLS_SKIP_VERIFY logic in the SaaS provisioner work correctly: when ca.pem exists, the JVM now actually trusts it.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Dockerfile | 4 +++-
 docker-entrypoint.sh | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 docker-entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 36a271c9..6676bc8c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,9 @@ RUN mvn clean package -DskipTests -U -B
 FROM eclipse-temurin:17-jre
 WORKDIR /app
 COPY --from=build /build/cameleer3-server-app/target/cameleer3-server-app-*.jar /app/server.jar
+COPY docker-entrypoint.sh /app/
+RUN chmod +x /app/docker-entrypoint.sh
 EXPOSE 8081
 ENV TZ=UTC
-ENTRYPOINT exec java -Duser.timezone=UTC -jar /app/server.jar
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 00000000..a84e9f5f
--- /dev/null
+++ b/docker-entrypoint.sh
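Review bot: The new ENTRYPOINT script rewrites `$JAVA_HOME/lib/security/cacerts` in place, so this stage now depends on running as a user that can write the JRE's truststore; no `USER` instruction is visible in the hunk and the rest of the Dockerfile is outside it, so I cannot tell from here whether that holds, but a later `USER` would make the import fail without any visible error. A comment beside the `COPY docker-entrypoint.sh /app/` line should record the constraint, e.g. `# docker-entrypoint.sh imports /certs/ca.pem into the JVM cacerts at startup; the truststore file must stay writable by the runtime user (root by default)`. As a style point, BuildKit's `COPY --chmod=755 docker-entrypoint.sh /app/` would replace the separate `RUN chmod +x` layer.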
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -e
+
+# Import CA certificates from /certs/ca.pem into JVM truststore if present.
+# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,
+# or an internal PKI in production) for OIDC discovery and token exchange.
+if [ -f /certs/ca.pem ]; then
+ TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
+ STOREPASS="changeit"
+ TMPDIR=$(mktemp -d)
+
+ # Split PEM bundle into individual certificates
+ awk -v dir="$TMPDIR" '
+ /-----BEGIN CERTIFICATE-----/ { n++ }
+ n > 0 { print > dir "/cert-" n ".pem" }
+ ' /certs/ca.pem
+
+ count=0
+ for cert in "$TMPDIR"/cert-*.pem; do
+ [ -f "$cert" ] || continue
+ if keytool -importcert -noprompt -trustcacerts \
+ -alias "custom-ca-$count" \
+ -file "$cert" \
+ -keystore "$TRUSTSTORE" \
+ -storepass "$STOREPASS" 2>/dev/null; then
+ count=$((count + 1))
+ fi
+ done
+
+ rm -rf "$TMPDIR"
+ [ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"
+fi
+
+exec java -Duser.timezone=UTC -jar /app/server.jar
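Review bot: The keytool alias is built from `count`, which only advances on a successful import, so one failed import makes every later certificate retry the same `custom-ca-N` alias and skip; the most likely trigger, as far as I can tell, is a container restart that keeps the writable layer and therefore the entries imported last time, where the first cert fails with "alias already exists" and any cert added to the bundle since is never trusted. Because keytool's stderr goes to `/dev/null` and the only message is gated on `count -gt 0`, that path leaves no trace and the operator sees the same PKIX failure the commit set out to fix. Deriving the alias from the `cert-N.pem` position awk produced, deleting a stale alias before importing, and reporting failures on stderr makes the loop idempotent across restarts and diagnosable. Separately, `TMPDIR` is the name `mktemp` and the C library read from the environment; if it happens to be exported in the container, the assignment is inherited by `exec java` as a path that `rm -rf` has already removed, so a script-local name such as `certdir` is safer, and an `EXIT` trap covers the `set -e` exits where awk fails (the explicit `rm -rf` before `exec` must stay, since `exec` does not run EXIT traps).
```sh
  certdir=$(mktemp -d)
  trap 'rm -rf "$certdir"' EXIT
  # … unchanged: awk split into "$certdir"/cert-N.pem (pass -v dir="$certdir") …
  count=0
  for cert in "$certdir"/cert-*.pem; do
    [ -f "$cert" ] || continue
    # alias follows the position in the bundle, not the success counter, so
    # one failed import cannot make every later certificate reuse its alias
    ca_alias="custom-ca-${cert##*/cert-}"
    ca_alias="${ca_alias%.pem}"
    # a restarted container keeps the writable layer; drop the stale entry so
    # the current bundle is re-imported instead of failing on "alias exists"
    keytool -delete -alias "$ca_alias" -keystore "$TRUSTSTORE" \
      -storepass "$STOREPASS" >/dev/null 2>&1 || true
    if keytool -importcert -noprompt -trustcacerts \
        -alias "$ca_alias" -file "$cert" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"; then
      count=$((count + 1))
    else
      echo "WARNING: keytool could not import $cert into $TRUSTSTORE" >&2
    fi
  done
  rm -rf "$certdir"
  # … unchanged: summary message, fi, exec java …
```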