1539c7a67b
The server container mounts the platform's certs volume at /certs but the CA bundle was never imported into the JVM truststore. OIDC discovery failed with PKIX path building errors when a self-signed or custom CA was in use. The new entrypoint script splits the PEM bundle and imports each cert via keytool before starting the app. This makes the conditional CAMELEER_OIDC_TLS_SKIP_VERIFY logic in the SaaS provisioner work correctly: when ca.pem exists, the JVM now actually trusts it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
35 lines
1.1 KiB
Bash
35 lines
1.1 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
# Import CA certificates from /certs/ca.pem into JVM truststore if present.
|
|
# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,
|
|
# or an internal PKI in production) for OIDC discovery and token exchange.
|
|
if [ -f /certs/ca.pem ]; then
|
|
TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
|
|
STOREPASS="changeit"
|
|
TMPDIR=$(mktemp -d)
|
|
|
|
# Split PEM bundle into individual certificates
|
|
awk -v dir="$TMPDIR" '
|
|
/-----BEGIN CERTIFICATE-----/ { n++ }
|
|
n > 0 { print > dir "/cert-" n ".pem" }
|
|
' /certs/ca.pem
|
|
|
|
count=0
|
|
for cert in "$TMPDIR"/cert-*.pem; do
|
|
[ -f "$cert" ] || continue
|
|
if keytool -importcert -noprompt -trustcacerts \
|
|
-alias "custom-ca-$count" \
|
|
-file "$cert" \
|
|
-keystore "$TRUSTSTORE" \
|
|
-storepass "$STOREPASS" 2>/dev/null; then
|
|
count=$((count + 1))
|
|
fi
|
|
done
|
|
|
|
rm -rf "$TMPDIR"
|
|
[ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"
|
|
fi
|
|
|
|
exec java -Duser.timezone=UTC -jar /app/server.jar
|