fix(jvm): secure JVM truststore password handling via secret reference

pkalsi97 · squakez · commit 8143b8a65125 · 2025-12-16T16:42:24.000+01:00
diff --git a/docs/modules/traits/pages/jvm.adoc b/docs/modules/traits/pages/jvm.adoc
@@ -72,6 +72,12 @@ Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
 | The path where the generated truststore will be mounted
 Default: "/etc/camel/conf.d/_truststore"
 
+| jvm.ca-cert-password
+| string
+| **Required when ca-cert is set.** A secret reference containing the truststore password.
+If the secret key is not specified, "password" is used as the default key.
+Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+
 |===
 
 // End of autogenerated code - DO NOT EDIT! (configuration)
@@ -116,22 +122,34 @@ First, create a Kubernetes Secret containing the CA certificate:
 kubectl create secret generic my-private-ca --from-file=ca.crt=/path/to/ca-certificate.pem
 ----
 
-Then reference the secret when running the integration:
+Next, create a Secret containing the truststore password:
+
+[source,console]
+----
+kubectl create secret generic my-truststore-pwd --from-literal=password=mysecurepassword
+----
+
+Then reference both secrets when running the integration:
 
 [source,console]
 ----
-$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca
+$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca -t jvm.ca-cert-password=secret:my-truststore-pwd
 ----
 
 If your certificate is stored under a different key in the secret:
 
 [source,console]
 ----
-$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca/custom-ca.pem
+$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca/custom-ca.pem -t jvm.ca-cert-password=secret:my-truststore-pwd
 ----
 
 This will automatically:
 
 1. Mount the CA certificate secret
 2. Generate a JVM truststore using an init container
 3. Configure the JVM to use the generated truststore via `-Djavax.net.ssl.trustStore`
+4. Inject the truststore password securely as an environment variable from your secret
+
+NOTE: The `ca-cert-password` option is **required** when using `ca-cert`. The password is never exposed in command-line arguments - it is injected as an environment variable from the secret.
+
+
diff --git a/e2e/common/traits/jvm_test.go b/e2e/common/traits/jvm_test.go
@@ -102,11 +102,17 @@ func TestJVMTrait(t *testing.T) {
 			err = CreatePlainTextSecret(t, ctx, ns, "test-ca-cert", caCertData)
 			require.NoError(t, err)
 
+			passwordData := make(map[string]string)
+			passwordData["password"] = "test-password-123"
+			err = CreatePlainTextSecret(t, ctx, ns, "test-ca-password", passwordData)
+			require.NoError(t, err)
+
 			name := RandomizedSuffixName("cacert")
 			g.Expect(KamelRun(t, ctx, ns,
 				"./files/Java.java",
 				"--name", name,
 				"-t", "jvm.ca-cert=secret:test-ca-cert",
+				"-t", "jvm.ca-cert-password=secret:test-ca-password",
 			).Execute()).To(Succeed())
 
 			g.Eventually(IntegrationPodPhase(t, ctx, ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))
diff --git a/helm/camel-k/crds/camel-k-crds.yaml b/helm/camel-k/crds/camel-k-crds.yaml
@@ -4731,6 +4731,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -7134,6 +7140,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -9439,6 +9451,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -11721,6 +11739,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -20837,6 +20861,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -23073,6 +23103,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -33551,6 +33587,12 @@ spec:
                               The path where the generated truststore will be mounted
                               Default: "/etc/camel/conf.d/_truststore"
                             type: string
+                          caCertPassword:
+                            description: |-
+                              Required when caCert is set. A secret reference containing the truststore password.
+                              If the secret key is not specified, "password" is used as the default key.
+                              Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                            type: string
                           classpath:
                             description: Additional JVM classpath (use `Linux` classpath
                               separator)
@@ -35719,6 +35761,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
diff --git a/pkg/apis/camel/v1/trait/jvm.go b/pkg/apis/camel/v1/trait/jvm.go
@@ -48,4 +48,8 @@ type JVMTrait struct {
 	// The path where the generated truststore will be mounted
 	// Default: "/etc/camel/conf.d/_truststore"
 	CACertMountPath string `json:"caCertMountPath,omitempty" property:"ca-cert-mount-path"`
+	// Required when caCert is set. A secret reference containing the truststore password.
+	// If the secret key is not specified, "password" is used as the default key.
+	// Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+	CACertPassword string `json:"caCertPassword,omitempty" property:"ca-cert-password"`
 }
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml b/pkg/resources/config/crd/bases/camel.apache.org_integrationplatforms.yaml
@@ -1482,6 +1482,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -3885,6 +3891,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml b/pkg/resources/config/crd/bases/camel.apache.org_integrationprofiles.yaml
@@ -1350,6 +1350,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -3632,6 +3638,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml b/pkg/resources/config/crd/bases/camel.apache.org_integrations.yaml
@@ -8164,6 +8164,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
@@ -10400,6 +10406,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
diff --git a/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml b/pkg/resources/config/crd/bases/camel.apache.org_pipes.yaml
@@ -8220,6 +8220,12 @@ spec:
                               The path where the generated truststore will be mounted
                               Default: "/etc/camel/conf.d/_truststore"
                             type: string
+                          caCertPassword:
+                            description: |-
+                              Required when caCert is set. A secret reference containing the truststore password.
+                              If the secret key is not specified, "password" is used as the default key.
+                              Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                            type: string
                           classpath:
                             description: Additional JVM classpath (use `Linux` classpath
                               separator)
@@ -10388,6 +10394,12 @@ spec:
                           The path where the generated truststore will be mounted
                           Default: "/etc/camel/conf.d/_truststore"
                         type: string
+                      caCertPassword:
+                        description: |-
+                          Required when caCert is set. A secret reference containing the truststore password.
+                          If the secret key is not specified, "password" is used as the default key.
+                          Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
+                        type: string
                       classpath:
                         description: Additional JVM classpath (use `Linux` classpath
                           separator)
diff --git a/pkg/trait/init_containers.go b/pkg/trait/init_containers.go
@@ -42,6 +42,7 @@ type containerTask struct {
 	image     string
 	command   string
 	isSidecar bool
+	env       []corev1.EnvVar
 }
 
 type initContainersTrait struct {
@@ -100,14 +101,20 @@ func (t *initContainersTrait) Configure(e *Environment) (bool, *TraitCondition,
 				secretKey = "ca.crt"
 			}
 
+			secretName, secretKey2, err := jvm.getTrustStorePasswordSecretRef()
+			if err != nil {
+				return false, nil, err
+			}
+
 			keytoolCmd := fmt.Sprintf(
-				"keytool -importcert -noprompt -alias custom-ca -storepass %s -keystore %s -file /etc/secrets/cacert/%s",
-				getTrustStorePassword(e.Integration.Name), jvm.getTrustStorePath(), secretKey,
+				"keytool -importcert -noprompt -alias custom-ca -storepass:env %s -keystore %s -file /etc/secrets/cacert/%s",
+				truststorePasswordEnvVar, jvm.getTrustStorePath(), secretKey,
 			)
 			caCertTask := containerTask{
 				name:    "generate-truststore",
 				image:   defaults.BaseImage(),
 				command: keytoolCmd,
+				env:     []corev1.EnvVar{getTrustStorePasswordEnvVar(secretName, secretKey2)},
 			}
 			t.tasks = append(t.tasks, caCertTask)
 		}
@@ -156,6 +163,7 @@ func (t *initContainersTrait) configureContainers(containers *[]corev1.Container
 			Name:    task.name,
 			Image:   task.image,
 			Command: splitContainerCommand(task.command),
+			Env:     task.env,
 		}
 		if task.isSidecar {
 			initCont.RestartPolicy = ptr.To(corev1.ContainerRestartPolicyAlways)
diff --git a/pkg/trait/init_containers_test.go b/pkg/trait/init_containers_test.go
@@ -393,7 +393,8 @@ func TestApplyInitContainerWithCACert(t *testing.T) {
 			Spec: v1.IntegrationSpec{
 				Traits: v1.Traits{
 					JVM: &trait.JVMTrait{
-						CACert: "secret:my-ca-secret",
+						CACert:         "secret:my-ca-secret",
+						CACertPassword: "secret:my-ca-password",
 					},
 				},
 			},
diff --git a/pkg/trait/jvm.go b/pkg/trait/jvm.go
@@ -378,7 +378,7 @@ func getLegacyCamelQuarkusDependenciesPaths() *sets.Set {
 	return s
 }
 
-// configureCACert returns the JVM arguments for truststore configuration.
+// configureCACert configures the CA certificate truststore and returns the JVM arguments.
 func (t *jvmTrait) configureCaCert(e *Environment) ([]string, error) {
 	if t.CACert == "" {
 		return nil, nil
@@ -389,8 +389,20 @@ func (t *jvmTrait) configureCaCert(e *Environment) ([]string, error) {
 		return nil, err
 	}
 
+	secretName, secretKey, err := t.getTrustStorePasswordSecretRef()
+	if err != nil {
+		return nil, fmt.Errorf("failed to configure truststore password: %w", err)
+	}
+
+	// Inject password
+	container := e.GetIntegrationContainer()
+	if container != nil {
+		envVar := getTrustStorePasswordEnvVar(secretName, secretKey)
+		container.Env = append(container.Env, envVar)
+	}
+
 	return []string{
 		"-Djavax.net.ssl.trustStore=" + t.getTrustStorePath(),
-		"-Djavax.net.ssl.trustStorePassword=" + getTrustStorePassword(e.Integration.Name),
+		fmt.Sprintf("-Djavax.net.ssl.trustStorePassword=$(%s)", truststorePasswordEnvVar),
 	}, nil
 }
diff --git a/pkg/trait/jvm_cacert.go b/pkg/trait/jvm_cacert.go
diff --git a/pkg/trait/jvm_test.go b/pkg/trait/jvm_test.go
diff --git a/pkg/trait/mount_test.go b/pkg/trait/mount_test.go

Original file line number	Diff line number	Diff line change
`@@ -48,4 +48,8 @@ type JVMTrait struct {`
`48`	`48`	`// The path where the generated truststore will be mounted`
`49`	`49`	`// Default: "/etc/camel/conf.d/_truststore"`
`50`	`50`	CACertMountPath string `json:"caCertMountPath,omitempty" property:"ca-cert-mount-path"`
	`51`	`+ // Required when caCert is set. A secret reference containing the truststore password.`
	`52`	`+ // If the secret key is not specified, "password" is used as the default key.`
	`53`	`+ // Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"`
	`54`	+ CACertPassword string `json:"caCertPassword,omitempty" property:"ca-cert-password"`
`51`	`55`	`}`