fix(jvm): simplify CA certificate add process by removing per-cert PasswordPath and cleanup tests

Author: pkalsi97

docs/modules/ROOT/partials/apis/camel-k-crds.adoc

@@ -6666,7 +6666,7 @@ The list of manifest platforms to use to build a container image (default `linux
 
 * <<#_camel_apache_org_v1_trait_JVMTrait, JVMTrait>>
 
-CACertConfig associates a CA certificate with its password file.
+CACertConfig specifies a CA certificate to import into the truststore.
 
 [cols="2,2a",options="header"]
 |===
@@ -6680,13 +6680,6 @@ string
 
 Path to the PEM-encoded CA certificate file to import.
 
-|`passwordPath` +
-string
-|
-
-
-Path to a file containing the password for importing this certificate.
-
 
 |===
 
@@ -7912,6 +7905,13 @@ A list of CA certificates to import into the truststore. Certificates must be mo
 
 Optional base truststore to use as the starting point for adding certificates.
 
+|`truststorePasswordPath` +
+string
+|
+
+
+Path to a file containing the password for the generated truststore. Required when using ca-certificates without base-truststore.
+
 |`caCertMountPath` +
 string
 |

docs/modules/traits/pages/jvm.adoc

@@ -71,6 +71,10 @@ Deprecated: no longer in use.
 | github.com/apache/camel-k/v2/pkg/apis/camel/v1/trait.BaseTruststore
 | Optional base truststore to use as the starting point for adding certificates.
 
+| jvm.truststore-password-path
+| string
+| Path to a file containing the password for the generated truststore. Required when using ca-certificates without base-truststore.
+
 | jvm.ca-cert-mount-path
 | string
 | The path where the generated truststore will be mounted (default `/etc/camel/conf.d/_truststore`).
@@ -118,7 +122,9 @@ $ kamel run --resource configmap:my-dep -t jvm.classpath=/etc/camel/resources/my
 
 == Trusting Custom CA Certificates
 
-When connecting to services that use TLS with certificates signed by a private CA (e.g., internal Elasticsearch, Kafka, or databases), you can use the `ca-cert` option to add the CA certificate to the JVM's truststore.
+When connecting to services that use TLS with certificates signed by a private CA (e.g., internal Elasticsearch, Kafka, or databases), you can use the `ca-certificates` option to add CA certificates to the JVM's truststore.
+
+=== Single Certificate
 
 First, create Kubernetes Secrets containing the CA certificate and truststore password:
 
@@ -135,25 +141,66 @@ Then mount the secrets using the mount trait and reference the file paths:
 $ kamel run MyRoute.java \
   -t mount.configs=secret:my-private-ca \
   -t mount.configs=secret:my-truststore-pwd \
-  -t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/ca.crt \
-  -t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
+  -t jvm.ca-certificates[0].cert-path=/etc/camel/conf.d/_secrets/my-private-ca/ca.crt \
+  -t jvm.truststore-password-path=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
 ----
 
-If your secret uses a different key name for the certificate:
+=== Multiple Certificates
+
+You can add multiple CA certificates to the truststore:
+
+[source,console]
+----
+$ kamel run MyRoute.java \
+  -t mount.configs=secret:ca1 \
+  -t mount.configs=secret:ca2 \
+  -t mount.configs=secret:truststore-pwd \
+  -t jvm.ca-certificates[0].cert-path=/etc/camel/conf.d/_secrets/ca1/ca.crt \
+  -t jvm.ca-certificates[1].cert-path=/etc/camel/conf.d/_secrets/ca2/ca.crt \
+  -t jvm.truststore-password-path=/etc/camel/conf.d/_secrets/truststore-pwd/password
+----
+
+=== Using a Base Truststore (Preserving JDK Public CAs)
+
+To preserve the JDK's default public CA certificates while adding your custom certificates, use the `base-truststore` option:
 
 [source,console]
 ----
 $ kamel run MyRoute.java \
   -t mount.configs=secret:my-private-ca \
-  -t mount.configs=secret:my-truststore-pwd \
-  -t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/custom-ca.pem \
-  -t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
+  -t mount.configs=secret:cacerts-pwd \
+  -t jvm.base-truststore.truststore-path=/opt/java/openjdk/lib/security/cacerts \
+  -t jvm.base-truststore.password-path=/etc/camel/conf.d/_secrets/cacerts-pwd/password \
+  -t jvm.ca-certificates[0].cert-path=/etc/camel/conf.d/_secrets/my-private-ca/ca.crt
 ----
 
+NOTE: When using `base-truststore`, you can optionally provide `truststore-password-path` to set a different password for the output truststore. If not provided, the base truststore password is used.
+
+=== Truststore Password Resolution
+
+The truststore password is determined using this priority:
+
+1. `truststore-password-path` (if explicitly provided)
+2. `base-truststore.password-path` (if base-truststore is configured)
+3. Validation error (password is required when using `ca-certificates`)
+
 This will automatically:
 
 1. Mount the secrets to the integration container (via mount trait)
 2. Generate a JVM truststore using an init container
 3. Configure the JVM to use the generated truststore via `-Djavax.net.ssl.trustStore`
 
-NOTE: The `ca-cert-password` option is **required** when using `ca-cert`. Both values must be file paths to the mounted secrets.
+=== Deprecated Syntax (Backward Compatible)
+
+The legacy `ca-cert` and `ca-cert-password` options are still supported but deprecated:
+
+[source,console]
+----
+$ kamel run MyRoute.java \
+  -t mount.configs=secret:my-private-ca \
+  -t mount.configs=secret:my-truststore-pwd \
+  -t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/ca.crt \
+  -t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
+----
+
+NOTE: We recommend migrating to the new `ca-certificates` syntax for better multi-certificate support and explicit truststore password configuration.

e2e/common/traits/jvm_test.go

@@ -92,36 +92,38 @@ func TestJVMTrait(t *testing.T) {
 		})
 
 		t.Run("JVM trait multiple CA certs", func(t *testing.T) {
-			// Test the new ca-certificates field with multiple certificates, each with its own password
+			// Test the new ca-certificates field with multiple certificates
 			cert1Pem, err := generateSelfSignedCert()
 			require.NoError(t, err)
 			cert2Pem, err := generateSelfSignedCert()
 			require.NoError(t, err)
 
-			// Create secrets with both cert and password together
+			// Create secrets with certificates
 			caCert1Data := make(map[string]string)
 			caCert1Data["ca.crt"] = string(cert1Pem)
-			caCert1Data["password"] = "test-password-1"
 			err = CreatePlainTextSecret(t, ctx, ns, "test-ca-cert-1", caCert1Data)
 			require.NoError(t, err)
 
 			caCert2Data := make(map[string]string)
 			caCert2Data["ca.crt"] = string(cert2Pem)
-			caCert2Data["password"] = "test-password-2"
 			err = CreatePlainTextSecret(t, ctx, ns, "test-ca-cert-2", caCert2Data)
 			require.NoError(t, err)
 
+			truststorePassData := make(map[string]string)
+			truststorePassData["password"] = "truststore-password"
+			err = CreatePlainTextSecret(t, ctx, ns, "truststore-pass-multi", truststorePassData)
+			require.NoError(t, err)
+
 			name := RandomizedSuffixName("multicacert")
 			g.Expect(KamelRun(t, ctx, ns,
 				"./files/Java.java",
 				"--name", name,
 				"-t", "mount.configs=secret:test-ca-cert-1",
 				"-t", "mount.configs=secret:test-ca-cert-2",
-				// Using new ca-certificates field: each certificate with its own password path
+				"-t", "mount.configs=secret:truststore-pass-multi",
 				"-t", "jvm.ca-certificates[0].cert-path=/etc/camel/conf.d/_secrets/test-ca-cert-1/ca.crt",
-				"-t", "jvm.ca-certificates[0].password-path=/etc/camel/conf.d/_secrets/test-ca-cert-1/password",
 				"-t", "jvm.ca-certificates[1].cert-path=/etc/camel/conf.d/_secrets/test-ca-cert-2/ca.crt",
-				"-t", "jvm.ca-certificates[1].password-path=/etc/camel/conf.d/_secrets/test-ca-cert-2/password",
+				"-t", "jvm.truststore-password-path=/etc/camel/conf.d/_secrets/truststore-pass-multi/password",
 			).Execute()).To(Succeed())
 
 			g.Eventually(IntegrationPodPhase(t, ctx, ns, name), TestTimeoutLong*2).Should(Equal(corev1.PodRunning))
@@ -141,10 +143,9 @@ func TestJVMTrait(t *testing.T) {
 			certPem, err := generateSelfSignedCert()
 			require.NoError(t, err)
 
-			// Create secret with cert and password
+			// Create secret with certificate
 			caCertData := make(map[string]string)
 			caCertData["ca.crt"] = string(certPem)
-			caCertData["password"] = "test-password-456"
 			err = CreatePlainTextSecret(t, ctx, ns, "test-ca-sys", caCertData)
 			require.NoError(t, err)
 
@@ -160,11 +161,9 @@ func TestJVMTrait(t *testing.T) {
 				"--name", name,
 				"-t", "mount.configs=secret:test-ca-sys",
 				"-t", "mount.configs=secret:base-ts-password",
-				// Using new base-truststore field with JDK cacerts as base
 				"-t", "jvm.base-truststore.truststore-path=/opt/java/openjdk/lib/security/cacerts",
 				"-t", "jvm.base-truststore.password-path=/etc/camel/conf.d/_secrets/base-ts-password/password",
 				"-t", "jvm.ca-certificates[0].cert-path=/etc/camel/conf.d/_secrets/test-ca-sys/ca.crt",
-				"-t", "jvm.ca-certificates[0].password-path=/etc/camel/conf.d/_secrets/test-ca-sys/password",
 			).Execute()).To(Succeed())
 
 			g.Eventually(IntegrationPodPhase(t, ctx, ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))
@@ -184,21 +183,25 @@ func TestJVMTrait(t *testing.T) {
 			certPem, err := generateSelfSignedCert()
 			require.NoError(t, err)
 
-			// Create secret with both cert and password
+			// Create secret with certificate
 			caCertData := make(map[string]string)
 			caCertData["ca.crt"] = string(certPem)
-			caCertData["password"] = "changeit"
 			err = CreatePlainTextSecret(t, ctx, ns, "test-ca-single", caCertData)
 			require.NoError(t, err)
 
+			truststorePassData := make(map[string]string)
+			truststorePassData["password"] = "truststore-password"
+			err = CreatePlainTextSecret(t, ctx, ns, "truststore-pass-single", truststorePassData)
+			require.NoError(t, err)
+
 			name := RandomizedSuffixName("singlecert")
 			g.Expect(KamelRun(t, ctx, ns,
 				"./files/Java.java",
 				"--name", name,
 				"-t", "mount.configs=secret:test-ca-single",
-				// Using new ca-certificates field with explicit password
+				"-t", "mount.configs=secret:truststore-pass-single",
 				"-t", "jvm.ca-certificates[0].cert-path=/etc/camel/conf.d/_secrets/test-ca-single/ca.crt",
-				"-t", "jvm.ca-certificates[0].password-path=/etc/camel/conf.d/_secrets/test-ca-single/password",
+				"-t", "jvm.truststore-password-path=/etc/camel/conf.d/_secrets/truststore-pass-single/password",
 			).Execute()).To(Succeed())
 
 			g.Eventually(IntegrationPodPhase(t, ctx, ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))