Commit e07d0da

pkalsi97 authored and squakez committed
fix(jvm): change caCert params from secret refs to file paths
1 parent 18239ed commit e07d0da

16 files changed, +210 -315 lines changed

docs/modules/ROOT/partials/apis/camel-k-crds.adoc

Lines changed: 7 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -7801,25 +7801,26 @@ string
78017801
|
78027802
78037803
7804-
The secret should contain PEM-encoded certificates.
7805-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
7804+
Path to a PEM-encoded CA certificate file. The file must be mounted
7805+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
7806+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
78067807
78077808
|`caCertMountPath` +
78087809
string
78097810
|
78107811
78117812
7812-
The path where the generated truststore will be mounted
7813+
The path where the generated truststore will be mounted.
78137814
Default: "/etc/camel/conf.d/_truststore"
78147815
78157816
|`caCertPassword` +
78167817
string
78177818
|
78187819
78197820
7820-
Required when caCert is set. A secret reference containing the truststore password.
7821-
If the secret key is not specified, "password" is used as the default key.
7822-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
7821+
Required when caCert is set. Path to a file containing the truststore password.
7822+
The file must be mounted by the user using the mount trait.
7823+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
78237824
78247825
78257826
|===
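Review bot: the new caCert description narrows "PEM-encoded certificates" (plural) to "a PEM-encoded CA certificate file"; state explicitly whether a file holding several concatenated PEM certificates (a bundle) is imported in full or only its first entry, because the previous wording implied bundles were supported and users migrating will keep passing them. The caCertPassword text should likewise say how the file content is interpreted, in particular whether a trailing newline is trimmed: a password file created with --from-literal and one created with --from-file differ in exactly that byte, and a mismatch would only show up as a truststore generation failure at startup.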

docs/modules/traits/pages/jvm.adoc

Lines changed: 23 additions & 20 deletions
@@ -64,19 +64,20 @@ Deprecated: no longer in use.
6464

6565
| jvm.ca-cert
6666
| string
67-
| The secret should contain PEM-encoded certificates.
68-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
67+
| Path to a PEM-encoded CA certificate file. The file must be mounted
68+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
69+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
6970

7071
| jvm.ca-cert-mount-path
7172
| string
72-
| The path where the generated truststore will be mounted
73+
| The path where the generated truststore will be mounted.
7374
Default: "/etc/camel/conf.d/_truststore"
7475

7576
| jvm.ca-cert-password
7677
| string
77-
| Required when caCert is set. A secret reference containing the truststore password.
78-
If the secret key is not specified, "password" is used as the default key.
79-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
78+
| Required when caCert is set. Path to a file containing the truststore password.
79+
The file must be mounted by the user using the mount trait.
80+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
8081

8182
|===
8283

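Review bot: the jvm.ca-cert row offers "mount.configs or mount.secrets" as the way to mount the file, but the worked example later in this file uses only mount.configs and the example path /etc/camel/conf.d/_secrets/my-ca/ca.crt matches that option; either show the path prefix a mount.secrets mount produces or drop the alternative so readers do not pair the wrong prefix with the wrong trait option. This table also repeats the CRD descriptions from camel-k-crds.adoc verbatim, so confirm it was regenerated from the trait source rather than edited by hand, otherwise the two will drift.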
@@ -115,39 +116,41 @@ $ kamel run --resource configmap:my-dep -t jvm.classpath=/etc/camel/resources/my
115116

116117
When connecting to services that use TLS with certificates signed by a private CA (e.g., internal Elasticsearch, Kafka, or databases), you can use the `ca-cert` option to add the CA certificate to the JVM's truststore.
117118

118-
First, create a Kubernetes Secret containing the CA certificate:
119+
First, create Kubernetes Secrets containing the CA certificate and truststore password:
119120

120121
[source,console]
121122
----
122123
kubectl create secret generic my-private-ca --from-file=ca.crt=/path/to/ca-certificate.pem
123-
----
124-
125-
Next, create a Secret containing the truststore password:
126-
127-
[source,console]
128-
----
129124
kubectl create secret generic my-truststore-pwd --from-literal=password=mysecurepassword
130125
----
131126

132-
Then reference both secrets when running the integration:
127+
Then mount the secrets using the mount trait and reference the file paths:
133128

134129
[source,console]
135130
----
136-
$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca -t jvm.ca-cert-password=secret:my-truststore-pwd
131+
$ kamel run MyRoute.java \
132+
-t mount.configs=secret:my-private-ca \
133+
-t mount.configs=secret:my-truststore-pwd \
134+
-t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/ca.crt \
135+
-t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
137136
----
138137

139-
If your certificate is stored under a different key in the secret:
138+
If your secret uses a different key name for the certificate:
140139

141140
[source,console]
142141
----
143-
$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca/custom-ca.pem -t jvm.ca-cert-password=secret:my-truststore-pwd
142+
$ kamel run MyRoute.java \
143+
-t mount.configs=secret:my-private-ca \
144+
-t mount.configs=secret:my-truststore-pwd \
145+
-t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/custom-ca.pem \
146+
-t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
144147
----
145148

146149
This will automatically:
147150

148-
1. Mount the CA certificate secret
151+
1. Mount the secrets to the integration container (via mount trait)
149152
2. Generate a JVM truststore using an init container
150153
3. Configure the JVM to use the generated truststore via `-Djavax.net.ssl.trustStore`
151-
4. Inject the truststore password securely as an environment variable from your secret
152154

153-
NOTE: The `ca-cert-password` option is **required** when using `ca-cert`. The password is never exposed in command-line arguments - it is injected as an environment variable from the secret.
155+
NOTE: The `ca-cert-password` option is **required** when using `ca-cert`. Both values must be file paths to the mounted secrets.
156+

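Review bot: removing step 4 ("Inject the truststore password securely as an environment variable from your secret") and the sentence "The password is never exposed in command-line arguments" leaves the page silent on how the password file now reaches the JVM; if the init container or the launcher interpolates it into -Djavax.net.ssl.trustStorePassword=... on the java command line, it becomes readable in the pod spec and in process listings inside the container, so the NOTE should state the actual mechanism (read from the mounted file at startup, not placed in arguments) and the numbered list should keep a step that describes it. Separately, the "different key name" example points at /etc/camel/conf.d/_secrets/my-private-ca/custom-ca.pem, but the only secret created above uses the key ca.crt; add the matching kubectl create secret generic my-private-ca --from-file=custom-ca.pem=... line so the snippet works as pasted.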
e2e/common/traits/jvm_test.go

Lines changed: 4 additions & 2 deletions
@@ -111,8 +111,10 @@ func TestJVMTrait(t *testing.T) {
111111
g.Expect(KamelRun(t, ctx, ns,
112112
"./files/Java.java",
113113
"--name", name,
114-
"-t", "jvm.ca-cert=secret:test-ca-cert",
115-
"-t", "jvm.ca-cert-password=secret:test-ca-password",
114+
"-t", "mount.configs=secret:test-ca-cert",
115+
"-t", "mount.configs=secret:test-ca-password",
116+
"-t", "jvm.ca-cert=/etc/camel/conf.d/_secrets/test-ca-cert/ca.crt",
117+
"-t", "jvm.ca-cert-password=/etc/camel/conf.d/_secrets/test-ca-password/password",
116118
).Execute()).To(Succeed())
117119

118120
g.Eventually(IntegrationPodPhase(t, ctx, ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))
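Review bot: the hard-coded paths /etc/camel/conf.d/_secrets/test-ca-cert/ca.crt and /etc/camel/conf.d/_secrets/test-ca-password/password assume the fixture secrets (created outside this hunk) use exactly the keys ca.crt and password; verify the fixture setup matches, since a wrong key name would surface only as a startup failure with a less obvious message. The assertion that follows waits for PodRunning, which does not prove the truststore was generated from the mounted file; consider also checking that the init container completed or that -Djavax.net.ssl.trustStore is present in the running JVM's arguments, and adding a negative case where jvm.ca-cert points at a path that was never mounted, to confirm the failure is reported clearly rather than silently falling back to the default truststore.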

helm/camel-k/crds/camel-k-crds.yaml

Lines changed: 56 additions & 48 deletions
@@ -4723,19 +4723,20 @@ spec:
47234723
type: array
47244724
caCert:
47254725
description: |-
4726-
The secret should contain PEM-encoded certificates.
4727-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
4726+
Path to a PEM-encoded CA certificate file. The file must be mounted
4727+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
4728+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
47284729
type: string
47294730
caCertMountPath:
47304731
description: |-
4731-
The path where the generated truststore will be mounted
4732+
The path where the generated truststore will be mounted.
47324733
Default: "/etc/camel/conf.d/_truststore"
47334734
type: string
47344735
caCertPassword:
47354736
description: |-
4736-
Required when caCert is set. A secret reference containing the truststore password.
4737-
If the secret key is not specified, "password" is used as the default key.
4738-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
4737+
Required when caCert is set. Path to a file containing the truststore password.
4738+
The file must be mounted by the user using the mount trait.
4739+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
47394740
type: string
47404741
classpath:
47414742
description: Additional JVM classpath (use `Linux` classpath
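Review bot: caCert and caCertPassword remain plain type: string with no validation even though the accepted syntax changes from secret:<name>[/<key>] to an absolute file path; an existing Integration still carrying jvm.ca-cert=secret:my-ca-certs will be admitted by the API server and only fail later when the init container cannot open a file literally named "secret:my-ca-certs". Consider a pattern or an x-kubernetes-validations rule requiring a leading "/" so the old syntax is rejected at admission, and call out the migration in the commit message or release notes, since this is a breaking change for users of the previous format. This hunk is repeated seven more times further down the file; confirm every copy comes from regeneration rather than manual edits so they cannot drift from the trait source.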
@@ -7145,19 +7146,20 @@ spec:
71457146
type: array
71467147
caCert:
71477148
description: |-
7148-
The secret should contain PEM-encoded certificates.
7149-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
7149+
Path to a PEM-encoded CA certificate file. The file must be mounted
7150+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
7151+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
71507152
type: string
71517153
caCertMountPath:
71527154
description: |-
7153-
The path where the generated truststore will be mounted
7155+
The path where the generated truststore will be mounted.
71547156
Default: "/etc/camel/conf.d/_truststore"
71557157
type: string
71567158
caCertPassword:
71577159
description: |-
7158-
Required when caCert is set. A secret reference containing the truststore password.
7159-
If the secret key is not specified, "password" is used as the default key.
7160-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
7160+
Required when caCert is set. Path to a file containing the truststore password.
7161+
The file must be mounted by the user using the mount trait.
7162+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
71617163
type: string
71627164
classpath:
71637165
description: Additional JVM classpath (use `Linux` classpath
@@ -9469,19 +9471,20 @@ spec:
94699471
type: array
94709472
caCert:
94719473
description: |-
9472-
The secret should contain PEM-encoded certificates.
9473-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
9474+
Path to a PEM-encoded CA certificate file. The file must be mounted
9475+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
9476+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
94749477
type: string
94759478
caCertMountPath:
94769479
description: |-
9477-
The path where the generated truststore will be mounted
9480+
The path where the generated truststore will be mounted.
94789481
Default: "/etc/camel/conf.d/_truststore"
94799482
type: string
94809483
caCertPassword:
94819484
description: |-
9482-
Required when caCert is set. A secret reference containing the truststore password.
9483-
If the secret key is not specified, "password" is used as the default key.
9484-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
9485+
Required when caCert is set. Path to a file containing the truststore password.
9486+
The file must be mounted by the user using the mount trait.
9487+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
94859488
type: string
94869489
classpath:
94879490
description: Additional JVM classpath (use `Linux` classpath
@@ -11770,19 +11773,20 @@ spec:
1177011773
type: array
1177111774
caCert:
1177211775
description: |-
11773-
The secret should contain PEM-encoded certificates.
11774-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
11776+
Path to a PEM-encoded CA certificate file. The file must be mounted
11777+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
11778+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
1177511779
type: string
1177611780
caCertMountPath:
1177711781
description: |-
11778-
The path where the generated truststore will be mounted
11782+
The path where the generated truststore will be mounted.
1177911783
Default: "/etc/camel/conf.d/_truststore"
1178011784
type: string
1178111785
caCertPassword:
1178211786
description: |-
11783-
Required when caCert is set. A secret reference containing the truststore password.
11784-
If the secret key is not specified, "password" is used as the default key.
11785-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
11787+
Required when caCert is set. Path to a file containing the truststore password.
11788+
The file must be mounted by the user using the mount trait.
11789+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
1178611790
type: string
1178711791
classpath:
1178811792
description: Additional JVM classpath (use `Linux` classpath
@@ -20905,19 +20909,20 @@ spec:
2090520909
type: array
2090620910
caCert:
2090720911
description: |-
20908-
The secret should contain PEM-encoded certificates.
20909-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
20912+
Path to a PEM-encoded CA certificate file. The file must be mounted
20913+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
20914+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
2091020915
type: string
2091120916
caCertMountPath:
2091220917
description: |-
20913-
The path where the generated truststore will be mounted
20918+
The path where the generated truststore will be mounted.
2091420919
Default: "/etc/camel/conf.d/_truststore"
2091520920
type: string
2091620921
caCertPassword:
2091720922
description: |-
20918-
Required when caCert is set. A secret reference containing the truststore password.
20919-
If the secret key is not specified, "password" is used as the default key.
20920-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
20923+
Required when caCert is set. Path to a file containing the truststore password.
20924+
The file must be mounted by the user using the mount trait.
20925+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
2092120926
type: string
2092220927
classpath:
2092320928
description: Additional JVM classpath (use `Linux` classpath
@@ -23160,19 +23165,20 @@ spec:
2316023165
type: array
2316123166
caCert:
2316223167
description: |-
23163-
The secret should contain PEM-encoded certificates.
23164-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
23168+
Path to a PEM-encoded CA certificate file. The file must be mounted
23169+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
23170+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
2316523171
type: string
2316623172
caCertMountPath:
2316723173
description: |-
23168-
The path where the generated truststore will be mounted
23174+
The path where the generated truststore will be mounted.
2316923175
Default: "/etc/camel/conf.d/_truststore"
2317023176
type: string
2317123177
caCertPassword:
2317223178
description: |-
23173-
Required when caCert is set. A secret reference containing the truststore password.
23174-
If the secret key is not specified, "password" is used as the default key.
23175-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
23179+
Required when caCert is set. Path to a file containing the truststore password.
23180+
The file must be mounted by the user using the mount trait.
23181+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
2317623182
type: string
2317723183
classpath:
2317823184
description: Additional JVM classpath (use `Linux` classpath
@@ -33657,19 +33663,20 @@ spec:
3365733663
type: array
3365833664
caCert:
3365933665
description: |-
33660-
The secret should contain PEM-encoded certificates.
33661-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
33666+
Path to a PEM-encoded CA certificate file. The file must be mounted
33667+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
33668+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
3366233669
type: string
3366333670
caCertMountPath:
3366433671
description: |-
33665-
The path where the generated truststore will be mounted
33672+
The path where the generated truststore will be mounted.
3366633673
Default: "/etc/camel/conf.d/_truststore"
3366733674
type: string
3366833675
caCertPassword:
3366933676
description: |-
33670-
Required when caCert is set. A secret reference containing the truststore password.
33671-
If the secret key is not specified, "password" is used as the default key.
33672-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
33677+
Required when caCert is set. Path to a file containing the truststore password.
33678+
The file must be mounted by the user using the mount trait.
33679+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
3367333680
type: string
3367433681
classpath:
3367533682
description: Additional JVM classpath (use `Linux` classpath
@@ -35844,19 +35851,20 @@ spec:
3584435851
type: array
3584535852
caCert:
3584635853
description: |-
35847-
The secret should contain PEM-encoded certificates.
35848-
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
35854+
Path to a PEM-encoded CA certificate file. The file must be mounted
35855+
by the user using the mount trait (e.g., mount.configs or mount.secrets).
35856+
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
3584935857
type: string
3585035858
caCertMountPath:
3585135859
description: |-
35852-
The path where the generated truststore will be mounted
35860+
The path where the generated truststore will be mounted.
3585335861
Default: "/etc/camel/conf.d/_truststore"
3585435862
type: string
3585535863
caCertPassword:
3585635864
description: |-
35857-
Required when caCert is set. A secret reference containing the truststore password.
35858-
If the secret key is not specified, "password" is used as the default key.
35859-
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
35865+
Required when caCert is set. Path to a file containing the truststore password.
35866+
The file must be mounted by the user using the mount trait.
35867+
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
3586035868
type: string
3586135869
classpath:
3586235870
description: Additional JVM classpath (use `Linux` classpath
