Merged
13 changes: 7 additions & 6 deletions docs/modules/ROOT/partials/apis/camel-k-crds.adoc
Expand Up @@ -7801,25 +7801,26 @@ string
|


The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"

|`caCertMountPath` +
string
|


The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"

|`caCertPassword` +
string
|


Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"


|===
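Review bot: The new `caCert` description offers `mount.secrets` as a way to mount the file, but the usage examples and the e2e test in this change only ever mount a secret with `mount.configs=secret:<name>`. Confirm that `mount.secrets` is an existing mount trait property, or name only `mount.configs=secret:<name>` here, so a reader following the description does not end up with a path that nothing mounts. The same sentence appears in the trait table and in every CRD description, so fix it where the text originates.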
43 changes: 23 additions & 20 deletions docs/modules/traits/pages/jvm.adoc
Expand Up @@ -64,19 +64,20 @@ Deprecated: no longer in use.

| jvm.ca-cert
| string
| The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
| Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"

| jvm.ca-cert-mount-path
| string
| The path where the generated truststore will be mounted
| The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"

| jvm.ca-cert-password
| string
| Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
| Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"

|===
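Review bot: The examples in the `jvm.ca-cert` and `jvm.ca-cert-password` rows hard-code `/etc/camel/conf.d/_secrets/my-ca/ca.crt` and `/etc/camel/conf.d/_secrets/truststore-pass/password` without saying where that directory layout comes from. State the pattern the examples imply (`/etc/camel/conf.d/_secrets/<secret-name>/<key>`) and point to the mount trait page, so users can derive the path for their own secret and key names. The password row also still reads "Required when caCert is set" while the option in this table is spelled `jvm.ca-cert`.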

Expand Down Expand Up @@ -115,39 +116,41 @@ $ kamel run --resource configmap:my-dep -t jvm.classpath=/etc/camel/resources/my

When connecting to services that use TLS with certificates signed by a private CA (e.g., internal Elasticsearch, Kafka, or databases), you can use the `ca-cert` option to add the CA certificate to the JVM's truststore.

First, create a Kubernetes Secret containing the CA certificate:
First, create Kubernetes Secrets containing the CA certificate and truststore password:

[source,console]
----
kubectl create secret generic my-private-ca --from-file=ca.crt=/path/to/ca-certificate.pem
----

Next, create a Secret containing the truststore password:

[source,console]
----
kubectl create secret generic my-truststore-pwd --from-literal=password=mysecurepassword
----

Then reference both secrets when running the integration:
Then mount the secrets using the mount trait and reference the file paths:

[source,console]
----
$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca -t jvm.ca-cert-password=secret:my-truststore-pwd
$ kamel run MyRoute.java \
-t mount.configs=secret:my-private-ca \
-t mount.configs=secret:my-truststore-pwd \
-t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/ca.crt \
-t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
----

If your certificate is stored under a different key in the secret:
If your secret uses a different key name for the certificate:

[source,console]
----
$ kamel run MyRoute.java -t jvm.ca-cert=secret:my-private-ca/custom-ca.pem -t jvm.ca-cert-password=secret:my-truststore-pwd
$ kamel run MyRoute.java \
-t mount.configs=secret:my-private-ca \
-t mount.configs=secret:my-truststore-pwd \
-t jvm.ca-cert=/etc/camel/conf.d/_secrets/my-private-ca/custom-ca.pem \
-t jvm.ca-cert-password=/etc/camel/conf.d/_secrets/my-truststore-pwd/password
----

This will automatically:

1. Mount the CA certificate secret
1. Mount the secrets to the integration container (via mount trait)
2. Generate a JVM truststore using an init container
3. Configure the JVM to use the generated truststore via `-Djavax.net.ssl.trustStore`
4. Inject the truststore password securely as an environment variable from your secret

NOTE: The `ca-cert-password` option is **required** when using `ca-cert`. The password is never exposed in command-line arguments - it is injected as an environment variable from the secret.
NOTE: The `ca-cert-password` option is **required** when using `ca-cert`. Both values must be file paths to the mounted secrets.
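Review bot: The rewritten NOTE and the shortened list drop the earlier statement that the truststore password is never exposed in command-line arguments, and nothing replaces it. Document how the password file is consumed (by the init container, by the JVM, or both) and whether its value can end up in the process arguments, since that was the guarantee the previous text gave. The list also still opens with "This will automatically:" while item 1 is now a mount the user has to request with `-t mount.configs=secret:...`; reword item 1 as a prerequisite. A one-line migration note saying whether `secret:` references are still accepted for these two options would help existing users.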

6 changes: 4 additions & 2 deletions e2e/common/traits/jvm_test.go
Expand Up @@ -111,8 +111,10 @@ func TestJVMTrait(t *testing.T) {
g.Expect(KamelRun(t, ctx, ns,
"./files/Java.java",
"--name", name,
"-t", "jvm.ca-cert=secret:test-ca-cert",
"-t", "jvm.ca-cert-password=secret:test-ca-password",
"-t", "mount.configs=secret:test-ca-cert",
"-t", "mount.configs=secret:test-ca-password",
"-t", "jvm.ca-cert=/etc/camel/conf.d/_secrets/test-ca-cert/ca.crt",
"-t", "jvm.ca-cert-password=/etc/camel/conf.d/_secrets/test-ca-password/password",
).Execute()).To(Succeed())

g.Eventually(IntegrationPodPhase(t, ctx, ns, name), TestTimeoutLong).Should(Equal(corev1.PodRunning))
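Review bot: This `KamelRun` call only exercises the happy path, with both secrets mounted and the keys `ca.crt` and `password`. Add a case where `jvm.ca-cert` points at a path that is not mounted, and one that still passes the old `secret:test-ca-cert` form, and assert that the integration reports a clear failure instead of a pod that never becomes ready. The assertion visible here stops at `corev1.PodRunning`, which by itself does not show that the generated truststore was used; if no later check covers that, add one.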
104 changes: 56 additions & 48 deletions helm/camel-k/crds/camel-k-crds.yaml
Expand Up @@ -4723,19 +4723,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
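Review bot: `caCert` and `caCertPassword` stay `type: string` with no further constraint, so a value in the old `secret:my-ca-certs` form still passes the schema even though the description now requires a file path. Consider a `pattern` that requires an absolute path (for example `^/`), or validate the value in the trait and surface an error on the Integration, so a leftover `secret:` reference fails early with a clear message. The same applies to every other occurrence of this block in the file.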
Expand Down Expand Up @@ -7145,19 +7146,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
Expand Down Expand Up @@ -9469,19 +9471,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
Expand Down Expand Up @@ -11770,19 +11773,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
Expand Down Expand Up @@ -20905,19 +20909,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
Expand Down Expand Up @@ -23160,19 +23165,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
Expand Down Expand Up @@ -33657,19 +33663,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath
Expand Down Expand Up @@ -35844,19 +35851,20 @@ spec:
type: array
caCert:
description: |-
The secret should contain PEM-encoded certificates.
Example: "secret:my-ca-certs" or "secret:my-ca-certs/custom-ca.crt"
Path to a PEM-encoded CA certificate file. The file must be mounted
by the user using the mount trait (e.g., mount.configs or mount.secrets).
Example: "/etc/camel/conf.d/_secrets/my-ca/ca.crt"
type: string
caCertMountPath:
description: |-
The path where the generated truststore will be mounted
The path where the generated truststore will be mounted.
Default: "/etc/camel/conf.d/_truststore"
type: string
caCertPassword:
description: |-
Required when caCert is set. A secret reference containing the truststore password.
If the secret key is not specified, "password" is used as the default key.
Example: "secret:my-truststore-password" or "secret:my-truststore-password/mykey"
Required when caCert is set. Path to a file containing the truststore password.
The file must be mounted by the user using the mount trait.
Example: "/etc/camel/conf.d/_secrets/truststore-pass/password"
type: string
classpath:
description: Additional JVM classpath (use `Linux` classpath