refactor: move truststore creation script to separate Java file

minmzzhang · minmzzhang · commit 8bbd870c2512 · 2026-01-20T16:45:11.000-05:00
Move inline jshell script to a proper Java file (qtodo-truststore.java)
loaded via ConfigMap. This improves code clarity and maintainability.

Changes:
- Add charts/qtodo/files/qtodo-truststore.java with proper Java class
- Add truststore-script-configmap.yaml to load the Java file
- Update app-deployment.yaml to use 'java /usr/local/bin/qtodo-truststore.java'
- Update superlinter.yml to exclude the Java file from linting

Suggested-by: Manuel Lorenzo &lt;mlorenzofr@redhat.com&gt;
Signed-off-by: Min Zhang &lt;minzhang@redhat.com&gt;
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
@@ -32,7 +32,8 @@ jobs:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # Exclude bash scripts with Helm templating (they contain {{ }} syntax)
-          FILTER_REGEX_EXCLUDE: .*\.sh\.tpl$
+          # Exclude qtodo-truststore.java (default package, no package-info.java needed)
+          FILTER_REGEX_EXCLUDE: .*\.sh\.tpl$|.*qtodo-truststore\.java$
           # These are the validation we disable atm
           VALIDATE_ANSIBLE: false
           VALIDATE_BASH: false
diff --git a/charts/qtodo/files/qtodo-truststore.java b/charts/qtodo/files/qtodo-truststore.java
@@ -0,0 +1,94 @@
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.util.Collection;
+
+/**
+ * Utility class for importing CA certificates from a PEM bundle into a PKCS12
+ * truststore.
+ */
+public final class QtodoTruststore {
+    /** Conversion factor from milliseconds to seconds. */
+    private static final double MILLISECONDS_TO_SECONDS = 1000.0;
+
+    private QtodoTruststore() {
+        // Utility class - prevent instantiation
+    }
+
+    /**
+     * Main entry point for the truststore import utility.
+     *
+     * @param args Command line arguments (not used)
+     * @throws Exception if certificate import fails
+     */
+    public static void main(final String[] args) throws Exception {
+        long startTime = System.currentTimeMillis();
+
+        // Get environment variables
+        String bundlePath = System.getenv("CA_BUNDLE");
+        String p12Path = System.getenv("TRUSTSTORE_PATH");
+        String password = System.getenv("TRUSTSTORE_PASSWORD");
+
+        // Validate required environment variables
+        boolean missingVars = false;
+        if (bundlePath == null || bundlePath.isEmpty()) {
+            System.err.println(
+                "ERROR: CA_BUNDLE environment variable is not set");
+            missingVars = true;
+        }
+        if (p12Path == null || p12Path.isEmpty()) {
+            System.err.println(
+                "ERROR: TRUSTSTORE_PATH environment variable is not set");
+            missingVars = true;
+        }
+        if (password == null || password.isEmpty()) {
+            System.err.println(
+                "ERROR: TRUSTSTORE_PASSWORD environment variable "
+                + "is not set");
+            missingVars = true;
+        }
+
+        if (missingVars) {
+            System.exit(1);
+        }
+
+        System.out.println("Converting CA bundle to PKCS12 truststore...");
+        System.out.println("  CA bundle: " + bundlePath);
+        System.out.println("  Output: " + p12Path);
+
+        // Create empty PKCS12 keystore
+        KeyStore keyStore = KeyStore.getInstance("PKCS12");
+        keyStore.load(null, password.toCharArray());
+
+        // Load certificates from PEM bundle
+        CertificateFactory certFactory =
+            CertificateFactory.getInstance("X.509");
+        Collection<? extends Certificate> certs;
+
+        try (InputStream fis = new FileInputStream(bundlePath)) {
+            certs = certFactory.generateCertificates(fis);
+        }
+
+        // Import each certificate
+        int count = 0;
+        for (Certificate cert : certs) {
+            String alias = "ztvp-ca-" + String.format("%03d", count);
+            keyStore.setCertificateEntry(alias, cert);
+            count++;
+        }
+
+        // Save the keystore
+        try (FileOutputStream fos = new FileOutputStream(p12Path)) {
+            keyStore.store(fos, password.toCharArray());
+        }
+
+        long elapsed = System.currentTimeMillis() - startTime;
+        System.out.println("Successfully imported " + count
+            + " certificates into PKCS12 truststore");
+        System.out.println("Completed in "
+            + (elapsed / MILLISECONDS_TO_SECONDS) + " seconds");
+    }
+}
diff --git a/charts/qtodo/templates/app-deployment.yaml b/charts/qtodo/templates/app-deployment.yaml
@@ -33,64 +33,13 @@ spec:
         image: registry.redhat.io/ubi9/openjdk-17:latest
         imagePullPolicy: IfNotPresent
         command:
-          - /bin/bash
-          - -c
-          - |
-            set -e
-            echo "Converting CA bundle to PKCS12 truststore using Java KeyStore API..."
-            
-            # Validate password is provided
-            if [ -z "$TRUSTSTORE_PASSWORD" ]; then
-              echo "ERROR: TRUSTSTORE_PASSWORD not set"
-              exit 1
-            fi
-            
-            CA_BUNDLE="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
-            TRUSTSTORE_PATH="/run/secrets/truststore/truststore.p12"
-            
-            # Verify CA bundle exists
-            if [ ! -f "$CA_BUNDLE" ]; then
-              echo "ERROR: CA bundle not found at $CA_BUNDLE"
-              exit 1
-            fi
-            
-            # Count certificates in bundle
-            CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$CA_BUNDLE" || echo "0")
-            echo "Found $CERT_COUNT certificates in CA bundle"
-            
-            # Use jshell to bulk-import all certificates (single JVM, much faster than keytool loop)
-            jshell -R-Dpassword="$TRUSTSTORE_PASSWORD" -R-Dbundle="$CA_BUNDLE" -R-Doutput="$TRUSTSTORE_PATH" <<'JSHELL'
-            import java.security.*;
-            import java.security.cert.*;
-            import java.io.*;
-            import java.nio.file.*;
-            
-            String password = System.getProperty("password");
-            String bundlePath = System.getProperty("bundle");
-            String outputPath = System.getProperty("output");
-            
-            KeyStore ks = KeyStore.getInstance("PKCS12");
-            ks.load(null, password.toCharArray());
-            
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            byte[] pemBytes = Files.readAllBytes(Path.of(bundlePath));
-            
-            var certs = cf.generateCertificates(new ByteArrayInputStream(pemBytes));
-            int i = 0;
-            for (var cert : certs) {
-                ks.setCertificateEntry("ztvp-ca-" + String.format("%03d", i++), cert);
-            }
-            
-            try (FileOutputStream fos = new FileOutputStream(outputPath)) {
-                ks.store(fos, password.toCharArray());
-            }
-            System.out.println("Imported " + i + " certificates into PKCS12 truststore");
-            /exit
-            JSHELL
-            
-            echo "Successfully created PKCS12 truststore"
-            ls -lh "$TRUSTSTORE_PATH"
+          - java
+          - /usr/local/bin/qtodo-truststore.java
         env:
+          - name: CA_BUNDLE
+            value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+          - name: TRUSTSTORE_PATH
+            value: /run/secrets/truststore/truststore.p12
           - name: TRUSTSTORE_PASSWORD
             valueFrom:
               secretKeyRef:
@@ -102,6 +51,8 @@ spec:
             readOnly: true
           - name: truststore
             mountPath: /run/secrets/truststore
+          - name: qtodo-truststore-java
+            mountPath: /usr/local/bin
       - name: wait-for-keycloak
         image: registry.redhat.io/openshift4/ose-tools-rhel9:latest
         imagePullPolicy: IfNotPresent
@@ -335,4 +286,7 @@ spec:
             defaultMode: 420
         - name: truststore
           emptyDir: {}
+        - name: qtodo-truststore-java
+          configMap:
+            name: qtodo-truststore-java
 {{- end }}
diff --git a/charts/qtodo/templates/qtodo-truststore-config.yaml b/charts/qtodo/templates/qtodo-truststore-config.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.app.spire.enabled .Values.app.truststore.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: qtodo-truststore-java
+  namespace: qtodo
+  annotations:
+    argocd.argoproj.io/sync-wave: '10'
+  labels:
+    app: qtodo
+    app.kubernetes.io/component: truststore-init
+data:
+  qtodo-truststore.java: |
+{{- .Files.Get "files/qtodo-truststore.java" | nindent 4 }}
+{{- end }}
