CircleCI-Public / cimg-openjdk

The CircleCI OpenJDK (Java) Docker Convenience Image.
https://circleci.com/developer/images/image/cimg/openjdk
MIT License
18 stars 25 forks

Make Truststore Path equal to all versions #130

Closed hupling closed 1 year ago

hupling commented 2 years ago

The truststore path is different in each openjdk version. Please make a link from the $JAVA_HOME/lib/security/cacerts to /etc/ssl/certs/java/cacerts. This is the default in the openjdk alpine image from docker. This makes it easier to inject the truststore from a kubernetes secret.

expected: [image]

actually: [image]

JalexChen commented 1 year ago

hi @hupling - this is actually the default behavior and i've checked three of the latest releases. the truststore path you are referring to is the same outside of the java version, which has been defined in $JAVA_HOME. What's the use case for adding a new directory and link?

the only time the path could potentially not be the same is if you are switching versions, which isn't the intended use-case for the convenience images.

lastly, this image is built off ubuntu, not alpine, so it wouldn't necessarily make sense to mirror alpine

hupling commented 1 year ago

@JalexChen I use the image in the gitlab runner in kubernetes. When the gitlab runner creates a pod, I can inject a file via a volume. When the truststore path is equal across all images (openjdk 8, 11, 17), I don't need to inject the truststore three times because I don't know what version of openjdk the pipeline uses.

I think the cert paths for ubuntu and alpine are equal.

Here is an example with normal certs.

kind: Pod
apiVersion: v1
metadata:
  name: runner
  namespace: gitlabrunner
spec:
  restartPolicy: Never
  containers:
    - resources: {}
      stdin: true
      terminationMessagePath: /dev/termination-log
      name: build
      volumeMounts:
        - name: trusted-ca
          mountPath: /etc/pki/ca-trust/extracted/pem
        - name: trusted-ca1
          mountPath: /etc/ssl/certs/ca-certificates.crt
          subPath: ca-certificates.crt
      image: 'maven:3.8-openjdk-8'
  volumes:
    - name: trusted-ca
      configMap:
        name: trusted-ca
        items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
        defaultMode: 420
    - name: trusted-ca1
      configMap:
        name: trusted-ca1
        items:
          - key: ca-bundle.crt
            path: ca-certificates.crt
        defaultMode: 420
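
What the request in this thread amounts to inside an image, as an added example that is not part of the issue thread or of the cimg-openjdk project's code: locate the JDK's `cacerts` and replace it with a symlink to one stable path, so a single volume mount covers every Java version. The function names are hypothetical; the default stable path is the one named in the issue, and the `jre/lib/security` location is the standard JDK 8 layout.

```bash
# Added example: point a JDK's cacerts at one stable truststore path.
# Function names are hypothetical; intended to run at image build time.

# Print the cacerts location for the JDK found under $1.
# JDK 9+ keeps it in lib/security; a JDK 8 install keeps it in jre/lib/security.
find_cacerts() {
  local home="$1" rel
  for rel in lib/security/cacerts jre/lib/security/cacerts; do
    if [ -e "$home/$rel" ] || [ -L "$home/$rel" ]; then
      printf '%s\n' "$home/$rel"
      return 0
    fi
  done
  return 1
}

# Replace the JDK's cacerts with a symlink to the stable path ($2).
# The stable path is seeded from the JDK's own store when it does not exist yet,
# so the image still trusts its default CAs when nothing is mounted over it.
link_truststore() {
  local home="$1" stable="${2:-/etc/ssl/certs/java/cacerts}" src
  src=$(find_cacerts "$home") || { echo "no cacerts under $home" >&2; return 1; }

  # Already linked to the stable path: nothing to do (idempotent).
  if [ -L "$src" ] && [ "$(readlink "$src")" = "$stable" ]; then
    return 0
  fi

  mkdir -p "$(dirname "$stable")"
  if [ ! -e "$stable" ]; then
    cp -p "$src" "$stable" || return 1
  fi
  mv "$src" "$src.orig"        # keep the original store for rollback
  ln -s "$stable" "$src"
}
```

A truststore mounted at the stable path replaces the trust anchors for every JVM in the container, so the mounted file should come from a source whose write access is restricted.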