Closed hupling closed 1 year ago
Hi @hupling - this is actually the default behavior and I've checked three of the latest releases. The truststore path you are referring to is the same outside of the java version, which has been defined in `$JAVA_HOME`. What's the use case for adding a new directory and link?
The only time the path could potentially not be the same is if you are switching versions, which isn't the intended use-case for the convenience images.
Lastly, this image is built off ubuntu, not alpine, so it wouldn't necessarily make sense to mirror alpine.
@JalexChen I use the image in the gitlab runner in kubernetes. When the gitlab runner creates a pod, I can inject a file via a volume. When the truststore path is equal over all images (openjdk 8, 11, 17), I don't need to inject the truststore three times because I don't know what version of openjdk the pipeline uses.
I think the cert path for ubuntu and alpine are equal.
Here is an example with normal certs.
```yaml
kind: Pod
apiVersion: v1
metadata:
  name: runner
  namespace: gitlabrunner
spec:
  restartPolicy: Never
  containers:
    - resources: {}
      stdin: true
      terminationMessagePath: /dev/termination-log
      name: build
      volumeMounts:
        - name: trusted-ca
          mountPath: /etc/pki/ca-trust/extracted/pem
        - name: trusted-ca1
          mountPath: /etc/ssl/certs/ca-certificates.crt
          subPath: ca-certificates.crt
      image: 'maven:3.8-openjdk-8'
  volumes:
    - name: trusted-ca
      configMap:
        name: trusted-ca
        items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
        defaultMode: 420
    - name: trusted-ca1
      configMap:
        name: trusted-ca1
        items:
          - key: ca-bundle.crt
            path: ca-certificates.crt
        defaultMode: 420
```
The truststore path is different in each openjdk version. Please make a link from `$JAVA_HOME/lib/security/cacerts` to `/etc/ssl/certs/java/cacerts`.
This is the default in the openjdk alpine image from docker. This makes it easier to inject the truststore from a kubernetes secret.

expected:
actually:
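
One way to create the link requested in this issue, as an added example that is not from the issue thread or the image's build scripts. The function names are hypothetical, and it assumes JDK 8 keeps the store under `jre/lib/security` while later JDKs use `lib/security`.

```shell
#!/bin/sh
# Added example: give every JDK layout one shared truststore path so a
# single Kubernetes secret mount covers openjdk 8, 11 and 17 images.
# Default is the path requested in the issue; override it for testing.
SHARED_TRUSTSTORE="${SHARED_TRUSTSTORE:-/etc/ssl/certs/java/cacerts}"

# Print the truststore location for the JDK rooted at $1.
# Assumption: JDK 8 uses jre/lib/security, JDK 9+ uses lib/security.
find_jdk_cacerts() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -e "$candidate" ] || [ -L "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Replace the JDK's cacerts with a symlink to the shared path ($2).
# Usage in an image build step: link_truststore "$JAVA_HOME"
link_truststore() {
    java_home="$1"
    shared="${2:-$SHARED_TRUSTSTORE}"
    jdk_store=$(find_jdk_cacerts "$java_home") || {
        echo "no cacerts found under $java_home" >&2
        return 1
    }
    # Already linked to the shared path: nothing to do.
    if [ -L "$jdk_store" ] && [ "$(readlink "$jdk_store")" = "$shared" ]; then
        return 0
    fi
    # Seed the shared path from the JDK's own store when it does not exist,
    # so the default CAs stay trusted if nothing is mounted over it.
    if [ ! -e "$shared" ]; then
        mkdir -p "$(dirname "$shared")" && cp -L "$jdk_store" "$shared" || return 1
    fi
    # Keep the original store beside the link for rollback and auditing.
    mv "$jdk_store" "$jdk_store.orig" && ln -s "$shared" "$jdk_store"
}
```

Mounting a secret over the shared path replaces the whole trust set for the JVM, so the mounted store needs to contain the public CAs the build still depends on as well as the internal one.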