feat: use PKCS12 truststore with openssl for qtodo

minmzzhang · minmzzhang · commit 986a455bc013 · 2026-01-16T17:14:32.000-05:00
Replace deprecated JKS truststore with modern PKCS12 format:
- Use ose-tools-rhel9 image with openssl for fast truststore creation
- Single openssl command instead of keytool loop (149 certs in &lt;1s)
- Configure via JAVA_TOOL_OPTIONS (Quarkus TLS registry doesn't work with OIDC)
- Update Hibernate ORM env var to non-deprecated name
- Add wait-for-keycloak init container to prevent OIDC 503 warnings

PKCS12 is the modern standard recommended over Java-specific JKS format.

Signed-off-by: Min Zhang &lt;minzhang@redhat.com&gt;
diff --git a/charts/qtodo/templates/app-deployment.yaml b/charts/qtodo/templates/app-deployment.yaml
@@ -30,46 +30,47 @@ spec:
 {{- if eq .Values.app.spire.enabled true }}
       initContainers:
       - name: init-ca-truststore
-        image: registry.redhat.io/ubi9/openjdk-17:latest
+        image: registry.redhat.io/openshift4/ose-tools-rhel9:latest
         imagePullPolicy: IfNotPresent
         command:
           - /bin/bash
           - -c
           - |
             set -e
-            echo "Converting CA bundle to Java truststore..."
+            echo "Converting CA bundle to PKCS12 truststore using openssl..."
             
             # Validate password is provided
             if [ -z "$TRUSTSTORE_PASSWORD" ]; then
               echo "ERROR: TRUSTSTORE_PASSWORD not set"
               exit 1
             fi
             
-            # Split the PEM bundle into individual certificates
-            csplit -s -z -f /tmp/cert- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
+            CA_BUNDLE="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+            TRUSTSTORE_PATH="/run/secrets/truststore/truststore.p12"
             
-            # Create the truststore with each certificate
-            TRUSTSTORE_PATH="/run/secrets/truststore/cacerts"
+            # Verify CA bundle exists
+            if [ ! -f "$CA_BUNDLE" ]; then
+              echo "ERROR: CA bundle not found at $CA_BUNDLE"
+              exit 1
+            fi
             
-            # Remove any existing truststore
-            rm -f "$TRUSTSTORE_PATH"
+            # Count certificates in bundle
+            CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$CA_BUNDLE" || echo "0")
+            echo "Found $CERT_COUNT certificates in CA bundle"
             
-            # Import each certificate into the truststore
-            cert_index=0
-            for cert_file in /tmp/cert-*; do
-              if [ -s "$cert_file" ]; then
-                echo "Importing certificate $cert_index from $cert_file"
-                keytool -import -noprompt \
-                  -alias "ztvp-ca-$cert_index" \
-                  -keystore "$TRUSTSTORE_PATH" \
-                  -storepass "$TRUSTSTORE_PASSWORD" \
-                  -file "$cert_file" || echo "Warning: Failed to import $cert_file"
-                cert_index=$((cert_index + 1))
-              fi
-            done
+            # Create PKCS12 truststore from PEM bundle using openssl (single command, no loop)
+            openssl pkcs12 -export -nokeys \
+              -in "$CA_BUNDLE" \
+              -out "$TRUSTSTORE_PATH" \
+              -passout pass:"$TRUSTSTORE_PASSWORD" \
+              -name "ztvp-ca-bundle"
             
-            echo "Successfully created truststore with $cert_index certificates"
+            echo "Successfully created PKCS12 truststore"
             ls -lh "$TRUSTSTORE_PATH"
+            
+            # Verify the truststore
+            echo "Verifying PKCS12 truststore..."
+            openssl pkcs12 -info -in "$TRUSTSTORE_PATH" -passin pass:"$TRUSTSTORE_PASSWORD" -nokeys 2>&1 | head -10
         env:
           - name: TRUSTSTORE_PASSWORD
             valueFrom:
@@ -82,6 +83,38 @@ spec:
             readOnly: true
           - name: truststore
             mountPath: /run/secrets/truststore
+      - name: wait-for-keycloak
+        image: registry.redhat.io/openshift4/ose-tools-rhel9:latest
+        imagePullPolicy: IfNotPresent
+        command:
+          - /bin/sh
+          - -c
+          - |
+            echo "Waiting for Keycloak OIDC endpoint to be available..."
+            KEYCLOAK_URL="{{ default (printf "https://keycloak.%s/realms/ztvp/.well-known/openid-configuration" .Values.global.localClusterDomain) .Values.app.oidc.authServerUrl }}/.well-known/openid-configuration"
+            # Remove duplicate .well-known if authServerUrl already contains realm
+            KEYCLOAK_URL=$(echo "$KEYCLOAK_URL" | sed 's|/.well-known/openid-configuration/.well-known/openid-configuration|/.well-known/openid-configuration|')
+            
+            MAX_RETRIES=60
+            RETRY_INTERVAL=5
+            RETRY_COUNT=0
+            
+            while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+              if curl -sf --cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem "$KEYCLOAK_URL" > /dev/null 2>&1; then
+                echo "Keycloak is available!"
+                exit 0
+              fi
+              RETRY_COUNT=$((RETRY_COUNT + 1))
+              echo "Keycloak not ready yet (attempt $RETRY_COUNT/$MAX_RETRIES). Retrying in ${RETRY_INTERVAL}s..."
+              sleep $RETRY_INTERVAL
+            done
+            
+            echo "WARNING: Keycloak not available after $MAX_RETRIES attempts. Continuing anyway..."
+            exit 0
+        volumeMounts:
+          - name: ztvp-trusted-ca
+            mountPath: /etc/pki/ca-trust/extracted/pem
+            readOnly: true
       - name: init-spiffe-helper
         image: {{ template "qtodo.image" .Values.app.images.spiffeHelper }}
         imagePullPolicy: {{ .Values.app.images.spiffeHelper.pullPolicy }}
@@ -213,7 +246,7 @@ spec:
           value: '0.0.0.0'
         - name: QUARKUS_HTTP_PORT
           value: '8080'
-        - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION
+        - name: QUARKUS_HIBERNATE_ORM_SCHEMA_MANAGEMENT_STRATEGY
           value: 'drop-and-create'
 {{- if eq .Values.app.spire.enabled false }}
         - name: QUARKUS_DATASOURCE_USERNAME
@@ -241,9 +274,9 @@ spec:
             secretKeyRef:
               name: qtodo-truststore-secret
               key: truststore-password
-        # JVM-level truststore configuration for all SSL connections
+        # JVM-level truststore configuration for all SSL connections (PKCS12 format)
         - name: JAVA_TOOL_OPTIONS
-          value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/cacerts -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)"
+          value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)"
 {{- end }}
 {{- end }}
 {{- if eq .Values.app.spire.enabled true }}
