feat: add secure Java truststore for qtodo with Vault integration

- Add init container to convert CA bundle to Java JKS truststore
- Add ExternalSecret for truststore password from Vault
- Configure JAVA_TOOL_OPTIONS for JVM-level SSL truststore
- Mount ztvp-trusted-ca ConfigMap for CA certificates
- Enable truststore by default when SPIRE is enabled

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

charts/qtodo/templates/app-config-env.yaml

@@ -4,8 +4,8 @@ metadata:
   name: qtodo-config-env
   namespace: {{ .Release.Namespace }}
 data:
-{{- if eq .Values.app.oidc.enabled true }}
-  QUARKUS_OIDC_ENABLED: "{{ .Values.app.oidc.enabled }}"
+{{- if eq .Values.app.spire.enabled true }}
+  QUARKUS_OIDC_ENABLED: "true"
   QUARKUS_OIDC_AUTH_SERVER_URL: "{{ default (printf "https://keycloak.%s/realms/ztvp" .Values.global.localClusterDomain) .Values.app.oidc.authServerUrl }}"
   QUARKUS_OIDC_CLIENT_ID: "{{ .Values.app.oidc.clientId }}"
   QUARKUS_OIDC_APPLICATION_TYPE: "{{ .Values.app.oidc.applicationType }}"

charts/qtodo/templates/app-deployment.yaml

@@ -29,6 +29,59 @@ spec:
     spec:
 {{- if eq .Values.app.spire.enabled true }}
       initContainers:
+      - name: init-ca-truststore
+        image: registry.redhat.io/ubi9/openjdk-17:latest
+        imagePullPolicy: IfNotPresent
+        command:
+          - /bin/bash
+          - -c
+          - |
+            set -e
+            echo "Converting CA bundle to Java truststore..."
+            
+            # Validate password is provided
+            if [ -z "$TRUSTSTORE_PASSWORD" ]; then
+              echo "ERROR: TRUSTSTORE_PASSWORD not set"
+              exit 1
+            fi
+            
+            # Split the PEM bundle into individual certificates
+            csplit -s -z -f /tmp/cert- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
+            
+            # Create the truststore with each certificate
+            TRUSTSTORE_PATH="/run/secrets/truststore/cacerts"
+            
+            # Remove any existing truststore
+            rm -f "$TRUSTSTORE_PATH"
+            
+            # Import each certificate into the truststore
+            cert_index=0
+            for cert_file in /tmp/cert-*; do
+              if [ -s "$cert_file" ]; then
+                echo "Importing certificate $cert_index from $cert_file"
+                keytool -import -noprompt \
+                  -alias "ztvp-ca-$cert_index" \
+                  -keystore "$TRUSTSTORE_PATH" \
+                  -storepass "$TRUSTSTORE_PASSWORD" \
+                  -file "$cert_file" || echo "Warning: Failed to import $cert_file"
+                cert_index=$((cert_index + 1))
+              fi
+            done
+            
+            echo "Successfully created truststore with $cert_index certificates"
+            ls -lh "$TRUSTSTORE_PATH"
+        env:
+          - name: TRUSTSTORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: qtodo-truststore-secret
+                key: truststore-password
+        volumeMounts:
+          - name: ztvp-trusted-ca
+            mountPath: /etc/pki/ca-trust/extracted/pem
+            readOnly: true
+          - name: truststore
+            mountPath: /run/secrets/truststore
       - name: init-spiffe-helper
         image: {{ template "qtodo.image" .Values.app.images.spiffeHelper }}
         imagePullPolicy: {{ .Values.app.images.spiffeHelper.pullPolicy }}
@@ -181,11 +234,29 @@ spec:
             secretKeyRef:
               name: oidc-client-secret
               key: client-secret
+{{- if eq .Values.app.truststore.enabled true }}
+        # Truststore password from Vault secret
+        - name: TRUSTSTORE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: qtodo-truststore-secret
+              key: truststore-password
+        # JVM-level truststore configuration for all SSL connections
+        - name: JAVA_TOOL_OPTIONS
+          value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/cacerts -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)"
+{{- end }}
 {{- end }}
 {{- if eq .Values.app.spire.enabled true }}
         volumeMounts:
           - name: db-credentials
             mountPath: /run/secrets/db-credentials
+          - name: truststore
+            mountPath: /run/secrets/truststore
+            readOnly: true
+          # Mount ZTVP CA bundle for non-Java tools (curl, openssl, etc.)
+          - name: ztvp-trusted-ca
+            mountPath: /etc/pki/ca-trust/extracted/pem
+            readOnly: true
 {{- end }}
         resources: {}
       serviceAccountName: qtodo
@@ -210,4 +281,6 @@ spec:
           configMap:
             name: ztvp-trusted-ca
             defaultMode: 420
+        - name: truststore
+          emptyDir: {}
 {{- end }}

charts/qtodo/templates/truststore-secret-external-secret.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.app.spire.enabled }}
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: qtodo-truststore-secret
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: '5'
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.name }}
+    kind: {{ .Values.global.secretStore.kind }}
+  target:
+    name: qtodo-truststore-secret
+    template:
+      type: Opaque
+      data:
+        truststore-password: "{{ `{{ .truststore_password }}` }}"
+  data:
+  - secretKey: truststore_password
+    remoteRef:
+      key: {{ .Values.app.truststore.vaultPath }}
+      property: truststore-password
+{{- end }}

charts/qtodo/values.yaml

@@ -63,6 +63,11 @@ app:
     enabled: true
     name: "oidc-client-secret"
     vaultPath: "secret/data/global/oidc-client-secret"
+  
+  # Truststore configuration for Java CA certificates
+  truststore:
+    enabled: true
+    vaultPath: "secret/data/global/qtodo-truststore"
 
 # PostgreSQL database configuration
 postgresql:

charts/ztvp-certificates/templates/ca-extraction-job-initial.yaml

@@ -7,6 +7,9 @@ metadata:
   namespace: {{ .Values.global.namespace }}
   annotations:
     argocd.argoproj.io/sync-wave: "-8"
+    # Run as regular sync resource (after RBAC at -9, before Policy at -5)
+    # Using Prune=false prevents OutOfSync after TTL deletes the completed Job
+    argocd.argoproj.io/sync-options: Prune=false
   labels:
     {{- include "ztvp-certificates.labels" . | nindent 4 }}
     app.kubernetes.io/component: initial-extraction

values-hub.yaml

@@ -163,39 +163,54 @@ clusterGroup:
       path: charts/ztvp-certificates
       annotations:
         argocd.argoproj.io/sync-wave: "-10"
-      # Use extraValueFiles for complex nested structures like additionalCertificates and rollout
+      # Ignore the ACM-replicated policy in local-cluster namespace
+      # ACM automatically creates policy replicas with name pattern: <source-ns>.<policy-name>
+      ignoreDifferences:
+        - group: policy.open-cluster-management.io
+          kind: Policy
+          name: openshift-config.ztvp-certificates-distribution
+          namespace: local-cluster
+          jsonPointers:
+            - /
+      # Use extraValueFiles for complex nested structures like additionalCertificates
       # The validated patterns framework only processes 'overrides' as --set parameters
       # Edit /overrides/values-ztvp-certificates.yaml to configure:
       #   - Additional CA certificates (additionalCertificates array)
       #   - Automatic rollout restart for consuming applications
       extraValueFiles:
         - /overrides/values-ztvp-certificates.yaml
       overrides:
-        # Job TTL: Retention time for completed CA extraction jobs
-        # Default: 300s (5 min). Extended for debugging/verification.
-        - name: job.ttlSecondsAfterFinished
-          value: "900"  # 15 minutes
+        # Disable Job TTL to prevent ArgoCD OutOfSync when Kubernetes deletes completed Jobs
+        # The initial Job runs once during first sync; CronJob handles ongoing extraction
+        - name: debug.keepFailedJobs
+          value: "true"
 
-        # Debug settings: Enable for troubleshooting certificate extraction issues
-        # verbose: Enables bash 'set -x' for detailed script execution logging
-        # keepFailedJobs: Prevents failed jobs from auto-cleanup (useful for debugging)
+        # Enable verbose logging for troubleshooting (uncomment if needed)
         # - name: debug.verbose
         #   value: "true"
-        # - name: debug.keepFailedJobs
-        #   value: "true"
 
-        # Primary custom CA: Use secretRef to reference an existing Kubernetes secret
-        # containing CA certificates. Uncomment to enable:
-        # Create secret: oc create secret generic custom-ca-bundle \
-        #   --from-file=ca.crt=/path/to/ca.crt -n openshift-config
+        # Primary custom CA: Use secretRef to reference an existing Kubernetes secret containing CA certificates
+        # Uncomment to add a primary custom CA:
+        # Single cert: oc create secret generic custom-ca-bundle --from-file=ca.crt=/path/to/ca.crt -n openshift-config
+        # Multiple certs: cat corp-root.crt intermediate.crt partner.crt > combined-ca.crt && oc create secret generic custom-ca-bundle --from-file=ca.crt=combined-ca.crt -n openshift-config
+        # Disabled for now - using auto-detection only
         # - name: customCA.secretRef.enabled
         #   value: "true"
-        # - name: customCA.secretRef.name
-        #   value: custom-ca-bundle
-        # - name: customCA.secretRef.namespace
-        #   value: openshift-config
-        # - name: customCA.secretRef.key
-        #   value: ca.crt
+        - name: customCA.secretRef.name
+          value: custom-ca-bundle
+        - name: customCA.secretRef.namespace
+          value: openshift-config
+        - name: customCA.secretRef.key
+          value: ca.crt
+        
+        # Automatic rollout configuration (simple overrides work fine)
+        - name: rollout.enabled
+          value: "true"
+        - name: rollout.strategy
+          value: labeled
+        
+        # Note: additionalCertificates (complex nested array) temporarily disabled
+        # Need to find proper way to pass complex structures in Validated Patterns
     acm:
       name: acm
       namespace: open-cluster-management

values-secret.yaml.template

@@ -47,6 +47,13 @@ secrets:
     - name: db-password
       onMissingValue: generate
       vaultPolicy: validatedPatternDefaultPolicy
+  - name: qtodo-truststore
+    vaultPrefixes:
+    - global
+    fields:
+    - name: truststore-password
+      onMissingValue: generate
+      vaultPolicy: alphaNumericPolicy
   - name: keycloak-users
     vaultPrefixes:
     - global