#2 OZG-7121 helm: Init truststore and keystore in deployment

src/main/helm/templates/certificate.yaml

@@ -17,17 +17,6 @@ spec:
   duration: 8760h0m0s # 1 Jahr
   renewBefore: 5840h0m0s # 8 Monate
   commonName: {{ .Release.Name }}
-  keystores:
-    jks:
-      create: true
-      passwordSecretRef:
-        name: xta-test-server-default-secret
-        key: keystorePassword
-    pkcs12:
-      create: true
-      passwordSecretRef:
-          name: xta-test-server-default-secret
-          key: keystorePassword
   subject:
     organizations:
       - "XtaTestOrga"

src/main/helm/templates/deployment.yaml

@@ -57,14 +57,31 @@ spec:
         labelSelector:
           matchLabels:
             app.kubernetes.io/name: {{ .Release.Name }}
+      initContainers:
+        - name: init-keystore-and-truststore
+          image: alpine:3.21
+          command: [ "/bin/sh", "-c" ]
+          args:
+            - |
+              apk add --no-cache openssl openjdk11
+
+              echo "[1.0] Import Root CA into Xta-Server-Truststore"
+              keytool -importcert -alias xta-test-root-ca -keystore /store/keystore.jks -storetype JKS -storepass password -file /tls/ca.crt -noprompt
+
+              # Create a PKCS#12 keystore from tls.crt and tls.key
+              openssl pkcs12 -export -in /tls/tls.crt -inkey /tls/tls.key -out /store/keystore.p12 -name xta-test-server -passout pass:password
+          volumeMounts:
+            - name: xta-test-server-tls-store
+              mountPath: "/tls/"
+              readOnly: true
+            - name: store-dir
+              mountPath: "/store/"
       containers:   
       - env:
           - name: spring_profiles_active
             value: {{ include "app.envSpringProfiles" . }}
           - name: server_ssl_key-store
             value: /store/keystore.p12
-          - name: server_ssl_key-alias
-            value: certificate
           - name: server_ssl_trust-store
             value: /store/truststore.jks
           {{- with include "app.getCustomList" . }}
@@ -124,12 +141,14 @@ spec:
         volumeMounts:
           - name: temp-dir
             mountPath: "/tmp"
-          - name: xta-test-server-tls-store
+          - name: store-dir
             mountPath: "/store/"
             readOnly: true
       volumes:
         - name: temp-dir
           emptyDir: {}
+        - name: store-dir
+          emptyDir: {}
         - name: xta-test-server-tls-store
           secret:
             secretName: {{ .Release.Name }}-tls-secret

src/main/resources/store/generate.sh

@@ -12,6 +12,9 @@ if [ ! -f $ISSUER_ALIAS.key ] || [ ! -f $ISSUER_ALIAS.crt ]; then
   openssl genrsa -out $ISSUER_ALIAS.key 2048
   echo "[1.1] Generate a self-signed certificate for the Xta-Root-CA"
   openssl req -x509 -new -nodes -key $ISSUER_ALIAS.key -sha256 -days 4000 -out $ISSUER_ALIAS.crt -config ca-openssl.cnf -extensions v3_ca
+
+  # echo "[1.2] Generate a keystore for the Xta-Root-CA"
+  # openssl pkcs12 -export -in $ISSUER_ALIAS.crt -inkey $ISSUER_ALIAS.key -out $ISSUER_ALIAS.p12 -name xta-test-server -passout pass:password
 else
   echo "[1.0] Root CA found. Skipping generation."
 fi

src/test/helm/deployment_env_test.yaml

@@ -51,17 +51,6 @@ tests:
           content:
             name: server_ssl_key-store
             value: /store/keystore.p12
-  - it: should set key alias
-    set:
-      ozgcloud:
-        environment: dev
-      imagePullSecret: image-pull-secret
-    asserts:
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content:
-            name: server_ssl_key-alias
-            value: certificate
   - it: should set truststore
     set:
       ozgcloud:

src/test/helm/deployment_volumes_test.yaml

@@ -25,6 +25,29 @@ tests:
             name: temp-dir
             emptyDir: {}
 
+  - it: should have store volume
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: store-dir
+            emptyDir: {}
+  - it: should have store volume mount in initContainer
+    asserts:
+      - contains:
+          path: spec.template.spec.initContainers[0].volumeMounts
+          content:
+            name: store-dir
+            mountPath: "/store/"
+  - it: should have truststore volume mount in container
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: store-dir
+            mountPath: "/store/"
+            readOnly: true
+
   - it: should have tls store volume
     asserts:
       - contains:
@@ -33,12 +56,11 @@ tests:
             name: xta-test-server-tls-store
             secret:
               secretName: helm-test-tls-secret
-
-  - it: should have truststore volume mount
+  - it: should have truststore volume mount in initContainer
     asserts:
       - contains:
-          path: spec.template.spec.containers[0].volumeMounts
+          path: spec.template.spec.initContainers[0].volumeMounts
           content:
             name: xta-test-server-tls-store
-            mountPath: "/store/"
+            mountPath: "/tls/"
             readOnly: true
\ No newline at end of file