Add Windows CA certificate injection support for servercore images#954
Draft
gdams wants to merge 6 commits into
Draft
Add Windows CA certificate injection support for servercore images#954gdams wants to merge 6 commits into
gdams wants to merge 6 commits into
Conversation
Servercore-only equivalent of entrypoint.sh for Linux. When USE_SYSTEM_CA_CERTS is set, imports certificates from the Windows certificate store (Cert:\LocalMachine\Root) and from C:\certificates\*.crt into the JVM truststore using keytool. This is a prototype — not yet wired into the servercore Dockerfile template or the generator.
- Add COPY and ENTRYPOINT directives to servercore.Dockerfile.j2 - Generate entrypoint.ps1 alongside Dockerfile for servercore builds - Add test parity: entrypoint.ps1 rendering and servercore wiring tests - Enable java-ca-certificates-update test for windowsservercore
- Add exit $LASTEXITCODE to entrypoint.ps1 so child process exit codes propagate correctly (PowerShell does not replace the process like exec does in bash) - Add Windows branch to java-ca-certificates-update/run.sh that uses cmd /C instead of sh -c, mounts at C:/certificates, and builds a custom PowerShell entrypoint image for the override test - Skip Phase 2 (non-root) on Windows — --user and --read-only are not supported on Windows containers - Add custom-entrypoint.ps1 for the entrypoint override test - Ensure generated entrypoint.ps1 files end with a trailing newline
- Add catch blocks to both try/finally in entrypoint.ps1 so that individual cert import failures (e.g. unexportable system certs) don't terminate the entrypoint ($ErrorActionPreference = 'Stop') - Export MSYS_NO_PATHCONV=1 in the Windows test branch to prevent Git Bash from mangling C:/certificates volume mount paths (exit 125)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a PowerShell entrypoint for Windows Server Core containers that provides CA certificate injection parity with the existing Linux
entrypoint.sh.Changes
docker_templates/entrypoint.ps1.j2— New PowerShell entrypoint template, equivalent toentrypoint.sh.j2for Linux:Cert:\LocalMachine\Root) into the JVM truststoreC:\certificates\*.crtUSE_SYSTEM_CA_CERTSenvironment variable (same as Linux)JAVA_TOOL_OPTIONSdocker_templates/servercore.Dockerfile.j2— Wires the entrypoint into servercore images withCOPYandENTRYPOINTdirectivesgenerate_dockerfiles.py— Generatesentrypoint.ps1alongside Dockerfiles for servercore buildstest_generate_dockerfiles.py— Test parity with Linux entrypoint tests:test_entrypoint_ps1_rendering— validates cert store import, command forwarding, truststore paths for JDK 8/11+/JREtest_servercore_entrypoint_wiring— validates COPY/ENTRYPOINT in generated Dockerfile.test/config.sh— Enablesjava-ca-certificates-updatetest for windowsservercore (nanoserver remains excluded — no PowerShell)Depends on #952