enable credhub certificate hot reload

loewenstein-sap · pbusko · pbusko · commit 3e31aadd706d · 2026-03-26T15:24:14.000+01:00
Co-authored-by: Pavel Busko &lt;pavel.busko@sap.com&gt;
diff --git a/certs/all-in-one.conf b/certs/all-in-one.conf
@@ -35,5 +35,6 @@ DNS.11              = log-api
 DNS.12              = log-cache
 DNS.13              = log_cache
 DNS.14              = reverse-log-proxy
+DNS.15              = credhub
 
 IP.1                = 127.0.0.1
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -210,9 +210,14 @@ variable "CREDHUB_RELEASE_VERSION" {
 }
 
 target "credhub" {
+  dockerfile = "releases/credhub/credhub.Dockerfile"
+
   tags = [ "${REGISTRY_PREFIX}credhub:latest", "${REGISTRY_PREFIX}credhub:${CREDHUB_RELEASE_VERSION}" ]
 
-  context = "https://github.com/pivotal/credhub-release.git#${CREDHUB_RELEASE_VERSION}:src/credhub"
+  contexts = {
+    src = "https://github.com/pivotal/credhub-release.git#${CREDHUB_RELEASE_VERSION}:src/credhub"
+    "files" = "releases/credhub/files"
+  }
 }
 
 variable "CFLINUXFS4_VERSION" {
diff --git a/helmfile.yaml.gotmpl b/helmfile.yaml.gotmpl
@@ -253,7 +253,7 @@ releases:
       - postgresql
     values:
       - dbPassword: {{ .Values.secrets.dbPassword }}
-      - caCertificateSecret: instance-identity
+      - certificateSecret: all-in-one-tls
 
   - name: locket
     namespace: default
diff --git a/releases/credhub/credhub.Dockerfile b/releases/credhub/credhub.Dockerfile
@@ -0,0 +1,18 @@
+# Build image
+FROM --platform=$BUILDPLATFORM bellsoft/liberica-openjdk-debian:21 AS builder
+
+WORKDIR /app
+COPY --from=src . .
+
+RUN ./gradlew bootJar -x test -x check
+
+# Runtime image
+FROM bellsoft/liberica-openjre-debian:21
+
+WORKDIR /app
+
+COPY --from=files --chmod=0755 /entrypoint.sh /entrypoint.sh
+COPY --from=builder /app/applications/credhub-api/build/libs/credhub.jar .
+
+EXPOSE 9000
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/releases/credhub/files/entrypoint.sh b/releases/credhub/files/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+APPLICATION_YAML=${APPLICATION_YAML:-/application.yml}
+
+if [ ! -f "/ssl/trust_store.jks" ]; then
+    echo "Creating trust store from CA certificate"
+    keytool -import -noprompt -trustcacerts -alias uaa_ca -file /ssl/ca.crt -keystore /tmp/trust_store.jks -storepass ${TRUST_STORE_PASSWORD}
+    export TRUST_STORE_PATH=/tmp/trust_store.jks
+fi
+
+JAVA_OPTS="-Djava.security.egd=file:/dev/urandom"
+JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=4096"
+JAVA_OPTS="$JAVA_OPTS -Djdk.tls.namedGroups=\"secp384r1\""
+JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=${TRUST_STORE_PATH}"
+JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${TRUST_STORE_PASSWORD}"
+JAVA_OPTS="$JAVA_OPTS -Dspring.config.location=${APPLICATION_YAML}"
+
+trap 'kill -TERM "$java_pid"' TERM INT
+
+java $JAVA_OPTS -ea -jar /app/credhub.jar --management.server.port=9001 &
+java_pid=$!
+
+wait "$java_pid"
diff --git a/releases/credhub/helm/files/credhub.yaml b/releases/credhub/helm/files/credhub.yaml
@@ -1,8 +1,8 @@
 {{ $_ := required ".Values.dbPassword must be provided" .Values.dbPassword }}
 auth-server:
   url: {{ .Values.uaa.address }}
-  trust_store: /app/stores/trust_store.jks
-  trust_store_password: changeit
+  trust_store: ${TRUST_STORE_PATH}
+  trust_store_password: ${TRUST_STORE_PASSWORD}
 encryption:
   key_creation_enabled: true
   providers:
@@ -46,17 +46,34 @@ server:
   port: 8844
   ssl:
     enabled: true
-    key_store: /app/stores/key_store.jks
-    key_store_password: changeit
-    key_password: changeit
-    key_alias: cert
+    bundle: credhub
     ciphers: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
     client_auth: want
-    trust_store: /app/stores/trust_store.jks
-    trust_store_password: changeit
-    trust_store_type: JKS
     enabled_protocols: TLSv1.2,TLSv1.3
+  tomcat:
+    accesslog:
+      enabled: true
+      pattern: '%h %l %u %t "%r" %s %b %D'
+      directory: /dev
+      prefix: stdout
+      suffix:
+      file-date-format:
+      buffered: false
+      rotate: false
 spring:
+  ssl:
+    bundle:
+      pem:
+        credhub:
+          reload-on-update: true
+          keystore:
+            certificate: file:/ssl/tls.crt
+            private-key: file:/ssl/tls.key
+          truststore:
+            certificate: file:/ssl/ca.crt
+      watch:
+        file:
+          quiet-period: 1s
   flyway:
     enabled: true
     locations:
diff --git a/releases/credhub/helm/templates/credhub.yaml b/releases/credhub/helm/templates/credhub.yaml
@@ -36,25 +36,16 @@ spec:
         env:
         - name: TRUST_STORE_PASSWORD
           value: changeit
-        - name: KEY_STORE_PASSWORD
-          value: changeit
-        - name: ENCRYPTION_PASSWORD
-          value: changeit
-        - name: SERVER_CA_PRIVATE_KEY_PATH
-          value: /etc/ssl/ca/tls.key
-        - name: SERVER_CA_CERT_PATH
-          value: /etc/ssl/ca/tls.crt
-        - name: UAA_CA_PATH
-          value: /etc/ssl/ca/tls.crt
-        - name: UAA_URL
-          value: https://uaa.{{ .Release.Namespace }}.svc.cluster.local
-        - name: SUBJECT_ALTERNATIVE_NAMES
-          value: "DNS:{{ .Values.hostname }},DNS:credhub.{{ .Release.Namespace }}.svc.cluster.local,DNS:credhub.{{ .Release.Namespace }}.svc,DNS:credhub.{{ .Release.Namespace }},DNS:credhub"
+        - name: TRUST_STORE_PATH
+          value: /ssl/trust_store.jks
         volumeMounts:
         - name: config
-          mountPath: /app/config
-        - name: ca
-          mountPath: /etc/ssl/ca
+          mountPath: /application.yml
+          subPath: application.yml
+        - name: ssl
+          mountPath: /ssl
+        - name: tmp
+          mountPath: /tmp
       {{- if .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml .Values.nodeSelector | nindent 8 }}
@@ -67,9 +58,11 @@ spec:
       - name: config
         configMap:
           name: credhub-config
-      - name: ca
+      - name: tmp
+        emptyDir: {}
+      - name: ssl
         secret:
-          secretName: {{ required "caCertificateSecret is required" .Values.caCertificateSecret }}
+          secretName: {{ required "certificateSecret is required" .Values.certificateSecret }}
 ---
 apiVersion: v1
 kind: Service
diff --git a/releases/credhub/helm/values.schema.json b/releases/credhub/helm/values.schema.json
@@ -2,7 +2,7 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "additionalProperties": false,
   "properties": {
-    "caCertificateSecret": {
+    "certificateSecret": {
       "type": "string"
     },
     "dbPassword": {
diff --git a/releases/credhub/helm/values.yaml b/releases/credhub/helm/values.yaml
@@ -12,4 +12,4 @@ tolerations: ~
 
 dbPassword: ~
 
-caCertificateSecret: ""
+certificateSecret: ""

Original file line number	Diff line number	Diff line change
`@@ -210,9 +210,14 @@ variable "CREDHUB_RELEASE_VERSION" {`
`210`	`210`	`}`
`211`	`211`
`212`	`212`	`target "credhub" {`
	`213`	`+ dockerfile = "releases/credhub/credhub.Dockerfile"`
	`214`	`+`
`213`	`215`	`tags = [ "${REGISTRY_PREFIX}credhub:latest", "${REGISTRY_PREFIX}credhub:${CREDHUB_RELEASE_VERSION}" ]`
`214`	`216`
`215`		`- context = "https://github.com/pivotal/credhub-release.git#${CREDHUB_RELEASE_VERSION}:src/credhub"`
	`217`	`+ contexts = {`
	`218`	`+ src = "https://github.com/pivotal/credhub-release.git#${CREDHUB_RELEASE_VERSION}:src/credhub"`
	`219`	`+ "files" = "releases/credhub/files"`
	`220`	`+ }`
`216`	`221`	`}`
`217`	`222`
`218`	`223`	`variable "CFLINUXFS4_VERSION" {`
Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,4 @@ tolerations: ~`
`12`	`12`
`13`	`13`	`dbPassword: ~`
`14`	`14`
`15`		`-caCertificateSecret: ""`
	`15`	`+certificateSecret: ""`