Extract function to generate import keytool command
What does this MR do?
This change updates the command to import a custom X.509 certificate using keytool. The -cacerts option is not available in the Java 8 keystore. Java 11, 13, 14 do support the -cacerts option but this is unnecessary if you specify the keystore path using the -keystore option. The implementation provided in this MR of the keytool invocation should work for Java 8, 11, 13, and 14.
I was able to reproduce this defect by applying the following .gitlab-ci.yml file, as can be seen in this job.

```yaml
dependency_scanning:
  variables:
    DS_JAVA_VERSION: "8"
    ADDITIONAL_CA_CERT_BUNDLE: |
      -----BEGIN CERTIFICATE-----
      <snip>
      -----END CERTIFICATE-----
```
The combination of specifying Java 8 with an ADDITIONAL_CA_CERT_BUNDLE variable produced the following error:

```
[DEBU] [gemnasium-maven] [2020-09-09T15:02:59Z] ▶ /opt/asdf/shims/keytool -importcert -file /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem -cacerts -storepass changeit -noprompt
Illegal option: -cacerts
```

The updated command produces the following output.

```
[DEBU] [gemnasium-maven] [2020-09-15T23:00:34Z] ▶ /opt/asdf/shims/keytool -importcert -alias custom -file /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem -trustcacerts -noprompt -storepass changeit -keystore /opt/asdf/installs/java/adoptopenjdk-14.0.1+7.1/lib/security/cacerts
Certificate was added to keystore
```
I was able to verify this change using the integration tests defined here.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by mo khan
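As an added example (not code from this MR or from the gemnasium-maven project), the script below generates the keytool invocation discussed above in a form that works on Java 8 as well as Java 11+: it names the truststore explicitly with -keystore instead of using -cacerts, which Java 8's keytool rejects. It goes one step further than the MR by locating the cacerts file for both JDK layouts (lib/security/cacerts on Java 9+, jre/lib/security/cacerts on a Java 8 JDK) and by splitting a multi-certificate PEM bundle into one import per certificate, because keytool -importcert only reads the first certificate in a file. The function names, the custom-N alias scheme, the fake JAVA_HOME layout and the two-certificate bundle are the example's own constructions; the placeholder PEM bodies are not real certificates.

```shell
#!/bin/sh
# Added example, not code from the MR or the gemnasium-maven project.
# Generates keytool import commands that work on Java 8 as well as Java 11+:
# the keystore is named explicitly with -keystore, so the -cacerts option
# (rejected by Java 8's keytool with "Illegal option: -cacerts") is not used.
set -e

# Locate the JDK's default truststore under JAVA_HOME. Java 9+ keep it at
# lib/security/cacerts; a Java 8 JDK keeps it at jre/lib/security/cacerts.
# (Assumption: no other layouts are in play.)
find_cacerts() {
    java_home=$1
    for candidate in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'no cacerts keystore found under %s\n' "$java_home" >&2
    return 1
}

# Split a PEM bundle ($1) into one file per certificate in directory $2 and
# print the file paths in bundle order. keytool -importcert imports only the
# first certificate in a file, so a bundle has to be imported one cert at a time.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", outdir, n); print out }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
}

# Print one keytool invocation per certificate file. Aliases must be unique
# within a keystore, so each import gets its own (custom-1, custom-2, ...).
keytool_import_commands() {
    keystore=$1
    storepass=$2
    shift 2
    i=0
    for cert in "$@"; do
        i=$((i + 1))
        printf 'keytool -importcert -alias custom-%d -file %s -trustcacerts -noprompt -storepass %s -keystore %s\n' \
            "$i" "$cert" "$storepass" "$keystore"
    done
}

# Demo: a fake JAVA_HOME laid out like a Java 8 JDK and a constructed
# two-certificate bundle (placeholder bodies, not real certificates).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/jdk8/jre/lib/security"
    : > "$work/jdk8/jre/lib/security/cacerts"
    cat > "$work/bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderOne
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderTwo
-----END CERTIFICATE-----
EOF
    keystore=$(find_cacerts "$work/jdk8")
    certs=$(split_pem_bundle "$work/bundle.pem" "$work/certs")
    # $certs is intentionally unquoted: one path per line, no spaces in mktemp paths.
    keytool_import_commands "$keystore" changeit $certs
    rm -rf "$work"
}

demo
```

The generated commands are printed rather than executed so the script can be checked without a JDK on the machine; in a real job you would pipe them to sh, or call keytool directly in the loop, with JAVA_HOME resolved for the selected DS_JAVA_VERSION.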