From 214de856a0a84d9e36b40281242fb663d85b032b Mon Sep 17 00:00:00 2001 From: Michael Folz Date: Tue, 10 Sep 2024 11:03:57 +0200 Subject: [PATCH] #237 - Minor suggestions to improve the container image - mount certificates file and use_system_ca_certs - remove custom docker entrypoint --- Dockerfile | 3 +-- docker-compose.yml | 3 ++- docker-entrypoint.sh | 35 ----------------------------------- 3 files changed, 3 insertions(+), 38 deletions(-) delete mode 100644 docker-entrypoint.sh diff --git a/Dockerfile b/Dockerfile index ae7983d5..4d5db517 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,6 +22,5 @@ HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:809 COPY ./target/*.jar ./dataportal-backend.jar COPY ontology ontology -COPY ./docker-entrypoint.sh / -ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["exec", "java", "$JAVA_OPTS" , "-jar", "dataportal-backend.jar"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 7e22e18e..df4835e0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,6 +13,7 @@ services: init-elasticsearch: condition: service_completed_successfully environment: + USE_SYSTEM_CA_CERTS: 1 # ----- app QUERY_VALIDATION_ENABLED: ${DATAPORTAL_BACKEND_QUERY_VALIDATION_ENABLED:-true} CQL_TRANSLATE_ENABLED: ${DATAPORTAL_BACKEND_CQL_TRANSLATE_ENABLED:-true} @@ -96,7 +97,7 @@ services: - ${DATAPORTAL_BACKEND_LOCAL_TERM_CODE_MAPPING_PATH:-./ontology/dataportal-term-code-mapping.json}:${DATAPORTAL_BACKEND_ONTOLOGY_FILES_FOLDER:-/opt/dataportal-backend/ontology}/dataportal-term-code-mapping.json - ${DATAPORTAL_BACKEND_DSF_SECURITY_DIR:-/dev/null}:/opt/dataportal-backend/dsf-security/ - ${DATAPORTAL_BACKEND_ONTOLOGY_DB_MIGRATION_FOLDER:-../ontology/migration}:/opt/dataportal-backend/ontology/migration - + - ${DATAPORTAL_BACKEND_CERTS_DIR:-./certs}:/certificates/ dataportal-postgres: container_name: dataportal-postgres image: 'postgres:16-alpine' 
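Review bot: The new ENTRYPOINT on the last line of the Dockerfile hunk cannot start the container: in exec (JSON-array) form the first element is the program to execute, and `exec` is a shell builtin rather than a binary, so the runtime fails with an executable-not-found error; exec form also performs no variable expansion, so `"$JAVA_OPTS"` would reach java as the literal string `$JAVA_OPTS`. Either drop both and let the launcher read its options from the environment (`ENTRYPOINT ["java", "-jar", "dataportal-backend.jar"]`, passing options via `JDK_JAVA_OPTIONS` or `JAVA_TOOL_OPTIONS` instead of `JAVA_OPTS`), or spell the shell out so java still replaces it as PID 1: `ENTRYPOINT ["/bin/sh", "-c", "exec java $JAVA_OPTS -jar dataportal-backend.jar"]`. The compose change relies on `USE_SYSTEM_CA_CERTS`, which is honored by the base image's own entrypoint script (on eclipse-temurin images `/__cacert_entrypoint.sh`); overriding ENTRYPOINT here bypasses that script, so the mounted certificates would never be imported — if that is the base, keep its entrypoint and move the java invocation to `CMD ["java", "-jar", "dataportal-backend.jar"]`. The FROM line is outside the hunk, so the base image and its entrypoint cannot be confirmed from here.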
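Review bot: The certificates bind mount added in the second docker-compose hunk is writable, although the container only reads trust anchors from it; mounting it read-only keeps a compromised process from altering the CA set the host provides: `- ${DATAPORTAL_BACKEND_CERTS_DIR:-./certs}:/certificates/:ro`. The removed entrypoint imported `certs/*.pem`, whereas the system-CA import that `USE_SYSTEM_CA_CERTS: 1` enables goes through update-ca-certificates on Debian/Ubuntu-based images, which only considers files ending in `.crt`, so existing deployments that ship `.pem` files would silently lose their custom CAs. If that is the mechanism in use, a comment next to the mount such as `# CA files must be PEM-encoded and use the .crt extension to be imported` plus a note in the release notes would avoid the surprise. Whether `USE_SYSTEM_CA_CERTS` is honored at all depends on the image's entrypoint, which this hunk cannot show.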
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
deleted file mode 100644
index 2c603dc2..00000000
--- a/docker-entrypoint.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-
-TRUSTSTORE_FILE="/opt/dataportal-backend/truststore/self-signed-truststore.jks"
-TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}
-KEY_PASS=${KEY_PASS:-changeit}
-
-shopt -s nullglob
-IFS=$'\n'
-ca_files=(certs/*.pem)
-
-if [ ! "${#ca_files[@]}" -eq 0 ]; then
-
- echo "# At least one CA file with extension *.pem found in certs folder -> starting dataportal backend with own CAs"
-
- if [[ -f "$TRUSTSTORE_FILE" ]]; then
- echo "## Truststore already exists -> resetting truststore"
- rm "$TRUSTSTORE_FILE"
- fi
-
- keytool -genkey -alias self-signed-truststore -keyalg RSA -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -keypass "$KEY_PASS" -dname "CN=self-signed,OU=self-signed,O=self-signed,L=self-signed,S=self-signed,C=TE"
- keytool -delete -alias self-signed-truststore -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
-
- for filename in "${ca_files[@]}"; do
-
- echo "### ADDING CERT: $filename"
- keytool -delete -alias "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt > /dev/null 2>&1
- keytool -importcert -alias "$filename" -file "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
-
- done
-
- java $JAVA_OPTS -Djavax.net.ssl.trustStore="$TRUSTSTORE_FILE" -Djavax.net.ssl.trustStorePassword="$TRUSTSTORE_PASS" -jar dataportal-backend.jar
-else
- echo "# No CA *.pem cert files found in /opt/dataportal-backend/certs -> starting dataportal backend without own CAs"
- java $JAVA_OPTS -jar dataportal-backend.jar
-fi