chore: remove certs from startup.sh the cert authority is now baked into the $BASE_IMAGE

Author: coling01

.github/workflows/ci-build-publish.yml

@@ -157,7 +157,7 @@ jobs:
           tags: |
             ghcr.io/${{ github.repository }}:${{ needs.Artefact-Version.outputs.artefact_version }}
           build-args: |
-            BASE_IMAGE=openjdk:21-jdk-slim
+            BASE_IMAGE=eclipse-temurin:25
             JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar
 
   Deploy:
@@ -179,5 +179,6 @@ jobs:
               "ARTIFACT_ID": "${{ env.REPO_NAME }}",
               "ARTIFACT_VERSION": "${{ needs.Artefact-Version.outputs.artefact_version }}",
               "TARGET_REPOSITORY": "${{ github.repository }}"
+              "agentDemand": "ubuntu-j25",
+              "baseImage": "hmcts/apm-services:25-jre"
             }
-

Dockerfile

@@ -1,25 +1,23 @@
-# Dockerfile (project root)
+# See ci-build-publish.yml which sets baseImage=hmcts/apm-services:25-jre and agentDemand:ubuntu-j25
+# azure pipeline replaces $BASE_IMAGE with crmdvrepo01.azurecr.io + $baseImage
+# This image has the hmcts self signing certificate authority added to truststore so we dont need to worry about about the certs
+# If pulling this locally we need to authenticate to acr ... az login; az acr login -n crmdvrepo01
 ARG BASE_IMAGE
 FROM ${BASE_IMAGE:-eclipse-temurin:25-jre}
 
 # install curl for debugging
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends curl \
+    && apt-get install -y curl \
     && rm -rf /var/lib/apt/lists/*
 
-# run as non-root
+# run as non-root ... group and user "app"
 RUN groupadd -r app && useradd -r -g app app
 WORKDIR /app
 
-# copy startup script and app jar file
+# ---- Application files ----
 COPY docker/* /app/
 COPY build/libs/*.jar /app/
 COPY lib/applicationinsights.json /app/
 
-# Not sure this does anything useful we can drop once we sort certificates
-RUN test -n "$JAVA_HOME" \
- && test -f "$JAVA_HOME/lib/security/cacerts" \
- && chmod 777 "$JAVA_HOME/lib/security/cacerts"
-
 USER app
 ENTRYPOINT ["/bin/sh","./startup.sh"]

docker/startup.sh

@@ -1,41 +1,10 @@
 #!/usr/bin/env sh
-# Script to perform any custom docker startup actions
-# Allows local running where the jarfile is under ./build/lib
-# or dockerfile running where the app jarfile is under /app
-#
+# Add any startup requirements in here
 logmsg() {
     SCRIPTNAME=$(basename $0)
     echo "$SCRIPTNAME : $1"
 }
 
-logmsg "running and loading certificates ..."
-if [ -z "$JAVA_HOME" ]; then
-    export JAVA_HOME="/usr/local/openjdk-21"
-fi
-export KEYSTORE="$JAVA_HOME/lib/security/cacerts"
-if [ -z "$CERTS_DIR" ]; then
-    logmsg "Warning - expects \$CERTS_DIR to be set. i.e. export CERTS_DIR="/etc/certs
-    logmsg "Defaulting to /etc/certs"
-    export CERTS_DIR="/etc/certs"
-fi
-
-if [ ! -f "$KEYSTORE" ]; then
-    logmsg "Error - expects keystore $KEYSTORE to already exist"
-    exit 1
-fi
-
-export count=1
-logmsg "Loading certificates from $CERTS_DIR into keystore $KEYSTORE"
-for FILE in $(ls $CERTS_DIR)
-do
-    alias="mojcert$count"
-    logmsg "Adding $CERTS_DIR/$FILE to keystore with alias $alias"
-    keytool -importcert -file $CERTS_DIR/$FILE -keystore $KEYSTORE -storepass changeit -alias $alias -noprompt
-    count=$((count+1))
-done
-
-keytool -list -keystore $KEYSTORE -storepass changeit | grep "Your keystore contains"
-
 export LOCALJARFILE=$(ls ./build/libs/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
 export DOCKERJARFILE=$(ls /app/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
 if [ -f "$DOCKERJARFILE" ]; then