Merge pull request #114 from hmcts/feature/java25-remove-certs

samirgarg · web-flow · commit bcd04cd5aed2 · 2026-02-25T14:30:22.000Z
chore: remove certs from startup.sh the cert authority is now baked i…
diff --git a/.github/workflows/ci-build-publish.yml b/.github/workflows/ci-build-publish.yml
@@ -157,7 +157,7 @@ jobs:
           tags: |
             ghcr.io/${{ github.repository }}:${{ needs.Artefact-Version.outputs.artefact_version }}
           build-args: |
-            BASE_IMAGE=openjdk:21-jdk-slim
+            BASE_IMAGE=eclipse-temurin:25
             JAR_FILENAME=${{ needs.Build.outputs.artefact_name }}.jar
 
   Deploy:
@@ -178,6 +178,7 @@ jobs:
               "GROUP_ID": "uk.gov.hmcts.cp",
               "ARTIFACT_ID": "${{ env.REPO_NAME }}",
               "ARTIFACT_VERSION": "${{ needs.Artefact-Version.outputs.artefact_version }}",
-              "TARGET_REPOSITORY": "${{ github.repository }}"
+              "TARGET_REPOSITORY": "${{ github.repository }}",
+              "agentDemand": "ubuntu-j25",
+              "baseImage": "hmcts/apm-services:25-jre"
             }
-
diff --git a/Dockerfile b/Dockerfile
@@ -1,25 +1,23 @@
-# Dockerfile (project root)
+# See ci-build-publish.yml which sets baseImage=hmcts/apm-services:25-jre and agentDemand:ubuntu-j25
+# azure pipeline replaces $BASE_IMAGE with crmdvrepo01.azurecr.io + $baseImage
+# This image has the hmcts self signing certificate authority added to truststore so we dont need to worry about about the certs
+# If pulling this locally we need to authenticate to acr ... az login; az acr login -n crmdvrepo01
 ARG BASE_IMAGE
 FROM ${BASE_IMAGE:-eclipse-temurin:25-jre}
 
 # install curl for debugging
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends curl \
+    && apt-get install -y curl \
     && rm -rf /var/lib/apt/lists/*
 
-# run as non-root
+# run as non-root ... group and user "app"
 RUN groupadd -r app && useradd -r -g app app
 WORKDIR /app
 
-# copy startup script and app jar file
+# ---- Application files ----
 COPY docker/* /app/
 COPY build/libs/*.jar /app/
 COPY lib/applicationinsights.json /app/
 
-# Not sure this does anything useful we can drop once we sort certificates
-RUN test -n "$JAVA_HOME" \
- && test -f "$JAVA_HOME/lib/security/cacerts" \
- && chmod 777 "$JAVA_HOME/lib/security/cacerts"
-
 USER app
 ENTRYPOINT ["/bin/sh","./startup.sh"]
diff --git a/docker/startup.sh b/docker/startup.sh
@@ -1,41 +1,10 @@
 #!/usr/bin/env sh
-# Script to perform any custom docker startup actions
-# Allows local running where the jarfile is under ./build/lib
-# or dockerfile running where the app jarfile is under /app
-#
+# Add any startup requirements in here
 logmsg() {
     SCRIPTNAME=$(basename $0)
     echo "$SCRIPTNAME : $1"
 }
 
-logmsg "running and loading certificates ..."
-if [ -z "$JAVA_HOME" ]; then
-    export JAVA_HOME="/usr/local/openjdk-21"
-fi
-export KEYSTORE="$JAVA_HOME/lib/security/cacerts"
-if [ -z "$CERTS_DIR" ]; then
-    logmsg "Warning - expects \$CERTS_DIR to be set. i.e. export CERTS_DIR="/etc/certs
-    logmsg "Defaulting to /etc/certs"
-    export CERTS_DIR="/etc/certs"
-fi
-
-if [ ! -f "$KEYSTORE" ]; then
-    logmsg "Error - expects keystore $KEYSTORE to already exist"
-    exit 1
-fi
-
-export count=1
-logmsg "Loading certificates from $CERTS_DIR into keystore $KEYSTORE"
-for FILE in $(ls $CERTS_DIR)
-do
-    alias="mojcert$count"
-    logmsg "Adding $CERTS_DIR/$FILE to keystore with alias $alias"
-    keytool -importcert -file $CERTS_DIR/$FILE -keystore $KEYSTORE -storepass changeit -alias $alias -noprompt
-    count=$((count+1))
-done
-
-keytool -list -keystore $KEYSTORE -storepass changeit | grep "Your keystore contains"
-
 export LOCALJARFILE=$(ls ./build/libs/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
 export DOCKERJARFILE=$(ls /app/*.jar 2>/dev/null | grep -v 'plain' | head -n1)
 if [ -f "$DOCKERJARFILE" ]; then
