cacerts permission causes issue with sonarqube helm chart
Summary
The file ${JAVA_HOME}/lib/security/cacerts has 444 permissions in the Iron Bank image, but 644 permissions in the upstream SonarSource container. The helm chart (as used for Big Bang) runs a ca-certs initContainer that copies "${JAVA_HOME}/lib/security/cacerts" to /tmp/certs/cacerts and then runs keytool against the copy to add the additional CA certificates. Because cp carries the source mode over to the copy, /tmp/certs/cacerts is also 444, and keytool fails when it tries to write the updated keystore back to that file.
In this container ${JAVA_HOME}/lib/security/cacerts (/usr/lib/jvm/jre-17-openjdk/lib/security/cacerts) is a symlink to /etc/pki/java/cacerts, which is in turn a symlink to /etc/pki/ca-trust/extracted/java/cacerts. That final target has 444 permissions.
In the original container from SonarSource, ${JAVA_HOME}/lib/security/cacerts (/opt/java/openjdk/lib/security/cacerts) is a regular file, not a link, with 644 permissions.
Steps to reproduce
Use the SonarQube helm chart for Big Bang with CA-Certs enabled.
Example configmap snippet
sonarqube:
  enabled: true
  values:
    upstream:
      caCerts:
        enabled: true
        secret: additionalCA
What is the current bug behavior?
As SonarQube is initializing, the ca-certs initContainer in the sonarqube-sonarqube-0 pod logs the following error. keytool prints "Certificate was added to keystore" before it saves the keystore, so the line that matters is the second one, where the write to /tmp/certs/cacerts is refused:
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /tmp/certs/cacerts (Permission denied)
What is the expected correct behavior?
keytool has write access to /tmp/certs/cacerts, the additional CA certificates are added to the keystore, and SonarQube starts correctly.
Relevant logs and/or screenshots
Possible fixes
Update the ${JAVA_HOME}/lib/security/cacerts file to have 644 permissions in the image. Since that path is a symlink chain, the mode that has to change is the one on the final target, /etc/pki/ca-trust/extracted/java/cacerts (chmod follows symlinks, so applying it through the ${JAVA_HOME} path lands there). As a chart-side workaround, the initContainer could also chmod its own copy at /tmp/certs/cacerts before running keytool.
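The copy step and both fixes, as an added shell example that is not the sonarqube chart's initContainer script nor anything from the Iron Bank image. It builds a throwaway directory tree that mirrors the symlink chain described above (the directory names under the temp root are constructed for the demo), shows that a plain cp of the 444 file produces a 444 copy, and then shows the result of chmod on the copy and of chmod through the ${JAVA_HOME}-style path. Modes are read from ls rather than test -w, because root passes -w even on a 444 file.

```shell
#!/bin/sh
# Added example: reproduces the unwritable /tmp/certs/cacerts copy and demonstrates
# the two fixes. Not the chart's or the image's own code; paths are constructed.
set -eu
umask 022   # make the cp result deterministic: 444 & ~022 = 444

# Build a stand-in for the Iron Bank layout under $1: a symlink chain whose final
# target is mode 444, mirroring
#   ${JAVA_HOME}/lib/security/cacerts -> /etc/pki/java/cacerts
#                                     -> /etc/pki/ca-trust/extracted/java/cacerts
setup_fixture() {
  root=$1
  mkdir -p "$root/ca-trust/extracted/java" "$root/pki/java" \
           "$root/jre/lib/security" "$root/tmp/certs"
  printf 'stand-in for the JKS keystore bytes\n' > "$root/ca-trust/extracted/java/cacerts"
  chmod 444 "$root/ca-trust/extracted/java/cacerts"
  ln -s "$root/ca-trust/extracted/java/cacerts" "$root/pki/java/cacerts"
  ln -s "$root/pki/java/cacerts" "$root/jre/lib/security/cacerts"
}

# Permission string of a path, e.g. "-r--r--r--" (first 10 columns of ls -ld).
mode_of() { ls -ld "$1" | cut -c1-10; }

# What the initContainer does today: cp without -p gives the new file the source
# mode masked by umask, so a 444 source yields a 444 copy that keytool cannot write.
copy_as_chart_does() {
  rm -f "$1/tmp/certs/cacerts"
  cp "$1/jre/lib/security/cacerts" "$1/tmp/certs/cacerts"
  mode_of "$1/tmp/certs/cacerts"
}

# Chart-side workaround: make the working copy writable before keytool touches it.
copy_then_chmod() {
  rm -f "$1/tmp/certs/cacerts"
  cp "$1/jre/lib/security/cacerts" "$1/tmp/certs/cacerts"
  chmod 644 "$1/tmp/certs/cacerts"
  mode_of "$1/tmp/certs/cacerts"
}

# Image-side fix: chmod through the ${JAVA_HOME} path. chmod follows symlinks, so the
# mode change lands on the real file at the end of the chain, and later copies inherit it.
fix_in_image() {
  chmod 644 "$1/jre/lib/security/cacerts"
  mode_of "$1/ca-trust/extracted/java/cacerts"
}

# Stand-alone run: each step against a fresh fixture in a temp directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
setup_fixture "$demo"
echo "copy as the chart does      : $(copy_as_chart_does "$demo")"
echo "copy then chmod the copy    : $(copy_then_chmod "$demo")"
echo "chmod via JAVA_HOME symlink : $(fix_in_image "$demo")"
echo "copy again after image fix  : $(copy_as_chart_does "$demo")"
```

Running it as a non-root user or as root gives the same four mode strings; the first is -r--r--r-- and the remaining three are -rw-r--r--, which is exactly the difference between the failing initContainer and a working one.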
Tasks
- Bug has been identified and corrected within the container
Please read the Iron Bank Documentation for more info