From bf658e35b06487eea1a9c3217386c6927cf91292 Mon Sep 17 00:00:00 2001
From: Leo Christy Jesuraj
Date: Mon, 2 Jun 2025 17:50:53 -0400
Subject: [PATCH] Add keystore.xml to overrides, not defaults, when keystore is generated by Liberty container startup process
Signed-off-by: Leo Christy Jesuraj
---
 .../latest/beta/helpers/runtime/docker-server.sh | 13 ++++++++-----
 .../latest/full/helpers/runtime/docker-server.sh | 13 ++++++++-----
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/releases/latest/beta/helpers/runtime/docker-server.sh b/releases/latest/beta/helpers/runtime/docker-server.sh
index 4c36a2e1c..9ee5f0dad 100755
--- a/releases/latest/beta/helpers/runtime/docker-server.sh
+++ b/releases/latest/beta/helpers/runtime/docker-server.sh
@@ -23,6 +23,8 @@ function importKeyCert() {
 # Import the private key and certificate into new keystore
 if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
+ # Mounted certificates found. Assume the user wants to overwrite any existing keystore
+ # and add these certificates
 echo "Found mounted TLS certificates, generating keystore"
 setPasswords PASSWORD TRUSTSTORE_PASSWORD
 mkdir -p /output/resources/security
@@ -44,7 +46,7 @@ function importKeyCert() {
 fi
 # Since we are creating new keystore, always write new password to a file
- sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
+ sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
 # Add mounted CA to the truststore
 if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
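Review bot: The rewritten `sed "s|REPLACE|$PASSWORD|g" … > $keystorePathOverride` line in the `@@ -44,7 +46,7 @@` hunk still interpolates the keystore password into the sed program, so a value containing `|`, `&` or `\` would break the expression or write a password that no longer matches the keystore. setPasswords is defined outside this hunk, so its output alphabet should be confirmed, or the value escaped first. The snippet holding the password now lands in configDropins/overrides with whatever mode the umask gives, and the password also appears in sed's argument list; a restrictive `umask` around the write would bound who can read the file. Quoting the operands (`"$SNIPPETS_SOURCE/keystore.xml" > "$keystorePathOverride"`) would match the quoted tests added later in the patch. The identical line is changed in releases/latest/full/helpers/runtime/docker-server.sh, and importKeyCert's body starts and ends outside the hunk.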
@@ -70,10 +72,10 @@ function importKeyCert() {
 rm -rf /tmp/certs
 fi
- # Add the keystore password to server configuration
- if [ ! -e $keystorePath ]; then
+ # If no keystore has been created, add a keystore password to server configuration
+ if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
 setPasswords PASSWORD TRUSTSTORE_PASSWORD
- sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
+ sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
 fi
 if [ -e $TRUSTSTORE_FILE ]; then
 setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +91,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
 SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
 SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
-keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
+keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
+keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
 if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
 cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml
diff --git a/releases/latest/full/helpers/runtime/docker-server.sh b/releases/latest/full/helpers/runtime/docker-server.sh
index 4c36a2e1c..9ee5f0dad 100755
--- a/releases/latest/full/helpers/runtime/docker-server.sh
+++ b/releases/latest/full/helpers/runtime/docker-server.sh
@@ -23,6 +23,8 @@ function importKeyCert() {
 # Import the private key and certificate into new keystore
 if [ -f "${CERT_FOLDER}/${KEY_FILE}" ] && [ -f "${CERT_FOLDER}/${CRT_FILE}" ]; then
+ # Mounted certificates found. Assume the user wants to overwrite any existing keystore
+ # and add these certificates
 echo "Found mounted TLS certificates, generating keystore"
 setPasswords PASSWORD TRUSTSTORE_PASSWORD
 mkdir -p /output/resources/security
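Review bot: The new comment in the `@@ -70,10 +72,10 @@` hunk says "If no keystore has been created", but the test beneath it checks for the keystore.xml configuration snippets in defaults/ and overrides/, not for a keystore file; `# If neither configDropins/defaults nor configDropins/overrides holds a keystore.xml snippet, write the password snippet to defaults` would describe what the code does. The test quotes both paths while the redirect two lines later does not; `> "$keystorePathDefault"` would be consistent. Both variables are assigned at file scope in the `@@ -89,7 +91,8 @@` hunk, so importKeyCert relies on being called after those assignments, and the call site is not visible here. The same hunk appears in releases/latest/full/helpers/runtime/docker-server.sh.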
@@ -44,7 +46,7 @@ function importKeyCert() {
 fi
 # Since we are creating new keystore, always write new password to a file
- sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
+ sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathOverride
 # Add mounted CA to the truststore
 if [ -f "${CERT_FOLDER}/${CA_FILE}" ]; then
@@ -70,10 +72,10 @@ function importKeyCert() {
 rm -rf /tmp/certs
 fi
- # Add the keystore password to server configuration
- if [ ! -e $keystorePath ]; then
+ # If no keystore has been created, add a keystore password to server configuration
+ if [ ! -e "$keystorePathDefault" ] && [ ! -e "$keystorePathOverride" ]; then
 setPasswords PASSWORD TRUSTSTORE_PASSWORD
- sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $SNIPPETS_TARGET_DEFAULTS/keystore.xml
+ sed "s|REPLACE|$PASSWORD|g" $SNIPPETS_SOURCE/keystore.xml > $keystorePathDefault
 fi
 if [ -e $TRUSTSTORE_FILE ]; then
 setPasswords PASSWORD TRUSTSTORE_PASSWORD
@@ -89,7 +91,8 @@ SNIPPETS_SOURCE=/opt/ol/helpers/build/configuration_snippets
 SNIPPETS_TARGET_DEFAULTS=/config/configDropins/defaults
 SNIPPETS_TARGET_OVERRIDES=/config/configDropins/overrides
-keystorePath="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
+keystorePathDefault="$SNIPPETS_TARGET_DEFAULTS/keystore.xml"
+keystorePathOverride="$SNIPPETS_TARGET_OVERRIDES/keystore.xml"
 if [ "$SSL" = "true" ] || [ "$TLS" = "true" ]; then
 cp $SNIPPETS_SOURCE/tls.xml $SNIPPETS_TARGET_OVERRIDES/tls.xml