Iss2509 - Store KeyStore credentials in the CREDS, provide to HTTP/Docker Manager #551

Merged
jadecarino merged 11 commits into galasa-dev:main from jadecarino:iss2509-docker-keystore
Mar 23, 2026

@jadecarino jadecarino commented Mar 19, 2026

Why?

Refer to galasa-dev/projectmanagement#2509

This pull request adds the ability to store a KeyStore credential in the local and ETCD CREDS stores. The purpose of this is to be able to provide that credential to the HTTP Manager so it can use it to set up client authentication with the enclosed certificates. The HTTP Manager can then pass this to the Docker Manager, so it can contact protected Docker engines via HTTPS.

Changes

Framework/Credentials

  • Adds a new credential type able to be stored in the credentials stores and used by Galasa tests, CredentialsKeyStore, which represents a Java KeyStore.
  • The CredentialsKeyStore has three parts: the KeyStore data which should be formatted as a prefix of "base64:" followed by the bytes of a Java KeyStore base64-encoded, the KeyStore password, and the KeyStore type (PKCS12 or JKS).
  • Unit tests for CredentialsKeyStore class.

Managers

  • New CPS property for the Docker Manager to provide a credentials ID for a particular Docker engine. If provided, the Docker Manager will attempt to retrieve the CredentialsKeyStore from the credentials.properties, and configure an HTTPS connection with the included certificates.
  • Changes to the HTTP Manager to set up client authentication using this KeyStore's certificates.
  • Changes to DockerExecImpl as this uses a raw HttpConnection instead of the manager's HTTPClient, and so couldn't access the KeyStore certificates, so this change checks if an SSL Context is available, and if so uses it in the HttpConnection.
  • DockerManagerIVT has been successfully run against a protected Docker engine to test these changes.

REST API

  • KeyStore credentials can be stored and retrieved in the ETCD CREDS store by REST API calls.
  • Unit tests for servlet calls to create/update KeyStore credentials.
  • REST API changes tested in Minikube system.

Documentation

  • User-facing documentation.
  • Release notes.

@jadecarino jadecarino requested a review from eamansour March 19, 2026 10:00
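
The three-part credential format in the description above ("base64:"-prefixed KeyStore bytes, password, and a type of PKCS12 or JKS) can be turned into a client-authentication SSLContext as follows. This is an added example, not code from the pull request or from Galasa; the class and method names are hypothetical, the strict prefix check is an assumption, and the sample KeyStore is constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Hypothetical helper for illustration; not a Galasa class.
public class KeyStoreCredentialExample {
    private static final String PREFIX = "base64:";
    private static final Set<String> TYPES = Set.of("PKCS12", "JKS");

    // Turn the three credential parts into a loaded KeyStore, failing closed on bad input.
    static KeyStore load(String data, String password, String type) throws Exception {
        if (data == null || !data.startsWith(PREFIX))
            throw new IllegalArgumentException("KeyStore data must start with '" + PREFIX + "'");
        if (password == null || type == null || !TYPES.contains(type))
            throw new IllegalArgumentException("Need a password and a type of PKCS12 or JKS");
        // Base64 decoder throws IllegalArgumentException on malformed input.
        byte[] raw = Base64.getDecoder().decode(data.substring(PREFIX.length()));
        KeyStore ks = KeyStore.getInstance(type);
        // load() checks the store against the password; a wrong one surfaces as IOException.
        ks.load(new ByteArrayInputStream(raw), password.toCharArray());
        return ks;
    }

    // Build an SSLContext that offers the KeyStore's certificates for client authentication.
    static SSLContext clientContext(KeyStore ks, String password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = JVM default trust managers and RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty in-memory PKCS12 store stands in for a real one.
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, "changeit".toCharArray());
        String data = PREFIX + Base64.getEncoder().encodeToString(out.toByteArray());

        KeyStore ks = load(data, "changeit", "PKCS12");
        System.out.println(clientContext(ks, "changeit").getProtocol() + " context, entries=" + ks.size());
        try { load(data.substring(PREFIX.length()), "changeit", "PKCS12"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Rejecting unprefixed data and unknown types before calling `KeyStore.getInstance` keeps malformed credentials from reaching the TLS setup, and passing `null` trust managers leaves server verification on the JVM's default trust store.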

@eamansour eamansour left a comment

Overall looks good! I've added a few thoughts and suggestions to the PR - happy to approve once they're addressed!

Comment thread docs/docker-tls-configuration.md Outdated
Comment thread docs/docker-tls-configuration.md Outdated
Comment thread docs/docker-tls-configuration.md Outdated
…d ETCD credentials, and provided to HTTP Client Manager, allowing Docker Manager to contact protected engines via HTTPS

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
…tore by the REST API

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
…ature

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
…into the Mkdocs website layout, add Windows commands, fix layout issues

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
… if keystore can't be loaded instead of RuntimeException

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
…eTest, replace with mock objects

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
… JSON payload to need a 'base64:' prefix, to reduce chance of user error if users forget to add the prefix

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
…ovided, instead of the code running into a NullPointerException

Signed-off-by: Jade Carino <carino_jade@yahoo.co.uk>
@jadecarino jadecarino force-pushed the iss2509-docker-keystore branch from 1641dce to 9e72675 Compare March 23, 2026 11:56
@jadecarino jadecarino merged commit b349a05 into galasa-dev:main Mar 23, 2026
37 checks passed
@jadecarino jadecarino deleted the iss2509-docker-keystore branch April 13, 2026 16:12