Tags: spring-boot, cloud-foundry, pcf

How to store a small Confidential file in PCF so that a Spring boot App can access it


I have to store my Kafka Keystore.jks and Truststore.jks files in PCF so that my Spring Boot app running there can use them to access the cluster.

The solution that I have in my mind is as follows. My Jenkins pipeline is hooked up to HashiCorp Vault, so I can keep the Base64-encoded content in Vault and read it from there during the deployment. But I don't know how to dump that content as a file on the PCF VM before my Java app starts. I tried to pursue the .profile route; unfortunately the Java buildpack doesn't support .profile. Any pointers will be greatly appreciated. Thank you!


Solution

  A few options:

    1. Put your JKS files, which are password protected, inside your app. Pass in the password to read them using an environment variable, a user-provided service, Spring Config Server or the CredHub service broker.

    2. Same as #1, but create a small custom buildpack that installs your JKS files. Use the platform's multi-buildpack functionality to run your custom buildpack first and the Java buildpack second. This option is a little more convenient if you have lots of apps using the same JKS files.

    3. Base64-encode your JKS files and stuff them into an environment variable, a user-provided service, Spring Config Server or the CredHub service broker. Retrieve & decode them as your app starts, either in a .profile file or in the app itself.

    When building your JAR file, you can run jar uf <path/to/file.jar> .profile and it will add the .profile file to the root of your JAR.

    You can confirm it's in the right place by running jar tf <path/to/file.jar>. The output should look like this...

    ...
    BOOT-INF/lib/jackson-annotations-2.9.0.jar
    BOOT-INF/lib/jackson-core-2.9.6.jar
    BOOT-INF/lib/reactive-streams-1.0.2.jar
    BOOT-INF/lib/logback-core-1.2.3.jar
    BOOT-INF/lib/log4j-api-2.10.0.jar
    <rest of your files here>
    ... 
    .profile
    

    Note how there is no path in front of .profile. That's where it needs to be to work properly.

    Hope that helps!
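Option 3 in practice: the following .profile is an added example (not code from the answer above) that decodes Base64-encoded environment variables into the two JKS files before the JVM starts, writes them with owner-only permissions, and refuses to start the app if a variable is missing or not valid Base64. The variable names KAFKA_KEYSTORE_B64, KAFKA_TRUSTSTORE_B64 and KAFKA_STORE_DIR, and the exported *_LOCATION names the app is assumed to bind to, are assumptions; only VCAP_APPLICATION is a real Cloud Foundry variable.

```shell
#!/bin/sh
# .profile placed at the JAR root: runs in the app container before the JVM.
# Assumed inputs (not from the original answer): KAFKA_KEYSTORE_B64 and
# KAFKA_TRUSTSTORE_B64 hold the Base64-encoded JKS files; KAFKA_STORE_DIR
# optionally overrides where they are written (default: $HOME/kafka).

# write_store VAR_NAME DEST_PATH
# Decodes the Base64 content of $VAR_NAME into DEST_PATH (mode 0600).
# Returns 1 if the variable is unset/empty, 2 if its content is not valid Base64.
write_store() {
    var_name="$1"
    dest="$2"
    # POSIX sh indirect expansion of the variable whose name is in $var_name
    content=$(eval "printf '%s' \"\${$var_name}\"")
    if [ -z "$content" ]; then
        echo "$var_name is not set; refusing to start without $dest" >&2
        return 1
    fi
    umask 077   # key material must never be group- or world-readable
    if ! printf '%s' "$content" | base64 -d > "$dest" 2>/dev/null; then
        rm -f "$dest"   # do not leave a truncated/partial keystore behind
        echo "$var_name does not contain valid Base64" >&2
        return 2
    fi
    chmod 600 "$dest"
    return 0
}

# Materialise both stores and publish their paths for the app to pick up.
# The JKS files stay password protected; the password travels separately.
install_kafka_stores() {
    store_dir="${KAFKA_STORE_DIR:-$HOME/kafka}"
    mkdir -p "$store_dir"
    write_store KAFKA_KEYSTORE_B64 "$store_dir/keystore.jks" || return $?
    write_store KAFKA_TRUSTSTORE_B64 "$store_dir/truststore.jks" || return $?
    export KAFKA_SSL_KEYSTORE_LOCATION="$store_dir/keystore.jks"
    export KAFKA_SSL_TRUSTSTORE_LOCATION="$store_dir/truststore.jks"
}

# VCAP_APPLICATION is set by Cloud Foundry inside the app container, so this
# only fires on the platform; a failure aborts staging of the process.
if [ -n "${VCAP_APPLICATION:-}" ]; then
    install_kafka_stores || exit 1
fi
```

The .profile runs in the same container as the app, so the decoded files live only on that instance's ephemeral disk and the Base64 variables never need to reach the JAR itself.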