From bd6e4a5ddcf35f10519b72105acbb198d3c40d96 Mon Sep 17 00:00:00 2001 From: Markus Skyttner Date: Wed, 14 Aug 2024 11:48:19 +0200 Subject: [PATCH] upgrade to shinyproxy 3.1.1 --- Dockerfile | 11 ++++++----- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1903f74..81afa62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,16 @@ #FROM eclipse-temurin:17.0.10_7-jre-alpine -FROM eclipse-temurin:22_36-jre-alpine ##RUN apt-get update -y && apt-get install -y \ # provides envsubst; required for application config file interpolation +FROM eclipse-temurin:22_36-jre-alpine + RUN apk add --no-cache \ gettext ca-certificates openssl bash ARG INSTALL_DIR=/opt/shinyproxy ARG CONFIG_DIR=/opt/shinyproxy -ARG SHINYPROXY_VERSION=3.1.0 +ARG SHINYPROXY_VERSION=3.1.1 ENV INSTALL_DIR=$INSTALL_DIR ENV CONFIG_DIR=$CONFIG_DIR @@ -24,11 +25,11 @@ RUN wget -c -T 5 "https://www.shinyproxy.io/downloads/shinyproxy-${SHINYPROXY_VE COPY ./certs/prod/localhost.crt /certificates/prod.crt COPY ./certs/dev/localhost.crt /certificates/dev.crt - RUN USE_SYSTEM_CA_CERTS=true /__cacert_entrypoint.sh -#RUN update-ca-certificates - +RUN update-ca-certificates +#RUN CACERT="$JAVA_HOME/lib/security/cacerts" trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" + #COPY ./docker-entrypoint.sh init-config.sh #RUN chmod +x ./init-config.sh \ diff --git a/README.md b/README.md index 3eaa708..5bd1877 100644 --- a/README.md +++ b/README.md 
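Review bot: The added `RUN update-ca-certificates` in the second Dockerfile hunk refreshes only the OS certificate bundle. The JVM truststore is written by `trust extract`, which this hunk adds only as a comment, so Java-side trust of the files under `/certificates` still depends on the preceding `RUN USE_SYSTEM_CA_CERTS=true /__cacert_entrypoint.sh` step. Going by the script quoted in the README change, that step already calls `update-ca-certificates` itself, so the new line looks redundant; I would drop it or state its purpose with a comment such as `# OS bundle only; the JVM cacerts file is generated by /__cacert_entrypoint.sh above`. Separately, the context lines copy both `prod.crt` and `dev.crt` unconditionally, so the dev certificate appears to become a trust anchor in every image built from this file; selecting the certificate through a build `ARG` would keep it out of production images. The Dockerfile continues past the end of this hunk, so later steps are not covered here.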
@@ -13,3 +13,43 @@ Documentation and release notes: - https://shinyproxy.io/ - https://shinyproxy.io/downloads/#310 + +## Gotcha + +See + +To avoid "unable to write file" during "make build".... this is how cacerts are installed using the script in `/__cacert_entrypoint.sh`: + +```bash +#!/usr/bin/env sh +# Converted to POSIX shell to avoid the need for bash in the image + +set -e + +# Opt-in is only activated if the environment variable is set +if [ -n "$USE_SYSTEM_CA_CERTS" ]; then + + # Copy certificates from /certificates to the system truststore, but only if the directory exists and is not empty. + # The reason why this is not part of the opt-in is because it leaves open the option to mount certificates at the + # system location, for whatever reason. + if [ -d /certificates ] && [ -n "$(ls -A /certificates 2>/dev/null)" ]; then + cp -a /certificates/* /usr/local/share/ca-certificates/ + fi + + CACERT="$JAVA_HOME/lib/security/cacerts" + + # JDK8 puts its JRE in a subdirectory + if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then + CACERT="$JAVA_HOME/jre/lib/security/cacerts" + fi + + # OpenJDK images used to create a hook for `update-ca-certificates`. Since we are using an entrypoint anyway, we + # might as well just generate the truststore and skip the hooks. + update-ca-certificates + + trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$CACERT" +fi + +exec "$@" + +```