ARG RUNTIME_IMAGE=nexus.ervu.rt-sk.ru/release/etl-base:1.12.6.1
FROM $RUNTIME_IMAGE

COPY mappings /opt/etl/config/projects/mappings
COPY mappings /opt/etl/config/projects/mappings
COPY certs/arango-leaf.pem /tmp/arango-leaf.pem
COPY certs/globalsign-gcc-r3.pem /tmp/globalsign-gcc-r3.pem
COPY certs/globalsign-root-r3.pem /tmp/globalsign-root-r3.pem

RUN set -eux; \
  CANDIDATES=""; \
  if [ -n "${JAVA_HOME:-}" ]; then \
    CANDIDATES="$CANDIDATES $JAVA_HOME/lib/security/cacerts"; \
  fi; \
  JAVA_BIN="$(readlink -f "$(which java)")"; \
  CANDIDATES="$CANDIDATES $(dirname "$JAVA_BIN")/../lib/security/cacerts \
                         /etc/ssl/certs/java/cacerts \
                         /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts \
                         /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts \
                         /usr/lib/jvm/java-17-openjdk/lib/security/cacerts \
                         /usr/lib/jvm/java-11-openjdk/lib/security/cacerts"; \
  for p in $CANDIDATES; do \
    if [ -f "$p" ]; then CACERTS="$p"; break; fi; \
  done; \
  echo ">> Using cacerts at: ${CACERTS:-<not found>}"; \
  [ -n "${CACERTS:-}" ] && [ -f "$CACERTS" ] || { echo "cacerts not found"; exit 1; }; \
  for f in /tmp/arango-leaf.pem /tmp/globalsign-gcc-r3.pem; do \
    [ -f "$f" ] || continue; \
    alias="$(basename "$f" .pem)"; \
    keytool -delete -alias "$alias" -keystore "$CACERTS" -storepass changeit >/dev/null 2>&1 || true; \
    keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$f" \
      -keystore "$CACERTS" -storepass changeit; \
    rm -f "$f"; \
  done; \
  keytool -list -keystore "$CACERTS" -storepass changeit | grep -E 'arango-leaf|globalsign-gcc-r3' || true
