Issue mounting truststore using helmchart

[kuliktomas]

Hi, I am using the ejbca-ce helm chart and mounting custom trust an keystore.

importAppserverKeystore: true
appserverKeystoreSecret: ejbca-keystore
importAppserverTruststore: true
appserverTruststoreSecret: ejbca-truststore

keystore is happilly read and used but truststore is not. I am using the two environment variables to set the passwords

APPSERVER_KEYSTORE_SECRET: "password"
APPSERVER_TRUSTSTORE_SECRET: "password"

and found this issue with truststore (from the log)

2025-11-24 14:05:09,261+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Use provided secret for the truststore
/opt/keyfactor/bin/internal/after-deployed.sh: line 103: /opt/keyfactor/secrets/external/tls/ts/truststore.storepasswd: Read-only file system
2025-11-24 14:05:09,269+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) No truststore and/or password file were detected at '/opt/keyfactor/secrets/external/tls/ts/truststore.[jks|storepasswd]'. Check mount points and file permissions if this is not what you expected.

I looked through the after-deployed.sh script and found that the keystore step does not try to create a password file while the truststore does, which does not work as it is a read only mount. The truststore.jks is mounted and i can access it via keytool.

lines 50-53 Keystore

if [ -n "$secretKeyStorepasswd" ] ; then
    log "INFO" "Use provided secret for the keystore"
    **# echo "${secretKeyStorepasswd}" > "$keyStoreStorepasswd"**  --> note the line commented out
    storepasswd=$secretKeyStorepasswd

lines101-104 Trustore

if [ -n "$secretStorepasswd" ] ; then
    log "INFO" "Use provided secret for the truststore"
    **echo "${secretStorepasswd}" > "$keyStoreStorepasswd"** --> attempt to create a file fails
fi

is there any workaround other than mounting both files manually via volume mount? Or potentially I am misunderstanding the problem?

Thank you! Tomas

[dobicinaitis]

Awesome analysis! 👏 Your assessment is 100% correct. I've logged the issue in our internal bug tracker (KFC-268).
The safest workaround would indeed be to include a truststore.storepasswd file in the ejbca-truststore secret.

[kuliktomas]

super, I have just mounted the password as a file, works without any issue.