Quarkus tls registry ignores environment variables in some cases #44982

Open
Malandril opened this issue Dec 7, 2024 · 3 comments · May be fixed by #44924
Labels
area/config kind/bug Something isn't working

Comments


Malandril commented Dec 7, 2024

Describe the bug

The quarkus tls registry ignores some keystore properties that are in environment variables.
It can be triggered reliably when "a lot" of @ConfigMapping are present.
I could reproduce it since quarkus 3.17.0.
Injecting a smallrye-config @ConfigProperty corresponding to one of the tls registry configs works as intended.

Expected behavior

Environment variables should work to configure the tls registry.

Actual behavior

Environment variables are ignored.

How to Reproduce?

Reproducer available here https://github.com/Malandril/-quark-bug-tls

To reproduce, export the following variables:

export QUARKUS_TLS_MYTLS_KEY_STORE_P12_PASSWORD=changeit 
export QUARKUS_TLS_MYTLS_KEY_STORE_P12_PATH="$(pwd)/test.p12" 

Then run the app: ./gradlew qD

If you query the endpoint curl localhost:8080/test/hello, the keystore will be null, but the properties are well loaded by quarkus.
Output:

{
    "keystore": null,
    "configuredPath": "quark-bug-tls/test.p12"
}

If you comment out some of the injected configMappings and restart, the app will work fine and the keystore will be loaded correctly.

--- a/src/main/java/com/test/scheduler/HelloController.java
+++ b/src/main/java/com/test/scheduler/HelloController.java
@@ -37,30 +37,30 @@ public class HelloController {

     @Inject
     Intermediate intermediate;
-    @Inject
-    B b;
-    @Inject
-    C c;
-    @Inject
-    D d;
-    @Inject
-    E e;
-    @Inject
-    G g;
-    @Inject
-    H h;
-    @Inject
-    I i;
-    @Inject
-    J j;
-    @Inject
-    K k;
-    @Inject
-    L l;
-    @Inject
-    M m;
-    @Inject
-    N n;
+//    @Inject
+//    B b;
+//    @Inject
+//    C c;
+//    @Inject
+//    D d;
+//    @Inject
+//    E e;
+//    @Inject
+//    G g;
+//    @Inject
+//    H h;
+//    @Inject
+//    I i;
+//    @Inject
+//    J j;
+//    @Inject
+//    K k;
+//    @Inject
+//    L l;
+//    @Inject
+//    M m;
+//    @Inject
+//    N n;

     @ConfigProperty(name = "quarkus.tls.mytls.key.store.p12.path")
     String string;
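
Review bot: the removed @Inject block comments out all twelve mappings at once (B through N, with no F in the list), so the hunk does not show how many mappings, or which ones, have to stay injected for the environment variables to be ignored. Narrow the change to the smallest set whose removal flips "keystore" from null to loaded, and state that set in the report so the trigger can be reproduced without trial and error.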

Output of the endpoint after patch:

{
    "keystore": {
        "type": "PKCS12",
        "provider": {
            "Alg.Alias.KeyFactory.OID.1.2.840.113549.1.9.16.3.17": "HSS/LMS",
            "Signature.SHA3-384withDSA ImplementedIn": "Software",
            ...
        }
    },
    "configuredPath": "quark-bug-tls/test.p12"
}

Quarkus version or git rev

3.17.3

Build tool (ie. output of mvnw --version or gradlew --version)

gradle 8.11.1

Additional information

Using system properties to pass tls configuration works as expected, I could only reproduce it with environment variables.

@Malandril Malandril added the kind/bug Something isn't working label Dec 7, 2024

gsmet commented Dec 7, 2024

Thanks for the bug report and the reproducer!

Could you clarify exactly what you remove to make it work so that we don’t play hide and seek? Thanks!

quarkus-bot bot commented Dec 7, 2024

/cc @radcortez (config)


radcortez commented Dec 7, 2024

No worries, I already had a look and the issue is here:

https://github.com/smallrye/smallrye-config/blob/95881f00a09fdae86437e4f4aad94e1511185d9e/implementation/src/main/java/io/smallrye/config/ConfigMappingContext.java#L202-L215

To reduce work, we try to match only a single root to compare against the names of that particular root. This works fine if every root has a different prefix, but we have a root that is just quarkus. So quarkus.tls would both match quarkus and quarkus.tls. Adding more mappings changes the order in which they appear on the list, which explains why it works until a certain point.

Until we have a fix, I recommend just setting the properties as empty in application.properties as described in https://quarkus.io/guides/config-reference#environment-variables.

quarkus.tls.mytls.key-store.p12.password=
quarkus.tls.mytls.key-store.p12.path=

We added that other piece for mappings so we could do that automatically. It shouldn't be too hard to fix.
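
Added example, not part of the thread and not SmallRye Config's code: a simplified model of the root selection described in the comment above, showing why stopping at the first root whose prefix matches makes the result depend on list order when one root is just quarkus. The Root record, firstMatch, anyRoot and the property name quarkus.example-flag are hypothetical names constructed for this illustration.

```java
import java.util.*;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Simplified model of the behaviour described in the thread; not SmallRye Config's implementation.
public class RootMatchDemo {
    // A mapping root: its prefix and the property names it declares ('*' stands for a map key).
    record Root(String prefix, Set<String> names) {}

    // Environment-variable form of a name: non-alphanumerics become '_', then upper-case.
    static String env(String name) {
        return name.replaceAll("[^A-Za-z0-9]", "_").toUpperCase(Locale.ROOT);
    }

    // True if the environment variable corresponds to the declared property pattern.
    static boolean matches(String envVar, String pattern) {
        String regex = Arrays.stream(pattern.split("\\*", -1))
                .map(part -> Pattern.quote(env(part)))
                .collect(Collectors.joining("[A-Z0-9_]+"));
        return envVar.matches(regex);
    }

    // Order-dependent: only the first root whose prefix matches is consulted.
    static Optional<String> firstMatch(List<Root> roots, String envVar) {
        for (Root r : roots)
            if (envVar.startsWith(env(r.prefix()) + "_"))
                return r.names().stream().filter(n -> matches(envVar, n)).findFirst();
        return Optional.empty();
    }

    // Order-independent: every root whose prefix matches is consulted.
    static Optional<String> anyRoot(List<Root> roots, String envVar) {
        return roots.stream()
                .filter(r -> envVar.startsWith(env(r.prefix()) + "_"))
                .flatMap(r -> r.names().stream())
                .filter(n -> matches(envVar, n))
                .findFirst();
    }

    public static void main(String[] args) {
        Root core = new Root("quarkus", Set.of("quarkus.example-flag")); // constructed name
        Root tls = new Root("quarkus.tls", Set.of(
                "quarkus.tls.*.key-store.p12.path", "quarkus.tls.*.key-store.p12.password"));
        String var = "QUARKUS_TLS_MYTLS_KEY_STORE_P12_PATH";
        for (List<Root> order : List.of(List.of(tls, core), List.of(core, tls)))
            System.out.println(order.stream().map(Root::prefix).toList()
                    + " first-match=" + firstMatch(order, var).orElse("<ignored>")
                    + " any-root=" + anyRoot(order, var).orElse("<ignored>"));
    }
}
```

With the quarkus root listed first, firstMatch drops the variable while anyRoot still resolves it to the key-store path property, which is the silent "keystore": null outcome from the report.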
