Merge branch 'main' into domain-proxy

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM registry.access.redhat.com/ubi9/go-toolset:1.22.5-1731639025@sha256:45170b6e45114849b5d2c0e55d730ffa4a709ddf5f58b9e810548097b085e78f as builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22.7-1733160835@sha256:e8e961aebb9d3acedcabb898129e03e6516b99244eb64330e5ca599af9c7aa3d as builder
 
 # Copy the Go Modules manifests
 COPY go.mod go.mod

deploy/pipeline/mw-pipeline-v0.1.yaml

@@ -0,0 +1,163 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: mw-pipeline
+spec:
+  params:
+    - name: QUAY_REPO
+      type: string
+    - name: URL
+      description: Repository URL to clone from
+      type: string
+    - name: REVISION
+      description: 'Revision to checkout. (branch, tag, sha, ref, etc...)'
+      type: string
+      default: main
+    - name: BUILD_SCRIPT
+      description: 'The build script to embed with the Containerfile'
+      type: string
+      default: |
+        date
+    - name: RECIPE_IMAGE
+      type: string
+    - name: BUILD_TOOL
+      type: string
+    - name: BUILD_TOOL_VERSION
+      type: string
+    - name: JAVA_VERSION
+      type: string
+    - name: MVN_REPO_DEPLOY_URL
+      description: Maven repository to deploy to
+      type: string
+      default: http://indyhost/ #TODO remove default
+    - name: MVN_REPO_DEPENDENCIES_URL
+      description: Maven repository to get dependencies from
+      type: string
+    - name: ACCESS_TOKEN
+      type: string
+    - name: BUILD_ID
+      type: string
+    - name: caTrustConfigMapName
+      type: string
+    - name: ENABLE_INDY_PROXY
+      type: string
+    - name: JVM_BUILD_SERVICE_REQPROCESSOR_IMAGE
+      type: string
+  workspaces:
+    - name: source
+      description: Workspace containing the source code
+    # - name: ssh-directory
+    # configMap:
+    #   name: ssh-directory
+  tasks:
+    - name: git-clone
+      params:
+        - name: url
+          value: $(params.URL)
+        - name: revision
+          value: $(params.REVISION)
+        - name: verbose
+          value: 'true'
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: git-clone
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1
+          - name: kind
+            value: task
+      workspaces:
+        - name: output
+          workspace: source
+        # - name: ssh-directory
+        #   workspace: ssh-directory
+    - name: pre-build
+      runAfter:
+        - git-clone
+      params:
+        - name: JVM_BUILD_SERVICE_REQPROCESSOR_IMAGE
+          value: $(params.JVM_BUILD_SERVICE_REQPROCESSOR_IMAGE)
+        - name: IMAGE_URL
+          value: $(params.QUAY_REPO):trusted-source-$(context.pipelineRun.name)
+        - name: NAME
+          value: $(context.pipelineRun.name)
+        - name: RECIPE_IMAGE
+          value: $(params.RECIPE_IMAGE)
+        - name: BUILD_TOOL
+          value: $(params.BUILD_TOOL)
+        - name: BUILD_TOOL_VERSION
+          value: $(params.BUILD_TOOL_VERSION)
+        - name: JAVA_VERSION
+          value: $(params.JAVA_VERSION)
+        - name: BUILD_SCRIPT
+          value: $(params.BUILD_SCRIPT)
+        # TODO: Below is needed for deploy-pre-build-source step and could be skipped if its removed.
+        - name: SCM_URL
+          value: $(params.URL)
+        - name: SCM_HASH
+          value: $(params.REVISION)
+      taskRef:
+        resolver: http
+        params:
+          - name: url
+            value: https://raw.githubusercontent.com/rnc/jvm-build-service/refs/heads/NCL8774/deploy/tasks/pre-build.yaml
+      workspaces:
+        - name: source
+          workspace: source
+
+    - name: buildah-oci-ta
+      runAfter:
+        - pre-build
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.pre-build.results.PRE_BUILD_IMAGE_DIGEST)
+        - name: HERMETIC
+          value: "false"
+        - name: IMAGE # output image
+          value: $(params.QUAY_REPO):build-$(context.pipelineRun.name)
+        - name: DOCKERFILE # local path to the containerfile
+          value: .jbs/Containerfile
+        - name: caTrustConfigMapName
+          value: $(params.caTrustConfigMapName)
+        - name: ENABLE_INDY_PROXY
+          value: $(params.ENABLE_INDY_PROXY)
+        - name: BUILD_ARGS  #TODO this should be baked in the OCI source image only a ACCESS_TOKEN should be passed
+          value:
+            - PROXY_URL=$(params.MVN_REPO_DEPENDENCIES_URL)
+            - BUILD_ID=$(params.BUILD_ID)
+            - ACCESS_TOKEN=$(params.ACCESS_TOKEN)
+      taskRef:
+        #resolver: bundles
+        #params:
+        #  - name: name
+        #    value: buildah-oci-ta
+        #  - name: bundle
+        #    value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2
+        #  - name: kind
+        #    value: task
+
+        resolver: http
+        params:
+          - name: url
+            value: https://raw.githubusercontent.com/rnc/jvm-build-service/refs/heads/NCL8774/deploy/tasks/buildah-oci-ta.yaml
+
+    - name: maven-deployment
+      runAfter:
+        - buildah-oci-ta
+      params:
+        - name: JVM_BUILD_SERVICE_REQPROCESSOR_IMAGE
+          value: $(params.JVM_BUILD_SERVICE_REQPROCESSOR_IMAGE)
+        - name: IMAGE_URL
+          value: $(tasks.buildah-oci-ta.results.IMAGE_URL)
+        - name: IMAGE_DIGEST
+          value: $(tasks.buildah-oci-ta.results.IMAGE_DIGEST)
+        - name: MVN_REPO
+          value: $(params.MVN_REPO_DEPLOY_URL)
+        - name: ACCESS_TOKEN
+          value: $(params.ACCESS_TOKEN)
+      taskRef:
+        resolver: http
+        params:
+          - name: url
+            value: https://raw.githubusercontent.com/rnc/jvm-build-service/refs/heads/NCL8774/deploy/tasks/maven-deployment.yaml

deploy/tasks/README.md

@@ -0,0 +1,22 @@
+
+
+# Task Definitions
+
+Note that while `pre-build.yaml` and `maven-deployment.yaml` are created by our team the `buildah-oci-yaml` is a temporary copy from https://github.com/konflux-ci/build-definitions/blob/main/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml.
+
+
+## buildah-oci-ta
+
+It should be base-lined to the most recent definition from Konflux build-definitions repository and then the following changes should be applied to that:
+
+### Indy Sidecar
+Adds Indy configuration to the build:
+* https://github.com/redhat-appstudio/jvm-build-service/blob/main/deploy/tasks/buildah-oci-ta.yaml#L134-L137
+* https://github.com/redhat-appstudio/jvm-build-service/blob/main/deploy/tasks/buildah-oci-ta.yaml#L170-L180
+* https://github.com/redhat-appstudio/jvm-build-service/blob/main/deploy/tasks/buildah-oci-ta.yaml#L737-L757
+
+
+### Trusted CA
+Adds the trusted ca to the build:
+* https://github.com/redhat-appstudio/jvm-build-service/blob/main/deploy/tasks/buildah-oci-ta.yaml#L504-L508
+

deploy/tasks/maven-deployment.yaml

@@ -29,6 +29,8 @@ spec:
     - name: MVN_PASSWORD
       description: Name of the secret holding the Maven repository password
       type: string
+      # https://github.com/tektoncd/pipeline/issues/8249
+      default: ""
     - name: MVN_SERVER_ID
       description: Server identification in Maven settings.
       type: string
@@ -66,7 +68,7 @@ spec:
         name: workdir
   steps:
     - name: restore-trusted-artifact
-      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
       script: |
         echo "Restoring artifacts to workspace"
         URL=$IMAGE_URL

deploy/tasks/pre-build.yaml

@@ -57,7 +57,8 @@ spec:
     - name: JVM_BUILD_SERVICE_REQPROCESSOR_IMAGE
       description: Name of the processor image. Useful to override for development.
       type: string
-      default: "quay.io/redhat-user-workloads/konflux-jbs-pnc-tenant/jvm-build-service/build-request-processor:latest"
+      default: "quay.io/ncross/hacbs-jvm-build-request-processor:latest"
+      # default: "quay.io/redhat-user-workloads/konflux-jbs-pnc-tenant/jvm-build-service/build-request-processor:latest"
   results:
     - name: PRE_BUILD_IMAGE_DIGEST
       description: Digest of the image just built
@@ -115,7 +116,7 @@ spec:
         - --git-disable-ssl-verification=$(params.GIT_SSL_VERIFICATION)
         - --git-reuse-repository=$(params.GIT_REUSE_REPOSITORY)
     - name: create-pre-build-image
-      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
       script: |
         echo "Creating pre-build-image archive"
         create-archive --store $(params.IMAGE_URL) $(results.PRE_BUILD_IMAGE_DIGEST.path)=$(workspaces.source.path)/source

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/google/go-containerregistry v0.20.1 // indirect
 	github.com/google/uuid v1.6.0
-	github.com/konflux-ci/image-controller v0.0.0-20241106111942-98d78b2e0f48
+	github.com/konflux-ci/image-controller v0.0.0-20241128141349-9986c9955e05
 	github.com/onsi/gomega v1.34.2
 	github.com/openshift/api v0.0.0-20220912161038-458ad9ca9ca5 // indirect
 	github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142

go.sum

@@ -284,8 +284,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
 github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
-github.com/konflux-ci/image-controller v0.0.0-20241106111942-98d78b2e0f48 h1:rSuqJEJfaWs6rucYuFxLVUcht04t5RFe1WFs5H9ZclI=
-github.com/konflux-ci/image-controller v0.0.0-20241106111942-98d78b2e0f48/go.mod h1:a/94a7ohVwjq6/MayAi15Ylcahl+zzkAzVeVFak/PUQ=
+github.com/konflux-ci/image-controller v0.0.0-20241128141349-9986c9955e05 h1:5Xawkybl99uEiXhkdkxWtHDWitgnf+kAjpNVTanVGRE=
+github.com/konflux-ci/image-controller v0.0.0-20241128141349-9986c9955e05/go.mod h1:a/94a7ohVwjq6/MayAi15Ylcahl+zzkAzVeVFak/PUQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=

java-components/build-request-processor/src/main/docker/Dockerfile.all-in-one

@@ -5,7 +5,7 @@ COPY ./ .
 
 RUN mvn -V -B package -pl build-request-processor -am -Dmaven.test.skip
 
-FROM registry.access.redhat.com/ubi8/openjdk-21-runtime@sha256:c1bf8370627eaed6711ea22915b476d4216517c35c8f8268c0d39ed983bceaff
+FROM registry.access.redhat.com/ubi8/openjdk-21-runtime@sha256:0a8cf41082f11f5bc56bd9438851e54593e17051df49592e953fb59376c7d539
 USER 0
 WORKDIR /work/
 

java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/build/preprocessor/AbstractPreprocessor.java

@@ -72,7 +72,6 @@ public void run() {
         }
 
         Log.warnf("### Using tool %s with version %s and javaHome %s", type, buildToolVersion, javaVersion);
-        Log.warnf("### ENV %s", System.getenv("jvm-build-service"));
 
         String javaHome;
         if (javaVersion.equals("7") || javaVersion.equals("8")) {
@@ -151,14 +150,27 @@ public void run() {
             fi
             echo "PATH:$PATH"
 
+            update-ca-trust
+
+            # Go through certificates and insert them into the cacerts
+            for cert in $(find /etc/pki/ca-trust/source/anchors -type f); do
+              echo "Inserting $cert into java cacerts"
+              keytool -import -alias $(basename $cert)-ca \\
+                -file $cert \\
+                -keystore /etc/pki/java/cacerts \\
+                -storepass changeit --noprompt
+            done
+
             # End of generic build script
+
+            echo "Building the project ..."
             """;
 
         if (isNotEmpty(buildScript)) {
             // Now add in the build script from either JBS or PNC. This might contain e.g. "mvn -Pfoo install"
             runBuild += buildScript;
         }
-        Log.warnf("### runBuild is\n%s", runBuild);
+        Log.debugf("### runBuild is\n%s", runBuild);
 
         try {
             Path runBuildSh = Paths.get(jbsDirectory.toString(), "run-build.sh");

java-components/build-request-processor/src/main/java/com/redhat/hacbs/container/build/preprocessor/maven/MavenPrepareCommand.java

@@ -1,5 +1,7 @@
 package com.redhat.hacbs.container.build.preprocessor.maven;
 
+import static org.apache.commons.lang3.StringUtils.isNotEmpty;
+
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.nio.file.FileVisitResult;
@@ -128,13 +130,14 @@ private boolean handlePlugins(List<Plugin> plugins, boolean topLevel)
 
         if (disabledPlugins != null) {
             for (String s : disabledPlugins) {
-                String[] ga = s.split(":");
+                if (isNotEmpty(s)) {
+                    String[] ga = s.split(":");
 
-                if (ga.length != 2) {
-                    throw new IOException("Error parsing groupId/artifactId:  " + s);
+                    if (ga.length != 2) {
+                        throw new IOException("Error parsing groupId/artifactId:  " + s);
+                    }
+                    toRemove.add(new PluginInfo(ga[0], ga[1]));
                 }
-
-                toRemove.add(new PluginInfo(ga[0], ga[1]));
             }
         }
 

java-components/cache/src/main/docker/Dockerfile.all-in-one

@@ -7,7 +7,7 @@ RUN mkdir -p /work/cache/target/classes
 
 RUN mvn -V -B package -pl cache -am -Dmaven.test.skip
 
-FROM registry.access.redhat.com/ubi8/openjdk-21-runtime@sha256:c1bf8370627eaed6711ea22915b476d4216517c35c8f8268c0d39ed983bceaff
+FROM registry.access.redhat.com/ubi8/openjdk-21-runtime@sha256:0a8cf41082f11f5bc56bd9438851e54593e17051df49592e953fb59376c7d539
 USER 0
 WORKDIR /work/
 

java-components/cli/pom.xml

@@ -24,6 +24,12 @@
             <groupId>io.github.redhat-appstudio.jvmbuild</groupId>
             <artifactId>hacbs-resource-model</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>io.github.redhat-appstudio.jvmbuild</groupId>
+            <artifactId>driver</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>info.picocli</groupId>
             <artifactId>picocli-shell-jline2</artifactId>
@@ -102,10 +108,12 @@
         <dependency>
             <groupId>com.github.stefanbirkner</groupId>
             <artifactId>system-lambda</artifactId>
+            <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.wiremock</groupId>
             <artifactId>wiremock</artifactId>
+            <scope>test</scope>
         </dependency>
     </dependencies>
     <build>

java-components/cli/src/main/docker/Dockerfile.all-in-one

@@ -1,11 +1,20 @@
 FROM registry.access.redhat.com/ubi8/openjdk-21@sha256:5ab904e6262629fca79d6f65fa859bfa376405522d2f660bdbfaaae2742586f1 AS builder
 
+USER root
+RUN microdnf --setopt=install_weak_deps=0 --setopt=tsflags=nodocs install -y git
+
+USER 185
 WORKDIR /work
 COPY ./ .
 
-RUN mvn -V -B package -pl cli -am -DskipTests
+# Quarkus GitInfo causes injection failure if there isn't a git commit to use.
+RUN git init && \
+    git config user.email "[email protected]" && \
+    git config user.name "HACBS" && \
+    git add cli && git commit -m "CLI" -a && \
+    mvn -V -B package -pl cli -am -DskipTests
 
-FROM registry.access.redhat.com/ubi8/openjdk-21-runtime@sha256:c1bf8370627eaed6711ea22915b476d4216517c35c8f8268c0d39ed983bceaff
+FROM registry.access.redhat.com/ubi8/openjdk-21-runtime@sha256:0a8cf41082f11f5bc56bd9438851e54593e17051df49592e953fb59376c7d539
 WORKDIR /work/
 
 COPY --from=builder /work/cli/target/quarkus-app/lib/ /deployments/lib/