CB-16402 set UBI8 base image for Java based docker images

autoscale/src/main/java/com/sequenceiq/periscope/config/DatabaseConfig.java

@@ -3,8 +3,6 @@
 import static java.util.concurrent.TimeUnit.MINUTES;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.sql.SQLException;
 
 import javax.inject.Inject;
@@ -92,9 +90,9 @@ public class DatabaseConfig {
     public DataSource dataSource() throws SQLException {
         DatabaseUtil.createSchemaIfNeeded("postgresql", databaseAddress, dbName, dbUser, dbPassword, dbSchemaName);
         HikariConfig config = new HikariConfig();
-        if (ssl && Files.exists(Paths.get(certFile))) {
+        if (ssl) {
             config.addDataSourceProperty("ssl", "true");
-            config.addDataSourceProperty("sslrootcert", certFile);
+            config.addDataSourceProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
         }
         if (periscopeNodeConfig.isNodeIdSpecified()) {
             config.addDataSourceProperty("ApplicationName", periscopeNodeConfig.getId());

cloud-consumption/src/main/java/com/sequenceiq/consumption/configuration/DatabaseConfig.java

@@ -3,8 +3,6 @@
 import static java.util.concurrent.TimeUnit.MINUTES;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -97,9 +95,9 @@ public class DatabaseConfig {
     public DataSource dataSource() throws SQLException {
         createSchemaIfNeeded("postgresql", databaseAddress, dbName, dbUser, dbPassword, dbSchemaName);
         HikariConfig config = new HikariConfig();
-        if (ssl && Files.exists(Paths.get(certFile))) {
+        if (ssl) {
             config.addDataSourceProperty("ssl", "true");
-            config.addDataSourceProperty("sslrootcert", certFile);
+            config.addDataSourceProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
         }
         if (nodeConfig.isNodeIdSpecified()) {
             config.addDataSourceProperty("ApplicationName", nodeConfig.getId());

cloud-gcp/src/main/java/com/sequenceiq/cloudbreak/cloud/gcp/client/GcpHttpClientConfig.java

@@ -1,19 +1,33 @@
 package com.sequenceiq.cloudbreak.cloud.gcp.client;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.Objects;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
+import com.google.api.client.googleapis.GoogleUtils;
 import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.util.SecurityUtils;
 
 @Configuration
 public class GcpHttpClientConfig {
 
     @Bean
     public HttpTransport httpTransport() throws GeneralSecurityException, IOException {
-        return GoogleNetHttpTransport.newTrustedTransport();
+        return new NetHttpTransport.Builder()
+                .trustCertificates(getCertificateTrustStore())
+                .build();
+    }
+
+    private KeyStore getCertificateTrustStore() throws IOException, GeneralSecurityException {
+        KeyStore certTrustStore = SecurityUtils.getDefaultKeyStore();
+        InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.p12");
+        SecurityUtils.loadKeyStore(certTrustStore, Objects.requireNonNull(keyStoreStream), "notasecret");
+        return certTrustStore;
     }
 }

common/src/main/java/com/sequenceiq/cloudbreak/client/CertificateTrustManager.java

@@ -1,16 +1,12 @@
 package com.sequenceiq.cloudbreak.client;
 
-import java.security.KeyManagementException;
-import java.security.SecureRandom;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 
 import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
-import org.glassfish.jersey.SslConfigurator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -32,55 +28,17 @@ public static HostnameVerifier hostnameVerifier() {
     }
 
     public static SSLContext sslContext() {
-        // Create a trust manager that does not validate certificate chains
-        TrustManager[] trustAllCerts = {trustEverythingTrustManager()};
         try {
-            // Install the all-trusting trust manager
-            SSLContext sc = SslConfigurator.newInstance().createSSLContext();
-            sc.init(null, trustAllCerts, new SecureRandom());
-            LOGGER.debug("Trust all SSL certificates has been installed");
-            return sc;
-        } catch (KeyManagementException e) {
-            LOGGER.error(e.getMessage(), e);
-            throw new RuntimeException("F", e);
+            SSLContext defaultSslContext = SSLContext.getDefault();
+            LOGGER.debug("Default SSL context has been initialised");
+            return defaultSslContext;
+        } catch (NoSuchAlgorithmException e) {
+            String errorMessage = String.format("Failed to initialise SSL context due to: '%s'", e.getMessage());
+            LOGGER.error(errorMessage, e);
+            throw new RuntimeException(errorMessage, e);
         }
     }
 
-    public static SSLContext sslSavingTrustStoreContext() {
-        TrustManager[] trustManagers = {new CertificateTrustManager.SavingX509TrustManager()};
-        SSLContext sslContext = SslConfigurator.newInstance().createSSLContext();
-        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
-        try {
-            sslContext.init(null, trustManagers, new SecureRandom());
-        } catch (KeyManagementException e) {
-            LOGGER.error(e.getMessage(), e);
-            throw new RuntimeException("FF", e);
-        }
-        return sslContext;
-    }
-
-    private static X509TrustManager trustEverythingTrustManager() {
-        return new X509TrustManager() {
-            @Override
-            public X509Certificate[] getAcceptedIssuers() {
-                LOGGER.debug("accept all issuer");
-                return null;
-            }
-
-            @Override
-            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
-                LOGGER.debug("checkClientTrusted");
-                // Trust everything
-            }
-
-            @Override
-            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
-                LOGGER.debug("checkServerTrusted");
-                // Trust everything
-            }
-        };
-    }
-
     public static class SavingX509TrustManager implements X509TrustManager {
 
         private X509Certificate[] chain;
@@ -103,5 +61,4 @@ public X509Certificate[] getChain() {
             return chain;
         }
     }
-
 }

core/src/main/java/com/sequenceiq/cloudbreak/conf/DatabaseConfig.java

@@ -3,8 +3,6 @@
 import static java.util.concurrent.TimeUnit.MINUTES;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.sql.SQLException;
 
 import javax.inject.Inject;
@@ -108,9 +106,9 @@ public DataSource dataSource() {
     private HikariDataSource getDataSource() throws SQLException {
         DatabaseUtil.createSchemaIfNeeded("postgresql", databaseAddress, dbName, dbUser, dbPassword, dbSchemaName);
         HikariConfig config = new HikariConfig();
-        if (ssl && Files.exists(Paths.get(certFile))) {
+        if (ssl) {
             config.addDataSourceProperty("ssl", "true");
-            config.addDataSourceProperty("sslrootcert", certFile);
+            config.addDataSourceProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
         }
         if (nodeConfig.isNodeIdSpecified()) {
             config.addDataSourceProperty("ApplicationName", nodeConfig.getId());

datalake/src/main/java/com/sequenceiq/datalake/configuration/DatabaseConfig.java

@@ -3,8 +3,6 @@
 import static java.util.concurrent.TimeUnit.MINUTES;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.sql.SQLException;
 
 import javax.inject.Inject;
@@ -90,9 +88,9 @@ public class DatabaseConfig {
     public DataSource dataSource() throws SQLException {
         DatabaseUtil.createSchemaIfNeeded("postgresql", databaseAddress, dbName, dbUser, dbPassword, dbSchemaName);
         HikariConfig config = new HikariConfig();
-        if (ssl && Files.exists(Paths.get(certFile))) {
+        if (ssl) {
             config.addDataSourceProperty("ssl", "true");
-            config.addDataSourceProperty("sslrootcert", certFile);
+            config.addDataSourceProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
         }
         if (nodeConfig.isNodeIdSpecified()) {
             config.addDataSourceProperty("ApplicationName", nodeConfig.getId());

docker-autoscale/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the periscope app
 ADD ${REPO_URL}/com/sequenceiq/periscope/$VERSION/periscope-$VERSION.jar /periscope.jar

docker-autoscale/bootstrap/start_autoscale_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate  trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

docker-cloudbreak/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the cloudbreak app
 ADD ${REPO_URL}/com/sequenceiq/cloudbreak/$VERSION/cloudbreak-$VERSION.jar /cloudbreak.jar

docker-cloudbreak/bootstrap/start_cloudbreak_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate  trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

docker-consumption/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the consumption app
 ADD ${REPO_URL}/com/sequenceiq/cloud-consumption/$VERSION/cloud-consumption-$VERSION.jar /consumption.jar

docker-consumption/bootstrap/start_consumption_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate  trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

docker-datalake/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the datalake app
 ADD ${REPO_URL}/com/sequenceiq/datalake/$VERSION/datalake-$VERSION.jar /datalake.jar

docker-datalake/bootstrap/start_datalake_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate  trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

docker-environment/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the environment app
 ADD ${REPO_URL}/com/sequenceiq/environment/$VERSION/environment-$VERSION.jar /environment.jar

docker-environment/bootstrap/start_environment_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate  trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

docker-freeipa/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the freeipa app
 ADD ${REPO_URL}/com/sequenceiq/freeipa/$VERSION/freeipa-$VERSION.jar /freeipa.jar

docker-freeipa/bootstrap/start_freeipa_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate  trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

docker-redbeams/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker-private.infra.cloudera.com/cloudera_base/cldr-java:11.0.13-cldr-jre-slim-buster-15122021
+FROM docker-private.infra.cloudera.com/cloudera_base/ubi8/cldr-openjdk-11-runtime:1.14-3-03082022
 # We can not use alpine based image because of https://github.com/grpc/grpc-java/issues/8751
 MAINTAINER info@cloudera.com
 
@@ -10,7 +10,7 @@ ENV VERSION ${VERSION}
 
 WORKDIR /
 
-RUN apt-get install unzip
+RUN microdnf install unzip
 
 # install the Redbeams app
 ADD ${REPO_URL}/com/sequenceiq/redbeams/$VERSION/redbeams-$VERSION.jar /redbeams.jar

docker-redbeams/bootstrap/start_redbeams_app.sh

@@ -14,7 +14,7 @@ echo "Importing certificates to the default Java certificate trust store."
 if [ -d "$TRUSTED_CERT_DIR" ]; then
     for cert in $(ls -A "$TRUSTED_CERT_DIR"); do
         if [ -f "$TRUSTED_CERT_DIR/$cert" ]; then
-            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /usr/local/openjdk-11/lib/security/cacerts -storepass changeit; then
+            if keytool -import -alias "$cert" -noprompt -file "$TRUSTED_CERT_DIR/$cert" -keystore /etc/pki/java/cacerts -storepass changeit; then
                 echo -e "Certificate added to default Java trust store with alias $cert."
             else
                 echo -e "WARNING: Failed to add $cert to trust store.\n"

environment/src/main/java/com/sequenceiq/environment/configuration/DatabaseConfig.java

@@ -3,8 +3,6 @@
 import static java.util.concurrent.TimeUnit.MINUTES;
 import static java.util.concurrent.TimeUnit.SECONDS;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.Statement;
@@ -97,9 +95,9 @@ public class DatabaseConfig {
     public DataSource dataSource() throws SQLException {
         createSchemaIfNeeded("postgresql", databaseAddress, dbName, dbUser, dbPassword, dbSchemaName);
         HikariConfig config = new HikariConfig();
-        if (ssl && Files.exists(Paths.get(certFile))) {
+        if (ssl) {
             config.addDataSourceProperty("ssl", "true");
-            config.addDataSourceProperty("sslrootcert", certFile);
+            config.addDataSourceProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
         }
         if (nodeConfig.isNodeIdSpecified()) {
             config.addDataSourceProperty("ApplicationName", nodeConfig.getId());