fix(#7712): S2i build no longer renames artifacts

[iocanel]

Fixes: #7712 #7766 #7740

This pull request changes the way that the artifact is handled during the s2i build process.

• The artifact is no longer renamed.
• The user is able to specify the target directory and or the target filename (if the s2i builder image changes the name).
• The artifact name that is used in the manifests comes from JarBuildItem / NativeBuildItem unless the user specifies something else (see above).

[iocanel]

CC @Ladicek @maxandersen

[iocanel]

Found some issues with the PR related to native mode ...
I am on it.

It should be ok now.

[maxandersen]

as this changes the behavior of kubernetes/openshift setup best to get this fixed before final.

[geoand]

I would like @Ladicek to test this if possible.

I agree with @maxandersen that we need this in for Final from a usability perspective. Moreover it changes the s2i configuration which we really want to do before the Final is out to avoid unnecessary breaking changes down the line

[Ladicek]

/me looking

[Ladicek]

This seems to work fine from my perspective. I don't test native binaries in OpenShift yet, but for the JVM mode, this is OK.

(I'm still not sure why we need the full java ... cmdline, but it can't hurt either, so I'm fine with that.)

[geoand]

Thanks for checking @Ladicek

[geoand]

Added some minor comments about the config property javadoc (which should be fixed since they end up in the docs)

[iocanel]

This seems to work fine from my perspective. I don't test native binaries in OpenShift yet, but for the JVM mode, this is OK.

It's the ubi quarkus native binary image that does rename the artifact. It doesn't affect JVM mode.

(I'm still not sure why we need the full java ... cmdline, but it can't hurt either, so I'm fine with that.)

Because there is no guarantee that the s2i builder image the user selects will support JAVA_APP_JAR etc.

[geoand]

Please squash the commits when you are done :)

[iocanel]

Please squash the commits when you are done :)

Done!

[geoand]

LGTM

[Ladicek]

(I'm still not sure why we need the full java ... cmdline, but it can't hurt either, so I'm fine with that.)

Because there is no guarantee that the s2i builder image the user selects will support JAVA_APP_JAR etc.

I have actually noticed that it might hurt, or at least be suboptimal. I filed #7766 for that.

[gsmet]

@geoand please don't assign PRs to 1.3.0.Final. I do it when I backport things.

As long as they are not backported, they don't end up in 1.3.0.Final as we already have a branch.

Thanks!

[geoand]

So the milestone should be 1.4.0.Final?

[iocanel]

Added a couple more commits that fixes: #7766 and #7740.
Also it changes the default s2i java base image to openjdk.

[iocanel]

This case still causes duplicate entry in the YAML file:

As this is a non-blocker issue, I think that the fix for that particular uses case should be deferred post 1.3.0.Final.

[geoand]

This case still causes duplicate entry in the YAML file:

As this is a non-blocker issue, I think that the fix for that particular uses case should be deferred post 1.3.0.Final.

I agree

[Ladicek]

Yea, there's no way how to indicate priority in GitHub issues (except labels, but I can't assign those). If it were, I'd mark that particular issue as not a blocker -- but since you already tried to fix it, I wanted to report that the fix is incomplete :-)

[Ladicek]

Ah, one thing. This doesn't mean I didn't find any other issue. I'm still checking. This one was just too easy to find :-)

[geoand]

@Ladicek I propose we merge now and if you find any issues open them along with an indication of how serious they are for .Final

[Ladicek]

I agree with merging (as I didn't spot any other glaring issue yet), but would like to have these 2 questions answered first:

1. Can we use the registry.access.redhat.com/openjdk/openjdk-11-rhel7 image by default?
2. Can the fact that "known image" matching algorithm ignores the registry name have security consequences? Or any other consequences? I can only think of the possibility to abuse that by creating identically named image in an internal registry. But I'd like other folks to think about that too, at least a little.

[iocanel]

I agree with merging (as I didn't spot any other glaring issue yet), but would like to have these 2 questions answered first:

1. Can we use the registry.access.redhat.com/openjdk/openjdk-11-rhel7 image by default?

This is already the image we use. If your question is if we should, then maybe @maxandersen can answer that.

2. Can the fact that "known image" matching algorithm ignores the registry name have security consequences? Or any other consequences? I can only think of the possibility to abuse that by creating identically named image in an internal registry. But I'd like other folks to think about that too, at least a little.

Let me start by saying that we can't take the registry into consideration, as this would break all private registries. Now, let's see what the implications might be:

Security wise, nothing changes. We don't grant any special privileges to known images, we just align our generated manifests (something anyone can do by hand anyway).

Other consequences?

Yeah, if someone creates an identically named image that doesn't respect the same environment variable conventions as the original one, publish that to a private, and use that instead, then the resulting container will probably fail to start. But I think we can live with that (at least for now).

[Ladicek]

I agree with merging (as I didn't spot any other glaring issue yet), but would like to have these 2 questions answered first:

1. Can we use the registry.access.redhat.com/openjdk/openjdk-11-rhel7 image by default?

This is already the image we use.

No we don't. We currently use the Fabric8 image by default. This PR changes that to the Red Hat image. I'm not sure if that's right. Technically, the image is available for everyone. However, I think that "conditions apply". If you don't have a Red Hat subscription (even the $0 developer subscription), you shouldn't use it. Or something like that.

2. Can the fact that "known image" matching algorithm ignores the registry name have security consequences? Or any other consequences? I can only think of the possibility to abuse that by creating identically named image in an internal registry. But I'd like other folks to think about that too, at least a little.

Let me start by saying that we can't take the registry into consideration, as this would break all private registries. Now, let's see what the implications might be:

Security wise, nothing changes. We don't grant any special privileges to known images, we just align our generated manifests (something anyone can do by hand anyway).

Other consequences?

Yeah, if someone creates an identically named image that doesn't respect the same environment variable conventions as the original one, publish that to a private, and use that instead, then the resulting container will probably fail to start. But I think we can live with that (at least for now).

OK, agree.

[iocanel]

No we don't. We currently use the Fabric8 image by default. This PR changes that to the Red Hat image.

I stand corrected!

[geoand]

No we don't. We currently use the Fabric8 image by default. This PR changes that to the Red Hat image.

I stand corrected!

Which leaves us where with regards to @Ladicek 's comment?

[iocanel]

No we don't. We currently use the Fabric8 image by default. This PR changes that to the Red Hat image.

I stand corrected!

Which leaves us where with regards to @Ladicek 's comment?

We need to check if we can use registry.access.redhat.com/openjdk/openjdk-11-rhel7 as a default image. It seems that @maxandersen is swarmed though. @tqvarnst since we discussed about this on Monday, are there any legal obstacles in proceeding with this change (adopting openjdk-11-rhel7 as the default s2i base image)?

[Ladicek]

I don't like us using the Fabric8 image, but I don't think there's a better image that we can use by default. When UBI image with Java comes out, we should switch to that for sure, but until then...

[gsmet]

For the default Dockerfiles, we use ubi and install Java manually.

[geoand]

We can't do that for s2i however

[maxandersen]

long thread and not sure what questions are left but just two things to state:

• we are stuck with fabric8 image until ubi-java comes out - for customers they'll need to explicitly set whatever supported image is needed.
• we are not going to use any image that require auth as default.

[Ladicek]

I wonder what happens on Windows, would this possibly generate Windows-style paths into the Kubernetes YAML? (Didn't check, just thinking aloud.)

[Ladicek]

This works fine for my usecase. There might be follow-up issues, but this is a good base IMHO.

[geoand]

Since we are practically out of time, I'm going to merge this to get the needed fixes into Final