gradle docker buildBootImage hangs for a bit around 88%

[xenoterracide]

I see a lot of

2022-08-26T16:03:11.843-0400 [DEBUG] [org.gradle.cache.internal.DefaultFileLockManager] Releasing lock on daemon addresses registry.
2022-08-26T16:03:11.844-0400 [DEBUG] [org.gradle.cache.internal.DefaultFileLockManager] Waiting to acquire shared lock on daemon addresses registry.
2022-08-26T16:03:11.844-0400 [DEBUG] [org.gradle.cache.internal.DefaultFileLockManager] Lock acquired on daemon addresses registry.
2022-08-26T16:03:11.844-0400 [DEBUG] [org.gradle.cache.internal.DefaultFileLockManager] Releasing lock on daemon addresses registry.

It finally fails here, this is definitely an our proxy issue (yay for formally approved man in the middle attacks)

2022-08-26T16:04:43.107-0400 [QUIET] [system.out]     [creator]         Downloading from https://github.com/bell-sw/Liberica/releases/download/17.0.4.1+1/bellsoft-jre17.0.4.1+1-linux-amd64.tar.gz
2022-08-26T16:04:43.473-0400 [QUIET] [system.out]     [creator]     unable to invoke layer creator
2022-08-26T16:04:43.473-0400 [QUIET] [system.out]     [creator]     unable to get dependency jre
2022-08-26T16:04:43.473-0400 [QUIET] [system.out]     [creator]     unable to download https://github.com/bell-sw/Liberica/releases/download/17.0.4.1+1/bellsoft-jre17.0.4.1+1-linux-amd64.tar.gz
2022-08-26T16:04:43.473-0400 [QUIET] [system.out]     [creator]     unable to request https://github.com/bell-sw/Liberica/releases/download/17.0.4.1+1/bellsoft-jre17.0.4.1+1-linux-amd64.tar.gz
2022-08-26T16:04:43.474-0400 [QUIET] [system.out]     [creator]     Get "https://github.com/bell-sw/Liberica/releases/download/17.0.4.1+1/bellsoft-jre17.0.4.1+1-linux-amd64.tar.gz": x509: certificate signed by unknown authority
2022-08-26T16:04:43.

At the same time, I still doesn't see any documentation how to get the right cert, and more importantly we couldn't fetch from this in our CI. So is there a way to get this from artifactory? TBH, I'm not exactly sure why it needs to download a custom JRE if one is already available. Seems like not a great thing. I'm sure this seems like questions, but, I didn't find anything in the docs https://docs.spring.io/spring-boot/docs/2.7.3/gradle-plugin/reference/htmlsingle/#build-image . I think more documentation is needed here.

tried this, doesn't work, but I can't imagine how as it's not mounted... I'll dig more monday. Not sure if there's a good way to modify the keystore, that might be what's needed, I've had to do both.

tasks.named<BootBuildImage>("bootBuildImage") {
  environment(mutableMapOf("SSL_CERT_FILE" to "~/.certs/company.crt"))
}

[scottfrederick]

The [creator] part of the log output indicates that the problem you're having is in the Cloud Native Builder container that is running the buildpacks. Assuming you're using the default Paketo builder, there are a few things you can try to address the problem.

If getting a custom certificate loaded in the builder container can solve the problem, then you might be able to use the bindings feature of the Spring Boot plugin to mount a certificate as documented by the Paketo ca-certificates buildpack.

If configuring the builder container to use the corporate proxy helps, there's an example of that configuration in the Spring Boot plugin documentation.

So is there a way to get this from artifactory?

The Paketo Bellsoft Liberica buildpack documents a way to provide an alternate download location for the artifacts. This would give you full control over the download location, but probably requires the most work on your part to maintain your own artifcact repository.

I think more documentation is needed here.

The Spring Boot plugins provide an integration to CNB buildpacks. The Paketo builder and buildpacks are used by default, but users can override that to use a builder and buildpacks of their choice. The Spring Boot documentation can't cover every configuration scenario, and we don't want to make the documentation specific to Paketo or duplicate the documentation provided by Paketo and other CNB providers. This means users sometimes need to consult both the Spring Boot docs and their CNB builder docs to solve specific problems.

If there's something specific that you think we could add to the Spring Boot documentation that isn't Paketo-specific, we can take a look at that.

[xenoterracide]

If there's something specific that you think we could add to the Spring Boot documentation that isn't Paketo-specific, we can take a look at that.

I think perhaps there are a couple of scenarios that could be improved... but I'm not sure they wouldn't be paketo specific. I'm just thinking that the "Corporate Proxy+Artifactory(reverse proxy/mirror)" scenario for using this might be so common that it might be worth it.

Right now I think I may just write the quick dockerfile because I was hoping for something super easy. Realistically I'm wondering if for local all I need to do is get my proxy variable in there, but, I hadn't seen anything for that.

[scottfrederick]

The way that buildpacks choose to download dependencies, and any mechanism they might provide for navigating proxies or overrding the download location, are out of Spring Boot's control. This information would need to be documented by the buildpack provider. If you raise an issue with Paketo or another CNB provider, feel free to drop a link in a comment here. I'm going to close this for now, but we can assess linking to external documentation if something is created.