diff --git a/.baseimage b/.baseimage
index 1e126be4..3cb9424c 100644
--- a/.baseimage
+++ b/.baseimage
@@ -1,2 +1,2 @@
 sha256:cf095e5668919ba1b4ace3888107684ad9d587b1830d3eb56973e6a54f456e67
-618c747c18f6a4ee0bed719dc862927431fcdd41df9986ab5e999b6a3e1b5d92 -
+165b03727fc64d107d6126ce5009c7a23cdd20939989da58c6acb0fea1683966 -
diff --git a/.rhcicd/clowdapp.yaml b/.rhcicd/clowdapp.yaml
index 287b7265..f5726289 100644
--- a/.rhcicd/clowdapp.yaml
+++ b/.rhcicd/clowdapp.yaml
@@ -37,11 +37,11 @@ objects:
 image: ${IMAGE}:${IMAGE_TAG}
 resources:
 requests:
- cpu: ${CPU_REQUEST}
- memory: ${MEMORY_REQUEST}
+ cpu: ${CPU_REQUEST_ENGINE}
+ memory: ${MEMORY_REQUEST_ENGINE}
 limits:
- cpu: ${CPU_LIMIT}
- memory: ${MEMORY_LIMIT}
+ cpu: ${CPU_LIMIT_ENGINE}
+ memory: ${MEMORY_LIMIT_ENGINE}
 volumes:
 - name: certs
 emptyDir: {}
@@ -77,8 +77,6 @@ objects:
 value: ${EXTERNAL_LOGGING_LEVEL}
 - name: JAVA_OPTIONS
 value: ${JAVA_OPTIONS}
- - name: GC_CONTAINER_OPTIONS
- value: "-XX:+UseG1GC"
 - name: QUARKUS_HTTP_PORT
 value: "8000"
 - name: QUARKUS_LOG_CLOUDWATCH_ENABLED
@@ -99,11 +97,11 @@ parameters:
 value: "false"
 - name: JAVA_OPTIONS
 description: Additional options to JDK runtime
- value: "-XX:+ExitOnOutOfMemoryError -Xms640m -Xmx1024m"
-- name: CPU_LIMIT
+ value: "-XX:+ExitOnOutOfMemoryError -Xms128m -Xmx512m"
+- name: CPU_LIMIT_ENGINE
 description: CPU limit
 value: 250m
-- name: CPU_REQUEST
+- name: CPU_REQUEST_ENGINE
 description: CPU request
 value: 125m
 - name: ENV_NAME
@@ -117,10 +115,10 @@ parameters:
 value: latest
 - name: EXTERNAL_LOGGING_LEVEL
 value: INFO
-- name: MEMORY_LIMIT
+- name: MEMORY_LIMIT_ENGINE
 description: Memory limit
 value: 1000Mi
-- name: MEMORY_REQUEST
+- name: MEMORY_REQUEST_ENGINE
 description: Memory request
 value: 500Mi
 - name: MIN_REPLICAS
diff --git a/.tekton/policies-engine-pull-request.yaml b/.tekton/policies-engine-pull-request.yaml
index f707aadf..f37602e0 100644
--- a/.tekton/policies-engine-pull-request.yaml
+++ b/.tekton/policies-engine-pull-request.yaml
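Review bot: The new `JAVA_OPTIONS` default in the `@@ -99,11 +97,11 @@` hunk hard-codes `-Xms128m -Xmx512m` independently of `MEMORY_LIMIT_ENGINE` (1000Mi), and the same string is repeated in the `ENV JAVA_OPTIONS` line of src/main/docker/Dockerfile-build.jvm, so the two copies can drift apart. Because `-XX:+ExitOnOutOfMemoryError` stays set, a heap that turns out too small ends the process rather than degrading it, so the chosen ceiling deserves a stated rationale. I would extend the parameter text to `description: Additional options to JDK runtime; keep -Xmx below MEMORY_LIMIT_ENGINE and in sync with Dockerfile-build.jvm`. The renames in this file's other hunks (`CPU_LIMIT`, `CPU_REQUEST`, `MEMORY_LIMIT`, `MEMORY_REQUEST` to their `_ENGINE` forms) also assume that no deployment override still passes the old names, which cannot be checked from this diff.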
@@ -242,7 +242,7 @@ spec:
 - name: name
 value: buildah
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:c3fb20564f297f8a5590db73f45910b1e6ec674dd4ef644779f95b60feca3e8b
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:2f07e7813b6f3d0cb26e41a3732ce813809963537b1926df7c24020c9867ea0b
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/policies-engine-push.yaml b/.tekton/policies-engine-push.yaml
index 68c782fc..f6a66e81 100644
--- a/.tekton/policies-engine-push.yaml
+++ b/.tekton/policies-engine-push.yaml
@@ -239,7 +239,7 @@ spec:
 - name: name
 value: buildah
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:c3fb20564f297f8a5590db73f45910b1e6ec674dd4ef644779f95b60feca3e8b
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:2f07e7813b6f3d0cb26e41a3732ce813809963537b1926df7c24020c9867ea0b
 - name: kind
 value: task
 resolver: bundles
diff --git a/src/main/docker/Dockerfile-build.jvm b/src/main/docker/Dockerfile-build.jvm
index f30bb11f..8c969b75 100644
--- a/src/main/docker/Dockerfile-build.jvm
+++ b/src/main/docker/Dockerfile-build.jvm
@@ -26,7 +26,7 @@ RUN microdnf install -y openssl curl ca-certificates ${JAVA_PACKAGE} \
 && chown 1001:root /deployments \
 && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
-ENV JAVA_OPTIONS="-XX:+ExitOnOutOfMemoryError -Xms640m -Xmx1024m"
+ENV JAVA_OPTIONS="-XX:+ExitOnOutOfMemoryError -Xms128m -Xmx512m"
 # Use four distinct layers so if there are application changes the library layers can be re-used
 COPY --from=build --chown=1001 /home/jboss/target/quarkus-app/lib/ /deployments/lib/
diff --git a/src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java b/src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java
deleted file mode 100644
index ee99cfdd..00000000
--- a/src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java
+++ /dev/null
@@ -1,80 +0,0 @@
-package com.redhat.cloud.policies.engine.clowder;
-
-import io.quarkus.logging.Log;
-import io.quarkus.runtime.StartupEvent;
-import jakarta.annotation.Priority;
-import org.eclipse.microprofile.config.Config;
-import org.eclipse.microprofile.config.ConfigProvider;
-
-import jakarta.enterprise.context.ApplicationScoped;
-import jakarta.enterprise.event.Observes;
-
-import static jakarta.interceptor.Interceptor.Priority.PLATFORM_BEFORE;
-
-/*
- * This bean is required to make sure that SmallRye Reactive Messaging will use the configuration from
- * clowder-quarkus-config-source during the Kafka SASL authentication process.
- */
-@ApplicationScoped
-public class KafkaSaslInitializer {
-
- private static final String KAFKA_SASL_JAAS_CONFIG = "kafka.sasl.jaas.config";
- private static final String KAFKA_SASL_MECHANISM = "kafka.sasl.mechanism";
- private static final String KAFKA_SECURITY_PROTOCOL = "kafka.security.protocol";
- private static final String KAFKA_SSL_TRUSTSTORE_LOCATION = "kafka.ssl.truststore.location";
- private static final String KAFKA_SSL_TRUSTSTORE_TYPE = "kafka.ssl.truststore.type";
- private static final String PLAIN = "PLAIN";
- private static final String SASL_SSL = "SASL_SSL";
- private static final String SCRAM_SHA_512 = "SCRAM-SHA-512";
-
- void init(@Observes @Priority(PLATFORM_BEFORE) StartupEvent event) {
- Config config = ConfigProvider.getConfig();
- config.getOptionalValue(KAFKA_SECURITY_PROTOCOL, String.class).ifPresent(securityProtocol -> {
- switch (securityProtocol) {
- case SASL_SSL:
- Log.info("Initializing Kafka SASL configuration...");
- String saslMechanism = config.getValue(KAFKA_SASL_MECHANISM, String.class);
- String saslJaasConfig = config.getValue(KAFKA_SASL_JAAS_CONFIG, String.class);
- switch (saslMechanism) {
- case PLAIN:
- configurePlainAuthentication(securityProtocol, saslMechanism, saslJaasConfig);
- break;
- case SCRAM_SHA_512:
- configureScramAuthentication(securityProtocol, saslMechanism,
saslJaasConfig);
- config.getOptionalValue(KAFKA_SSL_TRUSTSTORE_LOCATION, String.class).ifPresent(truststoreLocation -> {
- String truststoreType = config.getValue(KAFKA_SSL_TRUSTSTORE_TYPE, String.class);
- configureTruststore(truststoreLocation, truststoreType);
- });
- break;
- default:
- throw new IllegalStateException("Unexpected Kafka SASL mechanism: " + saslMechanism);
- }
- break;
- default:
- throw new IllegalStateException("Unexpected Kafka security protocol: " + securityProtocol);
- }
- });
- }
-
- private static void configurePlainAuthentication(String securityProtocol, String saslMechanism, String saslJaasConfig) {
- setValue(KAFKA_SECURITY_PROTOCOL, securityProtocol);
- setValue(KAFKA_SASL_MECHANISM, saslMechanism);
- setValue(KAFKA_SASL_JAAS_CONFIG, saslJaasConfig);
- }
-
- private static void configureScramAuthentication(String securityProtocol, String saslMechanism, String saslJaasConfig) {
- setValue(KAFKA_SECURITY_PROTOCOL, securityProtocol);
- setValue(KAFKA_SASL_MECHANISM, saslMechanism);
- setValue(KAFKA_SASL_JAAS_CONFIG, saslJaasConfig);
- }
-
- private static void configureTruststore(String truststoreLocation, String truststoreType) {
- setValue(KAFKA_SSL_TRUSTSTORE_LOCATION, truststoreLocation);
- setValue(KAFKA_SSL_TRUSTSTORE_TYPE, truststoreType);
- }
-
- private static void setValue(String configKey, String configValue) {
- System.setProperty(configKey, configValue);
- Log.infof("%s has been set", configKey);
- }
-}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index fc1cbc52..ff81e5c1 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -30,6 +30,9 @@ kafka.bootstrap.servers=localhost:9092
 # kafka.ssl.truststore.location=
 # kafka.ssl.truststore.type=PEM
+# Enable ClowdConfigSource to load Kafka SSL configuration
+feature-flags.expose-kafka-ssl-config-keys.enabled=true
+
 # Source <= hosts
 mp.messaging.incoming.events.connector=smallrye-kafka
 mp.messaging.incoming.events.topic=platform.inventory.events
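Review bot: Nothing in the visible diff guarantees that the Kafka security settings are still applied once `feature-flags.expose-kafka-ssl-config-keys.enabled=true` replaces the deleted KafkaSaslInitializer: no dependency or test change accompanies the flag here, so whether the config source in use honours it cannot be confirmed from this page. The removed class threw IllegalStateException at startup on an unexpected security protocol or SASL mechanism, and that fail-fast behaviour goes away with it. A startup check or integration test asserting that `kafka.security.protocol` and `kafka.sasl.mechanism` resolve to the expected values in a Clowder-enabled profile would keep a misconfiguration from passing silently. The comment could also say what is delegated, e.g. `# ClowdConfigSource now supplies the Kafka security protocol, SASL and truststore keys (replaces KafkaSaslInitializer)`, if that matches what the flag covers.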