From f481247919c2d76f99c80a627d6f6c911f9b6440 Mon Sep 17 00:00:00 2001
From: Viliam Krizan
Date: Tue, 7 Jan 2025 15:24:45 +0100
Subject: [PATCH 1/9] fix: kafka sasl init oom RHINENG-15124
---
 .../engine/clowder/KafkaSaslInitializer.java | 80 -------------------
 1 file changed, 80 deletions(-)
 delete mode 100644 src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java
diff --git a/src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java b/src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java
deleted file mode 100644
index ee99cfdd..00000000
--- a/src/main/java/com/redhat/cloud/policies/engine/clowder/KafkaSaslInitializer.java
+++ /dev/null
@@ -1,80 +0,0 @@
-package com.redhat.cloud.policies.engine.clowder;
-
-import io.quarkus.logging.Log;
-import io.quarkus.runtime.StartupEvent;
-import jakarta.annotation.Priority;
-import org.eclipse.microprofile.config.Config;
-import org.eclipse.microprofile.config.ConfigProvider;
-
-import jakarta.enterprise.context.ApplicationScoped;
-import jakarta.enterprise.event.Observes;
-
-import static jakarta.interceptor.Interceptor.Priority.PLATFORM_BEFORE;
-
-/*
- * This bean is required to make sure that SmallRye Reactive Messaging will use the configuration from
- * clowder-quarkus-config-source during the Kafka SASL authentication process.
- */
-@ApplicationScoped
-public class KafkaSaslInitializer {
-
- private static final String KAFKA_SASL_JAAS_CONFIG = "kafka.sasl.jaas.config";
- private static final String KAFKA_SASL_MECHANISM = "kafka.sasl.mechanism";
- private static final String KAFKA_SECURITY_PROTOCOL = "kafka.security.protocol";
- private static final String KAFKA_SSL_TRUSTSTORE_LOCATION = "kafka.ssl.truststore.location";
- private static final String KAFKA_SSL_TRUSTSTORE_TYPE = "kafka.ssl.truststore.type";
- private static final String PLAIN = "PLAIN";
- private static final String SASL_SSL = "SASL_SSL";
- private static final String SCRAM_SHA_512 = "SCRAM-SHA-512";
-
- void init(@Observes @Priority(PLATFORM_BEFORE) StartupEvent event) {
- Config config = ConfigProvider.getConfig();
- config.getOptionalValue(KAFKA_SECURITY_PROTOCOL, String.class).ifPresent(securityProtocol -> {
- switch (securityProtocol) {
- case SASL_SSL:
- Log.info("Initializing Kafka SASL configuration...");
- String saslMechanism = config.getValue(KAFKA_SASL_MECHANISM, String.class);
- String saslJaasConfig = config.getValue(KAFKA_SASL_JAAS_CONFIG, String.class);
- switch (saslMechanism) {
- case PLAIN:
- configurePlainAuthentication(securityProtocol, saslMechanism, saslJaasConfig);
- break;
- case SCRAM_SHA_512:
- configureScramAuthentication(securityProtocol, saslMechanism, saslJaasConfig);
- config.getOptionalValue(KAFKA_SSL_TRUSTSTORE_LOCATION, String.class).ifPresent(truststoreLocation -> {
- String truststoreType = config.getValue(KAFKA_SSL_TRUSTSTORE_TYPE, String.class);
- configureTruststore(truststoreLocation, truststoreType);
- });
- break;
- default:
- throw new IllegalStateException("Unexpected Kafka SASL mechanism: " + saslMechanism);
- }
- break;
- default:
- throw new IllegalStateException("Unexpected Kafka security protocol: " + securityProtocol);
- }
- });
- }
-
- private static void configurePlainAuthentication(String securityProtocol, String saslMechanism, String saslJaasConfig) {
- setValue(KAFKA_SECURITY_PROTOCOL, securityProtocol);
- setValue(KAFKA_SASL_MECHANISM, saslMechanism);
- setValue(KAFKA_SASL_JAAS_CONFIG, saslJaasConfig);
- }
-
- private static void configureScramAuthentication(String securityProtocol, String saslMechanism, String saslJaasConfig) {
- setValue(KAFKA_SECURITY_PROTOCOL, securityProtocol);
- setValue(KAFKA_SASL_MECHANISM, saslMechanism);
- setValue(KAFKA_SASL_JAAS_CONFIG, saslJaasConfig);
- }
-
- private static void configureTruststore(String truststoreLocation, String truststoreType) {
- setValue(KAFKA_SSL_TRUSTSTORE_LOCATION, truststoreLocation);
- setValue(KAFKA_SSL_TRUSTSTORE_TYPE, truststoreType);
- }
-
- private static void setValue(String configKey, String configValue) {
- System.setProperty(configKey, configValue);
- Log.infof("%s has been set", configKey);
- }
-}
From bb0a00259062b712a5abf17f3377c4c8022d01ca Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 8 Jan 2025 09:10:37 -0300
Subject: [PATCH 2/9] chore(image): update and rebuild image (#674)
Co-authored-by: Update-a-Bot
---
 .baseimage | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.baseimage b/.baseimage
index 1e126be4..9729d433 100644
--- a/.baseimage
+++ b/.baseimage
@@ -1,2 +1,2 @@ sha256:cf095e5668919ba1b4ace3888107684ad9d587b1830d3eb56973e6a54f456e67 -618c747c18f6a4ee0bed719dc862927431fcdd41df9986ab5e999b6a3e1b5d92 - +61542ca28cbd1c6abc9d2256f2b651e0912390b95a7949db03b14cc8ed5810ec - From 4c5753e43d1650e9e52218d337230175f88c0e97 Mon Sep 17 00:00:00 2001 From: Viliam Krizan Date: Wed, 8 Jan 2025 16:23:46 +0100 Subject: [PATCH 3/9] fix: load Kafka SSL config from clowder RHINENG-15124 --- src/main/resources/application.properties | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index fc1cbc52..ff81e5c1 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -30,6 +30,9 @@ kafka.bootstrap.servers=localhost:9092 # kafka.ssl.truststore.location= # kafka.ssl.truststore.type=PEM +# Enable ClowdConfigSource to load Kafka SSL configuration +feature-flags.expose-kafka-ssl-config-keys.enabled=true + # Source <= hosts mp.messaging.incoming.events.connector=smallrye-kafka mp.messaging.incoming.events.topic=platform.inventory.events From 740401398afd0466c1acd88b73a7bb99db692f96 Mon Sep 17 00:00:00 2001 From: Viliam Krizan Date: Wed, 8 Jan 2025 18:09:14 +0100 Subject: [PATCH 4/9] chore(cleanup): reduce heap After the Kafka OOM is fixed, getting back to the previou-ish values. RHINENG-15124 --- src/main/docker/Dockerfile-build.jvm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/docker/Dockerfile-build.jvm b/src/main/docker/Dockerfile-build.jvm index f30bb11f..8c969b75 100644 --- a/src/main/docker/Dockerfile-build.jvm +++ b/src/main/docker/Dockerfile-build.jvm 
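Review bot: In `src/main/resources/application.properties`, the comment above the new `feature-flags.expose-kafka-ssl-config-keys.enabled=true` does not say that this flag now stands in for the `KafkaSaslInitializer` class deleted in PATCH 1/9. That class threw `IllegalStateException` on an unexpected security protocol or SASL mechanism, and nothing visible in this series replaces that fail-fast check, so a dropped or misspelled flag would presumably leave the client on the plain `kafka.bootstrap.servers` defaults with no error at startup. I would extend the comment to `# Replaces the removed KafkaSaslInitializer: Kafka security settings are now supplied by ClowdConfigSource`. I would also add a startup log line or a test that asserts the resolved `kafka.security.protocol` in Clowder environments; which keys the flag actually exposes should be confirmed against the config source, since that is not shown here.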
@@ -26,7 +26,7 @@ RUN microdnf install -y openssl curl ca-certificates ${JAVA_PACKAGE} \ && chown 1001:root /deployments \ && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security -ENV JAVA_OPTIONS="-XX:+ExitOnOutOfMemoryError -Xms640m -Xmx1024m" +ENV JAVA_OPTIONS="-XX:+ExitOnOutOfMemoryError -Xms128m -Xmx512m" # Use four distinct layers so if there are application changes the library layers can be re-used COPY --from=build --chown=1001 /home/jboss/target/quarkus-app/lib/ /deployments/lib/ From ccd6b078607a03b48151786a56f0afb98c2b702a Mon Sep 17 00:00:00 2001 From: Viliam Krizan Date: Wed, 8 Jan 2025 18:40:35 +0100 Subject: [PATCH 5/9] chore(cleanup): reduce heap on deployment After the Kafka OOM is fixed, getting back to the previou-ish values. RHINENG-15124 --- .rhcicd/clowdapp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.rhcicd/clowdapp.yaml b/.rhcicd/clowdapp.yaml index 287b7265..dc3d37fd 100644 --- a/.rhcicd/clowdapp.yaml +++ b/.rhcicd/clowdapp.yaml @@ -99,7 +99,7 @@ parameters: value: "false" - name: JAVA_OPTIONS description: Additional options to JDK runtime - value: "-XX:+ExitOnOutOfMemoryError -Xms640m -Xmx1024m" + value: "-XX:+ExitOnOutOfMemoryError -Xms128m -Xmx512m" - name: CPU_LIMIT description: CPU limit value: 250m From afb48ba1cfbafe9e1002db18d975efa054718191 Mon Sep 17 00:00:00 2001 From: Update-a-Bot Date: Thu, 9 Jan 2025 00:31:26 +0000 Subject: [PATCH 6/9] chore(image): update and rebuild image --- .baseimage | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.baseimage b/.baseimage index 9729d433..3cb9424c 100644 --- a/.baseimage +++ b/.baseimage @@ -1,2 +1,2 @@ sha256:cf095e5668919ba1b4ace3888107684ad9d587b1830d3eb56973e6a54f456e67 -61542ca28cbd1c6abc9d2256f2b651e0912390b95a7949db03b14cc8ed5810ec - +165b03727fc64d107d6126ce5009c7a23cdd20939989da58c6acb0fea1683966 - From ac599ece79db26c7fc499b29456614ea7296e188 Mon Sep 17 00:00:00 2001 
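Review bot: The `ENV JAVA_OPTIONS` line in `src/main/docker/Dockerfile-build.jvm` now carries the same string that PATCH 5/9 sets as the `JAVA_OPTIONS` parameter default in `.rhcicd/clowdapp.yaml`, so the heap settings live in two places that must be edited together. The ClowdApp passes `${JAVA_OPTIONS}` into the container environment, so the image value is only a fallback; a comment such as `# Default only; the deployed value comes from JAVA_OPTIONS in .rhcicd/clowdapp.yaml` would make that explicit. Both hunks also hard-code `-Xmx512m` next to a memory limit of `1000Mi`, which will not follow if the limit is changed; `-XX:MaxRAMPercentage` would tie the heap to the container limit instead. Because `-XX:+ExitOnOutOfMemoryError` ends the JVM without further diagnostics, pod restarts from OOM should be alerted on so a regression of RHINENG-15124 is noticed.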
From: patchkez Date: Fri, 10 Jan 2025 14:56:04 +0100 Subject: [PATCH 7/9] Change CPU/MEMORY limits for clowdapp - ADR46 (#684) Co-authored-by: Fellipe Henrique --- .rhcicd/clowdapp.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.rhcicd/clowdapp.yaml b/.rhcicd/clowdapp.yaml index dc3d37fd..91b4647e 100644 --- a/.rhcicd/clowdapp.yaml +++ b/.rhcicd/clowdapp.yaml @@ -37,11 +37,11 @@ objects: image: ${IMAGE}:${IMAGE_TAG} resources: requests: - cpu: ${CPU_REQUEST} - memory: ${MEMORY_REQUEST} + cpu: ${CPU_REQUEST_ENGINE} + memory: ${MEMORY_REQUEST_ENGINE} limits: - cpu: ${CPU_LIMIT} - memory: ${MEMORY_LIMIT} + cpu: ${CPU_LIMIT_ENGINE} + memory: ${MEMORY_LIMIT_ENGINE} volumes: - name: certs emptyDir: {} @@ -100,10 +100,10 @@ parameters: - name: JAVA_OPTIONS description: Additional options to JDK runtime value: "-XX:+ExitOnOutOfMemoryError -Xms128m -Xmx512m" -- name: CPU_LIMIT +- name: CPU_LIMIT_ENGINE description: CPU limit value: 250m -- name: CPU_REQUEST +- name: CPU_REQUEST_ENGINE description: CPU request value: 125m - name: ENV_NAME @@ -117,10 +117,10 @@ parameters: value: latest - name: EXTERNAL_LOGGING_LEVEL value: INFO -- name: MEMORY_LIMIT +- name: MEMORY_LIMIT_ENGINE description: Memory limit value: 1000Mi -- name: MEMORY_REQUEST +- name: MEMORY_REQUEST_ENGINE description: Memory request value: 500Mi - name: MIN_REPLICAS From 3fde5e7fbb03d1e12aedad70fe005c0fff2f4fcc Mon Sep 17 00:00:00 2001 From: Viliam Krizan Date: Fri, 10 Jan 2025 15:20:00 +0100 Subject: [PATCH 8/9] chore(cleanup): remove unused GC env var (#682) The env var GC_CONTAINER_OPTIONS is not being used on the ubi-minimal container. I premume it was used with run-java.sh script that is no longer used for a while. Co-authored-by: Fellipe Henrique --- .rhcicd/clowdapp.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.rhcicd/clowdapp.yaml b/.rhcicd/clowdapp.yaml index 91b4647e..f5726289 100644 --- a/.rhcicd/clowdapp.yaml +++ b/.rhcicd/clowdapp.yaml 
@@ -77,8 +77,6 @@ objects: value: ${EXTERNAL_LOGGING_LEVEL} - name: JAVA_OPTIONS value: ${JAVA_OPTIONS} - - name: GC_CONTAINER_OPTIONS - value: "-XX:+UseG1GC" - name: QUARKUS_HTTP_PORT value: "8000" - name: QUARKUS_LOG_CLOUDWATCH_ENABLED From 41f31d87749b4bb1b95e4547ac2de3fcd994613f Mon Sep 17 00:00:00 2001 From: "red-hat-konflux[bot]" <126015336+red-hat-konflux[bot]@users.noreply.github.com> Date: Fri, 10 Jan 2025 12:41:41 -0300 Subject: [PATCH 9/9] chore(deps): update konflux references to v0.3 (#677) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: Fellipe Henrique --- .tekton/policies-engine-pull-request.yaml | 2 +- .tekton/policies-engine-push.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/policies-engine-pull-request.yaml b/.tekton/policies-engine-pull-request.yaml index f707aadf..f37602e0 100644 --- a/.tekton/policies-engine-pull-request.yaml +++ b/.tekton/policies-engine-pull-request.yaml @@ -242,7 +242,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:c3fb20564f297f8a5590db73f45910b1e6ec674dd4ef644779f95b60feca3e8b + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:2f07e7813b6f3d0cb26e41a3732ce813809963537b1926df7c24020c9867ea0b - name: kind value: task resolver: bundles diff --git a/.tekton/policies-engine-push.yaml b/.tekton/policies-engine-push.yaml index 68c782fc..f6a66e81 100644 --- a/.tekton/policies-engine-push.yaml +++ b/.tekton/policies-engine-push.yaml 
@@ -239,7 +239,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:c3fb20564f297f8a5590db73f45910b1e6ec674dd4ef644779f95b60feca3e8b + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.3@sha256:2f07e7813b6f3d0cb26e41a3732ce813809963537b1926df7c24020c9867ea0b - name: kind value: task resolver: bundles