Merge pull request #22508 from gsmet/2.6.1-backports-2

2.6.1 backports 2

bom/application/pom.xml

@@ -146,7 +146,7 @@
         <aws-xray.version>2.10.0</aws-xray.version>
         <azure-functions-java-library.version>1.4.2</azure-functions-java-library.version>
         <kotlin.version>1.6.10</kotlin.version>
-        <kotlin.coroutine.version>1.5.2</kotlin.coroutine.version>
+        <kotlin.coroutine.version>1.6.0</kotlin.coroutine.version>
         <dekorate.version>2.6.0</dekorate.version>
         <maven-invoker.version>3.0.1</maven-invoker.version>
         <awaitility.version>4.1.1</awaitility.version>

build-parent/pom.xml

@@ -65,7 +65,7 @@
         <!-- These 2 properties are used by CreateProjectMojo to add the Maven Wrapper -->
         <proposed-maven-version>3.8.4</proposed-maven-version>
         <maven-wrapper.version>0.7.7</maven-wrapper.version>
-        <gradle-wrapper.version>7.3.2</gradle-wrapper.version>
+        <gradle-wrapper.version>7.3.3</gradle-wrapper.version>
         <quarkus-gradle-plugin.version>${project.version}</quarkus-gradle-plugin.version>
         <quarkus-maven-plugin.version>${project.version}</quarkus-maven-plugin.version>
 

core/deployment/src/main/java/io/quarkus/deployment/configuration/ConfigMappingUtils.java

@@ -60,7 +60,8 @@ public static void generateConfigClasses(
                 reflectiveClasses
                         .produce(ReflectiveClassBuildItem.builder(mappingMetadata.getInterfaceType()).methods(true).build());
                 reflectiveClasses
-                        .produce(ReflectiveClassBuildItem.builder(mappingMetadata.getClassName()).constructors(true).build());
+                        .produce(ReflectiveClassBuildItem.builder(mappingMetadata.getClassName()).constructors(true)
+                                .methods(true).build());
 
                 for (Class<?> parent : getHierarchy(mappingMetadata.getInterfaceType())) {
                     reflectiveClasses.produce(ReflectiveClassBuildItem.builder(parent).methods(true).build());

core/deployment/src/main/java/io/quarkus/deployment/logging/LogCleanupFilterBuildItem.java

@@ -1,6 +1,7 @@
 package io.quarkus.deployment.logging;
 
 import java.util.Arrays;
+import java.util.List;
 import java.util.logging.Level;
 
 import io.quarkus.builder.item.MultiBuildItem;
@@ -17,17 +18,25 @@ public final class LogCleanupFilterBuildItem extends MultiBuildItem {
     private LogCleanupFilterElement filterElement;
 
     public LogCleanupFilterBuildItem(String loggerName, String... messageStarts) {
-        if (messageStarts.length == 0) {
-            throw new IllegalArgumentException("messageStarts cannot be null");
-        }
-        this.filterElement = new LogCleanupFilterElement(loggerName, Arrays.asList(messageStarts));
+        this(loggerName, Arrays.asList(messageStarts));
     }
 
     public LogCleanupFilterBuildItem(String loggerName, Level targetLevel, String... messageStarts) {
-        if (messageStarts.length == 0) {
-            throw new IllegalArgumentException("messageStarts cannot be null");
+        this(loggerName, targetLevel, Arrays.asList(messageStarts));
+    }
+
+    public LogCleanupFilterBuildItem(String loggerName, List<String> messageStarts) {
+        if (messageStarts.isEmpty()) {
+            throw new IllegalArgumentException("messageStarts cannot be empty");
+        }
+        this.filterElement = new LogCleanupFilterElement(loggerName, messageStarts);
+    }
+
+    public LogCleanupFilterBuildItem(String loggerName, Level targetLevel, List<String> messageStarts) {
+        if (messageStarts.isEmpty()) {
+            throw new IllegalArgumentException("messageStarts cannot be empty");
         }
-        this.filterElement = new LogCleanupFilterElement(loggerName, targetLevel, Arrays.asList(messageStarts));
+        this.filterElement = new LogCleanupFilterElement(loggerName, targetLevel, messageStarts);
     }
 
     public LogCleanupFilterElement getFilterElement() {

core/deployment/src/main/java/io/quarkus/deployment/steps/ClassTransformingBuildStep.java

@@ -292,7 +292,7 @@ private void handleRemovedResources(ClassLoadingConfig classLoadingConfig, Curat
             }
         }
         if (!removed.isEmpty()) {
-            log.warn("Could not removed configured resources from the following artifacts as they were not found in the model: "
+            log.warn("Could not remove configured resources from the following artifacts as they were not found in the model: "
                     + removed.keySet());
         }
     }

core/deployment/src/main/java/io/quarkus/deployment/steps/MainClassBuildStep.java

@@ -84,13 +84,6 @@ public class MainClassBuildStep {
     static final String LOG = "LOG";
     static final String JAVA_LIBRARY_PATH = "java.library.path";
 
-    private static final String JAVAX_NET_SSL_TRUST_STORE = "javax.net.ssl.trustStore";
-    private static final String JAVAX_NET_SSL_TRUST_STORE_TYPE = "javax.net.ssl.trustStoreType";
-    private static final String JAVAX_NET_SSL_TRUST_STORE_PROVIDER = "javax.net.ssl.trustStoreProvider";
-    private static final String JAVAX_NET_SSL_TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";
-    private static final List<String> BUILD_TIME_TRUST_STORE_PROPERTIES = List.of(JAVAX_NET_SSL_TRUST_STORE,
-            JAVAX_NET_SSL_TRUST_STORE_TYPE, JAVAX_NET_SSL_TRUST_STORE_PROVIDER, JAVAX_NET_SSL_TRUST_STORE_PASSWORD);
-
     public static final String GENERATE_APP_CDS_SYSTEM_PROPERTY = "quarkus.appcds.generate";
 
     private static final FieldDescriptor STARTUP_CONTEXT_FIELD = FieldDescriptor.of(Application.APP_CLASS_NAME, STARTUP_CONTEXT,
@@ -236,22 +229,6 @@ void build(List<StaticBytecodeRecorderBuildItem> staticInitTasks,
                 .ifNonZero(mv.invokeStaticMethod(ofMethod(ImageInfo.class, "inImageRuntimeCode", boolean.class)))
                 .trueBranch();
 
-        // GraalVM uses the build-time trustStore and bakes the backing classes of the TrustStore into the the native binary,
-        // so we need to warn users trying to set the trust store related system properties that it won't have an effect
-        for (String property : BUILD_TIME_TRUST_STORE_PROPERTIES) {
-            ResultHandle trustStoreSystemProp = inGraalVMCode.invokeStaticMethod(
-                    ofMethod(System.class, "getProperty", String.class, String.class),
-                    mv.load(property));
-
-            BytecodeCreator inGraalVMCodeAndTrustStoreSet = inGraalVMCode.ifNull(trustStoreSystemProp).falseBranch();
-            inGraalVMCodeAndTrustStoreSet.invokeVirtualMethod(
-                    ofMethod(Logger.class, "warn", void.class, Object.class),
-                    inGraalVMCodeAndTrustStoreSet.readStaticField(logField.getFieldDescriptor()),
-                    inGraalVMCodeAndTrustStoreSet.load(String.format(
-                            "Setting the '%s' system property will not have any effect at runtime. Make sure to set this property at build time (for example by setting 'quarkus.native.additional-build-args=-J-D%s=someValue').",
-                            property, property)));
-        }
-
         mv.invokeStaticMethod(ofMethod(Timing.class, "mainStarted", void.class));
         startupContext = mv.readStaticField(scField.getFieldDescriptor());
 
@@ -468,7 +445,6 @@ private void writeRecordedBytecode(BytecodeRecorderImpl recorder, String fallbac
 
     /**
      * registers the generated application class for reflection, needed when launching via the Quarkus launcher
-     *
      */
     @BuildStep
     ReflectiveClassBuildItem applicationReflection() {

devtools/gradle/gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.2-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-all.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

docs/src/main/asciidoc/native-and-ssl.adoc

@@ -225,16 +225,28 @@ And let's build the native executable again:
 
 [WARNING]
 ====
-This behavior is new to GraalVM 19.3+.
+This behavior is new to GraalVM 21.3+.
 ====
 
-When creating a native binary, GraalVM embraces the principle of "immutable security" for the root certificates.
-This essentially means that the root certificates are fixed at image build time, based on the certificate configuration used at that build time
-(which for Quarkus means when you perform a build having `quarkus.package.type=native` set).
-This avoids shipping a `cacerts` file or requiring a system property be set in order to set up root
-certificates that are provided by the OS where the binary runs.
+GraalVM supports both build time and runtime certificate configuration.
 
-As a consequence, system properties such as `javax.net.ssl.trustStore` do not have an effect at
+=== Build time configuration
+
+The build time approach favors the principle of "immutable security" where the appropriate certificates are added at build time, and can never be changed afterward.
+This guarantees that the list of valid certificates cannot be tampered with when the application gets deployed in production.
+
+However, this comes with a few drawbacks:
+
+ * If you use the same executable in all environments, and a certificate expires, the application needs to be rebuilt, and redeployed into production with the new certificate, which is an inconvenience.
+ * Even worse, if a certificate gets revoked because of a security breach, all applications that embed this certificate need to be rebuilt and redeployed in a timely manner.
+ * This requires also to add into the application all certificates for all environments (e.g. DEV, TEST, PROD), which means that a certificate that is required for DEV but should not be used elsewhere, will make its way anyway in production.
+ * Providing all certificates at build time complicates the CI, specifically in dynamic environments such as Kubernetes where valid certificates are provided by the platform in the `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` PEM file.
+ * Lastly, this does not play well with third party software that do not provide a dedicated build for each customer environment.
+
+Creating a native executable using build time certificates essentially means that the root certificates are fixed at image build time, based on the certificate configuration used at build time (which for Quarkus means when you perform a build having `quarkus.package.type=native` set).
+This avoids shipping a `cacerts` file or requiring a system property be set in order to set up root certificates that are provided by the OS where the binary runs.
+
+In this situation, system properties such as `javax.net.ssl.trustStore` do not have an effect at
 run time, so when the defaults need to be changed, these system properties must be provided at image build time.
 The easiest way to do so is by setting `quarkus.native.additional-build-args`. For example:
 
@@ -244,11 +256,11 @@ quarkus.native.additional-build-args=-J-Djavax.net.ssl.trustStore=/tmp/mycerts,-
 ----
 
 will ensure that the certificates of `/tmp/mycerts` are baked into the native binary and used *in addition* to the default cacerts.
+The file containing the custom TrustStore does *not* (and probably should not) have to be present at runtime as its content has been baked into the native binary.
 
-[IMPORTANT]
-====
-The file containing the custom TrustStore does *not* have to be present at runtime as its content has been baked into the native binary.
-====
+=== Run time configuration
+
+Using the runtime certificate configuration, supported by GraalVM since 21.3 does not require any special or additional configuration compared to regular java programs or Quarkus in jvm mode. See the https://www.graalvm.org/reference-manual/native-image/CertificateManagement/#run-time-options[GraalVM documentation] for more information.
 
 [#working-with-containers]
 === Working with containers
@@ -258,7 +270,4 @@ as described in the previous section, it will work properly in container as well
 
 == Conclusion
 
-We make building native executable easy and, even if the SSL support in GraalVM is still requiring some serious thinking,
-it should be mostly transparent when using Quarkus.
-
-We track GraalVM progress on a regular basis so we will promptly integrate in Quarkus any improvement with respect to SSL support.
+We make building native executable using SSL easy, and provide several options to cope well with different types of security requirements.

docs/src/main/asciidoc/security-openid-connect-client.adoc

@@ -305,7 +305,7 @@ public class OidcClientResource {
         cfg.setAuthServerUrl("http://localhost:8081/auth/realms/quarkus/");
         cfg.setClientId("quarkus");
         cfg.getCredentials().setSecret("secret");
-        Uni<OidcClient> client = clients.newClient(config);
+        Uni<OidcClient> client = clients.newClient(cfg);
         // use this client to get the token
     }
 }

docs/src/main/asciidoc/writing-extensions.adoc

@@ -3110,6 +3110,7 @@ Then, at the end of your documentation, include the extensive documentation:
 
 Finally, generate the documentation and check it out.
 
+[[ecosystem-ci]]
 == Continuous testing of your extension
 
 In order to make it easy for extension authors to test their extensions daily against the latest snapshot of Quarkus, Quarkus has introduced
@@ -3127,6 +3128,8 @@ Before publishing your extension to the xref:tooling.adoc[Quarkus tooling], make
 
 * Your extension is published in Maven Central
 
+* Your extension repository is configured to use the <<ecosystem-ci, Ecosystem CI>>.
+
 Then you must create a pull request adding a `your-extension.yaml` file in the `extensions/` directory in the link:https://github.com/quarkusio/quarkus-extension-catalog[Quarkus Extension Catalog]. The YAML must have the following structure:
 
 ```yaml

extensions/hibernate-orm/runtime/src/main/java/io/quarkus/hibernate/orm/runtime/tenant/HibernateMultiTenantConnectionProvider.java

@@ -7,7 +7,6 @@
 
 import javax.enterprise.context.RequestScoped;
 import javax.enterprise.context.SessionScoped;
-import javax.enterprise.inject.Default;
 
 import org.hibernate.engine.jdbc.connections.spi.AbstractMultiTenantConnectionProvider;
 import org.hibernate.engine.jdbc.connections.spi.ConnectionProvider;
@@ -17,7 +16,6 @@
 import io.quarkus.arc.InjectableInstance;
 import io.quarkus.arc.InstanceHandle;
 import io.quarkus.arc.ManagedContext;
-import io.quarkus.hibernate.orm.PersistenceUnit.PersistenceUnitLiteral;
 import io.quarkus.hibernate.orm.runtime.PersistenceUnitUtil;
 
 /**
@@ -107,20 +105,18 @@ private static ConnectionProvider resolveConnectionProvider(String persistenceUn
      * @return Current tenant resolver.
      */
     private static InstanceHandle<TenantResolver> tenantResolver(String persistenceUnitName) {
-        InstanceHandle<TenantResolver> resolverInstance;
-        if (PersistenceUnitUtil.isDefaultPersistenceUnit(persistenceUnitName)) {
-            resolverInstance = Arc.container().instance(TenantResolver.class, Default.Literal.INSTANCE);
-        } else {
-            resolverInstance = Arc.container().instance(TenantResolver.class,
-                    new PersistenceUnitLiteral(persistenceUnitName));
-        }
-        if (!resolverInstance.isAvailable()) {
+        InjectableInstance<TenantResolver> instance = PersistenceUnitUtil
+                .legacySingleExtensionInstanceForPersistenceUnit(
+                        TenantResolver.class, persistenceUnitName);
+
+        if (instance.isUnsatisfied()) {
             throw new IllegalStateException(String.format(Locale.ROOT,
                     "No instance of %1$s was found for persistence unit %2$s. "
                             + "You need to create an implementation for this interface to allow resolving the current tenant identifier.",
                     TenantResolver.class.getSimpleName(), persistenceUnitName));
         }
-        return resolverInstance;
+
+        return instance.getHandle();
     }
 
 }

extensions/kafka-client/deployment/src/main/java/io/quarkus/kafka/client/deployment/KafkaProcessor.java

@@ -1,8 +1,10 @@
 package io.quarkus.kafka.client.deployment;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.function.Consumer;
 import java.util.logging.Level;
@@ -79,6 +81,7 @@
 import io.quarkus.deployment.builditem.nativeimage.ReflectiveHierarchyBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.RuntimeInitializedClassBuildItem;
 import io.quarkus.deployment.builditem.nativeimage.ServiceProviderBuildItem;
+import io.quarkus.deployment.logging.LogCleanupFilterBuildItem;
 import io.quarkus.deployment.pkg.NativeConfig;
 import io.quarkus.kafka.client.runtime.KafkaBindingConverter;
 import io.quarkus.kafka.client.runtime.KafkaRecorder;
@@ -137,7 +140,21 @@ void logging(BuildProducer<LogCategoryBuildItem> log) {
         log.produce(new LogCategoryBuildItem("org.apache.kafka.clients", Level.WARNING));
         log.produce(new LogCategoryBuildItem("org.apache.kafka.common.utils", Level.WARNING));
         log.produce(new LogCategoryBuildItem("org.apache.kafka.common.metrics", Level.WARNING));
+    }
+
+    @BuildStep
+    void silenceUnwantedConfigLogs(BuildProducer<LogCleanupFilterBuildItem> logCleanupFilters) {
+        String[] ignoredConfigProperties = { "wildfly.sasl.relax-compliance", "ssl.endpoint.identification.algorithm" };
+
+        List<String> ignoredMessages = new ArrayList<>();
+        for (String ignoredConfigProperty : ignoredConfigProperties) {
+            ignoredMessages.add("The configuration '" + ignoredConfigProperty + "' was supplied but isn't a known config.");
+        }
 
+        logCleanupFilters.produce(new LogCleanupFilterBuildItem("org.apache.kafka.clients.consumer.ConsumerConfig",
+                ignoredMessages));
+        logCleanupFilters.produce(new LogCleanupFilterBuildItem("org.apache.kafka.clients.producer.ProducerConfig",
+                ignoredMessages));
     }
 
     @BuildStep

extensions/opentelemetry/opentelemetry-exporter-jaeger/runtime/pom.xml

@@ -33,6 +33,21 @@
             <artifactId>quarkus-grpc-common</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.opentelemetry</groupId>
+            <artifactId>opentelemetry-exporter-otlp-common</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.codehaus.mojo</groupId>
+                    <artifactId>animal-sniffer-annotations</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.checkerframework</groupId>
+                    <artifactId>checker-qual</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
         <dependency>
             <groupId>io.opentelemetry</groupId>
             <artifactId>opentelemetry-exporter-jaeger</artifactId>
@@ -47,6 +62,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+
+        <dependency>
+            <groupId>org.graalvm.nativeimage</groupId>
+            <artifactId>svm</artifactId>
+            <scope>provided</scope>
+        </dependency>
     </dependencies>
 
     <build>