Conversation
There was a problem hiding this comment.
Pull request overview
Updates the local-dev Spring-based container images to newer Spring Boot versions and adds a shared mechanism to trust Aspire/.NET development certificates (notably for Spring Boot Admin).
Changes:
- Bump Spring Boot version metadata to 3.5.10 across images.
- Add Spring Boot Admin configuration patches for Steeltoe actuator compatibility and SSL trust via a custom
ClientHttpConnector. - Introduce shared SSL trust configuration and update the build script to apply patches more robustly and copy shared SSL sources.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| uaa-server/README.md | Updates UAA image tag and documentation links. |
| spring-boot-admin/patches/steeltoe-admin-config.patch | Adds SBA WebClient customization to tolerate Steeltoe actuator index responses in AOT. |
| spring-boot-admin/patches/spring-boot-admin-ssl-config.patch | Adds SBA ClientHttpConnector bean wired to a shared X509TrustManager. |
| spring-boot-admin/patches/enable-springbootadmin.patch | Enables SBA server and expands component scanning/imports needed for SSL + Steeltoe config. |
| spring-boot-admin/patches/build.gradle.patch | Adjusts build-image environment settings (incl. native image build args). |
| spring-boot-admin/patches/application.properties.patch | Sets SBA defaults and configures SSL package logging. |
| spring-boot-admin/metadata/SPRING_BOOT_VERSION | Bumps Spring Boot version metadata to 3.5.10. |
| spring-boot-admin/metadata/IMAGE_VERSION | Bumps SBA image version metadata. |
| spring-boot-admin/README.md | Updates SBA run instructions/tag. |
| shared/ssl-config/SslTrustConfiguration.java | Adds shared trust manager that loads dev certs from standard locations/env vars. |
| eureka-server/patches/application.properties.patch | Adds Eureka properties and enables SSL package logging. |
| eureka-server/metadata/SPRING_BOOT_VERSION | Bumps Spring Boot version metadata to 3.5.10. |
| eureka-server/metadata/IMAGE_REVISION | Introduces image revision metadata. |
| eureka-server/README.md | Updates Eureka run instructions/tag. |
| config-server/patches/enableconfigserver.patch | Updates Config Server bootstrap (enables config server/discovery + logs package info). |
| config-server/patches/application.properties.patch | Adds Config Server properties and enables SSL package logging. |
| config-server/metadata/SPRING_BOOT_VERSION | Bumps Spring Boot version metadata to 3.5.10. |
| config-server/metadata/IMAGE_VERSION | Bumps Config Server image version metadata. |
| config-server/metadata/IMAGE_REVISION | Changes revision metadata content. |
| config-server/README.md | Updates Config Server run instructions/tags. |
| build.ps1 | Enhances patch application behavior and copies shared SSL config into generated projects. |
| AGENTS.md | Adds agent guidance for patch handling/build workflow. |
| .gitattributes | Enforces LF endings for .patch files. |
Comments suppressed due to low confidence (1)
config-server/patches/enableconfigserver.patch:24
- This patch appears to truncate
ConfigServer.javaand does not include the closing braces for themainmethod and class. When applied, it will likely produce invalid Java and fail compilation. Please update the patch so the resulting file still ends with the appropriate}braces (and include the necessary context lines sopatchcan apply cleanly).
public static void main(String[] args) {
+ Package pkg = EnableConfigServer.class.getPackage();
+ logger.info("{} {} by {}", pkg.getImplementationTitle(), pkg.getImplementationVersion(), pkg.getImplementationVendor());
SpringApplication.run(ConfigServer.class, args);
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
To run the UAA server image built for this pull request: docker run --rm -d --pull=always -p 8080:8080 --name uaa-pr steeltoe.azurecr.io/uaa-server:pr-52 |
|
To run the Eureka server image built for this pull request: docker run --rm -d --pull=always -p 8761:8761 --name eureka-pr steeltoe.azurecr.io/eureka-server:pr-52 |
|
To run the Spring Cloud Config Server image built for this pull request: docker run --rm -d --pull=always -p 8888:8888 --name config-pr steeltoe.azurecr.io/config-server:pr-52 |
|
To run the Spring Boot Admin server image built for this pull request: docker run --rm -d --pull=always -p 9099:9099 --name sba-pr steeltoe.azurecr.io/spring-boot-admin:pr-52 |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 27 out of 27 changed files in this pull request and generated 8 comments.
Comments suppressed due to low confidence (1)
config-server/patches/application.properties.patch:15
- This logging category likely won't affect the shared trust configuration at runtime.
build.ps1copiesshared/ssl-config/SslTrustConfiguration.javainto the app's base package and rewrites its package declaration toio.steeltoe.docker.<serverName>(build.ps1:300-315), so the logger name won’t be underio.steeltoe.docker.ssl. Consider switching this tologging.level.io.steeltoe.docker=INFOor the concrete app package so the SSL trust logs can actually be controlled.
+auth.enabled=false
+logging.level.io.steeltoe.docker.ssl=INFO
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Log dependencies requested in calls to start.spring.io - Enhance patch handling to catch more failure scenarios - Use eol=lf for .patch files - fix enableconfigserver.patch
- add custom deserialization for aot/native-compiled SBA to avoid breakage over 'type' property in Steeltoe responses fixup metadata skip self-replication in Eureka
* Update eureka-server/patches/application.properties.patch * Fix line count in patch * Update build.ps1 to trim/join IMAGE_REVISION and check for non-empty * Use cryptographic signature verification in SslTrustConfiguration --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: TimHess <3947063+TimHess@users.noreply.github.com>
- Fix logging.level namespace to match actual package after build-time rewriting (io.steeltoe.docker instead of io.steeltoe.docker.ssl) - Correct AGENTS.md patch documentation for unified diff hunk headers
TimHess
changed the title
|
|
||
| +@EnableAdminServer | ||
| +@Import(SteeltoeAdminConfiguration.class) | ||
| @SpringBootApplication |
There was a problem hiding this comment.
Can we keep this file as similar as possible to the original version, or does the order of @-lines matter? Also, regarding the added blank lines.
There was a problem hiding this comment.
Changing the order was a troubleshooting step when something was going wrong, but I don't think it had an impact either way and I just didn't revert the change. The rest of the changes were to appease patch, presumably due to upstream changes on the initializr. I'll put it back as close as I can.
There was a problem hiding this comment.
@SpringBootApplication and @EnableAdminServer are still swapped.
| + environment = [ | ||
| + "BP_SPRING_CLOUD_BINDINGS_DISABLED": "true" | ||
| + "BP_SPRING_CLOUD_BINDINGS_DISABLED": "true", | ||
| + "BP_NATIVE_IMAGE_BUILD_ARGUMENTS": "-H:+UnlockExperimentalVMOptions" |
There was a problem hiding this comment.
According to https://answers.ycrash.io/question/what-is-unlock-experimental-vm-options--xxunlockexperimentalvmoptions?q=702:
The -XX:+UnlockExperimentalVMOptions flag unlocks experimental JVM features. These features may be unstable and are therefore not available by default, so this flag is required to make them available.
Using experimental features enabled by this flag is not encouraged in a production system. They may crash or cause unexpected behaviour. Also the JVM vendor will not provide support for experimental features.
Do we really need this?
There was a problem hiding this comment.
I added UnlockExperimentalVMOptions to avoid this build log entry:
[creator] 1 experimental option(s) unlocked:
[creator] - '-H:Name' (alternative API option(s): -o io.steeltoe.docker.springbootadmin.SpringBootAdmin; origin(s): command line)
We could remove it and just ignore the warning. Here's an explanation of what that does:
The -H:Name is being passed by the Paketo native-image buildpack itself, not by us. When it builds the native image, it automatically sets -H:Name=/layers/.../io.steeltoe.docker.springbootadmin.SpringBootAdmin based on the Spring Boot main class. We can't easily override this - it's internal to the buildpack. The UnlockExperimentalVMOptions is the correct workaround until Paketo updates their buildpack to use the non-experimental -o syntax.
There was a problem hiding this comment.
I think it would be safer not to enable experimental features unless they negatively affect our usage beyond the warning.
config-server/README.md
Outdated
|
|
||
| ```shell | ||
| docker run --publish 8888:8888 steeltoe.azurecr.io/config-server | ||
| docker run --publish 8888:8888 steeltoe.azurecr.io/config-server:4 |
There was a problem hiding this comment.
Why were version numbers added in this and other README files?
There was a problem hiding this comment.
Previously UAA was specifying the latest version number tag, but that was out of date... I updated all of them to use the latest version number, but it would be lower maintenance to just remove the tag and rely on latest
There was a problem hiding this comment.
The README for Config Server still has a version number.
| + * <li>{@code SSL_CERT_FILE} environment variable (single certificate file)</li> | ||
| + * </ul> | ||
| + * | ||
| + * <p>Supported certificate formats: .pem, .crt, .cer |
There was a problem hiding this comment.
Do these <p> tags need a companion closing tag?
There was a problem hiding this comment.
Debatable whether it matters at the moment, but I'll close them so we're better prepped for the next iteration of building these images
There was a problem hiding this comment.
I would expect the list to be part of the paragraph:
- drop tags from readmes - remove hardcoded aspire cert paths, fix env dir list parsing - fix broken-again link - sync agents.md
| + environment = [ | ||
| + "BP_SPRING_CLOUD_BINDINGS_DISABLED": "true" | ||
| + "BP_SPRING_CLOUD_BINDINGS_DISABLED": "true", | ||
| + "BP_JVM_CDS_ENABLED": "true" |
There was a problem hiding this comment.
According to https://github.com/paketo-buildpacks/spring-boot, BP_JVM_CDS_ENABLED is deprecated in favor of BPL_JVM_AOTCACHE_ENABLED.
There was a problem hiding this comment.
Should this be added to SBA as well?
There was a problem hiding this comment.
These flags don't apply to native-compiled apps. I'll go back and try SBA without native comp and with these flags and see if that gets us out of needing the custom deserializer
There was a problem hiding this comment.
Should this be added to SBA as well?
This question led me to #58. It wouldn't do anything for a native image, but is probably ultimately a better solution for us as doesn't require most of the custom code that's currently in this PR
|
|
||
| +@EnableAdminServer | ||
| +@Import(SteeltoeAdminConfiguration.class) | ||
| @SpringBootApplication |
There was a problem hiding this comment.
@SpringBootApplication and @EnableAdminServer are still swapped.
| + environment = [ | ||
| + "BP_SPRING_CLOUD_BINDINGS_DISABLED": "true" | ||
| + "BP_SPRING_CLOUD_BINDINGS_DISABLED": "true", | ||
| + "BP_NATIVE_IMAGE_BUILD_ARGUMENTS": "-H:+UnlockExperimentalVMOptions" |
There was a problem hiding this comment.
I think it would be safer not to enable experimental features unless they negatively affect our usage beyond the warning.
config-server/README.md
Outdated
|
|
||
| ```shell | ||
| docker run --publish 8888:8888 steeltoe.azurecr.io/config-server | ||
| docker run --publish 8888:8888 steeltoe.azurecr.io/config-server:4 |
There was a problem hiding this comment.
The README for Config Server still has a version number.
| + * <li>{@code SSL_CERT_FILE} environment variable (single certificate file)</li> | ||
| + * </ul> | ||
| + * | ||
| + * <p>Supported certificate formats: .pem, .crt, .cer |
There was a problem hiding this comment.
I would expect the list to be part of the paragraph:
| + if (trustManagers == null || trustManagers.length == 0 || !(trustManagers[0] instanceof X509TrustManager)) { | ||
| + throw new IllegalStateException("No X509TrustManager available from default TrustManagerFactory"); | ||
| + } | ||
| + X509TrustManager defaultTrustManager = (X509TrustManager) trustManagers[0]; |
There was a problem hiding this comment.
Sounds like we should throw for multiple. Better to fail than to silently continue without anyone noticing. If the exception ever pops up, we'll have to find a better way.
- remove last tag from readme - un-reorder lines for sba
Reduces the need for #40