Even though we use `ubi8-minimal` as the parent of our container, it
still has many RPMs installed that aren't necessary to run the Keycloak
server. Also, since the JDK RPM (that we install on top of
`ubi8-minimal`) is designed for general use, it pulls in more dependency
RPMs than it strictly needs to, like cups and avahi. Keycloak will never
need to access a printer itself!
Trimming down these excess RPMs will improve our CVE statistics with
automated scanners, and therefore let us perform fewer CVE rebuilds.
`ubi8-null.sh` uses the low-level `rpm` command to identify and forcibly
remove dependencies and operating system files that are not required to
boot our Quarkus-based server. This includes `microdnf` and `rpm`
itself! I have preserved bash however, so it's still possible to debug
the container from a shell.
I've created an initial set of allow/disallow lists that seems to pass
a smoke test (server boots, admin console works). This leaves 37
packages installed, with 96 removed relative to `ubi8-minimal`. We could
go more minimal than this, or less minimal if required. Trial and error
is required.
Closes #16902
* Remove Red Hat Single Sign-On product profile from upstream
Closes #14916
* review suggestions: Remove Red Hat Single Sign-On product profile from upstream
Closes #14916
Co-authored-by: Peter Skopek <pskopek@redhat.com>
Inline profile checks for enabled admin-console to avoid issues during
static initialization with quarkus.
Potentially Re-enable admin-api feature if admin-console is enabled
via the admin/admin2 feature flag.
Add legacy admin console as deprecated feature flag
Throw exception if admin-api feature is disabled but admin-console is enabled
Adapt ProfileTest
Consider adminConsoleEnabled flag in QuarkusWelcomeResource
Fix check for Admin-Console / Admin-API feature dependency.
Add new features to approved help output files
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
databases that are not using an official liquibase type in Database.java could not be seeded anymore because
the liquibase types we use in model-jpa were not indexed and loaded during the build anymore.
Introduces highly needed tests for other databases than postgres, because postgres has an official liquibase database type in its list
in Database.java and as such differs from nearly all other vendors.
Closes #13389
* Unsupported options only shown when using help-all
* reworked impl based on comment in #13284
* Also fixes minor things of #13284, such as unused imports
Closes #13283
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
also: fix kc.bat to not use autobuild in devmode anymore, fix containers.adoc to not use auto_build naming, fix build command cli help as it is not required anymore to run it beforehand.