Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[INITIATIVE] Fabric8 Kubernetes Client 7.0.0 #5778

Open
manusa opened this issue Mar 5, 2024 · 8 comments
Open

[INITIATIVE] Fabric8 Kubernetes Client 7.0.0 #5778

manusa opened this issue Mar 5, 2024 · 8 comments
Milestone

Comments

@jorsol
Copy link
Contributor

jorsol commented Jun 25, 2024

Just one small comment: Bump Java requirement to at least 11, we are in 2024, Java 8 was released 10 years ago, and there are 3 LTS released since Java 8 (11, 17, and 21), so there is no point in supporting Java 8 anymore (unless there is some kind of paid support 😉).

A major version release like 7.0.0 🏷️ is a perfect time to do this kind of change.

I would be more aggressive and bump to Java 17 🚀 , but that is just my personal preference.

@manusa
Copy link
Member Author

manusa commented Jun 26, 2024

Just one small comment: Bump Java requirement to at least 11, we are in 2024, Java 8 was released 10 years ago, and there are 3 LTS released since Java 8 (11, 17, and 21), so there is no point in supporting Java 8 anymore (unless there is some kind of paid support 😉).

Hi Jorge,
Sorry, this issue is still under construction. You can check a full list of features and changes for 7.0.0 at https://github.com/marcnuri-work/fabric8io-kubernetes-client-issues-5778
(Java 11 as baseline is one of them). If you feel there's anything else missing or were expecting anything else for this major version, please say so.

That said, I wouldn't fully agree with you regarding your statement and this project (and for other libraries in general). It's precisely this "there is some kind of paid support" involved in some of the downstream usage of this project and other libraries that make/force these kind of projects the last to update their Java baseline. Apparently Spring 5 (Boot 2) paid support can be at least extended to 2025 🤦.

The motivation in this case is that is not sustainable any more to keep up with Java 8 (at least not worth the effort). However, this means that we'll probably get an increased amount of requests for patch releases for version 6 (which will be the last one with Java 8 support). I do hope I'm wrong here and that this is not the case but only time will tell.

@manusa manusa mentioned this issue Jun 26, 2024
8 tasks
@jorsol
Copy link
Contributor

jorsol commented Jun 26, 2024

That said, I wouldn't fully agree with you regarding your statement and this project (and for other libraries in general). It's precisely this "there is some kind of paid support" involved in some of the downstream usage of this project and other libraries that make/force these kind of projects the last to update their Java baseline. Apparently Spring 5 (Boot 2) paid support can be at least extended to 2025 🤦.

Well, I didn't explain myself correctly, and haven't mentioned downstream usage, I was referring to paid support to you (or the fabric8 team) not to paid support to "other" projects 😉, and even then, the commercial support should be just for the 6.x branch of KC... the 7.x branch should set the baseline to at least Java 11 without a doubt.

I fully agree that this project (and for other libraries in general), shouldn't be tied to other projects (especially if those other projects are in commercial support), Oracle will have extended support for Java 8 until 31 Dec 2030 (some vendors even longer than that 🤯), it doesn't make any sense that libraries get stuck just because of that.

The motivation in this case is that is not sustainable any more to keep up with Java 8 (at least not worth the effort). However, this means that we'll probably get an increased amount of requests for patch releases for version 6 (which will be the last one with Java 8 support). I do hope I'm wrong here and that this is not the case but only time will tell.

As mentioned, version 6.x should enter a kind of paid support maintenance, unless there is a critical security issue, there is no point in maintaining older versions, if someone requests for instance support for a newer version of K8s in the 6.x branch, that should be paid support.

I do know that this kind of project makes it hard to provide commercial support, so, in case that is not possible, just provide a best-effort (community-driven) patch release for version 6.

Hope I have cleared the misunderstanding. 😅

@manusa
Copy link
Member Author

manusa commented Jun 26, 2024

the commercial best-effort support should be just for the 6.x branch of KC... the 7.x branch should set the baseline to at least Java 11 without a doubt.

Just in case it's not clear, this is what's going to happen exactly :).

I did understand your points, however, I think/feel I didn't explain myself correctly.

For me it's just a matter of tradeoffs. And this project is quite complex in this regard.
On the one hand you have Kubernetes that keeps evolving at a "fast" pace with releases every 6 months. On the other you have dependent projects, libraries, and frameworks that get stuck on a given version of this library.
For me the goal is to keep things as stable as possible and as cross-compatible as possible so that there's no need to maintain multiple branches (major versions) of the project (which would likely be impossible with the amount of resources we have).
Keeping the lowest possible java baseline while things stay simple enough is one of those tradeoffs.
I suppose folks maintaining other popular libraries and tools such as JUnit face similar conundrums.

@jorsol
Copy link
Contributor

jorsol commented Jun 26, 2024

For me it's just a matter of tradeoffs. And this project is quite complex in this regard. On the one hand you have Kubernetes that keeps evolving at a "fast" pace with releases every 6 months. On the other you have dependent projects, libraries, and frameworks that get stuck on a given version of this library. For me the goal is to keep things as stable as possible and as cross-compatible as possible so that there's no need to maintain multiple branches (major versions) of the project (which would likely be impossible with the amount of resources we have). Keeping the lowest possible java baseline while things stay simple enough is one of those tradeoffs. I suppose folks maintaining other popular libraries and tools such as JUnit face similar conundrums.

I agree, there will be always tradeoffs, probably the most important thing is to be as stable and cross-compatible as possible, if one of the tradeoffs is to drop support for an older Java version to keep things stable and maintainable, then is a very welcome tradeoff.

@manusa manusa changed the title Fabric8 Kubernetes Client 7.0.0 [INITIATIVE] Fabric8 Kubernetes Client 7.0.0 Jul 12, 2024
roczei added a commit to roczei/spark that referenced this issue Aug 23, 2024
…`esdk-obs-java` to 3.24.3

### What changes were proposed in this pull request?

This PR aims to upgrade `okhttp` to 4.12.0, `okio` to 3.9.0 and `esdk-obs-java` to 3.24.3.

### Why are the changes needed?

okhttp depends on okio which has to be upgraded as well.
The new okhttp version fixes the following vulnerabilities:

1)

CVE-2023-0833 - A flaw was found in Red Hat's AMQ-Streams,
which ships a version of the OKHttp component with an
information disclosure flaw via an exception triggered
by a header containing an illegal value. This issue could allow
an authenticated attacker to access information outside of their
regular permissions.

CVSSv3 Score:- 5.5(Medium)

https://nvd.nist.gov/vuln/detail/CVE-2023-0833

2)

CVE-2021-0341 - In verifyHostName of OkHostnameVerifier.java,
there is a possible way to accept a certificate for the wrong
domain due to improperly used crypto. This could lead to remote
information disclosure with no additional execution privileges
needed. User interaction is not needed for exploitation.

CVSSv3 Score:- 7.5(High)

https://nvd.nist.gov/vuln/detail/CVE-2021-0341
square/okhttp#6724

There are two places in the Spark repository where the okhttp dependency comes
in as transitive dependency:

1)

[INFO] +- org.apache.hadoop:hadoop-cloud-storage:jar:3.4.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:3.4.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-aliyun:jar:3.4.0:compile
[INFO] |  |  +- com.aliyun.oss:aliyun-sdk-oss:jar:3.13.2:compile
[INFO] |  |  |  +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] |  |  |  +- com.aliyun:aliyun-java-sdk-core:jar:4.5.10:compile
[INFO] |  |  |  |  +- org.ini4j:ini4j:jar:0.5.4:compile
[INFO] |  |  |  |  +- io.opentracing:opentracing-api:jar:0.33.0:compile
[INFO] |  |  |  |  \- io.opentracing:opentracing-util:jar:0.33.0:compile
[INFO] |  |  |  |     \- io.opentracing:opentracing-noop:jar:0.33.0:compile
[INFO] |  |  |  +- com.aliyun:aliyun-java-sdk-ram:jar:3.1.0:compile
[INFO] |  |  |  \- com.aliyun:aliyun-java-sdk-kms:jar:2.11.0:compile
[INFO] |  |  \- org.codehaus.jettison:jettison:jar:1.5.4:compile
[INFO] |  +- org.apache.hadoop:hadoop-azure-datalake:jar:3.4.0:compile
[INFO] |  |  \- com.microsoft.azure:azure-data-lake-store-sdk:jar:2.3.9:compile
[INFO] |  \- org.apache.hadoop:hadoop-huaweicloud:jar:3.4.0:compile
[INFO] |     \- com.huaweicloud:esdk-obs-java:jar:3.20.4.2:compile
[INFO] |        +- com.jamesmurty.utils:java-xmlbuilder:jar:1.2:compile
[INFO] |        +- com.squareup.okhttp3:okhttp:jar:3.14.2:compile
[INFO] |        \- com.squareup.okio:okio:jar:1.17.6:compile

The Hadoop team has attempted to remove okhttp from their codebase:

remove okhttp usage: https://issues.apache.org/jira/browse/HADOOP-18890

Unfortunately the hadoop-huaweicloud dependency is still there which
pulls in the vulnerable okhttp 3.x version.

https://github.com/apache/hadoop/blob/trunk/hadoop-cloud-storage-project/hadoop-cloud-storage/pom.xml#L137C19-L137C37

Proposed solution for this:

com.huaweicloud:esdk-obs-java:jar:3.20.4.2 is vulnerable due to
okhttp 3.x (CVE-2023-0833, CVE-2021-0341), it has to be upgraded to 3.24.3
which depends on okhttp 4.12.0

2)

[INFO] +- org.apache.spark:spark-kubernetes_2.13:jar:4.0.0-SNAPSHOT:compile
[INFO] |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.13.3:compile
[INFO] |  |  +- io.fabric8:kubernetes-client-api:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-core:jar:6.13.3:compile
[INFO] |  |  |  |  \- io.fabric8:kubernetes-model-common:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-gatewayapi:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-resource:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-rbac:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-admissionregistration:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-apps:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-autoscaling:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-apiextensions:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-batch:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-certificates:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-coordination:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-discovery:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-events:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-extensions:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-flowcontrol:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-networking:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-metrics:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-policy:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-scheduling:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-storageclass:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-node:jar:6.13.3:compile
[INFO] |  |  |  \- org.snakeyaml:snakeyaml-engine:jar:2.7:compile
[INFO] |  |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  |  |  \- com.squareup.okio:okio:jar:1.17.6:compile
[INFO] |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:compile

kubernet-client maintainers have decided to update okhttp from 3.x to 4.x in their upcoming version 7:
fabric8io/kubernetes-client#5778

My proposed solution based on the above finding:

Exclude the 3.x version and switch to use okhttp 4.x. Source:
https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

It is binary backwards compatible with okhttp 3.x. More details are here:

https://square.github.io/okhttp/upgrading_to_okhttp_4/

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.
@martinwunderlich-celonis

Hello all, I am wondering what the expected release date for version 7.0.0 currently is? We'd like to upgrade soon to get the new kubernetes client and get rid of the bouncy-castle dependency. Thanks!

@manusa
Copy link
Member Author

manusa commented Nov 11, 2024

We've made a lot of progress and we should be able to release in a couple of weeks.
In the meantime, you should be able to try the snapshots and report any bugs that might have come up while implementing the new features and after the refactoring efforts for the current ones.
If you're on the latest 6.13 release, the upgrade effort should be minimal.
Please, also check the Migration Guide and report anything that might be missing.

@martinwunderlich-celonis

@manusa Thanks a lot for the quick feedback. I have already tested with a local snapshot build and it all works fine. We haven't discovered any bugs and are looking forward very much to the release. :)

roczei added a commit to roczei/spark that referenced this issue Nov 15, 2024
…`esdk-obs-java` to 3.24.3

### What changes were proposed in this pull request?

This PR aims to upgrade `okhttp` to 4.12.0, `okio` to 3.9.0 and `esdk-obs-java` to 3.24.3.

### Why are the changes needed?

okhttp depends on okio which has to be upgraded as well.
The new okhttp version fixes the following vulnerabilities:

1)

CVE-2023-0833 - A flaw was found in Red Hat's AMQ-Streams,
which ships a version of the OKHttp component with an
information disclosure flaw via an exception triggered
by a header containing an illegal value. This issue could allow
an authenticated attacker to access information outside of their
regular permissions.

CVSSv3 Score:- 5.5(Medium)

https://nvd.nist.gov/vuln/detail/CVE-2023-0833

2)

CVE-2021-0341 - In verifyHostName of OkHostnameVerifier.java,
there is a possible way to accept a certificate for the wrong
domain due to improperly used crypto. This could lead to remote
information disclosure with no additional execution privileges
needed. User interaction is not needed for exploitation.

CVSSv3 Score:- 7.5(High)

https://nvd.nist.gov/vuln/detail/CVE-2021-0341
square/okhttp#6724

There are two places in the Spark repository where the okhttp dependency comes
in as transitive dependency:

1)

[INFO] +- org.apache.hadoop:hadoop-cloud-storage:jar:3.4.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:3.4.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-aliyun:jar:3.4.0:compile
[INFO] |  |  +- com.aliyun.oss:aliyun-sdk-oss:jar:3.13.2:compile
[INFO] |  |  |  +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] |  |  |  +- com.aliyun:aliyun-java-sdk-core:jar:4.5.10:compile
[INFO] |  |  |  |  +- org.ini4j:ini4j:jar:0.5.4:compile
[INFO] |  |  |  |  +- io.opentracing:opentracing-api:jar:0.33.0:compile
[INFO] |  |  |  |  \- io.opentracing:opentracing-util:jar:0.33.0:compile
[INFO] |  |  |  |     \- io.opentracing:opentracing-noop:jar:0.33.0:compile
[INFO] |  |  |  +- com.aliyun:aliyun-java-sdk-ram:jar:3.1.0:compile
[INFO] |  |  |  \- com.aliyun:aliyun-java-sdk-kms:jar:2.11.0:compile
[INFO] |  |  \- org.codehaus.jettison:jettison:jar:1.5.4:compile
[INFO] |  +- org.apache.hadoop:hadoop-azure-datalake:jar:3.4.0:compile
[INFO] |  |  \- com.microsoft.azure:azure-data-lake-store-sdk:jar:2.3.9:compile
[INFO] |  \- org.apache.hadoop:hadoop-huaweicloud:jar:3.4.0:compile
[INFO] |     \- com.huaweicloud:esdk-obs-java:jar:3.20.4.2:compile
[INFO] |        +- com.jamesmurty.utils:java-xmlbuilder:jar:1.2:compile
[INFO] |        +- com.squareup.okhttp3:okhttp:jar:3.14.2:compile
[INFO] |        \- com.squareup.okio:okio:jar:1.17.6:compile

The Hadoop team has attempted to remove okhttp from their codebase:

remove okhttp usage: https://issues.apache.org/jira/browse/HADOOP-18890

Unfortunately the hadoop-huaweicloud dependency is still there which
pulls in the vulnerable okhttp 3.x version.

https://github.com/apache/hadoop/blob/trunk/hadoop-cloud-storage-project/hadoop-cloud-storage/pom.xml#L137C19-L137C37

Proposed solution for this:

com.huaweicloud:esdk-obs-java:jar:3.20.4.2 is vulnerable due to
okhttp 3.x (CVE-2023-0833, CVE-2021-0341), it has to be upgraded to 3.24.3
which depends on okhttp 4.12.0

2)

[INFO] +- org.apache.spark:spark-kubernetes_2.13:jar:4.0.0-SNAPSHOT:compile
[INFO] |  +- io.fabric8:kubernetes-httpclient-okhttp:jar:6.13.3:compile
[INFO] |  |  +- io.fabric8:kubernetes-client-api:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-core:jar:6.13.3:compile
[INFO] |  |  |  |  \- io.fabric8:kubernetes-model-common:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-gatewayapi:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-resource:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-rbac:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-admissionregistration:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-apps:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-autoscaling:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-apiextensions:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-batch:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-certificates:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-coordination:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-discovery:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-events:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-extensions:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-flowcontrol:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-networking:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-metrics:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-policy:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-scheduling:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-storageclass:jar:6.13.3:compile
[INFO] |  |  |  +- io.fabric8:kubernetes-model-node:jar:6.13.3:compile
[INFO] |  |  |  \- org.snakeyaml:snakeyaml-engine:jar:2.7:compile
[INFO] |  |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  |  |  \- com.squareup.okio:okio:jar:1.17.6:compile
[INFO] |  |  \- com.squareup.okhttp3:logging-interceptor:jar:3.12.12:compile

kubernet-client maintainers have decided to update okhttp from 3.x to 4.x in their upcoming version 7:
fabric8io/kubernetes-client#5778

My proposed solution based on the above finding:

Exclude the 3.x version and switch to use okhttp 4.x. Source:
https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

It is binary backwards compatible with okhttp 3.x. More details are here:

https://square.github.io/okhttp/upgrading_to_okhttp_4/

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Pass the CIs.

### Was this patch authored or co-authored using generative AI tooling?

No.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants