Switch the operator build to a shaded jar

jfaltermeier · jfaltermeier · commit c92ea4b41fe2 · 2026-04-15T11:18:00.000Z
* package the default operator with maven-shade-plugin so that
META-INF/services files are merged correctly
* deploy theia-cloud-base before theia-cloud-crds so the self-signed CA
issuer exists when the conversion webhook certificate is created
* add cert-manager installation step to the OpenShift setup docs
* use K8SANNOTATION bandwidth limiter instead of WONDERSHAPER to avoid
NET_ADMIN capability requirement on OpenShift
* document how to push custom images to the CRC internal registry,
including namespace/ImageStream creation and CA trust setup
* add commented-out image override examples to theia_cloud.tf
diff --git a/dockerfiles/operator/Dockerfile b/dockerfiles/operator/Dockerfile
@@ -17,7 +17,7 @@ RUN mkdir /templates
 WORKDIR /log-config
 COPY java/operator/org.eclipse.theia.cloud.defaultoperator/log4j2.xml .
 WORKDIR /operator
-COPY --from=builder /operator/operator/org.eclipse.theia.cloud.defaultoperator/target/defaultoperator-1.2.0-jar-with-dependencies.jar .
+COPY --from=builder /operator/operator/org.eclipse.theia.cloud.defaultoperator/target/defaultoperator-1.2.0.jar .
 # to get more debug information from the kubernetes client itself, add -Dorg.slf4j.simpleLogger.defaultLogLevel=DEBUG below
-ENTRYPOINT [ "java", "-Dlog4j2.configurationFile=/log-config/log4j2.xml", "-jar", "./defaultoperator-1.2.0-jar-with-dependencies.jar" ]
+ENTRYPOINT [ "java", "-Dlog4j2.configurationFile=/log-config/log4j2.xml", "-jar", "./defaultoperator-1.2.0.jar" ]
 CMD [ "" ]
diff --git a/java/common/maven-conf/pom.xml b/java/common/maven-conf/pom.xml
@@ -18,7 +18,7 @@
         <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
         <guice.version>7.0.0</guice.version>
         <log4j.version>2.25.1</log4j.version>
-        <maven-assembly-plugin.version>3.7.1</maven-assembly-plugin.version>
+        <maven-shade-plugin.version>3.6.0</maven-shade-plugin.version>
         <maven-compiler-plugin.version>3.14.0</maven-compiler-plugin.version>
         <surefire-plugin.version>3.5.3</surefire-plugin.version>
         <google.artifactregistry-maven-wagon-version>2.2.5</google.artifactregistry-maven-wagon-version>
diff --git a/java/operator/org.eclipse.theia.cloud.defaultoperator/pom.xml b/java/operator/org.eclipse.theia.cloud.defaultoperator/pom.xml
@@ -88,26 +88,36 @@
             </plugin>
 
             <plugin>
-                <artifactId>maven-assembly-plugin</artifactId>
-                <version>${maven-assembly-plugin.version}</version>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <mainClass>
-                                org.eclipse.theia.cloud.defaultoperator.DefaultTheiaCloudOperatorLauncher</mainClass>
-                        </manifest>
-                    </archive>
-                    <descriptorRefs>
-                        <descriptorRef>jar-with-dependencies</descriptorRef>
-                    </descriptorRefs>
-                </configuration>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>${maven-shade-plugin.version}</version>
                 <executions>
                     <execution>
-                        <id>make-assembly</id>
                         <phase>package</phase>
                         <goals>
-                            <goal>single</goal>
+                            <goal>shade</goal>
                         </goals>
+                        <configuration>
+                            <transformers>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                                    <mainClass>org.eclipse.theia.cloud.defaultoperator.DefaultTheiaCloudOperatorLauncher</mainClass>
+                                </transformer>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheLicenseResourceTransformer"/>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ApacheNoticeResourceTransformer"/>
+                            </transformers>
+                            <filters>
+                                <filter>
+                                    <artifact>*:*</artifact>
+                                    <excludes>
+                                        <exclude>META-INF/*.SF</exclude>
+                                        <exclude>META-INF/*.DSA</exclude>
+                                        <exclude>META-INF/*.RSA</exclude>
+                                    </excludes>
+                                </filter>
+                            </filters>
+                            <createDependencyReducedPom>false</createDependencyReducedPom>
+                        </configuration>
                     </execution>
                 </executions>
             </plugin>
diff --git a/terraform/test-configurations/4-01_openshift_monitor/.terraform.lock.hcl b/terraform/test-configurations/4-01_openshift_monitor/.terraform.lock.hcl
diff --git a/terraform/test-configurations/4-01_openshift_monitor/theia_cloud.tf b/terraform/test-configurations/4-01_openshift_monitor/theia_cloud.tf
@@ -14,16 +14,7 @@ provider "helm" {
   }
 }
 
-resource "helm_release" "theia-cloud-crds" {
-  name             = "theia-cloud-crds"
-  chart            = "../../../../theia-cloud-helm/charts/theia-cloud-crds"
-  namespace        = "theia-cloud"
-  create_namespace = true
-}
-
 resource "helm_release" "theia-cloud-base" {
-  depends_on = [helm_release.theia-cloud-crds]
-
   name             = "theia-cloud-base"
   chart            = "../../../../theia-cloud-helm/charts/theia-cloud-base"
   namespace        = "theia-cloud"
@@ -34,20 +25,25 @@ resource "helm_release" "theia-cloud-base" {
       name  = "operator.cloudProvider"
       value = "OPENSHIFT"
     },
-    {
-      name  = "issuerca.enable"
-      value = "false"
-    },
     {
       name  = "issuerprod.enable"
       value = "false"
     }
   ]
 }
 
-resource "helm_release" "theia-cloud" {
+resource "helm_release" "theia-cloud-crds" {
   depends_on = [helm_release.theia-cloud-base]
 
+  name             = "theia-cloud-crds"
+  chart            = "../../../../theia-cloud-helm/charts/theia-cloud-crds"
+  namespace        = "theia-cloud"
+  create_namespace = true
+}
+
+resource "helm_release" "theia-cloud" {
+  depends_on = [helm_release.theia-cloud-crds]
+
   name             = "theia-cloud"
   chart            = "../../../../theia-cloud-helm/charts/theia-cloud"
   namespace        = "theia-cloud"
@@ -65,6 +61,31 @@ resource "helm_release" "theia-cloud" {
     {
       name  = "operator.cloudProvider"
       value = "OPENSHIFT"
-    }
+    },
+    # Uncomment to use locally built images (see openshift.md)
+    # {
+    #   name  = "operator.image"
+    #   value = "image-registry.openshift-image-registry.svc:5000/theia-cloud/theia-cloud-operator:dev"
+    # },
+    # {
+    #   name  = "operator.imagePullPolicy"
+    #   value = "Always"
+    # },
+    # {
+    #   name  = "service.image"
+    #   value = "image-registry.openshift-image-registry.svc:5000/theia-cloud/theia-cloud-service:dev"
+    # },
+    # {
+    #   name  = "service.imagePullPolicy"
+    #   value = "Always"
+    # },
+    # {
+    #   name  = "landingPage.image"
+    #   value = "image-registry.openshift-image-registry.svc:5000/theia-cloud/theia-cloud-landing-page:dev"
+    # },
+    # {
+    #   name  = "landingPage.imagePullPolicy"
+    #   value = "Always"
+    # },
   ]
 }
diff --git a/terraform/test-configurations/openshift.md b/terraform/test-configurations/openshift.md
@@ -50,6 +50,123 @@ oc get routes -A   # should show OpenShift console routes
 # OpenShift Local uses: apps-crc.testing
 ```
 
+## Building and Pushing Custom Images
+
+When developing locally, you can build custom Theia Cloud images and push them to the CRC internal image registry. This avoids the need for an external registry.
+
+### Registry Overview
+
+OpenShift Local ships with an internal image registry. It is exposed externally via a Route at `default-route-openshift-image-registry.apps-crc.testing` (uses a self-signed certificate). Inside the cluster, pods pull from `image-registry.openshift-image-registry.svc:5000`.
+
+There are two addresses to keep in mind:
+
+| Address | Usage |
+| ------- | ----- |
+| `default-route-openshift-image-registry.apps-crc.testing` | External, used to push images from the host |
+| `image-registry.openshift-image-registry.svc:5000` | Internal, used by pods to pull images |
+
+### Logging in to the Registry
+
+The registry uses the CRC self-signed CA, so docker/podman needs to trust it or skip verification.
+
+With podman:
+
+```bash
+oc login -u kubeadmin https://api.crc.testing:6443
+podman login --tls-verify=false -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing
+```
+
+With docker, you need to trust the CRC CA certificate. The `insecure-registries` daemon option alone is not sufficient because Docker's OAuth token exchange still verifies TLS. Extract the CRC CA and install it as a system-trusted certificate:
+
+```bash
+# Extract the CRC ingress CA certificate
+oc extract secret/router-ca --keys=tls.crt -n openshift-ingress-operator --confirm
+sudo cp tls.crt /usr/local/share/ca-certificates/crc-ingress-ca.crt
+sudo update-ca-certificates
+sudo systemctl restart docker
+```
+
+Then log in:
+
+```bash
+docker login -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing
+```
+
+### Building and Pushing Images
+
+Make sure you have logged in to the registry first (see [Logging in to the Registry](#logging-in-to-the-registry)).
+
+The OpenShift internal registry requires the target namespace and ImageStreams to exist before you can push images. Create them if they do not exist yet:
+
+```bash
+oc new-project theia-cloud || true
+oc create imagestream theia-cloud-operator -n theia-cloud
+oc create imagestream theia-cloud-service -n theia-cloud
+oc create imagestream theia-cloud-landing-page -n theia-cloud
+```
+
+All docker builds run from the `theia-cloud` repository root. The tag format is `default-route-openshift-image-registry.apps-crc.testing/<namespace>/<image>:<tag>`. Use the `theia-cloud` namespace to match the Helm deployment.
+
+| Component    | Dockerfile                            | Build context | Helm value to override |
+| ------------ | ------------------------------------- | ------------- | ---------------------- |
+| Operator     | `dockerfiles/operator/Dockerfile`     | repo root (`.`) | `operator.image`     |
+| Service      | `dockerfiles/service/Dockerfile`      | repo root (`.`) | `service.image`      |
+| Landing Page | `dockerfiles/landing-page/Dockerfile` | repo root (`.`) | `landingPage.image`  |
+
+All commands below assume you are in the `theia-cloud` repository root.
+
+Operator:
+
+```bash
+EXT_REG=default-route-openshift-image-registry.apps-crc.testing
+
+docker build -f dockerfiles/operator/Dockerfile -t $EXT_REG/theia-cloud/theia-cloud-operator:dev .
+docker push $EXT_REG/theia-cloud/theia-cloud-operator:dev
+```
+
+Service:
+
+```bash
+docker build -f dockerfiles/service/Dockerfile -t $EXT_REG/theia-cloud/theia-cloud-service:dev .
+docker push $EXT_REG/theia-cloud/theia-cloud-service:dev
+```
+
+Landing Page:
+
+```bash
+docker build -f dockerfiles/landing-page/Dockerfile -t $EXT_REG/theia-cloud/theia-cloud-landing-page:dev .
+docker push $EXT_REG/theia-cloud/theia-cloud-landing-page:dev
+```
+
+### Overriding Images in the Helm Deployment
+
+When deploying via terraform (`4-01_openshift_monitor/theia_cloud.tf`), add `set` blocks to override the image. Inside the cluster, use the internal registry address (not the external route):
+
+```hcl
+{
+  name  = "operator.image"
+  value = "image-registry.openshift-image-registry.svc:5000/theia-cloud/theia-cloud-operator:dev"
+},
+{
+  name  = "operator.imagePullPolicy"
+  value = "Always"
+}
+```
+
+Set `imagePullPolicy` to `Always` during development so that new pushes with the same tag are picked up.
+
+See the commented-out examples in `4-01_openshift_monitor/theia_cloud.tf` for all three images.
+
+### Verifying the Image Was Pushed
+
+```bash
+# List images in the theia-cloud namespace
+oc get imagestreams -n theia-cloud
+
+# Check a specific image
+oc get imagestreamtag -n theia-cloud theia-cloud-operator:dev
+```
+
 ## Key Differences from Minikube
 
 * No external DNS needed, OpenShift Local configures a local DNS resolver, routes are accessible from the host at `*.apps-crc.testing`
@@ -93,17 +210,26 @@ The configuration accepts the following variables:
 
 ## Step 4-01, Deploy Theia Cloud on OpenShift
 
+Install cert-manager before deploying Theia Cloud. The CRDs chart uses cert-manager to generate the conversion webhook certificate. Wait for the cert-manager pods to be ready before proceeding.
+
+```bash
+oc apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml
+oc rollout status deployment/cert-manager-webhook -n cert-manager --timeout=120s
+```
+
+Then deploy Theia Cloud:
+
 ```bash
 cd terraform/test-configurations/4-01_openshift_monitor
 
 terraform init
 terraform apply
 ```
 
-This installs:
+This installs (in order):
 
-* `theia-cloud-crds`, Custom Resource Definitions
-* `theia-cloud-base`, base RBAC and cluster roles
+* `theia-cloud-base`, RBAC, cluster roles, and cert-manager issuers
+* `theia-cloud-crds`, Custom Resource Definitions and conversion webhook
 * `theia-cloud`, operator, landing page, and service with OpenShift route configuration
 
 ## Verification
diff --git a/terraform/values/valuesOpenShiftMonitor.yaml b/terraform/values/valuesOpenShiftMonitor.yaml
@@ -39,7 +39,7 @@ service:
 
 operator:
   eagerStart: false
-  bandwidthLimiter: "WONDERSHAPER"
+  bandwidthLimiter: "K8SANNOTATION"
   sessionsPerUser: "3"
 
 ingress:
