Remove support for JMX over JMXMP (#618)

Remove support for JMX over JMXMP as it is insecure

Author: thegridman

.github/workflows/compatibility-tests.yaml

@@ -40,11 +40,9 @@ jobs:
         - 3.2.11
         - 3.2.10
         - 3.2.9
-#        - 3.2.8
         - 3.2.7
         - 3.2.6
         - 3.2.5
-        - 3.1.5
         include:
         - compatibilityVersion: 3.2.11
           coherence-image: "ghcr.io/oracle/coherence-ce:22.06.3"
@@ -58,10 +56,6 @@ jobs:
           coherence-image: "ghcr.io/oracle/coherence-ce:22.06.3"
           compatibilitySelector: control-plane=coherence
           k8s: kindest/node:v1.24.12@sha256:1e12918b8bc3d4253bc08f640a231bb0d3b2c5a9b28aa3f2ca1aee93e1e8db16
-#        - compatibilityVersion: 3.2.8
-#          coherence-image: "ghcr.io/oracle/coherence-ce:22.06.3"
-#          compatibilitySelector: control-plane=coherence
-#          k8s: kindest/node:v1.24.12@sha256:1e12918b8bc3d4253bc08f640a231bb0d3b2c5a9b28aa3f2ca1aee93e1e8db16
         - compatibilityVersion: 3.2.7
           coherence-image: "ghcr.io/oracle/coherence-ce:22.06.3"
           compatibilitySelector: control-plane=coherence
@@ -74,10 +68,6 @@ jobs:
           coherence-image: "ghcr.io/oracle/coherence-ce:22.06.3"
           compatibilitySelector: control-plane=coherence
           k8s: kindest/node:v1.24.12@sha256:1e12918b8bc3d4253bc08f640a231bb0d3b2c5a9b28aa3f2ca1aee93e1e8db16
-        - compatibilityVersion: 3.1.5
-          coherence-image: "ghcr.io/oracle/coherence-ce:21.12.4"
-          compatibilitySelector: control-plane=coherence
-          k8s: kindest/node:v1.21.14@sha256:27ef72ea623ee879a25fe6f9982690a3e370c68286f4356bf643467c552a3888
 
     steps:
     - uses: actions/checkout@v3

api/v1/coherence_types.go

@@ -631,11 +631,6 @@ type JVMSpec struct {
 	// Configure the JVM memory options.
 	// +optional
 	Memory *JvmMemorySpec `json:"memory,omitempty"`
-	// Configure JMX using JMXMP.
-	// Note: This should only be used in development as JMXMP does not have support for encrypted connections via TLS.
-	// Use in production should ideally put the JMXMP port behind some sort of TLS enabled ingress or network policy.
-	// +optional
-	Jmxmp *JvmJmxmpSpec `json:"jmxmp,omitempty"`
 	// A flag indicating whether to automatically add the default classpath for images
 	// created by the JIB tool https://github.com/GoogleContainerTools/jib
 	// If true then the /app/lib/* /app/classes and /app/resources
@@ -673,10 +668,6 @@ func (in *JVMSpec) UpdatePodTemplate(podTemplate *corev1.PodTemplateSpec) {
 			c.Env = append(c.Env, in.Memory.CreateEnvVars()...)
 		}
 
-		if in.Jmxmp != nil {
-			c.Env = append(c.Env, in.Jmxmp.CreateEnvVars()...)
-		}
-
 		if in.Gc != nil {
 			gc = in.Gc
 		}
@@ -1730,31 +1721,6 @@ func (in *JvmOutOfMemorySpec) CreateEnvVars() []corev1.EnvVar {
 	return envVars
 }
 
-// ----- JvmJmxmpSpec struct -------------------------------------------------------
-
-// JvmJmxmpSpec is options for configuring JMX using JMXMP.
-// +k8s:openapi-gen=true
-type JvmJmxmpSpec struct {
-	// If set to true the JMXMP support will be enabled.
-	// Default is false
-	// +optional
-	Enabled *bool `json:"enabled,omitempty"`
-	// The port tht the JMXMP MBeanServer should bind to.
-	// If not set the default port is 9099
-	// +optional
-	Port *int32 `json:"port,omitempty"`
-}
-
-// CreateEnvVars creates any required environment variables for the Coherence container
-func (in *JvmJmxmpSpec) CreateEnvVars() []corev1.EnvVar {
-	enabled := in != nil && in.Enabled != nil && *in.Enabled
-
-	envVars := []corev1.EnvVar{{Name: EnvVarJvmJmxmpEnabled, Value: strconv.FormatBool(enabled)}}
-	envVars = append(envVars, corev1.EnvVar{Name: EnvVarJvmJmxmpPort, Value: Int32PtrToStringWithDefault(in.Port, DefaultJmxmpPort)})
-
-	return envVars
-}
-
 // ----- PortSpecWithSSL struct ----------------------------------------------------
 
 // PortSpecWithSSL defines a port with SSL settings for a Coherence component

api/v1/constants.go

@@ -138,8 +138,6 @@ const (
 	DefaultManagementPort int32 = 30000
 	// DefaultMetricsPort is the default Coherence metrics port
 	DefaultMetricsPort int32 = 9612
-	// DefaultJmxmpPort is the default JMX over JMXMP port
-	DefaultJmxmpPort int32 = 9099
 	// DefaultHealthPort is the default health port
 	DefaultHealthPort int32 = 6676
 	// DefaultUnicastPort is the default Coherence unicast port
@@ -247,8 +245,6 @@ const (
 	EnvVarJvmMemoryNativeTracking     = "JVM_NATIVE_MEMORY_TRACKING"
 	EnvVarJvmOomExit                  = "JVM_OOM_EXIT"
 	EnvVarJvmOomHeapDump              = "JVM_OOM_HEAP_DUMP"
-	EnvVarJvmJmxmpEnabled             = "JVM_JMXMP_ENABLED"
-	EnvVarJvmJmxmpPort                = "JVM_JMXMP_PORT"
 	EnvVarSpringBootFatJar            = "COH_SPRING_BOOT_FAT_JAR"
 	EnvVarCnbpEnabled                 = "COH_CNBP_ENABLED"
 	EnvVarCnbpLauncher                = "COH_CNBP_LAUNCHER"

api/v1/create_job_jvmspec_test.go

@@ -440,67 +440,3 @@ func TestCreateJobWithJvmSpecWithHeapDumpOnOomFalse(t *testing.T) {
 	// assert that the Job is as expected
 	assertJobCreation(t, deployment, jobExpected)
 }
-
-func TestCreateJobWithJvmSpecWithJmxmpEnabledTrue(t *testing.T) {
-
-	spec := coh.CoherenceResourceSpec{
-		JVM: &coh.JVMSpec{
-			Jmxmp: &coh.JvmJmxmpSpec{
-				Enabled: boolPtr(true),
-			},
-		},
-	}
-
-	// Create the test deployment
-	deployment := createTestCoherenceJob(spec)
-	// Create expected Job
-	jobExpected := createMinimalExpectedJob(deployment)
-	addEnvVarsToJob(jobExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_ENABLED", Value: "true"})
-	addEnvVarsToJob(jobExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_PORT", Value: "9099"})
-
-	// assert that the Job is as expected
-	assertJobCreation(t, deployment, jobExpected)
-}
-
-func TestCreateJobWithJvmSpecWithJmxmpEnabledFalse(t *testing.T) {
-
-	spec := coh.CoherenceResourceSpec{
-		JVM: &coh.JVMSpec{
-			Jmxmp: &coh.JvmJmxmpSpec{
-				Enabled: boolPtr(false),
-			},
-		},
-	}
-
-	// Create the test deployment
-	deployment := createTestCoherenceJob(spec)
-	// Create expected Job
-	jobExpected := createMinimalExpectedJob(deployment)
-	addEnvVarsToJob(jobExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_ENABLED", Value: "false"})
-	addEnvVarsToJob(jobExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_PORT", Value: "9099"})
-
-	// assert that the Job is as expected
-	assertJobCreation(t, deployment, jobExpected)
-}
-
-func TestCreateJobWithJvmSpecWithJmxmpEnabledWithPort(t *testing.T) {
-
-	spec := coh.CoherenceResourceSpec{
-		JVM: &coh.JVMSpec{
-			Jmxmp: &coh.JvmJmxmpSpec{
-				Enabled: boolPtr(true),
-				Port:    int32Ptr(1234),
-			},
-		},
-	}
-
-	// Create the test deployment
-	deployment := createTestCoherenceJob(spec)
-	// Create expected Job
-	jobExpected := createMinimalExpectedJob(deployment)
-	addEnvVarsToJob(jobExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_ENABLED", Value: "true"})
-	addEnvVarsToJob(jobExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_PORT", Value: "1234"})
-
-	// assert that the Job is as expected
-	assertJobCreation(t, deployment, jobExpected)
-}

api/v1/create_statefulset_jvmspec_test.go

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2023, Oracle and/or its affiliates.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -440,67 +440,3 @@ func TestCreateStatefulSetWithJvmSpecWithHeapDumpOnOomFalse(t *testing.T) {
 	// assert that the StatefulSet is as expected
 	assertStatefulSetCreation(t, deployment, stsExpected)
 }
-
-func TestCreateStatefulSetWithJvmSpecWithJmxmpEnabledTrue(t *testing.T) {
-
-	spec := coh.CoherenceResourceSpec{
-		JVM: &coh.JVMSpec{
-			Jmxmp: &coh.JvmJmxmpSpec{
-				Enabled: boolPtr(true),
-			},
-		},
-	}
-
-	// Create the test deployment
-	deployment := createTestDeployment(spec)
-	// Create expected StatefulSet
-	stsExpected := createMinimalExpectedStatefulSet(deployment)
-	addEnvVars(stsExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_ENABLED", Value: "true"})
-	addEnvVars(stsExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_PORT", Value: "9099"})
-
-	// assert that the StatefulSet is as expected
-	assertStatefulSetCreation(t, deployment, stsExpected)
-}
-
-func TestCreateStatefulSetWithJvmSpecWithJmxmpEnabledFalse(t *testing.T) {
-
-	spec := coh.CoherenceResourceSpec{
-		JVM: &coh.JVMSpec{
-			Jmxmp: &coh.JvmJmxmpSpec{
-				Enabled: boolPtr(false),
-			},
-		},
-	}
-
-	// Create the test deployment
-	deployment := createTestDeployment(spec)
-	// Create expected StatefulSet
-	stsExpected := createMinimalExpectedStatefulSet(deployment)
-	addEnvVars(stsExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_ENABLED", Value: "false"})
-	addEnvVars(stsExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_PORT", Value: "9099"})
-
-	// assert that the StatefulSet is as expected
-	assertStatefulSetCreation(t, deployment, stsExpected)
-}
-
-func TestCreateStatefulSetWithJvmSpecWithJmxmpEnabledWithPort(t *testing.T) {
-
-	spec := coh.CoherenceResourceSpec{
-		JVM: &coh.JVMSpec{
-			Jmxmp: &coh.JvmJmxmpSpec{
-				Enabled: boolPtr(true),
-				Port:    int32Ptr(1234),
-			},
-		},
-	}
-
-	// Create the test deployment
-	deployment := createTestDeployment(spec)
-	// Create expected StatefulSet
-	stsExpected := createMinimalExpectedStatefulSet(deployment)
-	addEnvVars(stsExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_ENABLED", Value: "true"})
-	addEnvVars(stsExpected, coh.ContainerNameCoherence, corev1.EnvVar{Name: "JVM_JMXMP_PORT", Value: "1234"})
-
-	// assert that the StatefulSet is as expected
-	assertStatefulSetCreation(t, deployment, stsExpected)
-}

api/v1/zz_generated.deepcopy.go

@@ -38,7 +38,6 @@ TIP: This document was generated from comments in the Go structs in the pkg/api/
 * <<JVMSpec,JVMSpec>>
 * <<JvmDebugSpec,JvmDebugSpec>>
 * <<JvmGarbageCollectorSpec,JvmGarbageCollectorSpec>>
-* <<JvmJmxmpSpec,JvmJmxmpSpec>>
 * <<JvmMemorySpec,JvmMemorySpec>>
 * <<JvmOutOfMemorySpec,JvmOutOfMemorySpec>>
 * <<LocalObjectReference,LocalObjectReference>>
@@ -328,7 +327,6 @@ m| useContainerLimits | If set to true Adds the  -XX:+UseContainerSupport JVM op
 m| gc | Set JVM garbage collector options. m| &#42;<<JvmGarbageCollectorSpec,JvmGarbageCollectorSpec>> | false
 m| diagnosticsVolume | DiagnosticsVolume is the volume to write JVM diagnostic information to, for example heap dumps, JFRs etc. m| &#42;https://{k8s-doc-link}/#volume-v1-core | false
 m| memory | Configure the JVM memory options. m| &#42;<<JvmMemorySpec,JvmMemorySpec>> | false
-m| jmxmp | Configure JMX using JMXMP. Note: This should only be used in development as JMXMP does not have support for encrypted connections via TLS. Use in production should ideally put the JMXMP port behind some sort of TLS enabled ingress or network policy. m| &#42;<<JvmJmxmpSpec,JvmJmxmpSpec>> | false
 m| useJibClasspath | A flag indicating whether to automatically add the default classpath for images created by the JIB tool https://github.com/GoogleContainerTools/jib If true then the /app/lib/* /app/classes and /app/resources entries are added to the JVM classpath. The default value fif not specified is true. m| &#42;bool | false
 |===
 
@@ -363,19 +361,6 @@ m| logging | Enable the following GC logging args  -verbose:gc -XX:+PrintGCDetai
 
 <<Table of Contents,Back to TOC>>
 
-=== JvmJmxmpSpec
-
-JvmJmxmpSpec is options for configuring JMX using JMXMP.
-
-[cols="1,10,1,1"options="header"]
-|===
-| Field | Description | Type | Required
-m| enabled | If set to true the JMXMP support will be enabled. Default is false m| &#42;bool | false
-m| port | The port tht the JMXMP MBeanServer should bind to. If not set the default port is 9099 m| &#42;int32 | false
-|===
-
-<<Table of Contents,Back to TOC>>
-
 === JvmMemorySpec
 
 JvmMemorySpec is options for managing the JVM memory.

docs/about/04_coherence_spec.adoc

@@ -62,13 +62,6 @@ Configuring the heap size and other memory settings.
 Using debugger settings.
 --
 
-[CARD]
-.JMX
-[link=docs/jvm/080_jmx.adoc]
---
-Using JMX.
---
-
 [CARD]
 .Use Container Limits
 [link=docs/jvm/090_container_limits.adoc]