Merge branch 'master' into issue-2357-upgrade-k8s-1.35

Author: commjoen

.github/scripts/.bash_history

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="OeyxzcLdUbln0KxnhlQaT2wQKfpJpV/A7/ach+erH4M="
+export tempPassword="mVskm4vj9tBf4BqqQEyPaFtTAFJ+K9csVbQkwF3Kj04="
 mvn run tempPassword
 k6
 npx k6

.github/scripts/docker-create.sh

@@ -64,8 +64,7 @@ Heroku_publish_demo() {
     heroku container:login
     echo "heroku deployment to demo"
     cd ../..
-    # heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
-    heroku container:push --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
+    heroku container:push web --arg argBasedVersion=${tag} --app arcane-scrubland-42646
     heroku container:release web --app arcane-scrubland-42646
     # heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
     # heroku container:release web --app wrongsecrets-ctf

Dockerfile

@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.13.1-alpha5"
+ARG argBasedVersion="1.13.1-alpha6"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
@@ -59,7 +59,7 @@ RUN mkdir -p /var/run/secrets/kubernetes.io/serviceaccount && \
     chmod 600 /var/run/secrets/kubernetes.io/serviceaccount/token
 
 # Create a dynamic archive
-RUN java --add-modules=jdk.unsupported -XX:ArchiveClassesAtExit=application.jsa -Dspring.context.exit=onRefresh -jar application.jar
+RUN java -XX:ArchiveClassesAtExit=application.jsa -Dspring.context.exit=onRefresh -jar application.jar
 
 # Clean up the mocked token
 RUN rm -rf /var/run/secrets/kubernetes.io
@@ -71,5 +71,4 @@ RUN rm -rf /var/run/secrets/kubernetes.io
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
 
-CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
-# CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar
+CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha5-no-vault
-ARG argBasedVersion="1.13.1-alpha5-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault
+ARG argBasedVersion="1.13.1-alpha6-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
@@ -21,6 +21,7 @@ ENV K8S_ENV=Heroku(Docker)
 ENV canarytokenURLs=$CANARY_URLS
 ENV ctf_enabled=$CTF_ENABLED
 ENV ctf_key=$CTF_KEY
+ENV SPRING_PROFILES_ACTIVE=without-vault
 ENV hints_enabled=$HINTS_ENABLED
 ENV challengedockermtpath="/var/helpers"
 ENV keepasspath="/var/helpers/alibabacreds.kdbx"
@@ -36,8 +37,9 @@ ENV default_aws_value_challenge_10=$CHALLENGE_10_VALUE
 ENV default_aws_value_challenge_11=$CHALLENGE_11_VALUE
 ENV BASTIONHOSTPATH="/home/wrongsecrets/.ssh"
 ENV PROJECTSPECPATH="/var/helpers/project-specification.mdc"
+ENV funnybunny="This is a funny bunny"
 COPY .github/scripts/ /var/helpers
 COPY src/test/resources/alibabacreds.kdbx /var/helpers
 COPY src/test/resources/RSAprivatekey.pem /var/helpers
 COPY .ssh/ /home/wrongsecrets/.ssh/
-CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D  application.jar
+CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=without-vault -Dserver.port=${PORT} -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar

aws/k8s/secret-challenge-vault-deployment.yml

@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha5-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha6-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -61,7 +61,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha5-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha6-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]

docs/SPRING_BOOT_4_ADOPTION_CHECKLIST.md

@@ -21,24 +21,24 @@ This checklist is tailored to the current `wrongsecrets` codebase (Spring Boot `
 
 ### 1) Standardize HTTP error responses with `ProblemDetail`
 
-- [ ] Add a global `@RestControllerAdvice` for API endpoints that returns `ProblemDetail`.
-- [ ] Keep MVC HTML error handling as-is for Thymeleaf pages; only modernize JSON API errors.
-- [ ] Add tests that assert RFC 9457-style payload fields (`type`, `title`, `status`, `detail`, `instance`).
+- [x] Add a global `@RestControllerAdvice` for API endpoints that returns `ProblemDetail`.
+- [x] Keep MVC HTML error handling as-is for Thymeleaf pages; only modernize JSON API errors.
+- [x] Add tests that assert RFC 9457-style payload fields (`type`, `title`, `status`, `detail`, `instance`).
 
 **Why now:** Reduces custom exception payload drift and improves API consistency.
 
 ### 2) Replace new `RestTemplate` usage with `RestClient`
 
-- [ ] Stop introducing any new `RestTemplate` usage.
-- [ ] Migrate existing bean in `WrongSecretsApplication` from `RestTemplate` to `RestClient.Builder`.
-- [ ] Migrate call sites incrementally (start with `SlackNotificationService`).
-- [ ] Add timeout and retry policy explicitly for outbound calls.
+- [x] Stop introducing any new `RestTemplate` usage.
+- [x] Migrate existing bean in `WrongSecretsApplication` from `RestTemplate` to `RestClient.Builder`.
+- [x] Migrate call sites incrementally (start with `SlackNotificationService`).
+- [x] Add timeout and retry policy explicitly for outbound calls.
 
 **Current state:** `RestTemplate` bean and usage exist and can be migrated safely in phases.
 
 ### 3) Add/verify deprecation gate in CI
 
-- [ ] Run compile with deprecation warnings enabled in CI (`-Xlint:deprecation`).
+- [x] Run compile with deprecation warnings enabled in CI (`-Xlint:deprecation`).
 - [ ] Fail build on newly introduced deprecations (can be soft-fail initially).
 - [ ] Track remaining suppressions/deprecations as explicit TODOs.
 
@@ -139,8 +139,8 @@ This checklist is tailored to the current `wrongsecrets` codebase (Spring Boot `
 
 ## Definition of done for Boot 4 adoption
 
-- [ ] No new `RestTemplate` code introduced.
-- [ ] API errors are standardized on `ProblemDetail`.
-- [ ] Deprecation warnings are tracked and controlled in CI.
+- [x] No new `RestTemplate` code introduced.
+- [x] API errors are standardized on `ProblemDetail`.
+- [x] Deprecation warnings are tracked and controlled in CI.
 - [ ] Observability baseline (metrics, traces, log correlation) is active in non-local profiles.
 - [ ] Migration choices and rollout decisions are documented in `docs/`.

docs/VERSION_MANAGEMENT.md

@@ -12,9 +12,9 @@ The project maintains version consistency between:
 ## Version Schema
 
 ```
-pom.xml version:        1.13.1-alpha5-SNAPSHOT
-Dockerfile version:     1.13.1-alpha5
-Dockerfile.web version: 1.13.1-alpha5-no-vault
+pom.xml version:        1.13.1-alpha6-SNAPSHOT
+Dockerfile version:     1.13.1-alpha6
+Dockerfile.web version: 1.13.1-alpha6-no-vault
 ```
 
 ## Automated Solutions

fly.toml

@@ -8,7 +8,7 @@ app = "wrongsecrets"
 primary_region = "ams"
 
 [build]
-  image = "docker.io/jeroenwillemsen/wrongsecrets:1.13.1-alpha5-no-vault"
+  image = "docker.io/jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault"
 
 [env]
   K8S_ENV = "Fly(Docker)"

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha5-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha6-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]