Specifying additional CA certificate bindings in the Spring Boot Gradle plugin


Is it possible to show some examples of how to specify additional CA certificate bindings in the Spring Boot Gradle plugin?

I have tried the following:

bootBuildImage {
  bindings = [ "${project.projectDir}/bindings/ca-certificates:/platform/bindings/ca-certificates" ]
}

And

bootBuildImage {
    bindings = ['./bindings/ca-certificates:/platform/bindings/ca-certificates']
}

The error I get is:

2023-01-09T16:28:11.799+0800 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] 
Execution failed for task ':ProjectA:bootBuildImage'.
> Docker API call to 'localhost/v1.24/containers/create' failed with status code 500 "Internal Server Error"

If I remove the bindings lines above, the error is gone, but I hit another error with the TLS certificate, which is expected because I am behind a corporate web proxy that replaces the certificate of the website with its own, which is internal to our company.

The Docker version I use is 4.8.2 (Docker 20.10.14). Spring Boot version is 3.0.1. GraalVM plugin is org.graalvm.buildtools.native 0.9.19.

There's no example for setting bindings in the Spring Boot Build Tool docs (at the time I write this), but setting bindings is done in the same place.

In addition, each binding in the list you specify is passed through to Docker, so the actual value should be set just like what you would pass to pack build --volume or docker run -v command. The Paketo Docs provide an example using pack build.

Putting this all together, this should work:

tasks.named("bootBuildImage") {
    bindings = ["${project.projectDir}/ca-certficates/binding:/platform/bindings/ca-certificates"]
}

A few notes:

  1. This will only add the binding during build time, so the CA certificates are only added during the build of the image. You would need to docker run --volume "$(pwd)/ca-certficates/binding:/platform/bindings/ca-certificates" ... (or equivalent for your orchestrator of choice) and pass the CA certificate bindings in at run time as well. Alternatively, you can set BP_EMBED_CERTS=true at build time and it will embed your CA certificates into the container image so you don't need to include them at runtime.

  2. If you are specifying a custom buildpack order, you need to ensure the paketo-buildpacks/ca-certificates buildpack runs before your JVM provider buildpack. Otherwise, the JVM provider won't have access to your CA certificates and won't be able to load them into the JVM. This often happens if you are using an alternative JVM provider, instead of the Paketo default Bellsoft Liberica.

  3. The above assumes you are not setting SERVICE_BINDING_ROOT at build time. This environment variable changes the location inside the container where the buildpack can expect your bindings. The default is /platform/bindings/... which is why I'm using that path above. The Paketo docs set SERVICE_BINDING_ROOT=/bindings and then use the path /bindings/ca-certificates. You can do this, but there is no real advantage. One way the path is slightly longer; the other way you have to enter an extra env variable. Totally your preference, you just need to make sure you're consistent.
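As an added example (not from the question or the answer above): a POSIX shell helper that builds the host directory the bindings line points at, in the layout the paketo-buildpacks/ca-certificates buildpack expects (a type file containing the string ca-certificates plus one PEM-encoded CA certificate per file), and sanity-checks it before bootBuildImage hands the path to Docker, since Docker bind mounts need an existing, absolute host path. The function names and the corp-proxy.pem file name are my own.

```shell
#!/bin/sh
# Layout consumed by the paketo-buildpacks/ca-certificates buildpack:
#   <dir>/type        -> the literal string "ca-certificates"
#   <dir>/<name>.pem  -> one PEM-encoded CA certificate per file
# Both function names below are assumptions for this example.

# make_ca_binding DIR CERT...  : create DIR with the type file and copy the certs in
make_ca_binding() {
  dir=$1; shift
  mkdir -p "$dir" || return 1
  printf 'ca-certificates' > "$dir/type"
  for cert in "$@"; do
    cp "$cert" "$dir/" || return 1
  done
}

# check_ca_binding DIR : return 0 when DIR is usable as the host side of the binding
check_ca_binding() {
  dir=$1
  # The Docker API rejects relative host paths for bind mounts.
  case "$dir" in
    /*) ;;
    *) echo "host path must be absolute: $dir" >&2; return 1 ;;
  esac
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  # The buildpack only picks up bindings whose type file says ca-certificates.
  [ "$(cat "$dir/type" 2>/dev/null)" = "ca-certificates" ] \
    || { echo "type file must contain ca-certificates" >&2; return 1; }
  found=0
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    [ "$(basename "$f")" = "type" ] && continue
    # Every other entry must be a PEM certificate, or the JVM import step fails.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
      || { echo "not a PEM certificate: $f" >&2; return 1; }
    found=$((found + 1))
  done
  [ "$found" -gt 0 ] || { echo "no certificates in $dir" >&2; return 1; }
  echo "binding OK ($found certificate(s)): $dir:/platform/bindings/ca-certificates"
}
```

Run check_ca_binding on the same absolute path you put in the bindings list; the line it prints is the value to pass to bootBuildImage or to docker run --volume.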