appsody / stacks

Appsody application stacks. This repo will be archived soon.
https://appsody.dev
Apache License 2.0
89 stars 120 forks

java-microprofile stack exposes "http" port to k8s, preventing usage of security-related features in Liberty #545

Open nastacio opened 4 years ago

nastacio commented 4 years ago

Describe the bug

The app-deploy.yaml file for the java-microprofile stack lists port 9080 (unencrypted) as the port to be exposed to the cluster. Many of the Liberty features (such as restConnector) refuse connections on that port.

To Reproduce

Steps to reproduce the behavior:

  1. Create a new java-microprofile application with appsody init java-microprofile
  2. Add the <feature>restConnector-2.0</feature> to server.xml
  3. Try one of the URLs in this tutorial: https://openliberty.io/blog/2019/09/13/testing-database-connections-REST-APIs.html
  4. Liberty returns an error because it does not accept those requests on an http port.

Expected behavior

The appsody stack should not block functionality that is available on Liberty.

Actual behaviour

java-microprofile applications cannot benefit from most security-related features available in Open Liberty. I have not tried it yet, but I am pretty sure OAuth support also requires https support.

Environment Details (please complete the following information):

If applicable please specify:

Screenshots

N/A

Additional context

I tried editing all references to port 9080 to 9443 in the app-deploy.yaml, but then the pod would not come up because, apparently, the readiness probe could not use secure connections to talk to the server.

nastacio commented 4 years ago

cc @arthurdm

arthurdm commented 4 years ago

@nastacio - in app-deploy.yaml it should just be service.port that you need to edit. Did you make the corresponding port changes in your server.xml?

nastacio commented 4 years ago

@arthurdm that worked! I guess this issue can be used to fix either documentation or, in my opinion preferably, change the standard listening port to https, since the usage of http blocks the usage of many Open Liberty server features.

cc @BarDweller and @ebullient for similar consideration in the new spring-boot-liberty stack.

ebullient commented 4 years ago

Spring Boot uses http for actuator endpoints, which do not require authentication (or https) with Spring Boot 2 out-of-the-box. I think there is a trade-off re: if/when https is required (e.g. if it is managed by the mesh)

scottkurz commented 4 years ago

Assuming this issue must be present for the new java-openliberty stack too.

awisniew90 commented 4 years ago

Hit the same problem in the OL stack. Just changing the port from 9080 to 9443 wasn't enough to fix the problem this time around. @arthurdm suggested also adding: route: termination: passthrough to app-deploy.yaml. That worked.
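
The two changes reported as working in this thread, put together as an added example; it is not the stack's own app-deploy.yaml and was not posted by any participant. The resource name, the `expose: true` line and the probe path are assumptions made for illustration, and the probe is left on the http port because the thread reports that only `service.port` needed to change.

```yaml
# Added example: fragment of an app-deploy.yaml with the edits from this thread.
# "my-liberty-app" is a placeholder name, not taken from the issue.
apiVersion: appsody.dev/v1beta1
kind: AppsodyApplication
metadata:
  name: my-liberty-app
spec:
  stack: java-microprofile

  service:
    type: NodePort
    # Before (stack default described in the issue): port: 9080, plain http.
    # Liberty features such as restConnector-2.0 refuse requests on that port.
    # After: expose the https port. It must match the httpsPort of the
    # httpEndpoint in server.xml (9443 in this thread).
    port: 9443

  # Assumption: the application is exposed through a Route.
  expose: true
  route:
    # Reported as also required for the Open Liberty stack. With passthrough
    # the router forwards the TLS connection unmodified, so TLS terminates
    # at Liberty itself and the server's own certificate is what clients see.
    termination: passthrough

  # Left on the http port: the reporter's attempt to move every 9080
  # reference to 9443 kept the pod from becoming ready, and the follow-up
  # advice was to change service.port only. The path is an assumption.
  readinessProbe:
    httpGet:
      path: /health/ready
      port: 9080
```

Because the route no longer terminates TLS, certificate management moves to the Liberty keystore rather than the router.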