Skip to content

MINOR: Fix JDK version, architecture parameters and SSL certificate verification in system tes#1907

Merged
Manikumar Reddy (omkreddy) merged 3 commits into
4.2from
jdk-25-fix-ssl-fix
Feb 13, 2026
Merged

MINOR: Fix JDK version, architecture parameters and SSL certificate verification in system tes#1907
Manikumar Reddy (omkreddy) merged 3 commits into
4.2from
jdk-25-fix-ssl-fix

Conversation

@tirthooo7

@tirthooo7 Tirth (tirthooo7) commented Feb 13, 2026

Copy link
Copy Markdown

Cherry pick
apache#21394
apache#21431

System Test Branch builder for 4.2 failing with this
https://semaphore.ci.confluent.io/jobs/859f45d1-43dd-4fbc-8e38-b12a8c0f7855#L2995
'https://github.com/confluentinc/kibosh.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

similar fix we did in trunk : apache#21431

… provisioning (apache#21431)

Update CA certificates on Ubuntu 14.04 Vagrant workers to fix SSL
certificate  verification failures when cloning the kibosh repository
during system test setup.

### Problem

Starting around February 7-9, 2026, system tests using Vagrant workers
began  failing during worker provisioning with the following error:

```
fatal: unable to access 'https://github.com/confluentinc/kibosh.git/':
server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none
```

**Root Cause:** The Vagrant workers use Ubuntu 14.04 (Trusty), which
reached
end-of-life in April 2019. The CA certificate bundle on these workers is
outdated
and does not include the certificate authorities needed to verify
GitHub's current
SSL certificate chain. GitHub (or their CA provider) rotated
certificates, causing
the verification to fail on systems with older CA bundles.

### Solution

Refresh the CA certificate store during worker provisioning by:
1. Installing/updating the `ca-certificates` package
2. Running `update-ca-certificates --fresh` to rebuild the certificate
store

This ensures workers have an updated certificate store that can verify
GitHub's  SSL certificate chain.

Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>
…ker provisioning (apache#21394)

Fixes bugs where `--jdk-version` and `--jdk-arch` parameters were
ignored during system test worker provisioning, and refactors
`vagrant/base.sh` to support flexible JDK versions without code changes.

---

The Vagrant provisioning script (`vagrant/base.sh`) had two bugs that
caused JDK version parameters to be ignored:

| Bug | Problem |
|-----|---------|
| **#1: `--jdk-version` ignored** | `JDK_FULL` was hardcoded to
`17-linux-x64`, so passing `--jdk-version 25` still downloaded JDK 17 |
| **#2: `--jdk-arch` ignored** | Architecture parameter was passed but
never used in the S3 download URL |

---

- Validate `JDK_MAJOR` and `JDK_ARCH` input parameters with regex
- Dynamically construct `JDK_FULL` from `JDK_MAJOR` and `JDK_ARCH`
- Update S3 path to use `/jdk/` subdirectory
- Add logging for debugging

---

| Change | Description |
|--------|-------------|
| **Input validation** | Added regex validation for `JDK_MAJOR` and
`JDK_ARCH` with sensible defaults |
| **Dynamic construction** | `JDK_FULL` is now constructed from
`JDK_MAJOR` and `JDK_ARCH` if not explicitly provided |
| **Updated S3 path** | Changed URL from
`/kafka-packages/jdk-{version}.tar.gz` to
`/kafka-packages/jdk/jdk-{version}.tar.gz` |
| **Logging** | Added debug output for JDK configuration |
| **Backward compatibility** | Vagrantfile can still pass `JDK_FULL`
directly; the script validates and uses it if valid |

---

```
s3://kafka-packages/jdk-{version}.tar.gz
```

```
s3://kafka-packages/jdk/jdk-{version}.tar.gz
```

| File | Version | Architecture |
|------|---------|--------------|
| `jdk-7u80-linux-x64.tar.gz` | 7u80 | x64 |
| `jdk-8u144-linux-x64.tar.gz` | 8u144 | x64 |
| `jdk-8u161-linux-x64.tar.gz` | 8u161 | x64 |
| `jdk-8u171-linux-x64.tar.gz` | 8u171 | x64 |
| `jdk-8u191-linux-x64.tar.gz` | 8u191 | x64 |
| `jdk-8u202-linux-x64.tar.gz` | 8u202 | x64 |
| `jdk-11.0.2-linux-x64.tar.gz` | 11.0.2 | x64 |
| `jdk-17-linux-x64.tar.gz` | 17 | x64 |
| `jdk-18.0.2-linux-x64.tar.gz` | 18.0.2 | x64 |
| `jdk-21.0.1-linux-x64.tar.gz` | 21.0.1 | x64 |
| `jdk-21.0.1-linux-aarch64.tar.gz` | 21.0.1 | aarch64 |
| `jdk-25-linux-x64.tar.gz` | 25 | x64 |
| `jdk-25-linux-aarch64.tar.gz` | 25 | aarch64 |
| `jdk-25.0.1-linux-x64.tar.gz` | 25.0.1 | x64 |
| `jdk-25.0.1-linux-aarch64.tar.gz` | 25.0.1 | aarch64 |
| `jdk-25.0.2-linux-x64.tar.gz` | 25.0.2 | x64 |
| `jdk-25.0.2-linux-aarch64.tar.gz` | 25.0.2 | aarch64 |

---

> **IMPORTANT: No code changes required for future Java major/minor
releases!**

The validation regex supports all version formats:
- **Major versions**: `17`, `25`, `26`
- **Minor versions**: `25.0.1`, `25.0.2`, `26.0.1`
- **Legacy format**: `8u144`, `8u202`

To add support for a new JDK version (e.g., JDK 26, 25.0.3):

1. Download the JDK tarball from Oracle/Adoptium
2. Rename to follow naming convention:
`jdk-{VERSION}-linux-{ARCH}.tar.gz`
3. Upload to S3: `aws s3 cp jdk-{VERSION}-linux-{ARCH}.tar.gz
s3://kafka-packages/jdk/`
4. Use in tests: `--jdk-version {VERSION} --jdk-arch {ARCH}`

No modifications to `base.sh` or any other scripts are needed.

---

| Before | After |
|--------|-------|
| `--jdk-version` ignored | ✅ Correctly uses specified version |
| `--jdk-arch` ignored | ✅ Correctly uses specified architecture |
| Only major version support | ✅ Full version support (e.g., `25.0.2`) |
| Code change needed for new JDK | ✅ Just upload to S3 and pass version
|

---

Tested with different JDK versions to confirm the fix works correctly:

| Test | JDK_MAJOR | Expected | Actual | Result | Test Report |
|------|-----------|----------|--------|--------|-------------|
| JDK 17 | `17` | javac 17.0.4 | javac 17.0.4 | ✅ |
| JDK 25 | `25` | javac 25.0.2 | javac 25.0.2 | ✅ |

---

- **Vagrantfile**: Continues to work as before
- **Existing workflows**: Default behavior unchanged (JDK 17 on x64
architecture)
- **No breaking changes**: All existing configurations continue to work

---

 Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com>
@tirthooo7
Tirth (tirthooo7) marked this pull request as ready for review February 13, 2026 02:25
@tirthooo7
Tirth (tirthooo7) requested a review from a team as a code owner February 13, 2026 02:25
Comment thread vagrant/base.sh
JDK_MAJOR="${JDK_MAJOR:-17}"
JDK_FULL="${JDK_FULL:-17-linux-x64}"
echo "JDK_MAJOR=$JDK_MAJOR JDK_ARCH=$JDK_ARCH"
export DEBIAN_FRONTEND=noninteractive

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like we need to retain this change

@omkreddy
Manikumar Reddy (omkreddy) merged commit 8a934c7 into 4.2 Feb 13, 2026
1 of 2 checks passed
@omkreddy
Manikumar Reddy (omkreddy) deleted the jdk-25-fix-ssl-fix branch February 13, 2026 05:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants