[JENKINS-68694] Winstone 6.1: Upgrade Jetty from 9.4.46.v20220331 to 10.0.11

[basil]

See JENKINS-68694. Jetty 10.0.x implements Servlet 4.0 (JakartaEE 8/javax.servlet.*). The minimum required Java version for Jetty 10 is now Java 11. For more details about the Jetty 10 release, see this Jetty blog post. Winstone 6.1 removes support for OpenSSL-style PEM-encoded RSA private keys in jenkinsci/winstone#232.

Testing done

• Generate a keystore as described in the Jetty 10 Operations Guide; successfully started Winstone with --httpsKeyStore, --httpsKeyStorePassword, and --httpsPort; visited the UI in my browser via TLS and clicked around successfully; build Freestyle and Pipeline jobs; verified Winstone 6.1 is displayed in the About page.
• JENKINS-68933: Interactively verified wsecho/ (in both text and binary modes, including ping visible after 30s with websocat -vv); Pipeline builds on a WebSocket agent; CLI in -webSocket mode.
• JENKINS-68928: Ran mvn -pl war jetty:run 10 times in a row without any failures. Ensured that the JENKINS_HOME being used was the expected $JENKINS_REPO/war/work directory rather than $HOME/.jenkins.
• Ensured that the new RealJenkinsRule-based test added in [JENKINS-68933] Better WebSocket testing, removal of reflection #6780 failed without the addition of Jetty10Provider in this PR and passed with it.
• In Jetty 10 based JenkinsRule jenkins-test-harness#453, Test #6801 with jenkinsci/jenkins-test-harness#453 #6802, and Test jenkinsci/jenkins#6802 with jenkinsci/jenkins-test-harness#453 bom#1255, ran the core test suite and BOM/PCT test suite with a modified JenkinsRule based on Jetty 10. Without the addition of Jetty10Provider in this PR, these tests (including jenkins.agents.WebSocketAgentsTest) failed. With the addition of Jetty10Provider in this PR, all tests passed.
• Inspected jenkins.war before and after this change; verified that no unexpected JAR files had been added to or removed from the WAR archive.

Proposed changelog entries

• Winstone 6.1: Upgrade Jetty from 9.4.46.v20220331 to 10.0.11 (Winstone changelog, Jetty blog post).
• Remove support for OpenSSL-style PEM-encoded RSA private keys when running Jenkins with the embedded Jetty (Winstone) container and TLS (Remove ability to load pem cert for winstone winstone#232).

Proposed upgrade guidelines

Support for OpenSSL-style PEM-encoded RSA private keys has been removed when running Jenkins with the embedded Jetty (Winstone) container and TLS. Specifically, the --httpsPrivateKey and --httpsCertificate flags have been removed in favor of the --httpsKeyStore flag. The removed flags have printed deprecation warnings since 2016 and were implemented with non-standard APIs that have since been removed from Java 17. The recommendation is to migrate to the --httpsKeyStore option, which takes a keystore as described in the documentation. As of JEP 229, PKCS12 is the recommended keystore type.

Submitter checklist

• (If applicable) Jira issue is well described
• Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change) and are in the imperative mood. Examples
  • Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
• Appropriate autotests or explanation to why this change has no tests
• New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadoc, as appropriate.
• New deprecations are annotated with @Deprecated(since="TODO") or @Deprecated(since="TODO", forRemoval=true) if applicable.
• For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

• There are at least 2 approvals for the pull request and no outstanding requests for change
• Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
• Changelog entries in the PR title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood
• Proper changelog labels are set so that the changelog can be generated automatically
• If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
• If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

[jglick]

(continuation of #6785, reapplying #6694)

[jglick]

jetty/jetty.project#7970 FTR

[timja]

Is there a workaround to this? i.e. without this we can't live reload resources from what I understand.

[basil]

I don't believe there is, but the pain should be short-lived as this has already been fixed upstream and should be present in the next release of Jetty.

[jglick]

Is this just awaiting another core reviewer to be ready to merge?

(Cheating a bit for me to review as a co-author.)

[basil]

Is this just awaiting another core reviewer to be ready to merge?

Yes, it is.

[basil]

This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback. Please see the merge process documentation for more information about the merge process. Thanks!