chore(cloud-native): upgrade cryptography library in OCI images#13488

Open
iromli wants to merge 4 commits into main from cn-cryptography-upgrade
Conversation


@iromli iromli commented Mar 12, 2026

Prepare


Description

Target issue

closes #13487

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Chores

    • Updated base container image to 17.0.18 across all Docker services
    • Bumped grpcio Python dependency from 1.72.0 to 1.76.0 across services
    • Updated internal source/version reference
  • Refactor

    • Disabled the cloud tools Keycloak sync feature (kc-sync) and removed its runtime support

Signed-off-by: iromli <isman.firmansyah@gmail.com>
@iromli iromli added this to the 2.0.0 milestone Mar 12, 2026
@iromli iromli self-assigned this Mar 12, 2026

coderabbitai bot commented Mar 12, 2026

📝 Walkthrough

Bumps bellsoft Liberica Java images from 17.0.17 → 17.0.18 and updates ENV JANS_SOURCE_VERSION to commit 1b66569...4547e across multiple Dockerfiles; upgrades grpcio from 1.72.0 → 1.76.0 in multiple requirements.txt files; removes kc-sync runtime in cloudtools entrypoint.

Changes (Cohort / Files / Summary)

  • Dockerfile base image & JANS source
    Files: docker-jans-all-in-one/Dockerfile, docker-jans-auth-server/Dockerfile, docker-jans-casa/Dockerfile, docker-jans-cloudtools/Dockerfile, docker-jans-config-api/Dockerfile, docker-jans-configurator/Dockerfile, docker-jans-fido2/Dockerfile, docker-jans-link/Dockerfile, docker-jans-persistence-loader/Dockerfile, docker-jans-scim/Dockerfile
    Summary: Updated FROM lines to bellsoft/liberica-(openjdk
  • Python dependency pins
    Files: docker-jans-all-in-one/app/requirements.txt, docker-jans-auth-server/requirements.txt, docker-jans-casa/requirements.txt, docker-jans-cloudtools/requirements.txt, docker-jans-config-api/requirements.txt, docker-jans-fido2/requirements.txt, docker-jans-link/requirements.txt, docker-jans-persistence-loader/requirements.txt, docker-jans-scim/requirements.txt
    Summary: Bumped grpcio from 1.72.0 to 1.76.0 in multiple requirements files.
  • Cloudtools entrypoint script
    Files: docker-jans-cloudtools/scripts/entrypoint.sh
    Summary: Removed/disabled run_kc_sync() and removed kc-sync from help and command dispatch (now prints disabled message and exits).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

comp-docker-jans-monolith, comp-docker-jans-saml, comp-jans-pycloudlib

Suggested reviewers

  • moabu
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

  • Out of Scope Changes check: ⚠️ Warning
    Explanation: The PR contains out-of-scope changes: removal of jans-keycloak-integration from docker-jans-cloudtools and disabling of kc-sync functionality are unrelated to the cryptography library upgrade objective specified in issue #13487.
    Resolution: Remove changes related to jans-keycloak-integration removal and kc-sync disabling from this PR, or create a separate PR for these out-of-scope modifications with corresponding issue references.
  • Docstring Coverage: ⚠️ Warning
    Explanation: Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.
    Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title clearly summarizes the main change: upgrading the cryptography library in OCI images, which aligns with the primary objective of the PR.
  • Description check: ✅ Passed. The description follows the template with all required sections completed: Prepare checklist marked done, Target issue referenced (#13487), Implementation Details section present, and documentation confirmation checked.
  • Linked Issues check: ✅ Passed. The PR meets the objectives from linked issue #13487: base images updated to Alpine 3.23 (reflected in bellsoft/liberica image version 17.0.18), grpcio dependency upgraded from 1.72.0 to 1.76.0 across all services, and JANS_SOURCE_VERSION updated to accommodate cryptography library changes.


iromli added 2 commits March 13, 2026 02:09
…hy upgrade

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>

mo-auto commented Mar 12, 2026

⚠️ Snyk checks are incomplete.

  • Open Source Security (⚠️ incomplete): Critical 0, High 0, Medium 0, Low 0, Total 0


@iromli iromli marked this pull request as ready for review March 12, 2026 20:06
@iromli iromli requested a review from moabu as a code owner March 12, 2026 20:06

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docker-jans-cloudtools/Dockerfile (2)

47-59: 🧹 Nitpick | 🔵 Trivial

Remove the KC scheduler scaffolding in the same cleanup.

Lines 54-59 no longer fetch the scheduler template source, but the image still carries the scheduler setup from earlier stages. Since docker-jans-cloudtools/scripts/entrypoint.sh:10-45 keeps run_kc_sync() commented out, this is dead payload for now and only increases image size and CVE surface.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-jans-cloudtools/Dockerfile` around lines 47 - 59, Remove the unused KC
scheduler scaffolding to avoid shipping dead payload: delete the mkdir -p
/app/templates/kc-scheduler and any steps that add or copy scheduler assets
(e.g., removal of /app/templates/kc-scheduler creation in the RUN that performs
git sparse-checkout and any prior COPY/ADD or git sparse-checkout entries for
scheduler templates); ensure the Dockerfile no longer adds jans-pycloudlib
scheduler files and adjust the sparse-checkout/git commands accordingly (refer
to the RUN that performs git clone/sparse-checkout and the mkdir invocation),
since entrypoint.sh keeps run_kc_sync() commented out.

1-10: ⚠️ Potential issue | 🟠 Major

Pin the Alpine Python package revisions you are validating.

Lines 7-10 install py3-cryptography and py3-grpcio without pinned versions. Combined with apk upgrade --available, this allows Alpine packages to drift on future rebuilds, making the cryptography/grpcio upgrade non-reproducible. Note that while grpcio==1.76.0 is pinned in requirements.txt for PyPI installation, py3-cryptography has no version control in requirements.txt and is solely dependent on unpinned Alpine packages.

Proposed fix
+ARG PY3_CRYPTOGRAPHY_VERSION=<exact-apk-revision>
+ARG PY3_GRPCIO_VERSION=<exact-apk-revision>
 RUN apk update \
-    && apk upgrade --available \
-    && apk add --no-cache openssl python3 curl tini py3-cryptography py3-psycopg2 py3-grpcio \
+    && apk add --no-cache \
+       openssl \
+       python3 \
+       curl \
+       tini \
+       py3-psycopg2 \
+       "py3-cryptography=${PY3_CRYPTOGRAPHY_VERSION}" \
+       "py3-grpcio=${PY3_GRPCIO_VERSION}" \
     && apk add --no-cache --virtual .build-deps wget git
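Review bot: the two `ARG` lines still carry the `<exact-apk-revision>` placeholders, so as written the quoted `py3-cryptography=${PY3_CRYPTOGRAPHY_VERSION}` and `py3-grpcio=${PY3_GRPCIO_VERSION}` pins make `apk add` fail until real revisions are filled in, and because Alpine's package index only serves the current build of a package on a release branch, an exact `=` pin also stops resolving as soon as Alpine ships a new py3-cryptography or py3-grpcio build, so the pin needs a documented bump path (or a build-time check of `apk info -v` against the expected versions). Removing `&& apk upgrade --available` additionally leaves every other package in the base image at the version it shipped with, which works against the upgrade goal of this PR; if reproducibility is the priority, pin the base image by digest and refresh it deliberately rather than freezing two packages in isolation.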
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-jans-cloudtools/Dockerfile` around lines 1 - 10, The Dockerfile RUN
that does "apk upgrade --available" and installs py3-cryptography and py3-grpcio
allows Alpine packages to drift; pin those Alpine Python package revisions by
specifying exact package versions in the same RUN that installs packages (e.g.,
use py3-cryptography=<version> and py3-grpcio=<version> with apk add) or move
those Python deps into a reproducible build step (wheel/PyPI with pinned
versions), and remove or avoid a blanket "apk upgrade --available" so future
rebuilds remain reproducible; update the RUN line that installs openssl python3
curl tini py3-cryptography py3-psycopg2 py3-grpcio accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker-jans-cloudtools/scripts/entrypoint.sh`:
- Around line 29-45: Removing the run_kc_sync handler makes incoming "kc-sync"
args silently fall through to show_help (exit 0); restore explicit handling so
"kc-sync" either invokes the original run_kc_sync flow or fails loudly. Re-add a
kc-sync branch in the main arg dispatch that checks for "kc-sync" and either
calls run_kc_sync (restore the commented run_kc_sync function/body) or prints an
explicit error and exits non-zero (e.g., exit 1) so the Helm CronJob doesn't
become a silent no-op; alternatively update the chart that still passes
"kc-sync" to stop doing so.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a7d44447-b6b1-4061-a458-98d9d0cbd455

📥 Commits

Reviewing files that changed from the base of the PR and between 5aa4d67 and af0cf9b.

📒 Files selected for processing (20)
  • docker-jans-all-in-one/Dockerfile
  • docker-jans-all-in-one/app/requirements.txt
  • docker-jans-auth-server/Dockerfile
  • docker-jans-auth-server/requirements.txt
  • docker-jans-casa/Dockerfile
  • docker-jans-casa/requirements.txt
  • docker-jans-cloudtools/Dockerfile
  • docker-jans-cloudtools/requirements.txt
  • docker-jans-cloudtools/scripts/entrypoint.sh
  • docker-jans-config-api/Dockerfile
  • docker-jans-config-api/requirements.txt
  • docker-jans-configurator/Dockerfile
  • docker-jans-fido2/Dockerfile
  • docker-jans-fido2/requirements.txt
  • docker-jans-link/Dockerfile
  • docker-jans-link/requirements.txt
  • docker-jans-persistence-loader/Dockerfile
  • docker-jans-persistence-loader/requirements.txt
  • docker-jans-scim/Dockerfile
  • docker-jans-scim/requirements.txt

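The unpinned-package finding above concerns the `apk add` line in docker-jans-cloudtools/Dockerfile; the following shell script is an added example (not part of this PR or of CodeRabbit's suggestion) that audits a Dockerfile for apk packages installed without an exact `=version` pin and for a blanket `apk upgrade --available`. The two Dockerfiles it writes are constructed samples, and the `0.0.0-r0` revisions in the pinned one are placeholders.

```shell
#!/bin/sh
# Added example (not from the PR): audit a Dockerfile for apk packages
# installed without an exact "=version" pin, and for a blanket
# "apk upgrade --available" that lets packages drift between rebuilds.
# The two Dockerfiles below are constructed samples, not the project's files.
WORK="${TMPDIR:-/tmp}/apk-pin-check.$$"
mkdir -p "$WORK"
SAMPLE_DOCKERFILE="$WORK/unpinned.Dockerfile"
PINNED_DOCKERFILE="$WORK/pinned.Dockerfile"

cat > "$SAMPLE_DOCKERFILE" <<'EOF'
FROM bellsoft/liberica-openjdk-alpine:17.0.18
RUN apk update \
    && apk upgrade --available \
    && apk add --no-cache openssl python3 curl tini py3-cryptography py3-psycopg2 py3-grpcio \
    && apk add --no-cache --virtual .build-deps wget git
EOF
# Placeholder revisions (0.0.0-r0): substitute the real apk revisions.
cat > "$PINNED_DOCKERFILE" <<'EOF'
FROM bellsoft/liberica-openjdk-alpine:17.0.18
ARG PY3_CRYPTOGRAPHY_VERSION=0.0.0-r0
RUN apk add --no-cache "py3-cryptography=${PY3_CRYPTOGRAPHY_VERSION}" py3-grpcio=0.0.0-r0
EOF

unpinned_apk_packages() {
    # Join backslash-continued lines, split "&&"-chained commands apart,
    # keep only "apk add" invocations, then print package names lacking "=".
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
    | tr '&' '\n' \
    | sed -E 's/^[[:space:]]*RUN[[:space:]]+//' \
    | grep -E '^[[:space:]]*apk[[:space:]]+add' \
    | sed -E 's/^[[:space:]]*apk[[:space:]]+add//' \
    | tr ' ' '\n' \
    | grep -Ev '^$|^-|^\.|=' \
    | LC_ALL=C sort -u
}

has_blanket_upgrade() {
    # "apk upgrade --available" installs whatever the index holds at build time.
    grep -qE 'apk[[:space:]]+upgrade' "$1"
}

check_apk_pins() {
    # Exit 0 when every apk-installed package is pinned, 1 otherwise.
    unpinned=$(unpinned_apk_packages "$1")
    [ -z "$unpinned" ] && return 0
    printf 'unpinned apk packages in %s:\n%s\n' "$1" "$unpinned" >&2
    return 1
}
```

Run it as a CI step against each Dockerfile; packages given with `>=` or `~=` constraints are reported as unpinned on purpose, since only `=` fixes an exact revision.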
Signed-off-by: iromli <isman.firmansyah@gmail.com>

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (1)
docker-jans-cloudtools/scripts/entrypoint.sh (1)

92-94: ⚠️ Potential issue | 🟠 Major

Disabling kc-sync here now breaks the shipped CronJob and documented CLI.

charts/janssen-all-in-one/templates/cronjobs.yaml:110-211 still schedules args: ["kc-sync"] when kc-scheduler.enabled and saml.enabled are true, so this branch turns that deployment path into a permanently failing CronJob. docker-jans-cloudtools/README.md:186-194 also still documents cloudtools kc-sync as a supported command. Please land the chart/docs removal in the same PR, or keep run_kc_sync until those consumers are updated.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-jans-cloudtools/scripts/entrypoint.sh` around lines 92 - 94, The
branch that unconditionally fails the "kc-sync" case breaks external consumers;
revert the change so the "kc-sync" case invokes the existing run_kc_sync logic
instead of exiting with error, i.e., replace the echo+exit with a call to
run_kc_sync (or conditionalize the error only when both the scheduler and SAML
flags indicate it should be disabled), and coordinate updating the
chart/template and README that still reference "kc-sync" in the same PR so
deployments and docs remain consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: bf88f743-34a0-4372-81bc-d4b02eec1054

📥 Commits

Reviewing files that changed from the base of the PR and between af0cf9b and 0548860.

📒 Files selected for processing (1)
  • docker-jans-cloudtools/scripts/entrypoint.sh
