feat(apps): enhance Java 25 CDS and AOT Dockerfiles with improved classpath handling

Author: Yuriy Bezsonov

apps/dockerfiles-java25/Dockerfile.06-cds

@@ -1,33 +1,58 @@
 FROM public.ecr.aws/docker/library/maven:3-amazoncorretto-25-al2023 AS builder
 
+COPY ./pom.xml ./pom.xml
+COPY src ./src/
+
+RUN mvn clean package -DskipTests -ntp && mv target/store-spring-1.0.0-exec.jar app.jar
+
+FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023 AS trainer
+
+COPY --from=builder app.jar app.jar
+
+# Explode fat jar for CDS training
+RUN mkdir -p /ex && (cd /ex && jar -xf /app.jar) && \
+    mkdir -p /opt/app/training /opt/app/lib && \
+    (cd /ex/BOOT-INF/classes && jar -cf /opt/app/training/classes.jar .) && \
+    cp -r /ex/BOOT-INF/lib/* /opt/app/lib/
+
+# Create sorted classpath for deterministic ordering between training and runtime
+RUN ls /opt/app/lib/*.jar | sort | tr '\n' ':' | sed 's/:$//' > /opt/app/lib-cp.txt
+
+ENV MAIN_CLASS="com.unicorn.store.StoreApplication"
+
+# Optional: pass DB props for training to capture Hibernate/JDBC classes
 ARG SPRING_DATASOURCE_URL
-ENV SPRING_DATASOURCE_URL=$SPRING_DATASOURCE_URL
 ARG SPRING_DATASOURCE_USERNAME
-ENV SPRING_DATASOURCE_USERNAME=$SPRING_DATASOURCE_USERNAME
 ARG SPRING_DATASOURCE_PASSWORD
-ENV SPRING_DATASOURCE_PASSWORD=$SPRING_DATASOURCE_PASSWORD
-
-COPY ./pom.xml ./pom.xml
-COPY src ./src/
 
-RUN mvn clean package -DskipTests -ntp && mv target/store-spring-1.0.0-exec.jar store-spring.jar
+# If DB credentials provided, use them; otherwise exclude DB auto-config
+ENV TRAINING_JAVA_OPTS_DEFAULT="-Dspring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration -Dspring.main.lazy-initialization=true"
 
 # CDS training - dump class archive after Spring context initialization
-RUN java -XX:ArchiveClassesAtExit=/app.jsa \
-    -Dspring.context.exit=onRefresh \
-    -jar /store-spring.jar || true && \
-    test -s /app.jsa
+RUN set -e; \
+    if [ -n "${SPRING_DATASOURCE_URL}" ]; then \
+        OPTS="-Dspring.datasource.url=${SPRING_DATASOURCE_URL} -Dspring.datasource.username=${SPRING_DATASOURCE_USERNAME} -Dspring.datasource.password=${SPRING_DATASOURCE_PASSWORD}"; \
+    else \
+        OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    fi; \
+    java -XX:ArchiveClassesAtExit=/opt/app/app.jsa \
+    -Dspring.context.exit=onRefresh ${OPTS} \
+    -cp "/opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt)" \
+    ${MAIN_CLASS} || true && \
+    test -s /opt/app/app.jsa
 
 FROM public.ecr.aws/docker/library/amazoncorretto:25-al2023
 
 RUN yum install -y shadow-utils && \
     groupadd --system spring -g 1000 && \
     adduser spring -u 1000 -g 1000
 
-COPY --from=builder --chown=1000:1000 /store-spring.jar /store-spring.jar
-COPY --from=builder --chown=1000:1000 /app.jsa /app.jsa
+COPY --from=trainer --chown=1000:1000 /opt/app/training/classes.jar /opt/app/training/classes.jar
+COPY --from=trainer --chown=1000:1000 /opt/app/lib/ /opt/app/lib/
+COPY --from=trainer --chown=1000:1000 /opt/app/app.jsa /opt/app/app.jsa
+COPY --from=trainer --chown=1000:1000 /opt/app/lib-cp.txt /opt/app/lib-cp.txt
 
 USER 1000:1000
 EXPOSE 8080
 
-ENTRYPOINT ["java", "-XX:SharedArchiveFile=/app.jsa", "-jar", "-Dserver.port=8080", "/store-spring.jar"]
+ENTRYPOINT ["sh", "-c", "exec java -XX:SharedArchiveFile=/opt/app/app.jsa -Dserver.port=8080 -cp /opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt) com.unicorn.store.StoreApplication"]

apps/dockerfiles-java25/Dockerfile.07-aot

@@ -23,22 +23,32 @@ RUN ls /opt/app/lib/*.jar | sort | tr '\n' ':' | sed 's/:$//' > /opt/app/lib-cp.
 ENV MAIN_CLASS="com.unicorn.store.StoreApplication"
 
 # Optional: pass DB props for training to capture Hibernate/JDBC classes
-#   docker build --build-arg TRAINING_JAVA_OPTS="-Dspring.datasource.url=... -Dspring.datasource.username=... -Dspring.datasource.password=..." ...
-ARG TRAINING_JAVA_OPTS=""
-ENV TRAINING_JAVA_OPTS=${TRAINING_JAVA_OPTS}
+ARG SPRING_DATASOURCE_URL
+ARG SPRING_DATASOURCE_USERNAME
+ARG SPRING_DATASOURCE_PASSWORD
+
+# If DB credentials provided, use them; otherwise exclude DB auto-config
 ENV TRAINING_JAVA_OPTS_DEFAULT="-Dspring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration -Dspring.main.lazy-initialization=true"
 
 # Record AOT configuration
 RUN set -e; \
-    OPTS="${TRAINING_JAVA_OPTS}"; [ -z "${OPTS}" ] && OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    if [ -n "${SPRING_DATASOURCE_URL}" ]; then \
+        OPTS="-Dspring.datasource.url=${SPRING_DATASOURCE_URL} -Dspring.datasource.username=${SPRING_DATASOURCE_USERNAME} -Dspring.datasource.password=${SPRING_DATASOURCE_PASSWORD}"; \
+    else \
+        OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    fi; \
     java -XX:AOTMode=record -XX:AOTConfiguration=/app.aotconf \
     -cp "/opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt)" \
     -Dspring.context.exit=onRefresh ${OPTS} ${MAIN_CLASS} || true && \
     test -s /app.aotconf
 
 # Create AOT cache
 RUN set -e; \
-    OPTS="${TRAINING_JAVA_OPTS}"; [ -z "${OPTS}" ] && OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    if [ -n "${SPRING_DATASOURCE_URL}" ]; then \
+        OPTS="-Dspring.datasource.url=${SPRING_DATASOURCE_URL} -Dspring.datasource.username=${SPRING_DATASOURCE_USERNAME} -Dspring.datasource.password=${SPRING_DATASOURCE_PASSWORD}"; \
+    else \
+        OPTS="${TRAINING_JAVA_OPTS_DEFAULT}"; \
+    fi; \
     java -XX:AOTMode=create -XX:AOTConfiguration=/app.aotconf \
     -XX:AOTCache=/opt/app/app.aot \
     -cp "/opt/app/training/classes.jar:$(cat /opt/app/lib-cp.txt)" \

infra/scripts/deploy/test-optimizations.sh

@@ -45,13 +45,13 @@ cleanup() {
            "${APP_DIR}/src/main/java/com/unicorn/store/data/UnicornPublisher.java"
     fi
 
-    # Revert deployment to baseline if in deploy mode (disabled for testing)
-    # if [[ "$DEPLOY_MODE" == true && -n "$ACCOUNT_ID" ]]; then
-    #     log_info "Reverting deployment to :latest..."
-    #     local ecr_uri="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE_NAME}"
-    #     kubectl set image deployment/unicorn-store-spring \
-    #         unicorn-store-spring="${ecr_uri}:latest" -n unicorn-store-spring 2>/dev/null || true
-    # fi
+    # Revert deployment to baseline if --revert flag is set
+    if [[ "$REVERT_MODE" == true && "$DEPLOY_MODE" == true && -n "$ACCOUNT_ID" ]]; then
+        log_info "Reverting deployment to :latest..."
+        local ecr_uri="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${IMAGE_NAME}"
+        kubectl set image deployment/unicorn-store-spring \
+            unicorn-store-spring="${ecr_uri}:latest" -n unicorn-store-spring 2>/dev/null || true
+    fi
 
     exit $exit_code
 }
@@ -74,11 +74,13 @@ METHODS=(
 
 # Parse arguments
 DEPLOY_MODE=false
+REVERT_MODE=false
 ONLY_METHOD=""
 
 while [[ $# -gt 0 ]]; do
     case $1 in
         --deploy) DEPLOY_MODE=true; shift ;;
+        --revert) REVERT_MODE=true; shift ;;
         --only) ONLY_METHOD="$2"; shift 2 ;;
         *) log_error "Unknown option: $1"; exit 1 ;;
     esac
@@ -113,8 +115,43 @@ needs_code_change() {
     [[ "$1" == "09-crac" ]]
 }
 
-# Start PostgreSQL for training
+# Database configuration - try AWS first, fallback to local Docker
+USE_AWS_DB=false
+SPRING_DATASOURCE_URL=""
+SPRING_DATASOURCE_USERNAME=""
+SPRING_DATASOURCE_PASSWORD=""
+
+init_db_config() {
+    log_info "Checking for AWS database configuration..."
+
+    # Try to get AWS database credentials
+    local aws_url aws_secret
+    aws_url=$(aws ssm get-parameter --name workshop-db-connection-string --no-cli-pager 2>/dev/null | jq --raw-output '.Parameter.Value' 2>/dev/null) || true
+    aws_secret=$(aws secretsmanager get-secret-value --secret-id workshop-db-secret --no-cli-pager 2>/dev/null | jq --raw-output '.SecretString' 2>/dev/null) || true
+
+    if [[ -n "$aws_url" && "$aws_url" != "null" && -n "$aws_secret" && "$aws_secret" != "null" ]]; then
+        SPRING_DATASOURCE_URL="$aws_url"
+        SPRING_DATASOURCE_USERNAME=$(echo "$aws_secret" | jq -r .username)
+        SPRING_DATASOURCE_PASSWORD=$(echo "$aws_secret" | jq -r .password)
+
+        if [[ -n "$SPRING_DATASOURCE_USERNAME" && "$SPRING_DATASOURCE_USERNAME" != "null" ]]; then
+            USE_AWS_DB=true
+            log_info "Using AWS RDS database for training"
+            return 0
+        fi
+    fi
+
+    log_info "AWS database not available, will use local Docker PostgreSQL"
+    USE_AWS_DB=false
+}
+
+# Start PostgreSQL for training (only if not using AWS DB)
 start_build_db() {
+    if [[ "$USE_AWS_DB" == true ]]; then
+        log_info "Using AWS RDS database (no local DB needed)"
+        return 0
+    fi
+
     log_info "Starting PostgreSQL for training..."
     docker rm -f build-postgres 2>/dev/null || true
     docker run -d --name build-postgres \
@@ -128,10 +165,19 @@ start_build_db() {
     until docker exec build-postgres pg_isready -U unicorn -d unicornstore >/dev/null 2>&1; do
         sleep 1
     done
+
+    # Set local DB credentials
+    SPRING_DATASOURCE_URL="jdbc:postgresql://host.docker.internal:5432/unicornstore"
+    SPRING_DATASOURCE_USERNAME="unicorn"
+    SPRING_DATASOURCE_PASSWORD="unicorn"
+
     log_info "PostgreSQL ready"
 }
 
 stop_build_db() {
+    if [[ "$USE_AWS_DB" == true ]]; then
+        return 0
+    fi
     docker rm -f build-postgres 2>/dev/null || true
 }
 
@@ -188,12 +234,12 @@ build_image() {
         crac_pre_build
     fi
 
-    # Start DB if needed
+    # Start DB if needed and set build args (all methods use same SPRING_DATASOURCE_* args)
     if needs_db "$tag"; then
         start_build_db
-        build_args="--build-arg SPRING_DATASOURCE_URL=jdbc:postgresql://host.docker.internal:5432/unicornstore"
-        build_args="${build_args} --build-arg SPRING_DATASOURCE_USERNAME=unicorn"
-        build_args="${build_args} --build-arg SPRING_DATASOURCE_PASSWORD=unicorn"
+        build_args="--build-arg SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL}"
+        build_args="${build_args} --build-arg SPRING_DATASOURCE_USERNAME=${SPRING_DATASOURCE_USERNAME}"
+        build_args="${build_args} --build-arg SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD}"
     fi
 
     # Build with --progress=plain for cleaner logs
@@ -373,6 +419,9 @@ rm -rf "${OUTPUT_DIR}"
 mkdir -p "${OUTPUT_DIR}"
 log_info "Output: ${OUTPUT_DIR}"
 
+# Initialize database configuration (AWS or local Docker)
+init_db_config
+
 # Initialize deploy mode
 if [[ "$DEPLOY_MODE" == true ]]; then
     log_info "Deploy mode enabled - will push to ECR and deploy to EKS"