registry.access.redhat.com/ubi8/openjdk-17:latest and registry.access.redhat.com/ubi8/openjdk-11:latest got updated and both are now using Maven 3.8.5, which can lead regression.

Affected customer: Using custom HTTP maven repository in setting.xml will now (with Maven bump) fail the S2I build. Which can be regression for some customers.

It currently affects Camel Quarkus (https://issues.redhat.com/browse/CEQ-6923) apps (also plain Quarkus apps and basically any Java apps on OCP).

The main problem i see is that the Openjdk image is not tight to one specific major maven version range - eg. 3.6.x, but major upgrades happens there. It would be ideal to have option in S2I workflow how to specify the maven version. So it would be in more controlled fashion.

For current state, it would be nice to document this behaviour somewhere and put best practice note how to configure SSL certificate for HTTPS maven repo with S2I builds.

Reproducer:

1. oc new-project openjdk
2. oc create -f settings.yaml
3. oc create -f reproducer-s2i.yaml

See error:

[ERROR]     Non-resolvable import POM: Could not transfer artifact com.redhat.quarkus.platform:quarkus-bom:pom:2.13.7.SP3-redhat-00003 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [internal.s2i.maven.remote.repository (http://indy.psi.redhat.com/api/content/maven/group/builds-untested+shared-imports, default, releases)] @ line 59, column 25 -> [Help 2]
[ERROR]     Non-resolvable import POM: Could not transfer artifact com.redhat.quarkus.platform:quarkus-camel-bom:pom:2.13.7.SP3-redhat-00003 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [internal.s2i.maven.remote.repository (http://indy.psi.redhat.com/api/content/maven/group/builds-untested+shared-imports, default, releases)] @ line 66, column 25 -> [Help 2]