Feature/productionize image #24

Merged 204 commits into main from feature/productionize-image on Mar 15, 2024

Conversation

@leiicamundi (Contributor) commented Mar 5, 2024

Pull Request Description:
This pull request addresses the need for a production-ready Camunda-flavored Keycloak Docker image that supports AWS IAM roles for Service Accounts (IRSA) out of the box. Currently, customers are required to create their own Keycloak Docker image for AWS with IRSA support, and this enhancement aims to simplify this process.

Problem Description:
Customers running Keycloak in AWS with IRSA face challenges in creating custom Docker images. This PR introduces a Camunda-flavored Keycloak image for both ARM and AMD architectures, facilitating easier deployment in AWS environments.

Proposed Solution:

  • Renames the existing repository from https://github.com/camunda/keycloak-aws to camunda/keycloak to accommodate multi-cloud support in the future (already implemented, repository is now public).
  • Adds Open Container Initiative (OCI) labels to the Docker image for enhanced metadata.
  • Establishes a release pipeline and strategy that supports all currently supported Keycloak versions for ARM and AMD architectures.
  • Publishes the Docker image to DockerHub, aligning with the Infrastructure team's guidelines.
  • Creates an integration test within https://github.com/camunda/keycloak-aws to validate AWS usage via self-hosted runners, specifically testing IRSA against existing shared Aurora databases.

Desired Outcome:

  1. Repository renamed to camunda/keycloak.
  2. Docker image includes OCI labels.
  3. Release pipeline supports all currently supported Keycloak versions for ARM and AMD architectures.
  4. Docker image is published to DockerHub.
  5. Integration test validates AWS usage with IRSA against shared Aurora databases.

Implementation Details:

  • Multi-cloud support implemented.
  • Integration test added for AWS usage.
  • Multi-architecture image CI build.
  • Added static image analysis in CI using Snyk.
  • DockerHub project set up for Keycloak images, with token for image publishing => currently waiting for the official repo (tested w/ https://hub.docker.com/r/leiicamundi/keycloak-camunda-test).
  • Nightly builds scheduled by cron.
  • Pre-commit tests integrated with image linting (hadolint and YAML check).
  • Harbor retention policy for CI implemented.
  • Renovate enabled for automated dependency updates.

Implementation Details (update):

In addition to the previously mentioned implementation details, a dynamic test matrix is now generated for all Keycloak versions. Each version undergoes a suite of tests on GCP, AWS, and Docker Compose environments.

The testing process follows these steps:

  1. Dynamic Test Matrix:

    • A matrix is dynamically generated to cover various Keycloak versions.
    • Each version undergoes tests on GCP, AWS, and Docker Compose environments to ensure cross-cloud compatibility.
  2. Semantic Versioning and Image Tagging:

    • Images are tagged with semantic versioning for easy identification and version tracking.
    • The following tags are used when publishing images on docker.io:
      • keycloak-<version>-latest: Represents the latest version.
      • keycloak-<version>-<yyyy-mm-dd-xxx>: Timestamped version for historical reference and traceability.
      • latest: Used if the version is the most recent.
  3. Publishing Process:

    • After passing all tests and completing the security scan, the images are automatically published on docker.io with the appropriate semantic tags.
  4. Pending Tasks:

    • Efforts are ongoing to enhance documentation.
    • Further refinement of the publication process is needed.

PS: This PR will be squash-merged due to the number of commits.

@Langleu (Member) left a comment

I had another look over the action.
The remaining files looked good / Maxim already left some comments.

@leiicamundi (Contributor, Author)

Thanks @maxdanilov and @Langleu for the review.
The last blocking point is regarding usage of snyk action.

Currently, it is not a blocking action (so even if Snyk reports CVEs, we will still be able to merge/release). I think it could help, but as discussed with Lars, it could be a little overkill.

@maxdanilov we'd like to hear your opinion on this, then the PR should be ready to be merged

@maxdanilov (Member) commented Mar 13, 2024

@leiicamundi I don't have a strong opinion, but I'm more in favor of keeping it light for now and dropping it.
You could move the Snyk logic addition to a separate PR (that will be closed) so we can have a reference implementation for the future, should we rethink the scanning approach later, wdyt?

@maxdanilov (Member) left a comment

Looks good in general, thank you 🚀
Just leaving small final styling suggestions + discovered hiccup with the pre-commit hook when running it locally.

Review comments on README.md, .pre-commit-config.yaml, .github/scripts/utils/find_latest_keycloak.sh and .pre-commit-hooks/update_readme_version.sh (resolved).

Follow-up commits: "unified scripts naming with snake case", "fix pre-commit runs", "update README".
@leiicamundi (Contributor, Author)

Hello @maxdanilov, thank you for the review.

I have implemented the suggestions and also extracted the Snyk scan into its own issue (#25).

I am unable to reproduce the pre-commit bug. Could you please retry with the latest version of the repository? Otherwise, I will likely switch back to the Python script, as it seems to work without the need to consider the underlying platform.

@Langleu (Member) left a comment

looks good from my side.

@maxdanilov (Member) left a comment

All good, just last suggestion for fixing the colored output of ls in one of the scripts so the pre-commit hook works consistently for all users.

Review comment on .github/scripts/utils/find_latest_keycloak.sh (resolved).
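The two mechanics this thread touches on, the "find the latest Keycloak version" helper that broke under a colored `ls`, and the tag scheme plus OCI labels from the PR description, as an added shell example. This is not the repository's own `find_latest_keycloak.sh` or workflow; it assumes a layout with one directory per Keycloak version, uses the standard `org.opencontainers.image.*` annotation keys for the labels, and the version list, date stamp and revision `abc1234` are constructed for the walk-through.

```bash
#!/usr/bin/env bash
# Added example, not a script from the camunda/keycloak repository.
# Shows: picking the newest Keycloak version without parsing `ls` (whose
# colour escapes broke the pre-commit hook for some users), and deriving
# the docker.io tag set and OCI labels for a build. The directory layout,
# date stamp and revision below are constructed for the demo.
set -eu

# Enumerate per-version directories under $1 with a glob. Globs expand to
# plain names, so an `ls --color=always` alias cannot inject ANSI codes.
version_dirs() {
  local root=$1 d
  for d in "$root"/*/; do
    d=${d%/}
    printf '%s\n' "${d##*/}"
  done
}

# Read names on stdin, keep only dotted-numeric ones and print the highest
# using a version-aware sort, so 24.0.10 sorts after 24.0.9 (a plain
# lexical sort would put 24.0.9 last).
latest_version() {
  grep -E '^[0-9]+(\.[0-9]+)*$' | sort -V | tail -n 1
}

# Fail if a version string carries a terminal escape sequence; a tag built
# from such a string is either rejected by the registry or pushed under a
# garbled name, so refuse it before any docker push.
assert_clean_version() {
  local esc
  esc=$(printf '\033')
  case $1 in
    *"$esc"*) echo "version contains escape sequence: $1" >&2; return 1 ;;
  esac
}

# Tags published for one build, per the PR description:
#   keycloak-<version>-latest, keycloak-<version>-<yyyy-mm-dd-xxx>,
#   and the bare "latest" only when <version> is the newest supported one.
image_tags() {
  local version=$1 stamp=$2 newest=$3
  printf 'keycloak-%s-latest\n' "$version"
  printf 'keycloak-%s-%s\n' "$version" "$stamp"
  if [ "$version" = "$newest" ]; then
    printf 'latest\n'
  fi
}

# `docker buildx build` label arguments using the standard OCI annotation
# keys. The source URL is the renamed repository from the PR.
oci_label_args() {
  local version=$1 revision=$2 created=$3
  printf -- '--label org.opencontainers.image.version=%s\n' "$version"
  printf -- '--label org.opencontainers.image.revision=%s\n' "$revision"
  printf -- '--label org.opencontainers.image.created=%s\n' "$created"
  printf -- '--label org.opencontainers.image.source=%s\n' \
    "https://github.com/camunda/keycloak"
}

# Constructed walk-through: a scratch tree with one directory per version.
demo() {
  local root newest
  root=$(mktemp -d)
  mkdir -p "$root"/23.0.7 "$root"/24.0.1 "$root"/24.0.9 "$root"/24.0.10
  newest=$(version_dirs "$root" | latest_version)
  assert_clean_version "$newest"
  image_tags "$newest" 2024-03-15-001 "$newest"
  oci_label_args "$newest" abc1234 2024-03-15T08:46:00Z
  rm -rf "$root"
}

demo
```

The point of `version_dirs` is that the shell does the enumeration, not `ls`: a user with `alias ls='ls --color=always'` gets escape codes in captured `ls` output, and `sort -V` would then compare those bytes as part of the version. `assert_clean_version` is the belt-and-braces check a publish step should run before tagging, since a registry push with a garbled tag is the failure mode you least want to discover after the fact.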
@leiicamundi (Contributor, Author) commented Mar 15, 2024

Hey @Langleu, @maxdanilov, thank you for the reviews!

Now that everything is aligned, I'm merging the PR.

We'll continue to keep track of the remaining items to process at https://github.com/orgs/camunda/projects/87/views/1?pane=issue&itemId=47441722.

@leiicamundi leiicamundi merged commit 6a15db2 into main Mar 15, 2024
17 checks passed
@leiicamundi leiicamundi deleted the feature/productionize-image branch March 15, 2024 08:46
Labels: enhancement (New feature or request)