From b5d6d59e42c0b65d92c0934dd620afaf411233d9 Mon Sep 17 00:00:00 2001 From: Michal Hajas Date: Wed, 17 Jan 2024 10:49:30 +0100 Subject: [PATCH] Add possibility to run rosa-cross-dc deployment from KC repository and branch Closes #522 Signed-off-by: Michal Hajas --- .../rosa-multi-az-cluster-create.yml | 16 +- .../ROOT/pages/openshift/cross-site-rosa.adoc | 22 +- provision/keycloak-tasks/Taskfile.yaml | 61 +++++ provision/keycloak-tasks/Utils.yaml | 227 ++++++++++++++++++ .../keycloak-image-helm/Chart.yaml | 24 ++ .../templates/keycloak-build-config.yaml | 36 +++ .../keycloak-operator-build-config.yaml | 33 +++ .../templates/ubi9-imagestream.yaml | 18 ++ .../keycloak-image-helm/values.yaml | 5 + .../minikube/keycloak/templates/keycloak.yaml | 4 + provision/minikube/keycloak/values.yaml | 1 + provision/rosa-cross-dc/Taskfile.yaml | 137 +++-------- 12 files changed, 472 insertions(+), 112 deletions(-) create mode 100644 provision/keycloak-tasks/Taskfile.yaml create mode 100644 provision/keycloak-tasks/Utils.yaml create mode 100644 provision/keycloak-tasks/keycloak-image-helm/Chart.yaml create mode 100644 provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-build-config.yaml create mode 100644 provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml create mode 100644 provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml create mode 100644 provision/keycloak-tasks/keycloak-image-helm/values.yaml diff --git a/.github/workflows/rosa-multi-az-cluster-create.yml b/.github/workflows/rosa-multi-az-cluster-create.yml index 2503ca95..7878d151 100644 --- a/.github/workflows/rosa-multi-az-cluster-create.yml +++ b/.github/workflows/rosa-multi-az-cluster-create.yml @@ -1,4 +1,4 @@ -name: Multi-AZ Clusters - Create and Test +name: Multi-AZ Clusters - Create and Deploy Keycloak on: workflow_dispatch: 
@@ -13,6 +13,12 @@ on: description: 'Check to Create Cluster.' type: boolean default: true + keycloakRepository: + description: 'The repository to deploy Keycloak from. If not set nightly image is used' + type: string + keycloakBranch: + description: 'The branch to deploy Keycloak from. If not set nightly image is used' + type: string workflow_call: inputs: clusterPrefix: @@ -25,6 +31,12 @@ on: description: 'Check to Create Cluster' type: boolean default: true + keycloakRepository: + description: 'The repository to deploy Keycloak from. If not set nightly image is used' + type: string + keycloakBranch: + description: 'The branch to deploy Keycloak from. If not set nightly image is used' + type: string env: CLUSTER_PREFIX: ${{ inputs.clusterPrefix || format('gh-{0}', github.repository_owner) }} @@ -124,3 +136,5 @@ jobs: KC_DB_POOL_MIN_SIZE: 30 KC_DATABASE: "aurora-postgres" MULTI_AZ: "true" + KC_REPOSITORY: ${{ inputs.keycloakRepository }} + KC_BRANCH: ${{ inputs.keycloakBranch }} diff --git a/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc b/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc index c97dd0f3..e147b0b8 100644 --- a/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc +++ b/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc 
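Review bot: The two new inputs are each described as "If not set nightly image is used", but Utils.yaml in this commit branches on `KC_REPOSITORY` alone and `clone-keycloak` then lists `KC_BRANCH` under `requires:`, so a dispatch that sets `keycloakRepository` without `keycloakBranch` fails on the missing variable while `keycloakBranch` on its own is silently ignored; giving the branch a default (`keycloakBranch:` … `default: 'main'`) in both the `workflow_dispatch` and `workflow_call` blocks, or stating in both descriptions that the two must be set together, removes the surprise. The same values are exported unchanged as `KC_REPOSITORY`/`KC_BRANCH` in the last hunk and end up interpolated into `git clone` inside the Taskfile; since this workflow is also reachable through `workflow_call`, a first step that rejects values outside a narrow pattern (an `https://` URL and a plain ref name) is cheap insurance against a caller passing something the shell or git would interpret rather than treat as a name.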
@@ -70,7 +70,25 @@ For Keycloak deployment, check xref:customizing-deployment.adoc[Keycloak Customi Note that not all variable are respected. As an example, `KC_ISPN_NAMESPACE` is not possible to change since it is automatically computed by this installation script. -=== Warnings / Known issues +=== Customize Keycloak source -Using `--force` will break the keycloak deployment because it patches the keycloak operator deployment with an incorrect image. +This setup, by default, deploys Keycloak from nightly build. +To create a deployment for specific Keycloak source code, git repository and branch can be specified. +This replaces deployments for both Keycloak and Keycloak operator. +Specify the following variables for using custom source code: + + +|=== +|Variable |Details + +|KC_REPOSITORY +|Git repository to clone Keycloak source code from. +Example: https://github.com/keycloak/keycloak.git + +Note: SSH repositories may not work in Github Actions as SSH keys may not be configured. + +|KC_BRANCH +|The branch within `KC_REPOSITORY` to use. + +|=== diff --git a/provision/keycloak-tasks/Taskfile.yaml b/provision/keycloak-tasks/Taskfile.yaml new file mode 100644 index 00000000..3cfef669 --- /dev/null +++ b/provision/keycloak-tasks/Taskfile.yaml 
@@ -0,0 +1,61 @@ +# This Taskfile is used only for testing purposes of tasks defined in Utils.yaml +version: '3' +includes: + utils: + taskfile: ./Utils.yaml + internal: true +output: prefixed + +dotenv: [ '.env' ] + +required: + - KUBECONFIG + - NAMESPACE + +vars: + KC_REPOSITORY: '{{.KC_REPOSITORY | default ""}}' + KC_BRANCH: '{{.KC_BRANCH | default ""}}' + + # To compute Infinispan namespace + KC_NAMESPACE_PREFIX: '{{default "$(whoami)-" .KC_NAMESPACE_PREFIX}}' + KC_ISPN_NAMESPACE: '{{.KC_NAMESPACE_PREFIX}}keycloak' + ISPN_DIR: "{{.ROOT_DIR}}/../infinispan" + ROUTE53_DIR: "{{.ROOT_DIR}}/../aws/route53" + RDS_DIR: "{{.ROOT_DIR}}/../aws/rds" + KC_DIR: "{{.ROOT_DIR}}/../openshift" + ANSIBLE_DIR: "{{.ROOT_DIR}}/../../ansible" + PYTHON_DIR: "{{.ROOT_DIR}}/../../benchmark/src/main/python" + BENCHMARK_DIR: "{{.ROOT_DIR}}/../../benchmark/src/main/content/bin" + KC_ADMIN_PASSWORD: + sh: aws secretsmanager get-secret-value --region eu-central-1 --secret-id keycloak-master-password --query SecretString --output text --no-cli-pager + + KB_RETENTION: '{{default "168h" .KB_RETENTION}}' + KC_OTEL: '{{default "false" .KC_OTEL}}' + KC_CRYOSTAT: '{{default "true" .KC_CRYOSTAT}}' + KC_OTEL_SAMPLING_PERCENTAGE: '{{default "0.001" .KC_OTEL_SAMPLING_PERCENTAGE}}' + KC_DB_POOL_INITIAL_SIZE: '{{default "5" .KC_DB_POOL_INITIAL_SIZE}}' + KC_DB_POOL_MAX_SIZE: '{{default "10" .KC_DB_POOL_MAX_SIZE}}' + KC_DB_POOL_MIN_SIZE: '{{default "5" .KC_DB_POOL_MIN_SIZE}}' + KC_DATABASE: '{{default "postgres" .KC_DATABASE}}' + KC_OPERATOR_TAG: '{{default "nightly" .KC_OPERATOR_TAG}}' + KC_CONTAINER_IMAGE: '{{default "" .KC_CONTAINER_IMAGE}}' + KC_INSTANCES: '{{default "1" .KC_INSTANCES}}' + KC_CPU_REQUESTS: '{{default "0" .KC_CPU_REQUESTS}}' + KC_CPU_LIMITS: '{{default "" .KC_CPU_LIMITS}}' + KC_MEMORY_REQUESTS_MB: '{{default "1024" .KC_MEMORY_REQUESTS_MB}}' + KC_MEMORY_LIMITS_MB: '{{default "1024" .KC_MEMORY_LIMITS_MB}}' + KC_HEAP_INIT_MB: '{{default "64" .KC_HEAP_INIT_MB}}' + KC_HEAP_MAX_MB: 
'{{default "512" .KC_HEAP_MAX_MB}}' + KC_METASPACE_INIT_MB: '{{default "96" .KC_METASPACE_INIT_MB}}' + KC_METASPACE_MAX_MB: '{{default "256" .KC_METASPACE_MAX_MB}}' + KC_CUSTOM_INFINISPAN_CONFIG: '{{default "true" .KC_CUSTOM_INFINISPAN_CONFIG}}' + KC_CUSTOM_INFINISPAN_CONFIG_FILE: '{{default "config/kcb-infinispan-cache-config.xml" .KC_CUSTOM_INFINISPAN_CONFIG_FILE}}' + KC_REMOTE_STORE: '{{default "false" .KC_REMOTE_STORE}}' + KC_REMOTE_STORE_HOST: '{{default "localhost" .KC_REMOTE_STORE_HOST}}' + KC_REMOTE_STORE_PORT: '{{default "11222" .KC_REMOTE_STORE_PORT}}' + KC_DISABLE_STICKY_SESSION: '{{default "false" .KC_DISABLE_STICKY_SESSION}}' + +tasks: + default: + cmds: + - task: utils:install-keycloak diff --git a/provision/keycloak-tasks/Utils.yaml b/provision/keycloak-tasks/Utils.yaml new file mode 100644 index 00000000..87e2efd4 --- /dev/null +++ b/provision/keycloak-tasks/Utils.yaml 
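Review bot: The top-level `required:` stanza at the top of this file is not a Taskfile key I know of — Task enforces mandatory variables with a per-task `requires: vars:` list, as Utils.yaml itself does — so `KUBECONFIG` and `NAMESPACE` are not actually checked before `utils:install-keycloak` runs; either move them under `default:` as `requires: vars: [KUBECONFIG, NAMESPACE]` or drop the stanza, and confirm against the Task version in use. Separately, `KC_ADMIN_PASSWORD` runs `aws secretsmanager get-secret-value` with no `|| …` fallback, unlike the same lookup in rosa-cross-dc/Taskfile.yaml, and a global `sh:` var is, as far as I know, evaluated on every Taskfile load, so on a machine without AWS credentials this test Taskfile aborts before any task starts; a comment above it naming the AWS login as a prerequisite would make that deliberate. The header comment says the file exists only to exercise Utils.yaml, yet it also declares `ISPN_DIR`, `ROUTE53_DIR`, `RDS_DIR`, `ANSIBLE_DIR`, `PYTHON_DIR` and `BENCHMARK_DIR`, none of which Utils.yaml reads; dropping the unused copies keeps the two variable tables from drifting apart.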
@@ -0,0 +1,227 @@ +# https://taskfile.dev +version: '3' + +tasks: + + no-op: + desc: "No-op task" + internal: true + + clone-keycloak: + desc: "Clone the Keycloak repository" + internal: true + dir: ".task" + requires: + vars: + - KC_REPOSITORY + - KC_BRANCH + cmds: + - rm -rf "keycloak" || true + - git clone --branch "{{.KC_BRANCH}}" "{{.KC_REPOSITORY}}" "keycloak" + - git -C "keycloak" checkout "{{.KC_BRANCH}}" + - git -C "keycloak" pull + generates: + - ./keycloak/**/*.* + status: + - test -d keycloak + - test -n "$(ls -A keycloak)" + - test "{{.KC_REPOSITORY}}" == "$(git -C keycloak remote get-url origin)" + - test "{{.KC_BRANCH}}" == "$(git -C keycloak rev-parse --abbrev-ref HEAD)" + + build-keycloak-dist: + desc: "Build the Keycloak distribution and operator" + label: "{{.TASK}}-{{.CURRENT_HASH}}" + internal: true + dir: ".task/keycloak" + vars: + CURRENT_HASH: + sh: git rev-parse HEAD + cmd: ./mvnw clean install -DskipTests -Poperator -am -pl quarkus/dist,operator + sources: + - pom.xml # We are relying on git hash to detect changes (see `label:` above) but we need something as a source for it to work + generates: + - quarkus/dist/target/keycloak-*.tar.gz + - operator/target/keycloak-*.jar + + prepare-keycloak-images-openshift: + desc: "Create images for the current build of Keycloak distribution" + label: "{{.TASK}}-{{.ROSA_CLUSTER_NAME}}" + internal: true + requires: + task: + - build-keycloak-dist + vars: + - NAMESPACE + - KUBECONFIG + - ROSA_CLUSTER_NAME + vars: + ARCHIVE_NAME: + sh: ls .task/keycloak/quarkus/dist/target/keycloak-*.tar.gz | xargs -n 1 basename + cmds: + - KUBECONFIG="{{.KUBECONFIG}}" oc create namespace "{{.NAMESPACE}}" || true + - KUBECONFIG={{.KUBECONFIG}} helm uninstall --namespace {{.NAMESPACE}} keycloak-build-config || true + # Create custom Keycloak resources for both Keycloak and Keycloak operator + - > + KUBECONFIG="{{.KUBECONFIG}}" helm upgrade --install keycloak-build-config --namespace "{{.NAMESPACE}}" + --set 
"namespace={{.NAMESPACE}}" + --set "archiveName={{.ARCHIVE_NAME}}" + ./keycloak-image-helm + + # Start Keycloak image build + - cp "$(ls .task/keycloak/quarkus/dist/target/keycloak-*.tar.gz)" ".task/keycloak/quarkus/container/" + - KUBECONFIG="{{.KUBECONFIG}}" oc start-build -n {{.NAMESPACE}} keycloak --from-dir ".task/keycloak/quarkus/container" --follow + - echo "image-registry.openshift-image-registry.svc:5000/{{.NAMESPACE}}/keycloak:latest" > .task/var-CUSTOM_CONTAINER_IMAGE_FILE + + # Start Keycloak operator image build + - KUBECONFIG="{{.KUBECONFIG}}" oc start-build -n {{.NAMESPACE}} keycloak-operator --from-dir ".task/keycloak/operator" --follow + - echo "image-registry.openshift-image-registry.svc:5000/{{.NAMESPACE}}/keycloak-operator:latest" > .task/var-KC_OPERATOR_CONTAINER_IMAGE + sources: + - quarkus/dist/target/keycloak-*.tar.gz + - operator/target/keycloak-*.jar + status: + - test -n "$(KUBECONFIG="{{.KUBECONFIG}}" helm list --namespace {{.NAMESPACE}} --filter keycloak-build-config -q)" + preconditions: + - test -f {{.KUBECONFIG}} + + install-keycloak-operator: + desc: "Install the Keycloak operator" + internal: true + requires: + vars: + - NAMESPACE + - KUBECONFIG + vars: + OPERATOR_IMAGE: + sh: cat .task/var-KC_OPERATOR_CONTAINER_IMAGE || echo "" + EXTERNAL_OPERATOR_PREFIX: "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/refs/tags/{{.KC_OPERATOR_TAG}}/kubernetes/" + CUSTOM_OPERATOR_PREFIX: ".task/keycloak/operator/target/kubernetes/" + CURRENT_PREFIX: '{{ ternary .CUSTOM_OPERATOR_PREFIX .EXTERNAL_OPERATOR_PREFIX (hasPrefix "image-registry.openshift-image-registry.svc:5000" .OPERATOR_IMAGE) }}' + cmds: + - KUBECONFIG="{{.KUBECONFIG}}" kubectl create namespace "{{.NAMESPACE}}" || true + - KUBECONFIG="{{.KUBECONFIG}}" kubectl -n {{.NAMESPACE}} apply -f {{.CURRENT_PREFIX}}keycloaks.k8s.keycloak.org-v1.yml + - KUBECONFIG="{{.KUBECONFIG}}" kubectl -n {{.NAMESPACE}} apply -f {{.CURRENT_PREFIX}}keycloakrealmimports.k8s.keycloak.org-v1.yml 
+ - KUBECONFIG="{{.KUBECONFIG}}" kubectl -n {{.NAMESPACE}} delete deployment/keycloak-operator || true + - KUBECONFIG="{{.KUBECONFIG}}" kubectl -n {{.NAMESPACE}} apply -f {{.CURRENT_PREFIX}}kubernetes.yml + - task: patch-keycloak-operator-image + vars: + NAMESPACE: "{{.NAMESPACE}}" + KUBECONFIG: "{{.KUBECONFIG}}" + preconditions: + - test -f {{.KUBECONFIG}} + + patch-keycloak-operator-image: + desc: "Patch the Keycloak operator image" + internal: true + requires: + vars: + - NAMESPACE + - KUBECONFIG + vars: + OPERATOR_IMAGE: + sh: cat .task/var-KC_OPERATOR_CONTAINER_IMAGE 2> /dev/null || echo "" + cmds: + - | + (test -n "{{.OPERATOR_IMAGE}}" && KUBECONFIG="{{.KUBECONFIG}}" kubectl patch deployment keycloak-operator -n {{.NAMESPACE}} --type json -p '[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "{{.OPERATOR_IMAGE}}"}]') || true + preconditions: + - test -f {{.KUBECONFIG}} + + prepare-custom-images: + des: "Prepare custom images for Keycloak and Keycloak operator" + internal: true + requires: + vars: + - KC_REPOSITORY + - KC_BRANCH + - NAMESPACE + - KUBECONFIG + - ROSA_CLUSTER_NAME + cmds: + - task: clone-keycloak + - task: build-keycloak-dist + - task: prepare-keycloak-images-openshift + vars: + NAMESPACE: "{{.NAMESPACE}}" + KUBECONFIG: "{{.KUBECONFIG}}" + ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" + + install-keycloak: + des: "Install Keycloak to the given namespace and cluster" + internal: true + requires: + vars: + - KUBECONFIG + - NAMESPACE + - KC_HOSTNAME_SUFFIX + - KC_ADMIN_PASSWORD + - ROSA_CLUSTER_NAME + vars: + CURRENT_KC_CONTAINER_IMAGE: '{{ ternary "$(cat .task/var-CUSTOM_CONTAINER_IMAGE_FILE 2> /dev/null || echo \"\")" .KC_CONTAINER_IMAGE (empty .KC_CONTAINER_IMAGE) }}' + cmds: + - task: '{{if .KC_REPOSITORY}}prepare-custom-images{{else}}no-op{{end}}' + vars: + KUBECONFIG: "{{.KUBECONFIG}}" + NAMESPACE: "{{.NAMESPACE}}" + ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" + - task: install-keycloak-operator + vars: + NAMESPACE: 
"{{.NAMESPACE}}" + KUBECONFIG: "{{.KUBECONFIG}}" + - > + KUBECONFIG="{{.KUBECONFIG}}" + helm upgrade --install keycloak --namespace {{.NAMESPACE}} + --set hostname={{.KC_HOSTNAME_SUFFIX}} + --set keycloakHostname={{.KC_HOSTNAME_OVERRIDE}} + --set keycloakHealthHostname={{.KC_HEALTH_HOSTNAME}} + --set otel={{.KC_OTEL}} + --set otelSamplingPercentage={{.KC_OTEL_SAMPLING_PERCENTAGE}} + --set dbPoolInitialSize={{.KC_DB_POOL_INITIAL_SIZE}} + --set dbPoolMinSize={{.KC_DB_POOL_MIN_SIZE}} + --set dbPoolMaxSize={{.KC_DB_POOL_MAX_SIZE}} + --set dbUrl={{ .KC_DATABASE_URL }} + --set database={{.KC_DATABASE}} + --set keycloakImage={{.CURRENT_KC_CONTAINER_IMAGE}} + --set instances={{ .KC_INSTANCES }} + --set cpuRequests={{ .KC_CPU_REQUESTS }} + --set cpuLimits={{ .KC_CPU_LIMITS }} + --set memoryRequestsMB={{ .KC_MEMORY_REQUESTS_MB }} + --set memoryLimitsMB={{ .KC_MEMORY_LIMITS_MB }} + --set heapInitMB={{ .KC_HEAP_INIT_MB }} + --set heapMaxMB={{ .KC_HEAP_MAX_MB }} + --set metaspaceInitMB={{ .KC_METASPACE_INIT_MB }} + --set metaspaceMaxMB={{ .KC_METASPACE_MAX_MB }} + --set infinispan.jgroupsTls={{ .KC_JGROUPS_TLS }} + --set infinispan.customConfig={{ .KC_CUSTOM_INFINISPAN_CONFIG }} + --set infinispan.configFile={{ .KC_CUSTOM_INFINISPAN_CONFIG_FILE }} + --set infinispan.remoteStore.enabled=true + --set infinispan.remoteStore.host=infinispan.{{.KC_ISPN_NAMESPACE}}.svc + --set infinispan.remoteStore.port=11222 + --set infinispan.remoteStore.username=developer + --set infinispan.remoteStore.password={{ .RS_HOT_ROD_PASSWORD | default .KEYCLOAK_MASTER_PASSWORD }} + --set infinispan.site={{ .ROSA_CLUSTER_NAME }} + --set cryostat={{ .KC_CRYOSTAT }} + --set sqlpad=false + --set environment=openshift + --set namespace={{.NAMESPACE}} + --set keycloakAdminPassword="{{.KC_ADMIN_PASSWORD}}" + --set disableIngressStickySession={{ .KC_DISABLE_STICKY_SESSION }} + --set nodePortsEnabled=false + ../minikube/keycloak + preconditions: + - test -f {{.KUBECONFIG}} + + uninstall-keycloak: + internal: 
true + requires: + vars: + - KUBECONFIG + - NAMESPACE + cmds: + - KUBECONFIG={{.KUBECONFIG}} helm uninstall --namespace {{.NAMESPACE}} keycloak || true + - KUBECONFIG={{.KUBECONFIG}} helm uninstall --namespace {{.NAMESPACE}} keycloak-build-config || true + status: + - test -z "$(KUBECONFIG={{.KUBECONFIG}} helm list --namespace {{.NAMESPACE}} --filter keycloak -q)" + preconditions: + - test -f {{.KUBECONFIG}} + + + diff --git a/provision/keycloak-tasks/keycloak-image-helm/Chart.yaml b/provision/keycloak-tasks/keycloak-image-helm/Chart.yaml new file mode 100644 index 00000000..9f73533b --- /dev/null +++ b/provision/keycloak-tasks/keycloak-image-helm/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: keycloak-image-helm +description: Keycloak image build config + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "14.0" 
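Review bot: `install-keycloak` runs `no-op` when `KC_REPOSITORY` is empty but never removes `.task/var-CUSTOM_CONTAINER_IMAGE_FILE` and `.task/var-KC_OPERATOR_CONTAINER_IMAGE`, so a nightly run after an earlier custom-source run in the same checkout still reads the stale references through `CURRENT_KC_CONTAINER_IMAGE` and through `install-keycloak-operator`'s `OPERATOR_IMAGE`/`CURRENT_PREFIX`, and silently deploys the previous custom build; a first command in `install-keycloak` such as `- '{{if not .KC_REPOSITORY}}rm -f .task/var-CUSTOM_CONTAINER_IMAGE_FILE .task/var-KC_OPERATOR_CONTAINER_IMAGE{{end}}'` closes that gap. Two smaller things in the same hunk: `prepare-custom-images` and `install-keycloak` spell the description key `des:` where Task expects `desc:`, and `prepare-keycloak-images-openshift` lists `sources:` without the `.task/keycloak/` prefix its `cmds:` use, so those globs do not point at the built artifacts (its `requires: task:` is also not a Task key I know of — `deps: [build-keycloak-dist]` is the documented way to run the build first). In `clone-keycloak` the repository and branch arrive straight from workflow inputs; writing the clone as `git clone --branch "{{.KC_BRANCH}}" -- "{{.KC_REPOSITORY}}" keycloak` keeps a repository value beginning with `-` from being parsed as an option, and the same end-of-options marker fits the `checkout` line. The helm line in `install-keycloak` passes `keycloakAdminPassword` and the remote-store password on the command line, which Task echoes by default and CI captures; that is inherited from the code this replaces, but while it is being moved either `silent: true` on the task or `--set-file keycloakAdminPassword=<path to a file holding the secret>` would keep the values out of the job log.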
diff --git a/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-build-config.yaml b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-build-config.yaml new file mode 100644 index 00000000..0e2c3a6e --- /dev/null +++ b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-build-config.yaml @@ -0,0 +1,36 @@ +kind: ImageStream +apiVersion: image.openshift.io/v1 +metadata: + name: keycloak + namespace: {{ .Values.namespace }} + labels: + build: keycloak +spec: + lookupPolicy: + local: false +--- +apiVersion: build.openshift.io/v1 +kind: BuildConfig +metadata: + labels: + build: keycloak + name: keycloak + namespace: {{ .Values.namespace }} +spec: + output: + to: + kind: ImageStreamTag + name: keycloak:latest + runPolicy: Serial + source: + binary: {} + type: Binary + strategy: + dockerStrategy: + buildArgs: + - name: KEYCLOAK_DIST + value: "{{ .Values.archiveName | default "keycloak.tar.gz" }}" + from: + kind: ImageStreamTag + name: ubi9:latest + type: Docker diff --git a/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml new file mode 100644 index 00000000..d2753962 --- /dev/null +++ b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml @@ -0,0 +1,33 @@ +kind: ImageStream +apiVersion: image.openshift.io/v1 +metadata: + name: keycloak-operator + namespace: {{ .Values.namespace }} + labels: + build: keycloak-operator +spec: + lookupPolicy: + local: false +--- +apiVersion: build.openshift.io/v1 +kind: BuildConfig +metadata: + labels: + build: keycloak-operator + name: keycloak-operator + namespace: {{ .Values.namespace }} +spec: + output: + to: + kind: ImageStreamTag + name: keycloak-operator:latest + runPolicy: Serial + source: + binary: {} + type: Binary + strategy: + dockerStrategy: + from: + kind: ImageStreamTag + name: ubi9:latest + type: Docker 
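Review bot: `namespace: {{ .Values.namespace }}` in both the ImageStream and the BuildConfig of this template is an unquoted templated scalar, so a value YAML types as something other than a string (an all-digit namespace, for instance) reaches the API with the wrong type; `namespace: {{ .Values.namespace | quote }}` is the conventional form, and the same applies to the operator BuildConfig and the ubi9 ImageStream templates added in this commit. The `KEYCLOAK_DIST` build arg nests a `"keycloak.tar.gz"` literal inside a double-quoted scalar; it renders correctly only because Helm expands the template before YAML parses the result, which reads like a quoting mistake — `value: {{ .Values.archiveName | default "keycloak.tar.gz" | quote }}` says the same thing without the nesting.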
diff --git a/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml b/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml new file mode 100644 index 00000000..d88bf767 --- /dev/null +++ b/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml @@ -0,0 +1,18 @@ +kind: ImageStream +apiVersion: image.openshift.io/v1 +metadata: + name: ubi9 + namespace: {{ .Values.namespace }} +spec: + lookupPolicy: + local: false + tags: + - name: latest + from: + kind: DockerImage + name: registry.access.redhat.com/ubi9 + generation: 2 + importPolicy: + importMode: Legacy + referencePolicy: + type: Source diff --git a/provision/keycloak-tasks/keycloak-image-helm/values.yaml b/provision/keycloak-tasks/keycloak-image-helm/values.yaml new file mode 100644 index 00000000..ddf7f53f --- /dev/null +++ b/provision/keycloak-tasks/keycloak-image-helm/values.yaml @@ -0,0 +1,5 @@ +# Default values for keycloak-image-helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +namespace: keycloak diff --git a/provision/minikube/keycloak/templates/keycloak.yaml b/provision/minikube/keycloak/templates/keycloak.yaml index d63b481e..0ebafe78 100644 --- a/provision/minikube/keycloak/templates/keycloak.yaml +++ b/provision/minikube/keycloak/templates/keycloak.yaml @@ -38,6 +38,10 @@ spec: # to avoid receiving all requests on a single Keycloak Pod. haproxy.router.openshift.io/balance: roundrobin haproxy.router.openshift.io/disable_cookies: 'true' + {{- if .Values.keycloakImage }} + image: {{ .Values.keycloakImage }} + startOptimized: {{ .Values.startOptimized }} + {{- end }} {{end}} features: enabled: diff --git a/provision/minikube/keycloak/values.yaml b/provision/minikube/keycloak/values.yaml index 7174c2ef..7563dff1 100644 --- a/provision/minikube/keycloak/values.yaml +++ b/provision/minikube/keycloak/values.yaml 
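Review bot: The `ubi9` ImageStreamTag references `registry.access.redhat.com/ubi9` by a floating tag with no digest, so the base that both BuildConfigs in this chart build `FROM ubi9:latest` is whatever happened to be imported when the stream was created (and with no `importPolicy.scheduled: true` it is never re-imported), which makes the resulting Keycloak and operator images neither reproducible nor attributable to a known base; pinning the reference, `name: registry.access.redhat.com/ubi9@sha256:<digest of the chosen ubi9 build>`, and bumping it deliberately gives a verifiable base for the custom builds. If a floating base is wanted for a test-only chart, say so in a comment above `tags:` so the choice stays visible to whoever promotes this beyond testing.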
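Review bot: The new `image:`/`startOptimized:` pair is inserted immediately before an existing `{{end}}`, i.e. inside a template block whose opening `{{if …}}` lies outside this hunk; if that block is environment-conditional (the surrounding haproxy route annotations suggest an OpenShift-only branch), `keycloakImage` is silently ignored on the other environments even though `values.yaml` declares it without qualification — please confirm, and if so move the two lines up to the unconditional part of `spec:`. Since `startOptimized` is only ever emitted alongside a custom image, a one-line comment on the new `startOptimized: false` entry in values.yaml saying that it takes effect only when `keycloakImage` is set would keep the two values from being tuned independently.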
@@ -23,6 +23,7 @@ database: postgres disableCaches: false environment: minikube keycloakImage: '' +startOptimized: false instances: 1 cpuRequests: 0 cpuLimits: '' diff --git a/provision/rosa-cross-dc/Taskfile.yaml b/provision/rosa-cross-dc/Taskfile.yaml index 225a8f32..94407bbc 100644 --- a/provision/rosa-cross-dc/Taskfile.yaml +++ b/provision/rosa-cross-dc/Taskfile.yaml @@ -33,6 +33,10 @@ includes: internal: true chaos: taskfile: ./Chaos.yaml + keycloak: + taskfile: ../keycloak-tasks/Utils.yaml + dir: ../keycloak-tasks/ + internal: true tasks: fetch-rosa-region: @@ -204,7 +208,10 @@ tasks: requires: vars: - AURORA_CLUSTER - cmd: ../aws/rds/aurora_endpoint.sh > .task/aurora-endpoint-{{.AURORA_CLUSTER}} + - ROSA_CLUSTER_NAME_1 + vars: + AURORA_REGION: "$(cat .task/rosa-region-{{.ROSA_CLUSTER_NAME_1}})" + cmd: AURORA_REGION={{.AURORA_REGION}} ../aws/rds/aurora_endpoint.sh > .task/aurora-endpoint-{{.AURORA_CLUSTER}} generates: - .task/aurora-endpoint-{{.AURORA_CLUSTER}} 
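Review bot: `AURORA_REGION` is built from `$(cat .task/rosa-region-{{.ROSA_CLUSTER_NAME_1}})`, but nothing in this task guarantees that file exists when the command runs — if it is missing, `cat` fails, the substitution expands to nothing and `aurora_endpoint.sh` runs with an empty `AURORA_REGION`, so the wrong (or default) region is queried without any error; adding `preconditions: - test -f .task/rosa-region-{{.ROSA_CLUSTER_NAME_1}}` or a `deps:` entry on the task that writes the file (presumably `fetch-rosa-region`) makes the dependency explicit and fails loudly. This change is also unrelated to the Keycloak source-build feature in the commit title; a sentence in the commit message would help whoever bisects it later.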
@@ -236,106 +243,6 @@ tasks: vars: ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME_2}}" - patch-keycloak-image: - internal: true - requires: - vars: - - ROSA_CLUSTER_NAME - cmds: - - envsubst < ../minikube/keycloak/operator-patch.yaml > .task/operator-patchfile-{{.ROSA_CLUSTER_NAME}}.yaml - - KUBECONFIG="{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" oc patch deployment keycloak-operator -n {{.KC_NAMESPACE_PREFIX}}keycloak --patch-file .task/operator-patchfile-{{.ROSA_CLUSTER_NAME}}.yaml - status: - - test "{{.KC_CONTAINER_IMAGE}}" == "" - preconditions: - - test -f {{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}} - - install-keycloak: - internal: true - requires: - vars: - - ROSA_CLUSTER_NAME - vars: - KC_HOSTNAME_SUFFIX: - sh: cat {{.ISPN_DIR}}/.task/kubecfg/ocp-prefix-{{.ROSA_CLUSTER_NAME}} - KC_DATABASE_URL: - sh: cat .task/aurora-endpoint-{{.AURORA_CLUSTER}} - KC_ADMIN_PASSWORD: - sh: "aws secretsmanager get-secret-value --region eu-central-1 --secret-id keycloak-master-password --query SecretString --output text --no-cli-pager || echo admin" - KC_CUSTOM_INFINISPAN_CONFIG: "true" - KC_CUSTOM_INFINISPAN_CONFIG_FILE: "config/kcb-infinispan-cache-remote-store-config.xml" - KC_ISPN_CLUSTER: "infinispan" - cmds: - - KUBECONFIG="{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" oc -n {{.KC_NAMESPACE_PREFIX}}keycloak apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/refs/tags/{{.KC_OPERATOR_TAG}}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml - - KUBECONFIG="{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" oc -n {{.KC_NAMESPACE_PREFIX}}keycloak apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/refs/tags/{{.KC_OPERATOR_TAG}}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml - - KUBECONFIG="{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" oc -n {{.KC_NAMESPACE_PREFIX}}keycloak apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/refs/tags/{{.KC_OPERATOR_TAG}}/kubernetes/kubernetes.yml 
|| (kubectl -n {{.KC_NAMESPACE_PREFIX}}keycloak delete deployment/keycloak-operator && kubectl -n {{.KC_NAMESPACE_PREFIX}}keycloak apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/refs/tags/{{.KC_OPERATOR_TAG}}/kubernetes/kubernetes.yml) - - task: patch-keycloak-image - vars: - ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" - - > - KUBECONFIG="{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" - helm upgrade --install keycloak --namespace {{.KC_NAMESPACE_PREFIX}}keycloak - --set hostname={{.KC_HOSTNAME_SUFFIX}} - --set keycloakHostname={{.KC_HOSTNAME_OVERRIDE}} - --set keycloakHealthHostname={{.KC_HEALTH_HOSTNAME}} - --set otel={{.KC_OTEL}} - --set otelSamplingPercentage={{.KC_OTEL_SAMPLING_PERCENTAGE}} - --set dbPoolInitialSize={{.KC_DB_POOL_INITIAL_SIZE}} - --set dbPoolMinSize={{.KC_DB_POOL_MIN_SIZE}} - --set dbPoolMaxSize={{.KC_DB_POOL_MAX_SIZE}} - --set dbUrl={{ .KC_DATABASE_URL }} - --set database={{.KC_DATABASE}} - --set keycloakImage={{.KC_CONTAINER_IMAGE}} - --set instances={{ .KC_INSTANCES }} - --set cpuRequests={{ .KC_CPU_REQUESTS }} - --set cpuLimits={{ .KC_CPU_LIMITS }} - --set memoryRequestsMB={{ .KC_MEMORY_REQUESTS_MB }} - --set memoryLimitsMB={{ .KC_MEMORY_LIMITS_MB }} - --set heapInitMB={{ .KC_HEAP_INIT_MB }} - --set heapMaxMB={{ .KC_HEAP_MAX_MB }} - --set metaspaceInitMB={{ .KC_METASPACE_INIT_MB }} - --set metaspaceMaxMB={{ .KC_METASPACE_MAX_MB }} - --set infinispan.jgroupsTls={{ .KC_JGROUPS_TLS }} - --set infinispan.customConfig={{ .KC_CUSTOM_INFINISPAN_CONFIG }} - --set infinispan.configFile={{ .KC_CUSTOM_INFINISPAN_CONFIG_FILE }} - --set infinispan.remoteStore.enabled=true - --set infinispan.remoteStore.host=infinispan.{{.KC_ISPN_NAMESPACE}}.svc - --set infinispan.remoteStore.port=11222 - --set infinispan.remoteStore.username=developer - --set infinispan.remoteStore.password={{ .RS_HOT_ROD_PASSWORD | default .KEYCLOAK_MASTER_PASSWORD }} - --set infinispan.site={{ .ROSA_CLUSTER_NAME }} - --set cryostat={{ .KC_CRYOSTAT }} - 
--set sqlpad=false - --set environment=openshift - --set namespace={{.KC_NAMESPACE_PREFIX}}keycloak - --set keycloakAdminPassword="{{.KC_ADMIN_PASSWORD}}" - --set disableIngressStickySession={{ .KC_DISABLE_STICKY_SESSION }} - --set nodePortsEnabled=false - ../minikube/keycloak - sources: - - .task/aurora-endpoint-{{.AURORA_CLUSTER}} - - "{{.ISPN_DIR}}/.task/kubecfg/ocp-prefix-{{.ROSA_CLUSTER_NAME}}" - - ../minikube/keycloak/**/*.* - status: - - KUBECONFIG="{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" oc -n {{.NAMESPACE}} get keycloaks.k8s.keycloak.org keycloak - - test "{{.FORCE_KEYCLOAK | default 0}}" == "0" - preconditions: - - test -f {{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}} - - uninstall-keycloak: - internal: true - requires: - vars: - - ROSA_CLUSTER_NAME - vars: - KC_HOSTNAME_SUFFIX: - sh: cat {{.ISPN_DIR}}/.task/kubecfg/ocp-prefix-{{.ROSA_CLUSTER_NAME}} - cmd: KUBECONFIG={{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}} helm uninstall --namespace {{.KC_NAMESPACE_PREFIX}}keycloak keycloak || true - status: - - test -z "$(KUBECONFIG={{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}} helm list --namespace {{.KC_NAMESPACE_PREFIX}}keycloak --filter keycloak -q)" - preconditions: - - test -f {{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}} - - test -f {{.ISPN_DIR}}/.task/kubecfg/ocp-prefix-{{.ROSA_CLUSTER_NAME}} - uninstall-infinispan: internal: true requires: @@ -348,7 +255,6 @@ tasks: preconditions: - test -f {{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}} - deploy-keycloak: internal: true requires: 
@@ -360,11 +266,23 @@ tasks: - task: create-{{ ternary "global" "single" (eq .CROSS_DC_MODE "ASYNC") }}-peering-connection vars: ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" - - task: install-keycloak + - task: keycloak:install-keycloak vars: - ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" + NAMESPACE: "{{.KC_NAMESPACE_PREFIX}}keycloak" + KUBECONFIG: "{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME}}" KC_HOSTNAME_OVERRIDE: "{{.KC_HOSTNAME_OVERRIDE}}" KC_HEALTH_HOSTNAME: "{{.KC_HEALTH_HOSTNAME}}" + KC_HOSTNAME_SUFFIX: + sh: cat {{.ISPN_DIR}}/.task/kubecfg/ocp-prefix-{{.ROSA_CLUSTER_NAME}} + KC_DATABASE_URL: + sh: cat .task/aurora-endpoint-{{.AURORA_CLUSTER}} + KC_ADMIN_PASSWORD: + sh: "aws secretsmanager get-secret-value --region eu-central-1 --secret-id keycloak-master-password --query SecretString --output text --no-cli-pager || echo admin" + KC_DATABASE: "aurora-postgres" + KC_CUSTOM_INFINISPAN_CONFIG: "true" + KC_CUSTOM_INFINISPAN_CONFIG_FILE: "config/kcb-infinispan-cache-remote-store-config.xml" + KC_ISPN_CLUSTER: "infinispan" + ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" - task: wait-cryostat vars: ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME}}" @@ -461,12 +379,14 @@ tasks: - task: ispn:rosa-oc-login vars: ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME_1}}" - - task: uninstall-keycloak + - task: keycloak:uninstall-keycloak vars: - ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME_2}}" - - task: uninstall-keycloak + KUBECONFIG: "{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME_2}}" + NAMESPACE: "{{.KC_NAMESPACE_PREFIX}}keycloak" + - task: keycloak:uninstall-keycloak vars: - ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME_1}}" + KUBECONFIG: "{{.ISPN_DIR}}/.task/kubecfg/{{.ROSA_CLUSTER_NAME_1}}" + NAMESPACE: "{{.KC_NAMESPACE_PREFIX}}keycloak" - task: uninstall-infinispan vars: ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME_2}}" @@ -480,7 +400,6 @@ tasks: vars: ROSA_CLUSTER_NAME: "{{.ROSA_CLUSTER_NAME_2}}" - helm-add-repos: internal: true cmds:
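Review bot: The `install-keycloak` task this hunk replaces carried a `status:` (`oc get keycloaks.k8s.keycloak.org keycloak` plus the `FORCE_KEYCLOAK` switch), while `keycloak:install-keycloak` in Utils.yaml has none, so `FORCE_KEYCLOAK` now does nothing and every `deploy-keycloak` run re-executes `helm upgrade --install`; if that is intended the variable should disappear from the docs, otherwise the status belongs on the new task. Of the vars passed here, `KC_ISPN_CLUSTER: "infinispan"` is, as far as the Utils.yaml in this patch shows, never read by `install-keycloak`, and `KC_DATABASE: "aurora-postgres"` is now hard-coded at the call site rather than taken from the global `KC_DATABASE` var the workflow exports, which silently overrides any caller-supplied value. `KC_ADMIN_PASSWORD` still falls back to the literal `admin` when the Secrets Manager lookup fails (`|| echo admin`), a behaviour this move preserves; a failed lookup should stop the deployment rather than quietly install the admin account with a well-known password, e.g. drop the `|| echo admin` so the failing `sh:` aborts the task.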