Merge pull request #3624 from uselagoon/keycloak-21-realm-import

refactor: upgrade keycloak to 21 and support initial realm import
uselagoon · Feb 7, 2024 · d0983ad · d0983ad
2 parents 7dfbaa4 + 9ad1a33
commit d0983ad
Show file tree

Hide file tree

Showing 12 changed files with 4,926 additions and 2,445 deletions.
diff --git a/Makefile b/Makefile
@@ -356,7 +356,7 @@ STERN_VERSION = v2.6.1
 CHART_TESTING_VERSION = v3.10.1
 K3D_IMAGE = docker.io/rancher/k3s:v1.27.3-k3s1
 TESTS = [nginx,api,features-kubernetes,bulk-deployment,features-kubernetes-2,features-variables,active-standby-kubernetes,tasks,drush,python,gitlab,github,bitbucket,services,workflows]
-CHARTS_TREEISH = main
+CHARTS_TREEISH = keycloak-health-endpoint
 TASK_IMAGES = task-activestandby
 
 # Symlink the installed kubectl client if the correct version is already

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -131,6 +131,7 @@ services:
     ports:
       - '8088:8080'
     environment:
+      - KEYCLOAK_FRONTEND_URL=http://localhost:8088/auth/
       - [email protected]
       # Uncomment for local new relic tracking
       # - NEW_RELIC_LICENSE_KEY=

diff --git a/services/keycloak/Dockerfile b/services/keycloak/Dockerfile
@@ -1,3 +1,7 @@
+FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
+RUN mkdir -p /mnt/rootfs
+RUN dnf install --installroot /mnt/rootfs nc jq openssl curl unzip --releasever 9 --setopt install_weak_deps=false --nodocs -y; dnf --installroot /mnt/rootfs clean all
+
 ARG UPSTREAM_REPO
 ARG UPSTREAM_TAG
 FROM ${UPSTREAM_REPO:-uselagoon}/commons:${UPSTREAM_TAG:-latest} as commons
@@ -8,17 +12,14 @@ COPY javascript /tmp/lagoon-scripts
 
 RUN cd /tmp/lagoon-scripts && zip -r ../lagoon-scripts.jar *
 
-FROM quay.io/keycloak/keycloak:17.0.1-legacy
+FROM quay.io/keycloak/keycloak:21.1.2
+COPY --from=ubi-micro-build /mnt/rootfs /
 
 ARG LAGOON_VERSION
 ENV LAGOON_VERSION=$LAGOON_VERSION
 
 USER root
 
-RUN microdnf install -y nc jq unzip \
-    && microdnf clean all \
-    && rm -rf /var/cache/yum
-
 LABEL maintainer="amazee.io"
 ENV LAGOON=keycloak
 
@@ -30,10 +31,6 @@ COPY --from=commons /home /home
 RUN chmod g+w /etc/passwd \
     && mkdir -p /home
 
-# Fix permissions for JBoss home directory
-RUN chgrp -R 0 $JBOSS_HOME &&\
-    chmod -R g+rw $JBOSS_HOME
-
 # Reproduce behavior of Alpine: Run Bash as sh
 RUN rm -f /bin/sh && ln -s /bin/bash /bin/sh
 
@@ -69,15 +66,18 @@ ENV TMPDIR=/tmp \
     KEYCLOAK_SERVICE_API_CLIENT_SECRET=d3724d52-34d1-4967-a802-4d178678564b \
     JAVA_OPTS="-server -Xms2048m -Xmx4096m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true"
 
-VOLUME /opt/jboss/keycloak/standalone/data
+VOLUME /opt/keycloak/data
 
+COPY entrypoints/kc-startup.sh /lagoon/kc-startup.sh
 COPY entrypoints/wait-for-mariadb.sh /lagoon/entrypoints/98-wait-for-mariadb.sh
 COPY entrypoints/default-keycloak-entrypoint.sh /lagoon/entrypoints/99-default-keycloak-entrypoint.sh
-COPY startup-scripts /opt/jboss/startup-scripts
-COPY profile.properties /opt/jboss/keycloak/standalone/configuration/profile.properties
-COPY configure-ds-pool.cli /opt/jboss/tools/cli/databases/configure-ds-pool.cli
-COPY themes/lagoon /opt/jboss/keycloak/themes/lagoon
-COPY --from=commons /tmp/lagoon-scripts.jar /opt/jboss/keycloak/standalone/deployments/lagoon-scripts.jar
+COPY startup-scripts /opt/keycloak/startup-scripts
+COPY themes/lagoon /opt/keycloak/themes/lagoon
+COPY --from=commons /tmp/lagoon-scripts.jar /opt/keycloak/providers/lagoon-scripts.jar
+
+COPY lagoon-realm-2.16.0.json /lagoon/seed/lagoon-realm-2.16.0.json
+
+RUN /opt/keycloak/bin/kc.sh build
 
 ENTRYPOINT ["/sbin/tini", "--", "/lagoon/entrypoints.bash"]
-CMD ["-b", "0.0.0.0"]
+CMD ["start"]
diff --git a/services/keycloak/configure-ds-pool.cli b/services/keycloak/configure-ds-pool.cli
diff --git a/services/keycloak/entrypoints/default-keycloak-entrypoint.sh b/services/keycloak/entrypoints/default-keycloak-entrypoint.sh
@@ -1,2 +1,20 @@
 #!/bin/sh
-KEYCLOAK_USER=$KEYCLOAK_ADMIN_USER KEYCLOAK_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD /opt/jboss/tools/docker-entrypoint.sh "$@"
+export KC_DB=$DB_VENDOR
+export KC_DB_USERNAME=$DB_USER
+export KC_DB_PASSWORD=$DB_PASSWORD
+export KC_DB_URL=jdbc:mariadb://$DB_ADDR:3306/$DB_DATABASE
+
+export KC_PROXY=${KC_PROXY:-edge}
+export KC_HOSTNAME_STRICT=${KC_HOSTNAME_STRICT:-false}
+export KC_HOSTNAME_STRICT_HTTPS=${KC_HOSTNAME_STRICT_HTTPS:-false}
+export KC_HTTP_RELATIVE_PATH=${KC_HTTP_RELATIVE_PATH:-/auth}
+export KC_HOSTNAME_URL=${KEYCLOAK_FRONTEND_URL}
+
+# this may need to be changed to an optional override and only set for k3d testing so that it allows access to
+# the admin page in a k3d deployed environment locally
+export KC_HOSTNAME_ADMIN_URL=${KEYCLOAK_FRONTEND_URL}
+
+export KC_DB_POOL_MAX_SIZE=${KEYCLOAK_DS_MAX_POOL_SIZE:-20}
+export KC_DB_POOL_MIN_SIZE=${KEYCLOAK_DS_MIN_POOL_SIZE:-0}
+
+KEYCLOAK_USER=$KEYCLOAK_ADMIN_USER KEYCLOAK_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD KEYCLOAK_ADMIN=$KEYCLOAK_ADMIN_USER /lagoon/kc-startup.sh "$@"
diff --git a/services/keycloak/entrypoints/kc-startup.sh b/services/keycloak/entrypoints/kc-startup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Wrapper script as docker entrypoint to run initialize-my-realm.sh in parallel to actual kc.sh (the official entrypoint).
+
+set -e -u -o pipefail
+shopt -s failglob
+
+/opt/keycloak/startup-scripts/00-configure-lagoon.sh & disown
+
+/opt/keycloak/bin/kc.sh "$@" --features="scripts,token-exchange,admin-fine-grained-authz"
diff --git a/services/keycloak/javascript/META-INF/keycloak-scripts.json b/services/keycloak/javascript/META-INF/keycloak-scripts.json
@@ -7,6 +7,11 @@
     }
   ],
   "policies": [
+    {
+      "name": "Default Policy",
+      "description": "A policy that grants access only for users within this realm",
+      "fileName": "policies/default-policy.js"
+    },
     {
       "name": "[Lagoon] Users role for realm is Platform Owner",
       "description": "Checks the users role for the realm is Platform Owner or higher",

diff --git a/services/keycloak/javascript/policies/default-policy.js b/services/keycloak/javascript/policies/default-policy.js
@@ -0,0 +1,2 @@
+// by default, grants any permission associated with this policy
+$evaluation.grant();
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		// by default, grants any permission associated with this policy
		$evaluation.grant();