✨ Update upstream keycloak to V26

Signed-off-by: Jason Montleon <jmontleo@redhat.com>
konveyor · Feb 10, 2025 · 9006638 · 9006638
1 parent e161635
commit 9006638
Show file tree

Hide file tree

Showing 11 changed files with 169 additions and 45 deletions.
diff --git a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml
@@ -103,7 +103,7 @@ metadata:
     categories: Modernization & Migration
     certified: "false"
     containerImage: quay.io/konveyor/tackle2-operator:latest
-    createdAt: "2024-11-07T18:19:51Z"
+    createdAt: "2025-02-05T21:27:13Z"
     description: Konveyor is an open-source application modernization platform that
       helps organizations safely and predictably modernize applications to Kubernetes
       at scale.
@@ -279,7 +279,7 @@ spec:
                 - name: RELATED_IMAGE_TACKLE_POSTGRES
                   value: quay.io/sclorg/postgresql-15-c9s:latest
                 - name: RELATED_IMAGE_KEYCLOAK_SSO
-                  value: quay.io/keycloak/keycloak:18.0.2-legacy
+                  value: quay.io/keycloak/keycloak:26.1
                 - name: RELATED_IMAGE_KEYCLOAK_INIT
                   value: quay.io/konveyor/tackle-keycloak-init:latest
                 - name: RELATED_IMAGE_TACKLE_UI
@@ -474,7 +474,7 @@ spec:
     name: tackle-hub
   - image: quay.io/sclorg/postgresql-15-c9s:latest
     name: tackle-postgres
-  - image: quay.io/keycloak/keycloak:18.0.2-legacy
+  - image: quay.io/keycloak/keycloak:26.1
     name: keycloak-sso
   - image: quay.io/konveyor/tackle-keycloak-init:latest
     name: keycloak-init

diff --git a/helm/templates/rbac/cluster_role.yaml b/helm/templates/rbac/cluster_role.yaml
@@ -20,6 +20,7 @@ rules:
   - get
 - apiGroups:
   - keycloak.org
+  - k8s.keycloak.org
   resources:
   - keycloaks
   - keycloakrealms

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -15,7 +15,7 @@ images:
   oauth_proxy: quay.io/openshift/origin-oauth-proxy:latest
   tackle_hub: quay.io/konveyor/tackle2-hub:latest
   tackle_postgres: quay.io/sclorg/postgresql-15-c9s:latest
-  keycloak_sso: quay.io/keycloak/keycloak:18.0.2-legacy
+  keycloak_sso: quay.io/keycloak/keycloak:26.1
   keycloak_init: quay.io/konveyor/tackle-keycloak-init:latest
   tackle_ui: quay.io/konveyor/tackle2-ui:latest
   addon_analyzer: quay.io/konveyor/tackle2-addon-analyzer:latest

diff --git a/roles/tackle/defaults/main.yml b/roles/tackle/defaults/main.yml
@@ -93,7 +93,7 @@ keycloak_database_db_version: "15"
 keycloak_sso_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_SSO') }}"
 keycloak_init_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_INIT') }}"
 keycloak_sso_name: "keycloak"
-keycloak_sso_component_name: "sso"
+keycloak_sso_component_name: "{{ 'rhbk' if app_profile == 'mta' | bool else 'sso' }}"
 keycloak_sso_service_name: "{{ app_name }}-{{ keycloak_sso_name }}-{{ keycloak_sso_component_name }}"
 keycloak_sso_configmap_name: "{{ keycloak_sso_service_name }}"
 keycloak_sso_secret_name: "{{ keycloak_sso_service_name }}"
@@ -113,7 +113,7 @@ keycloak_sso_java_opts: "-Dcom.redhat.fips=false"
 keycloak_sso_realm: "{{ app_name }}"
 keycloak_sso_req_passwd_update: true
 keycloak_sso_client_id: "{{ app_name }}-ui"
-keycloak_sso_tls_enabled: false
+keycloak_sso_tls_enabled: true
 keycloak_sso_tls_secret_name: "{{ keycloak_sso_service_name }}-serving-cert"
 keycloak_sso_port: "{{ '8443' if keycloak_sso_tls_enabled | bool else '8080' }}"
 keycloak_sso_proto: "{{ 'https' if keycloak_sso_tls_enabled | bool else 'http' }}"
@@ -217,11 +217,20 @@ rhsso_service_name: "{{ app_name }}-{{ rhsso_name }}"
 rhsso_secret_name: "credential-{{ rhsso_service_name }}"
 rhsso_api_version: "keycloak.org/v1alpha1"
 rhsso_external_access: false
-rhsso_tls_enabled: true
+rhsso_tls_enabled: "{{ true if openshift_cluster | bool else false }}"
 rhsso_port: "{{ '8443' if rhsso_tls_enabled | bool else '8080' }}"
 rhsso_proto: "{{ 'https' if rhsso_tls_enabled | bool else 'http' }}"
 rhsso_url: "{{ rhsso_proto }}://keycloak.{{ app_namespace }}.svc:{{ rhsso_port }}"
 
+# RHBK Specific
+rhbk_name: "rhbk"
+rhbk_service_name: "{{ app_name }}-{{ rhbk_name }}"
+rhbk_api_version: "k8s.keycloak.org/v2alpha1"
+rhbk_tls_enabled: "{{ true if openshift_cluster | bool else false }}"
+rhbk_tls_secret_name: "{{ rhbk_service_name }}-serving-cert"
+rhbk_port: "{{ '8443' if rhsso_tls_enabled | bool else '8080' }}"
+rhbk_proto: "{{ 'https' if rhsso_tls_enabled | bool else 'http' }}"
+rhbk_url: "{{ rhsso_proto }}://{{ rhbk_service_name }}-service.{{ app_namespace }}.svc:{{ rhsso_port }}"
 
 # Kai-related variables
 experimental_deploy_kai: false

diff --git a/roles/tackle/tasks/main.yml b/roles/tackle/tasks/main.yml
@@ -322,6 +322,14 @@
         state: present
         definition: "{{ lookup('template', 'service-keycloak-postgresql.yml.j2') }}"
 
+    - name: "Check if Keycloak SSO Credential Secret exists"
+      k8s_info:
+        api_version: v1
+        kind: Secret
+        name: "{{ rhsso_secret_name }}"
+        namespace: "{{ app_namespace }}"
+      register: keycloak_sso_credential_secret_status
+
     - name: "Check if Keycloak SSO Secret exists already so we don't update it"
       k8s_info:
         api_version: v1
@@ -330,6 +338,45 @@
         namespace: "{{ app_namespace }}"
       register: keycloak_sso_secret_status
 
+    - when:
+        - (keycloak_sso_secret_status.resources | length) == 0
+        - (keycloak_sso_credential_secret_status.resources | length) == 1
+      block:
+        - name: "Lookup RHSSO username and password"
+          set_fact:
+            keycloak_sso_admin_username_b64: "{{ keycloak_sso_credential_secret_status.resources[0].data.ADMIN_USERNAME }}"
+            keycloak_sso_admin_password_b64: "{{ keycloak_sso_credential_secret_status.resources[0].data.ADMIN_PASSWORD }}"
+
+        - name: Move RHSSO credentials to RHBK location
+          k8s:
+            state: present
+            definition: "{{ lookup('template', 'secret-keycloak-sso.yml.j2') }}"
+
+    - name: "Check if Keycloak SSO Secret exists already so we don't update it"
+      k8s_info:
+        api_version: v1
+        kind: Secret
+        name: "{{ keycloak_sso_secret_name }}"
+        namespace: "{{ app_namespace }}"
+      register: keycloak_sso_secret_status
+
+    - when:
+        - keycloak_sso_secret_status.resources | length == 1
+        - keycloak_sso_secret_status.resources[0].data['admin-username'] is defined
+        - keycloak_sso_secret_status.resources[0].data['admin-password'] is defined
+        - keycloak_sso_secret_status.resources[0].data.username is not defined
+        - keycloak_sso_secret_status.resources[0].data.password is not defined
+      block:
+        - name: Get values from old key names
+          set_fact:
+            keycloak_sso_admin_username_b64: "{{ keycloak_sso_secret_status.resources[0].data['admin-username'] }}"
+            keycloak_sso_admin_password_b64: "{{ keycloak_sso_secret_status.resources[0].data['admin-password'] }}"
+
+        - name: Update new values for new keys
+          k8s:
+            state: present
+            definition: "{{ lookup('template', 'secret-keycloak-sso.yml.j2') }}"
+
     - when: (keycloak_sso_secret_status.resources | length) == 0
       block:
         - name: "Generate random values for Keycloak SSO credentials"
@@ -424,20 +471,40 @@
         definition: "{{ lookup('template', 'secret-keycloak-db.yml.j2') }}"
         merge_type: merge
 
-    - name: "Create RHSSO Keycloak CR"
+    - name: "Delete RHSSO Keycloak CR"
       k8s:
-        state: present
+        state: absent
         definition: "{{ lookup('template', 'customresource-rhsso-keycloak.yml.j2') }}"
 
-    - name: "Check RHSSO for readiness"
+    - name: "Create RHBK Keycloak CR"
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'customresource-rhbk-keycloak.yml.j2') }}"
+
+    - name: "Check RHBK for service"
       k8s_info:
-        api_version: "{{ rhsso_api_version }}"
+        api_version: v1
+        kind: service
+        name: "{{ rhbk_service_name  }}-service"
+        namespace: "{{ app_namespace }}"
+      register: rhbk_service
+      until: rhbk_service.resources|length > 0
+      retries: 30
+      delay: 5
+
+    - name: "Annotate the service to create SSL cert"
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'service-keycloak-rhbk.yml.j2') }}"
+
+    - name: "Check RHBK for readiness"
+      k8s_info:
+        api_version: "{{ rhbk_api_version }}"
         kind: Keycloak
+        name: "{{ app_name }}-{{ rhbk_name }}"
         namespace: "{{ app_namespace }}"
-        label_selectors:
-          - app = {{ rhsso_service_name }}
       register: cr
-      until: true in (cr | json_query('resources[].status.ready'))
+      until: cr | json_query('resources[].status.conditions[?type==`Ready`].status') | first | first | bool
       retries: 30
       delay: 5
 

diff --git a/roles/tackle/templates/customresource-rhbk-keycloak.yml.j2 b/roles/tackle/templates/customresource-rhbk-keycloak.yml.j2
@@ -0,0 +1,30 @@
+apiVersion: {{ rhbk_api_version }}
+kind: Keycloak
+metadata:
+  name: {{ app_name }}-{{ rhbk_name }}
+  namespace: {{ app_namespace }}
+spec:
+  instances: 1
+  db:
+    vendor: postgres
+    database: {{ keycloak_database_db_name }}
+    host: {{ keycloak_database_service_k8s_resource_name }} 
+    usernameSecret:
+      name: keycloak-db-secret
+      key: POSTGRES_USERNAME
+    passwordSecret:
+      name: keycloak-db-secret
+      key: POSTGRES_PASSWORD
+  proxy:
+    headers: xforwarded
+  http:
+    tlsSecret: {{ rhbk_tls_secret_name }}
+  hostname:
+    strict: false
+  additionalOptions:
+    - name: http-relative-path
+      value: /auth
+  bootstrapAdmin:
+    user:
+      secret: {{ keycloak_sso_secret_name }}
+
diff --git a/roles/tackle/templates/deployment-hub.yml.j2 b/roles/tackle/templates/deployment-hub.yml.j2
@@ -112,31 +112,21 @@ spec:
               value: "{{ keycloak_sso_client_id }}"
 {% if app_profile == 'mta' %}
             - name: KEYCLOAK_HOST
-              value: "{{ rhsso_url }}"
-            - name: KEYCLOAK_ADMIN_USER
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ rhsso_secret_name }}"
-                  key: ADMIN_USERNAME
-            - name: KEYCLOAK_ADMIN_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ rhsso_secret_name }}"
-                  key: ADMIN_PASSWORD
+              value: "{{ rhbk_url }}"
 {% else %}
             - name: KEYCLOAK_HOST
               value: "{{ keycloak_sso_url }}"
+{% endif %}
             - name: KEYCLOAK_ADMIN_USER
               valueFrom:
                 secretKeyRef:
                   name: "{{ keycloak_sso_secret_name }}"
-                  key: admin-username
+                  key: username
             - name: KEYCLOAK_ADMIN_PASS
               valueFrom:
                 secretKeyRef:
                   name: "{{ keycloak_sso_secret_name }}"
-                  key: admin-password
-{% endif %}
+                  key: password
             - name: KEYCLOAK_REQ_PASS_UPDATE
               value: "{{ keycloak_sso_req_passwd_update|lower }}"
 {% endif %}

diff --git a/roles/tackle/templates/deployment-keycloak-sso.yml.j2 b/roles/tackle/templates/deployment-keycloak-sso.yml.j2
@@ -42,41 +42,52 @@ spec:
       containers:
         - name: {{ keycloak_sso_container_name }}
           image: "{{ keycloak_sso_image_fqin }}"
+          args:
+          - -Djgroups.dns.query=mta-kc-discovery.openshift-mta
+          - --verbose
+          - start
           imagePullPolicy: "{{ image_pull_policy }}"
           env:
-            - name: KEYCLOAK_USER
+            - name: KC_BOOTSTRAP_ADMIN_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_sso_secret_name }}
-                  key: admin-username
-            - name: KEYCLOAK_PASSWORD
+                  key: username
+            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_sso_secret_name }}
-                  key: admin-password
+                  key: password
             - name: JAVA_OPTS
               value: {{ keycloak_sso_java_opts }}
             - name: PROXY_ADDRESS_FORWARDING
               value: 'true'
-            - name: DB_VENDOR
+            - name: KC_DB
               value: postgres
-            - name: DB_ADDR
-              value: {{ keycloak_database_service_k8s_resource_name }}
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: {{ keycloak_database_secret_name }}
-                  key: database-name
-            - name: DB_USER
+            - name: KC_DB_URL
+              value: jdbc:postgresql://{{ keycloak_database_service_k8s_resource_name }}:5432/{{ keycloak_database_db_name }}
+            - name: KC_DB_USERNAME
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_database_secret_name }}
                   key: database-user
-            - name: DB_PASSWORD
+            - name: KC_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ keycloak_database_secret_name }}
                   key: database-password
+            - name: KC_HTTP_RELATIVE_PATH
+              value: /auth
+            - name: KC_PROXY_HEADERS
+              value: xforwarded
+            - name: KC_HTTPS_CERTIFICATE_FILE
+              value: /service-crt/tls.crt
+            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+              value: /service-crt/tls.key
+            - name: KC_HOSTNAME_STRICT
+              value: "false"
+            - name: KC_HTTP_ENABLED
+              value: "true"
           ports:
             - name: http
               containerPort: 8080
@@ -114,6 +125,12 @@ spec:
           volumeMounts:
             - name: {{ keycloak_sso_service_name }}-theme
               mountPath: /opt/jboss/keycloak/standalone/deployments
+            - mountPath: "/service-crt"
+              name: service-crt
+              readOnly: true
       volumes:
         - name: {{ keycloak_sso_service_name }}-theme
           emptyDir: {}
+        - name: service-crt
+          secret:
+            secretName: {{ keycloak_sso_tls_secret_name }}
diff --git a/roles/tackle/templates/deployment-ui.yml.j2 b/roles/tackle/templates/deployment-ui.yml.j2
@@ -103,7 +103,7 @@ spec:
               value: {{ keycloak_sso_client_id }}
 {% if app_profile == 'mta' %}
             - name: KEYCLOAK_SERVER_URL
-              value: {{ rhsso_url }}
+              value: {{ rhbk_url }}
 {% else %}
             - name: KEYCLOAK_SERVER_URL
               value: {{ keycloak_sso_url }}

diff --git a/roles/tackle/templates/secret-keycloak-sso.yml.j2 b/roles/tackle/templates/secret-keycloak-sso.yml.j2
@@ -9,5 +9,5 @@ metadata:
   namespace: {{ app_namespace }}
 type: Opaque
 data:
-  admin-username: {{ keycloak_sso_admin_username_b64 }}
-  admin-password: {{ keycloak_sso_admin_password_b64 }}
+  username: {{ keycloak_sso_admin_username_b64 }}
+  password: {{ keycloak_sso_admin_password_b64 }}
diff --git a/roles/tackle/templates/service-keycloak-rhbk.yml.j2 b/roles/tackle/templates/service-keycloak-rhbk.yml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+{% if keycloak_sso_tls_enabled|bool and openshift_cluster|bool %}
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: {{ rhbk_tls_secret_name }}
+{% endif %}
+  name: {{ rhbk_service_name  }}-service
+  namespace: {{ app_namespace }}