From a3f5592646ef74dc484b42cf5571eb31891636d6 Mon Sep 17 00:00:00 2001 From: Jason Montleon Date: Thu, 6 Feb 2025 11:29:59 -0500 Subject: [PATCH] :sparkles: Update upstream keycloak to V26 Signed-off-by: Jason Montleon --- ...nveyor-operator.clusterserviceversion.yaml | 7 +- helm/templates/rbac/cluster_role.yaml | 1 + helm/values.yaml | 2 +- roles/tackle/defaults/main.yml | 15 ++- roles/tackle/tasks/main.yml | 101 ++++++++++++++++-- .../customresource-rhbk-keycloak.yml.j2 | 30 ++++++ roles/tackle/templates/deployment-hub.yml.j2 | 18 +--- .../templates/deployment-keycloak-sso.yml.j2 | 45 +++++--- roles/tackle/templates/deployment-ui.yml.j2 | 2 +- .../templates/secret-keycloak-sso.yml.j2 | 4 +- .../templates/service-keycloak-rhbk.yml.j2 | 10 ++ 11 files changed, 186 insertions(+), 49 deletions(-) create mode 100644 roles/tackle/templates/customresource-rhbk-keycloak.yml.j2 create mode 100644 roles/tackle/templates/service-keycloak-rhbk.yml.j2 diff --git a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml index d603ba12..3fc2315b 100644 --- a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml +++ b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml @@ -103,7 +103,7 @@ metadata: categories: Modernization & Migration certified: "false" containerImage: quay.io/konveyor/tackle2-operator:latest - createdAt: "2024-11-07T18:19:51Z" + createdAt: "2025-02-11T17:50:14Z" description: Konveyor is an open-source application modernization platform that helps organizations safely and predictably modernize applications to Kubernetes at scale. @@ -223,6 +223,7 @@ spec: - get - apiGroups: - keycloak.org + - k8s.keycloak.org resources: - keycloaks - keycloakrealms @@ -279,7 +280,7 @@ spec: - name: RELATED_IMAGE_TACKLE_POSTGRES value: quay.io/sclorg/postgresql-15-c9s:latest - name: RELATED_IMAGE_KEYCLOAK_SSO - value: quay.io/keycloak/keycloak:18.0.2-legacy + value: quay.io/keycloak/keycloak:26.1 - name: RELATED_IMAGE_KEYCLOAK_INIT value: quay.io/konveyor/tackle-keycloak-init:latest - name: RELATED_IMAGE_TACKLE_UI @@ -474,7 +475,7 @@ spec: name: tackle-hub - image: quay.io/sclorg/postgresql-15-c9s:latest name: tackle-postgres - - image: quay.io/keycloak/keycloak:18.0.2-legacy + - image: quay.io/keycloak/keycloak:26.1 name: keycloak-sso - image: quay.io/konveyor/tackle-keycloak-init:latest name: keycloak-init diff --git a/helm/templates/rbac/cluster_role.yaml b/helm/templates/rbac/cluster_role.yaml index 902d327f..b399cc20 100644 --- a/helm/templates/rbac/cluster_role.yaml +++ b/helm/templates/rbac/cluster_role.yaml @@ -20,6 +20,7 @@ rules: - get - apiGroups: - keycloak.org + - k8s.keycloak.org resources: - keycloaks - keycloakrealms diff --git a/helm/values.yaml b/helm/values.yaml index 3a4f76c5..a38ded22 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -15,7 +15,7 @@ images: oauth_proxy: quay.io/openshift/origin-oauth-proxy:latest tackle_hub: quay.io/konveyor/tackle2-hub:latest tackle_postgres: quay.io/sclorg/postgresql-15-c9s:latest - keycloak_sso: quay.io/keycloak/keycloak:18.0.2-legacy + keycloak_sso: quay.io/keycloak/keycloak:26.1 keycloak_init: quay.io/konveyor/tackle-keycloak-init:latest tackle_ui: quay.io/konveyor/tackle2-ui:latest addon_analyzer: quay.io/konveyor/tackle2-addon-analyzer:latest diff --git a/roles/tackle/defaults/main.yml b/roles/tackle/defaults/main.yml index 476b9e89..7831df5b 100644 --- a/roles/tackle/defaults/main.yml +++ b/roles/tackle/defaults/main.yml @@ -93,7 +93,7 @@ keycloak_database_db_version: "15" keycloak_sso_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_SSO') }}" keycloak_init_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_INIT') }}" keycloak_sso_name: "keycloak" -keycloak_sso_component_name: "sso" +keycloak_sso_component_name: "{{ 'rhbk' if app_profile == 'mta' else 'sso' }}" keycloak_sso_service_name: "{{ app_name }}-{{ keycloak_sso_name }}-{{ keycloak_sso_component_name }}" keycloak_sso_configmap_name: "{{ keycloak_sso_service_name }}" keycloak_sso_secret_name: "{{ keycloak_sso_service_name }}" @@ -113,7 +113,7 @@ keycloak_sso_java_opts: "-Dcom.redhat.fips=false" keycloak_sso_realm: "{{ app_name }}" keycloak_sso_req_passwd_update: true keycloak_sso_client_id: "{{ app_name }}-ui" -keycloak_sso_tls_enabled: false +keycloak_sso_tls_enabled: true keycloak_sso_tls_secret_name: "{{ keycloak_sso_service_name }}-serving-cert" keycloak_sso_port: "{{ '8443' if keycloak_sso_tls_enabled | bool else '8080' }}" keycloak_sso_proto: "{{ 'https' if keycloak_sso_tls_enabled | bool else 'http' }}" @@ -217,11 +217,20 @@ rhsso_service_name: "{{ app_name }}-{{ rhsso_name }}" rhsso_secret_name: "credential-{{ rhsso_service_name }}" rhsso_api_version: "keycloak.org/v1alpha1" rhsso_external_access: false -rhsso_tls_enabled: true +rhsso_tls_enabled: "{{ true if openshift_cluster | bool else false }}" rhsso_port: "{{ '8443' if rhsso_tls_enabled | bool else '8080' }}" rhsso_proto: "{{ 'https' if rhsso_tls_enabled | bool else 'http' }}" rhsso_url: "{{ rhsso_proto }}://keycloak.{{ app_namespace }}.svc:{{ rhsso_port }}" +# RHBK Specific +rhbk_name: "rhbk" +rhbk_service_name: "{{ app_name }}-{{ rhbk_name }}" +rhbk_api_version: "k8s.keycloak.org/v2alpha1" +rhbk_tls_enabled: "{{ true if openshift_cluster | bool else false }}" +rhbk_tls_secret_name: "{{ rhbk_service_name }}-serving-cert" +rhbk_port: "{{ '8443' if rhsso_tls_enabled | bool else '8080' }}" +rhbk_proto: "{{ 'https' if rhsso_tls_enabled | bool else 'http' }}" +rhbk_url: "{{ rhsso_proto }}://{{ rhbk_service_name }}-service.{{ app_namespace }}.svc:{{ rhsso_port }}" # Kai-related variables experimental_deploy_kai: false diff --git a/roles/tackle/tasks/main.yml b/roles/tackle/tasks/main.yml index 39c39313..3649670e 100644 --- a/roles/tackle/tasks/main.yml +++ b/roles/tackle/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Gather available apis + kubernetes.core.k8s_cluster_info: + register: cluster_info + - name: "Load cluster API groups" set_fact: api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}" @@ -173,7 +177,10 @@ definition: "{{ lookup('template', 'service-keycloak-postgresql-migration.yml.j2') }}" - name: Scale down RHSSO - when: app_name == "mta" + when: + - app_name == "mta" + - rhsso_api_version in cluster_info.apis + - '"Keycloak" in cluster_info.apis[rhsso_api_version]' k8s: state: present definition: "{{ lookup('template', 'customresource-rhsso-keycloak.yml.j2') }}" @@ -322,6 +329,36 @@ state: present definition: "{{ lookup('template', 'service-keycloak-postgresql.yml.j2') }}" + - name: "Check if Keycloak SSO Credential Secret exists" + k8s_info: + api_version: v1 + kind: Secret + name: "{{ rhsso_secret_name }}" + namespace: "{{ app_namespace }}" + register: keycloak_sso_credential_secret_status + + - name: "Check if Keycloak SSO Secret exists already so we don't update it" + k8s_info: + api_version: v1 + kind: Secret + name: "{{ keycloak_sso_secret_name }}" + namespace: "{{ app_namespace }}" + register: keycloak_sso_secret_status + + - when: + - (keycloak_sso_secret_status.resources | length) == 0 + - (keycloak_sso_credential_secret_status.resources | length) == 1 + block: + - name: "Lookup RHSSO username and password" + set_fact: + keycloak_sso_admin_username_b64: "{{ keycloak_sso_credential_secret_status.resources[0].data.ADMIN_USERNAME }}" + keycloak_sso_admin_password_b64: "{{ keycloak_sso_credential_secret_status.resources[0].data.ADMIN_PASSWORD }}" + + - name: Move RHSSO credentials to RHBK location + k8s: + state: present + definition: "{{ lookup('template', 'secret-keycloak-sso.yml.j2') }}" + - name: "Check if Keycloak SSO Secret exists already so we don't update it" k8s_info: api_version: v1 @@ -330,6 +367,23 @@ namespace: "{{ app_namespace }}" register: keycloak_sso_secret_status + - when: + - keycloak_sso_secret_status.resources | length == 1 + - keycloak_sso_secret_status.resources[0].data['admin-username'] is defined + - keycloak_sso_secret_status.resources[0].data['admin-password'] is defined + - keycloak_sso_secret_status.resources[0].data.username is not defined + - keycloak_sso_secret_status.resources[0].data.password is not defined + block: + - name: Get values from old key names + set_fact: + keycloak_sso_admin_username_b64: "{{ keycloak_sso_secret_status.resources[0].data['admin-username'] }}" + keycloak_sso_admin_password_b64: "{{ keycloak_sso_secret_status.resources[0].data['admin-password'] }}" + + - name: Update new values for new keys + k8s: + state: present + definition: "{{ lookup('template', 'secret-keycloak-sso.yml.j2') }}" + - when: (keycloak_sso_secret_status.resources | length) == 0 block: - name: "Generate random values for Keycloak SSO credentials" @@ -371,6 +425,9 @@ label_selectors: - app = {{ rhsso_service_name }} register: rhsso_keycloak + when: + - rhsso_api_version in cluster_info.apis + - '"Keycloak" in cluster_info.apis[rhsso_api_version]' - name: "Delete old RHSSO Keycloak" k8s: @@ -380,6 +437,8 @@ name: "{{ rhsso_service_name }}" namespace: "{{ app_namespace }}" when: + - rhsso_api_version in cluster_info.apis + - '"Keycloak" in cluster_info.apis[rhsso_api_version]' - rhsso_keycloak.resources | length > 0 - rhsso_keycloak.resources[0].status.secondaryResources.Deployment is defined - '"keycloak-postgresql" in rhsso_keycloak.resources[0].status.secondaryResources.Deployment' @@ -424,20 +483,43 @@ definition: "{{ lookup('template', 'secret-keycloak-db.yml.j2') }}" merge_type: merge - - name: "Create RHSSO Keycloak CR" + - name: "Delete RHSSO Keycloak CR" k8s: - state: present + state: absent definition: "{{ lookup('template', 'customresource-rhsso-keycloak.yml.j2') }}" + when: + - rhsso_api_version in cluster_info.apis + - '"Keycloak" in cluster_info.apis[rhsso_api_version]' - - name: "Check RHSSO for readiness" + - name: "Create RHBK Keycloak CR" + k8s: + state: present + definition: "{{ lookup('template', 'customresource-rhbk-keycloak.yml.j2') }}" + + - name: "Check RHBK for service" k8s_info: - api_version: "{{ rhsso_api_version }}" + api_version: v1 + kind: service + name: "{{ rhbk_service_name }}-service" + namespace: "{{ app_namespace }}" + register: rhbk_service + until: rhbk_service.resources|length > 0 + retries: 30 + delay: 5 + + - name: "Annotate the service to create SSL cert" + k8s: + state: present + definition: "{{ lookup('template', 'service-keycloak-rhbk.yml.j2') }}" + + - name: "Check RHBK for readiness" + k8s_info: + api_version: "{{ rhbk_api_version }}" kind: Keycloak + name: "{{ app_name }}-{{ rhbk_name }}" namespace: "{{ app_namespace }}" - label_selectors: - - app = {{ rhsso_service_name }} register: cr - until: true in (cr | json_query('resources[].status.ready')) + until: cr | json_query('resources[].status.conditions[?type==`Ready`].status') | first | first | bool retries: 30 delay: 5 @@ -625,9 +707,6 @@ - when: - not(feature_auth_required|bool) or not(feature_auth_type == "keycloak") block: - - name: Gather available apis - kubernetes.core.k8s_cluster_info: - register: cluster_info - name: "Deprovision RHSSO Keycloak CR" k8s: diff --git a/roles/tackle/templates/customresource-rhbk-keycloak.yml.j2 b/roles/tackle/templates/customresource-rhbk-keycloak.yml.j2 new file mode 100644 index 00000000..4ab04bbe --- /dev/null +++ b/roles/tackle/templates/customresource-rhbk-keycloak.yml.j2 @@ -0,0 +1,30 @@ +apiVersion: {{ rhbk_api_version }} +kind: Keycloak +metadata: + name: {{ app_name }}-{{ rhbk_name }} + namespace: {{ app_namespace }} +spec: + instances: 1 + db: + vendor: postgres + database: {{ keycloak_database_db_name }} + host: {{ keycloak_database_service_k8s_resource_name }} + usernameSecret: + name: keycloak-db-secret + key: POSTGRES_USERNAME + passwordSecret: + name: keycloak-db-secret + key: POSTGRES_PASSWORD + proxy: + headers: xforwarded + http: + tlsSecret: {{ rhbk_tls_secret_name }} + hostname: + strict: false + additionalOptions: + - name: http-relative-path + value: /auth + bootstrapAdmin: + user: + secret: {{ keycloak_sso_secret_name }} + diff --git a/roles/tackle/templates/deployment-hub.yml.j2 b/roles/tackle/templates/deployment-hub.yml.j2 index a41be286..abb683dc 100644 --- a/roles/tackle/templates/deployment-hub.yml.j2 +++ b/roles/tackle/templates/deployment-hub.yml.j2 @@ -112,31 +112,21 @@ spec: value: "{{ keycloak_sso_client_id }}" {% if app_profile == 'mta' %} - name: KEYCLOAK_HOST - value: "{{ rhsso_url }}" - - name: KEYCLOAK_ADMIN_USER - valueFrom: - secretKeyRef: - name: "{{ rhsso_secret_name }}" - key: ADMIN_USERNAME - - name: KEYCLOAK_ADMIN_PASS - valueFrom: - secretKeyRef: - name: "{{ rhsso_secret_name }}" - key: ADMIN_PASSWORD + value: "{{ rhbk_url }}" {% else %} - name: KEYCLOAK_HOST value: "{{ keycloak_sso_url }}" +{% endif %} - name: KEYCLOAK_ADMIN_USER valueFrom: secretKeyRef: name: "{{ keycloak_sso_secret_name }}" - key: admin-username + key: username - name: KEYCLOAK_ADMIN_PASS valueFrom: secretKeyRef: name: "{{ keycloak_sso_secret_name }}" - key: admin-password -{% endif %} + key: password - name: KEYCLOAK_REQ_PASS_UPDATE value: "{{ keycloak_sso_req_passwd_update|lower }}" {% endif %} diff --git a/roles/tackle/templates/deployment-keycloak-sso.yml.j2 b/roles/tackle/templates/deployment-keycloak-sso.yml.j2 index 4eae6aa2..105aec52 100644 --- a/roles/tackle/templates/deployment-keycloak-sso.yml.j2 +++ b/roles/tackle/templates/deployment-keycloak-sso.yml.j2 @@ -42,41 +42,52 @@ spec: containers: - name: {{ keycloak_sso_container_name }} image: "{{ keycloak_sso_image_fqin }}" + args: + - -Djgroups.dns.query=mta-kc-discovery.openshift-mta + - --verbose + - start imagePullPolicy: "{{ image_pull_policy }}" env: - - name: KEYCLOAK_USER + - name: KC_BOOTSTRAP_ADMIN_USERNAME valueFrom: secretKeyRef: name: {{ keycloak_sso_secret_name }} - key: admin-username - - name: KEYCLOAK_PASSWORD + key: username + - name: KC_BOOTSTRAP_ADMIN_PASSWORD valueFrom: secretKeyRef: name: {{ keycloak_sso_secret_name }} - key: admin-password + key: password - name: JAVA_OPTS value: {{ keycloak_sso_java_opts }} - name: PROXY_ADDRESS_FORWARDING value: 'true' - - name: DB_VENDOR + - name: KC_DB value: postgres - - name: DB_ADDR - value: {{ keycloak_database_service_k8s_resource_name }} - - name: DB_DATABASE - valueFrom: - secretKeyRef: - name: {{ keycloak_database_secret_name }} - key: database-name - - name: DB_USER + - name: KC_DB_URL + value: jdbc:postgresql://{{ keycloak_database_service_k8s_resource_name }}:5432/{{ keycloak_database_db_name }} + - name: KC_DB_USERNAME valueFrom: secretKeyRef: name: {{ keycloak_database_secret_name }} key: database-user - - name: DB_PASSWORD + - name: KC_DB_PASSWORD valueFrom: secretKeyRef: name: {{ keycloak_database_secret_name }} key: database-password + - name: KC_HTTP_RELATIVE_PATH + value: /auth + - name: KC_PROXY_HEADERS + value: xforwarded + - name: KC_HTTPS_CERTIFICATE_FILE + value: /service-crt/tls.crt + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: /service-crt/tls.key + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HTTP_ENABLED + value: "true" ports: - name: http containerPort: 8080 @@ -114,6 +125,12 @@ spec: volumeMounts: - name: {{ keycloak_sso_service_name }}-theme mountPath: /opt/jboss/keycloak/standalone/deployments + - mountPath: "/service-crt" + name: service-crt + readOnly: true volumes: - name: {{ keycloak_sso_service_name }}-theme emptyDir: {} + - name: service-crt + secret: + secretName: {{ keycloak_sso_tls_secret_name }} diff --git a/roles/tackle/templates/deployment-ui.yml.j2 b/roles/tackle/templates/deployment-ui.yml.j2 index 951f6af6..0ae26f3d 100644 --- a/roles/tackle/templates/deployment-ui.yml.j2 +++ b/roles/tackle/templates/deployment-ui.yml.j2 @@ -103,7 +103,7 @@ spec: value: {{ keycloak_sso_client_id }} {% if app_profile == 'mta' %} - name: KEYCLOAK_SERVER_URL - value: {{ rhsso_url }} + value: {{ rhbk_url }} {% else %} - name: KEYCLOAK_SERVER_URL value: {{ keycloak_sso_url }} diff --git a/roles/tackle/templates/secret-keycloak-sso.yml.j2 b/roles/tackle/templates/secret-keycloak-sso.yml.j2 index f710cf98..35615d04 100644 --- a/roles/tackle/templates/secret-keycloak-sso.yml.j2 +++ b/roles/tackle/templates/secret-keycloak-sso.yml.j2 @@ -9,5 +9,5 @@ metadata: namespace: {{ app_namespace }} type: Opaque data: - admin-username: {{ keycloak_sso_admin_username_b64 }} - admin-password: {{ keycloak_sso_admin_password_b64 }} + username: {{ keycloak_sso_admin_username_b64 }} + password: {{ keycloak_sso_admin_password_b64 }} diff --git a/roles/tackle/templates/service-keycloak-rhbk.yml.j2 b/roles/tackle/templates/service-keycloak-rhbk.yml.j2 new file mode 100644 index 00000000..2f17e98d --- /dev/null +++ b/roles/tackle/templates/service-keycloak-rhbk.yml.j2 @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Service +metadata: +{% if keycloak_sso_tls_enabled|bool and openshift_cluster|bool %} + annotations: + service.beta.openshift.io/serving-cert-secret-name: {{ rhbk_tls_secret_name }} +{% endif %} + name: {{ rhbk_service_name }}-service + namespace: {{ app_namespace }}