✨ Update keycloak #400

7 changes: 4 additions & 3 deletions bundle/manifests/konveyor-operator.clusterserviceversion.yaml
Expand Up @@ -103,7 +103,7 @@ metadata:
categories: Modernization & Migration
certified: "false"
containerImage: quay.io/konveyor/tackle2-operator:latest
createdAt: "2024-11-07T18:19:51Z"
createdAt: "2025-02-11T17:50:14Z"
description: Konveyor is an open-source application modernization platform that
helps organizations safely and predictably modernize applications to Kubernetes
at scale.
Expand Down Expand Up @@ -223,6 +223,7 @@ spec:
- get
- apiGroups:
- keycloak.org
- k8s.keycloak.org
resources:
- keycloaks
- keycloakrealms
Expand Down Expand Up @@ -279,7 +280,7 @@ spec:
- name: RELATED_IMAGE_TACKLE_POSTGRES
value: quay.io/sclorg/postgresql-15-c9s:latest
- name: RELATED_IMAGE_KEYCLOAK_SSO
value: quay.io/keycloak/keycloak:18.0.2-legacy
value: quay.io/keycloak/keycloak:26.1
- name: RELATED_IMAGE_KEYCLOAK_INIT
value: quay.io/konveyor/tackle-keycloak-init:latest
- name: RELATED_IMAGE_TACKLE_UI
Expand Down Expand Up @@ -474,7 +475,7 @@ spec:
name: tackle-hub
- image: quay.io/sclorg/postgresql-15-c9s:latest
name: tackle-postgres
- image: quay.io/keycloak/keycloak:18.0.2-legacy
- image: quay.io/keycloak/keycloak:26.1
name: keycloak-sso
- image: quay.io/konveyor/tackle-keycloak-init:latest
name: keycloak-init
1 change: 1 addition & 0 deletions helm/templates/rbac/cluster_role.yaml
Expand Up @@ -20,6 +20,7 @@ rules:
- get
- apiGroups:
- keycloak.org
- k8s.keycloak.org
resources:
- keycloaks
- keycloakrealms
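Review bot: The added `k8s.keycloak.org` entry reuses the resource list that was written for the legacy `keycloak.org` operator, so the operator is now granted verbs on resource names that, as far as I know, the `k8s.keycloak.org` group does not serve (its v2alpha1 API exposes `keycloaks` and `keycloakrealmimports`, not `keycloakrealms`); the rest of the resource list and the verbs are below the hunk, so I can't see how wide the grant is. Harmless today, but it hides which permissions the RHBK migration actually needs, so I would split it into two rules, one per apiGroup, each naming only the resources that group serves, e.g. `- apiGroups: [k8s.keycloak.org]` / `resources: [keycloaks, keycloakrealmimports]`. The same edit is duplicated in the bundle CSV and the two copies should be kept in sync.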
2 changes: 1 addition & 1 deletion helm/values.yaml
Expand Up @@ -15,7 +15,7 @@ images:
oauth_proxy: quay.io/openshift/origin-oauth-proxy:latest
tackle_hub: quay.io/konveyor/tackle2-hub:latest
tackle_postgres: quay.io/sclorg/postgresql-15-c9s:latest
keycloak_sso: quay.io/keycloak/keycloak:18.0.2-legacy
keycloak_sso: quay.io/keycloak/keycloak:26.1
keycloak_init: quay.io/konveyor/tackle-keycloak-init:latest
tackle_ui: quay.io/konveyor/tackle2-ui:latest
addon_analyzer: quay.io/konveyor/tackle2-addon-analyzer:latest
13 changes: 11 additions & 2 deletions roles/tackle/defaults/main.yml
Expand Up @@ -93,7 +93,7 @@ keycloak_database_db_version: "15"
keycloak_sso_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_SSO') }}"
keycloak_init_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_INIT') }}"
keycloak_sso_name: "keycloak"
keycloak_sso_component_name: "sso"
keycloak_sso_component_name: "{{ 'rhbk' if app_profile == 'mta' else 'sso' }}"
keycloak_sso_service_name: "{{ app_name }}-{{ keycloak_sso_name }}-{{ keycloak_sso_component_name }}"
keycloak_sso_configmap_name: "{{ keycloak_sso_service_name }}"
keycloak_sso_secret_name: "{{ keycloak_sso_service_name }}"
Expand All @@ -113,7 +113,7 @@ keycloak_sso_java_opts: "-Dcom.redhat.fips=false"
keycloak_sso_realm: "{{ app_name }}"
keycloak_sso_req_passwd_update: true
keycloak_sso_client_id: "{{ app_name }}-ui"
keycloak_sso_tls_enabled: false
keycloak_sso_tls_enabled: "{{ true if openshift_cluster | bool else false }}"
keycloak_sso_tls_secret_name: "{{ keycloak_sso_service_name }}-serving-cert"
keycloak_sso_port: "{{ '8443' if keycloak_sso_tls_enabled | bool else '8080' }}"
keycloak_sso_proto: "{{ 'https' if keycloak_sso_tls_enabled | bool else 'http' }}"
Expand Down Expand Up @@ -222,6 +222,15 @@ rhsso_port: "{{ '8443' if rhsso_tls_enabled | bool else '8080' }}"
rhsso_proto: "{{ 'https' if rhsso_tls_enabled | bool else 'http' }}"
rhsso_url: "{{ rhsso_proto }}://keycloak.{{ app_namespace }}.svc:{{ rhsso_port }}"

# RHBK Specific
rhbk_name: "rhbk"
rhbk_service_name: "{{ app_name }}-{{ rhbk_name }}"
rhbk_api_version: "k8s.keycloak.org/v2alpha1"
rhbk_tls_enabled: "{{ true if openshift_cluster | bool else false }}"
rhbk_tls_secret_name: "{{ rhbk_service_name }}-serving-cert"
rhbk_port: "{{ '8443' if rhsso_tls_enabled | bool else '8080' }}"
rhbk_proto: "{{ 'https' if rhsso_tls_enabled | bool else 'http' }}"
rhbk_url: "{{ rhsso_proto }}://{{ rhbk_service_name }}-service.{{ app_namespace }}.svc:{{ rhsso_port }}"

# Kai-related variables
experimental_deploy_kai: false
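Review bot: `rhbk_port`, `rhbk_proto` and `rhbk_url` on the last three added lines of the RHBK block are keyed off `rhsso_tls_enabled`, `rhsso_proto` and `rhsso_port` rather than the `rhbk_tls_enabled` defined two lines above them, so the new variable is never consulted and the hub's `KEYCLOAK_HOST` (every request to it carries the admin credentials) follows the legacy RHSSO TLS setting instead. If the two ever differ, the hub either fails to connect or talks plain HTTP to the Keycloak admin API. Change them to `rhbk_port: "{{ '8443' if rhbk_tls_enabled | bool else '8080' }}"`, `rhbk_proto: "{{ 'https' if rhbk_tls_enabled | bool else 'http' }}"` and `rhbk_url: "{{ rhbk_proto }}://{{ rhbk_service_name }}-service.{{ app_namespace }}.svc:{{ rhbk_port }}"`. `rhsso_tls_enabled` is defined above the hunk, so I can't confirm whether the two values currently coincide.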
101 changes: 90 additions & 11 deletions roles/tackle/tasks/main.yml
@@ -1,4 +1,8 @@
---
- name: Gather available apis
kubernetes.core.k8s_cluster_info:
register: cluster_info

- name: "Load cluster API groups"
set_fact:
api_groups: "{{ lookup('k8s', cluster_info='api_groups') }}"
Expand Down Expand Up @@ -173,7 +177,10 @@
definition: "{{ lookup('template', 'service-keycloak-postgresql-migration.yml.j2') }}"

- name: Scale down RHSSO
when: app_name == "mta"
when:
- app_name == "mta"
- rhsso_api_version in cluster_info.apis
- '"Keycloak" in cluster_info.apis[rhsso_api_version]'
k8s:
state: present
definition: "{{ lookup('template', 'customresource-rhsso-keycloak.yml.j2') }}"
Expand Down Expand Up @@ -322,6 +329,36 @@
state: present
definition: "{{ lookup('template', 'service-keycloak-postgresql.yml.j2') }}"

- name: "Check if Keycloak SSO Credential Secret exists"
k8s_info:
api_version: v1
kind: Secret
name: "{{ rhsso_secret_name }}"
namespace: "{{ app_namespace }}"
register: keycloak_sso_credential_secret_status

- name: "Check if Keycloak SSO Secret exists"
k8s_info:
api_version: v1
kind: Secret
name: "{{ keycloak_sso_secret_name }}"
namespace: "{{ app_namespace }}"
register: keycloak_sso_secret_status

- when:
- (keycloak_sso_secret_status.resources | length) == 0
- (keycloak_sso_credential_secret_status.resources | length) == 1
block:
- name: "Lookup RHSSO username and password"
set_fact:
keycloak_sso_admin_username_b64: "{{ keycloak_sso_credential_secret_status.resources[0].data.ADMIN_USERNAME }}"
keycloak_sso_admin_password_b64: "{{ keycloak_sso_credential_secret_status.resources[0].data.ADMIN_PASSWORD }}"

- name: Move RHSSO credentials to RHBK location
k8s:
state: present
definition: "{{ lookup('template', 'secret-keycloak-sso.yml.j2') }}"

- name: "Check if Keycloak SSO Secret exists already so we don't update it"
k8s_info:
api_version: v1
Expand All @@ -330,6 +367,23 @@
namespace: "{{ app_namespace }}"
register: keycloak_sso_secret_status

- when:
- keycloak_sso_secret_status.resources | length == 1
- keycloak_sso_secret_status.resources[0].data['admin-username'] is defined
- keycloak_sso_secret_status.resources[0].data['admin-password'] is defined
- keycloak_sso_secret_status.resources[0].data.username is not defined
- keycloak_sso_secret_status.resources[0].data.password is not defined
block:
- name: Get values from old key names
set_fact:
keycloak_sso_admin_username_b64: "{{ keycloak_sso_secret_status.resources[0].data['admin-username'] }}"
keycloak_sso_admin_password_b64: "{{ keycloak_sso_secret_status.resources[0].data['admin-password'] }}"

- name: Update values for new key mames
k8s:
state: present
definition: "{{ lookup('template', 'secret-keycloak-sso.yml.j2') }}"

- when: (keycloak_sso_secret_status.resources | length) == 0
block:
- name: "Generate random values for Keycloak SSO credentials"
Expand Down Expand Up @@ -371,6 +425,9 @@
label_selectors:
- app = {{ rhsso_service_name }}
register: rhsso_keycloak
when:
- rhsso_api_version in cluster_info.apis
- '"Keycloak" in cluster_info.apis[rhsso_api_version]'

- name: "Delete old RHSSO Keycloak"
k8s:
Expand All @@ -380,6 +437,8 @@
name: "{{ rhsso_service_name }}"
namespace: "{{ app_namespace }}"
when:
- rhsso_api_version in cluster_info.apis
- '"Keycloak" in cluster_info.apis[rhsso_api_version]'
- rhsso_keycloak.resources | length > 0
- rhsso_keycloak.resources[0].status.secondaryResources.Deployment is defined
- '"keycloak-postgresql" in rhsso_keycloak.resources[0].status.secondaryResources.Deployment'
Expand Down Expand Up @@ -424,20 +483,43 @@
definition: "{{ lookup('template', 'secret-keycloak-db.yml.j2') }}"
merge_type: merge

- name: "Create RHSSO Keycloak CR"
- name: "Delete RHSSO Keycloak CR"
k8s:
state: present
state: absent
definition: "{{ lookup('template', 'customresource-rhsso-keycloak.yml.j2') }}"
when:
- rhsso_api_version in cluster_info.apis
- '"Keycloak" in cluster_info.apis[rhsso_api_version]'

- name: "Check RHSSO for readiness"
- name: "Create RHBK Keycloak CR"
k8s:
state: present
definition: "{{ lookup('template', 'customresource-rhbk-keycloak.yml.j2') }}"

- name: "Check RHBK for service"
k8s_info:
api_version: "{{ rhsso_api_version }}"
api_version: v1
kind: service
name: "{{ rhbk_service_name }}-service"
namespace: "{{ app_namespace }}"
register: rhbk_service
until: rhbk_service.resources|length > 0
retries: 30
delay: 5

- name: "Annotate the service to create SSL cert"
k8s:
state: present
definition: "{{ lookup('template', 'service-keycloak-rhbk.yml.j2') }}"

- name: "Check RHBK for readiness"
k8s_info:
api_version: "{{ rhbk_api_version }}"
kind: Keycloak
name: "{{ app_name }}-{{ rhbk_name }}"
namespace: "{{ app_namespace }}"
label_selectors:
- app = {{ rhsso_service_name }}
register: cr
until: true in (cr | json_query('resources[].status.ready'))
until: cr | json_query('resources[].status.conditions[?type==`Ready`].status') | first | first | bool
retries: 30
delay: 5

Expand Down Expand Up @@ -625,9 +707,6 @@
- when:
- not(feature_auth_required|bool) or not(feature_auth_type == "keycloak")
block:
- name: Gather available apis
kubernetes.core.k8s_cluster_info:
register: cluster_info

- name: "Deprovision RHSSO Keycloak CR"
k8s:
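Review bot: The two credential-migration blocks (`Lookup RHSSO username and password` and `Get values from old key names`) read the admin password out of a Secret via `k8s_info`, copy it into facts with `set_fact`, and pass it to `k8s` through the rendered `secret-keycloak-sso.yml.j2`, and none of those tasks, nor the two `k8s_info` Secret lookups that register `keycloak_sso_credential_secret_status` and `keycloak_sso_secret_status`, set `no_log: true`, so the base64 admin credential ends up in the operator's task output at higher verbosity and in the registered results. Add `no_log: true` to each of those tasks. Separately, the `Check RHBK for readiness` wait filters on `app = {{ rhsso_service_name }}` while the new `customresource-rhbk-keycloak.yml.j2` sets no labels on the CR, and `| first | first` raises on an empty result instead of letting `until` retry, so that wait may fail on the first iteration; I would drop the label selector and guard the expression with `| flatten | first | default('False')` before `| bool`. Minor: `new key mames` in the task name should be `new key names`.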
30 changes: 30 additions & 0 deletions roles/tackle/templates/customresource-rhbk-keycloak.yml.j2
@@ -0,0 +1,30 @@
apiVersion: {{ rhbk_api_version }}
kind: Keycloak
metadata:
name: {{ app_name }}-{{ rhbk_name }}
namespace: {{ app_namespace }}
spec:
instances: 1
db:
vendor: postgres
database: {{ keycloak_database_db_name }}
host: {{ keycloak_database_service_k8s_resource_name }}
usernameSecret:
name: keycloak-db-secret
key: POSTGRES_USERNAME
passwordSecret:
name: keycloak-db-secret
key: POSTGRES_PASSWORD
proxy:
headers: xforwarded
http:
tlsSecret: {{ rhbk_tls_secret_name }}
hostname:
strict: false
additionalOptions:
- name: http-relative-path
value: /auth
bootstrapAdmin:
user:
secret: {{ keycloak_sso_secret_name }}
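Review bot: `http.tlsSecret` is rendered unconditionally even though `rhbk_tls_enabled` is only true on OpenShift and the secret it names is only produced by the service-ca annotation applied in `service-keycloak-rhbk.yml.j2`, so on any non-OpenShift cluster the CR points at a serving-cert secret that never exists. Wrap the whole `http:` stanza in `{% if rhbk_tls_enabled | bool %}` … `{% endif %}` and quote the templated scalars (`tlsSecret: "{{ rhbk_tls_secret_name }}"`) so an empty expansion does not become `null`. `hostname.strict: false` together with `proxy.headers: xforwarded` means Keycloak takes its public URL from forwarded headers, which is acceptable behind a trusted route/ingress but should be stated, e.g. `# strict hostname off: public URL comes from X-Forwarded-* set by the in-cluster route; do not expose this service directly`. The DB secret is hard-coded as `keycloak-db-secret` while the SSO deployment template uses `{{ keycloak_database_secret_name }}`; presumably these resolve to the same name, but the variable should be used here too.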

18 changes: 4 additions & 14 deletions roles/tackle/templates/deployment-hub.yml.j2
Expand Up @@ -112,31 +112,21 @@ spec:
value: "{{ keycloak_sso_client_id }}"
{% if app_profile == 'mta' %}
- name: KEYCLOAK_HOST
value: "{{ rhsso_url }}"
- name: KEYCLOAK_ADMIN_USER
valueFrom:
secretKeyRef:
name: "{{ rhsso_secret_name }}"
key: ADMIN_USERNAME
- name: KEYCLOAK_ADMIN_PASS
valueFrom:
secretKeyRef:
name: "{{ rhsso_secret_name }}"
key: ADMIN_PASSWORD
value: "{{ rhbk_url }}"
{% else %}
- name: KEYCLOAK_HOST
value: "{{ keycloak_sso_url }}"
{% endif %}
- name: KEYCLOAK_ADMIN_USER
valueFrom:
secretKeyRef:
name: "{{ keycloak_sso_secret_name }}"
key: admin-username
key: username
- name: KEYCLOAK_ADMIN_PASS
valueFrom:
secretKeyRef:
name: "{{ keycloak_sso_secret_name }}"
key: admin-password
{% endif %}
key: password
- name: KEYCLOAK_REQ_PASS_UPDATE
value: "{{ keycloak_sso_req_passwd_update|lower }}"
{% endif %}
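Review bot: After this change the hub authenticates to Keycloak with the same account the RHBK CR passes as `bootstrapAdmin` (the `username`/`password` keys of `{{ keycloak_sso_secret_name }}`), i.e. the master-realm superuser, and that is now true for both profiles. Keycloak 26 treats the bootstrap admin as a temporary account, and the hub only needs to manage the `{{ keycloak_sso_realm }}` realm, so a dedicated client with that realm's `realm-admin` role, created by the init job, would give it least privilege and survive the bootstrap user being retired; I can't see from this hunk what the hub does with the credential, so this is a suggestion rather than a blocker. Either way, add a comment above `KEYCLOAK_ADMIN_USER`, e.g. `# master-realm admin shared with the Keycloak bootstrapAdmin; consider a realm-scoped service account`.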
45 changes: 31 additions & 14 deletions roles/tackle/templates/deployment-keycloak-sso.yml.j2
Expand Up @@ -42,41 +42,52 @@ spec:
containers:
- name: {{ keycloak_sso_container_name }}
image: "{{ keycloak_sso_image_fqin }}"
args:
- -Djgroups.dns.query=mta-kc-discovery.openshift-mta
- --verbose
- start
imagePullPolicy: "{{ image_pull_policy }}"
env:
- name: KEYCLOAK_USER
- name: KC_BOOTSTRAP_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: {{ keycloak_sso_secret_name }}
key: admin-username
- name: KEYCLOAK_PASSWORD
key: username
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ keycloak_sso_secret_name }}
key: admin-password
key: password
- name: JAVA_OPTS
value: {{ keycloak_sso_java_opts }}
- name: PROXY_ADDRESS_FORWARDING
value: 'true'
- name: DB_VENDOR
- name: KC_DB
value: postgres
- name: DB_ADDR
value: {{ keycloak_database_service_k8s_resource_name }}
- name: DB_DATABASE
valueFrom:
secretKeyRef:
name: {{ keycloak_database_secret_name }}
key: database-name
- name: DB_USER
- name: KC_DB_URL
value: jdbc:postgresql://{{ keycloak_database_service_k8s_resource_name }}:5432/{{ keycloak_database_db_name }}
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: {{ keycloak_database_secret_name }}
key: database-user
- name: DB_PASSWORD
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ keycloak_database_secret_name }}
key: database-password
- name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_PROXY_HEADERS
value: xforwarded
- name: KC_HTTPS_CERTIFICATE_FILE
value: /service-crt/tls.crt
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /service-crt/tls.key
- name: KC_HOSTNAME_STRICT
value: "false"
- name: KC_HTTP_ENABLED
value: "true"
ports:
- name: http
containerPort: 8080
Expand Down Expand Up @@ -114,6 +125,12 @@ spec:
volumeMounts:
- name: {{ keycloak_sso_service_name }}-theme
mountPath: /opt/jboss/keycloak/standalone/deployments
- mountPath: "/service-crt"
name: service-crt
readOnly: true
volumes:
- name: {{ keycloak_sso_service_name }}-theme
emptyDir: {}
- name: service-crt
secret:
secretName: {{ keycloak_sso_tls_secret_name }}
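Review bot: The `KC_HTTPS_CERTIFICATE_FILE`/`KC_HTTPS_CERTIFICATE_KEY_FILE` env vars and the `service-crt` secret volume are rendered unconditionally, but `keycloak_sso_tls_enabled` (and with it the existence of `{{ keycloak_sso_tls_secret_name }}`, an OpenShift service-ca serving cert) is only true on OpenShift, so on a plain Kubernetes cluster the pod will hang in ContainerCreating waiting for a secret that is never created, and with `start` Keycloak would refuse to boot on a missing cert file even if it did. Gate both the env vars and the mount/volume on `keycloak_sso_tls_enabled`, as in the fence. Two smaller things: `-Djgroups.dns.query=mta-kc-discovery.openshift-mta` hard-codes an `mta` service and namespace in a template that otherwise uses `{{ app_namespace }}` and, per the defaults, is the non-mta (`sso`) path, so it presumably should be derived from variables or dropped for a single-instance deployment; and the theme volume is still mounted at the WildFly path `/opt/jboss/keycloak/standalone/deployments`, which the 26.x (Quarkus) image does not read, so confirm against the new image before merging. `PROXY_ADDRESS_FORWARDING` is the pre-Quarkus equivalent of the `KC_PROXY_HEADERS` set below it and can go.
```yaml
            # … unchanged: KC_BOOTSTRAP_ADMIN_*, KC_DB_*, KC_HTTP_RELATIVE_PATH, KC_PROXY_HEADERS …
{% if keycloak_sso_tls_enabled | bool %}
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: /service-crt/tls.crt
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: /service-crt/tls.key
{% endif %}
            - name: KC_HOSTNAME_STRICT
              value: "false"
            # … unchanged: KC_HTTP_ENABLED, ports, probes, theme volumeMount …
{% if keycloak_sso_tls_enabled | bool %}
            - mountPath: "/service-crt"
              name: service-crt
              readOnly: true
{% endif %}
          # … unchanged: volumes header and theme emptyDir …
{% if keycloak_sso_tls_enabled | bool %}
            - name: service-crt
              secret:
                secretName: "{{ keycloak_sso_tls_secret_name }}"
{% endif %}
```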