Item: hitachienergy#397, Updated keycloak definition to 9.0.0 (withou…

…t migration container yet)
toszo · Mar 9, 2020 · 59e6510 · 59e6510
1 parent 9cd08eb
commit 59e6510
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 17 deletions.
diff --git a/...ta/common/ansible/playbooks/roles/applications/templates/auth-service/auth-service.yml.j2 b/...ta/common/ansible/playbooks/roles/applications/templates/auth-service/auth-service.yml.j2
@@ -44,25 +44,41 @@ data:
   keycloak.cli: |
     embed-server --server-config=standalone-ha.xml --std-out=echo
     batch
-
-    # Makes node identifier unique getting rid of a warning in the logs
+    ## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a
+    ## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly.
     /subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name})
 
+
     # Allow log level to be configured via environment variable
     /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
     /subsystem=logging/root-logger=ROOT:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
 
-    # Log only to console
-    /subsystem=logging/root-logger=ROOT:write-attribute(name=handlers, value=[CONSOLE])
+    # Add dedicated eventsListener config element to allow configuring elements.
+    /subsystem=keycloak-server/spi=eventsListener:add()
+    /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)
+
+    # Propagate success events to INFO instead of DEBUG, to expose successful logins for log analysis
+    /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
+    /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)
+
+
+    # Configure datasource to use explicit query timeout in seconds
+    /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=query-timeout,value=${env.DB_QUERY_TIMEOUT:300})
+
+    # Configure datasource to connection before use
+    /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=validate-on-match,value=${env.DB_VALIDATE_ON_MATCH:true})
+
+    # Configure datasource to try all other connections before failing
+    /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=use-fast-fail,value=${env.DB_USE_CAST_FAIL:false})
 
-    /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
-    /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
-    /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)
 
     /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
     /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
     /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+    /subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+    /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
     /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+    /subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
 
     /subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp)
 
@@ -172,7 +188,7 @@ spec:
           valueFrom:
             secretKeyRef:
               key: password
-              name: {{ auth_service_name }}-http
+              name: "{{ auth_service_name }}-http"
         - name: JGROUPS_DISCOVERY_PROTOCOL
           value: dns.DNS_PING
         - name: JGROUPS_DISCOVERY_PROPERTIES
@@ -191,7 +207,9 @@ spec:
           valueFrom:
             secretKeyRef:
               key: password
-              name: {{ auth_service_name }}-db
+              name: "{{ auth_service_name }}-db"
+#        - name: PROXY_ADDRESS_FORWARDING ## TODO
+#          value: "{{ data.XXXX }}"
         - name: X509_CA_BUNDLE
           value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 {% if data.use_local_image_registry is undefined or data.use_local_image_registry is sameas true %}
@@ -214,7 +232,7 @@ spec:
         readinessProbe:
           failureThreshold: 3
           httpGet:
-            path: /auth/
+            path: /auth/realms/master
             port: http
             scheme: HTTP
           initialDelaySeconds: 30
@@ -227,7 +245,7 @@ spec:
             path: /auth/
             port: http
             scheme: HTTP
-          initialDelaySeconds: 120
+          initialDelaySeconds: 300
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 5

diff --git a/.../ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/.../ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt
@@ -171,7 +171,9 @@ calico/kube-controllers:v3.8.1
 registry:2
 # applications
 apacheignite/ignite:2.5.0
-jboss/keycloak:4.8.3.Final
+# TODO remove?
+jboss/keycloak:4.8.3.Final 
+jboss/keycloak:9.0.0
 rabbitmq:3.7.10
 # K8s upgrade
 ## v1.11.5

diff --git a/.../ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/.../ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt
@@ -168,7 +168,9 @@ calico/kube-controllers:v3.8.1
 registry:2
 # applications
 apacheignite/ignite:2.5.0
-jboss/keycloak:4.8.3.Final
+# TODO remove?
+jboss/keycloak:4.8.3.Final 
+jboss/keycloak:9.0.0
 rabbitmq:3.7.10
 # K8s upgrade
 ## v1.11.5

diff --git a/...ible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt b/...ible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt
@@ -192,7 +192,9 @@ calico/kube-controllers:v3.8.1
 registry:2
 # applications
 apacheignite/ignite:2.5.0
-jboss/keycloak:4.8.3.Final
+# TODO remove?
+jboss/keycloak:4.8.3.Final 
+jboss/keycloak:9.0.0
 rabbitmq:3.7.10
 # K8s upgrade
 ## v1.11.5

diff --git a/core/src/epicli/data/common/defaults/configuration/applications.yml b/core/src/epicli/data/common/defaults/configuration/applications.yml
@@ -18,7 +18,7 @@ specification:
 # Abstract these configs to seperate default files and add 
 # the ability to add custom application roles.
 
-# - name: rabbitmq 2
+# - name: rabbitmq
 #   image_path: rabbitmq:3.7.10
 #   use_local_image_registry: true
 #   #image_pull_secret_name: regcred # optional
@@ -47,7 +47,7 @@ specification:
 
 
 # - name: auth-service # this service require postgresql to be installed in cluster
-#   image_path: jboss/keycloak:4.8.3.Final
+#   image_path: jboss/keycloak:9.0.0
 #   use_local_image_registry: true
 #   #image_pull_secret_name: regcred
 #   service:

diff --git a/core/src/epicli/data/common/defaults/configuration/image-registry.yml b/core/src/epicli/data/common/defaults/configuration/image-registry.yml
@@ -42,7 +42,9 @@ specification:
       file_name: kube-controllers-v3.8.1.tar
     # applications
     - name: "jboss/keycloak:4.8.3.Final"
-      file_name: keycloak-4.8.3.Final.tar
+      file_name: keycloak-4.8.3.Final.tar # TODO Remove?
+    - name: "jboss/keycloak:9.0.0"
+      file_name: keycloak-9.0.0.tar
     - name: "rabbitmq:3.7.10"
       file_name: rabbitmq-3.7.10.tar
     - name: "apacheignite/ignite:2.5.0"