From 59e65104482a9d9bc6d77cf152ec53b03b7df209 Mon Sep 17 00:00:00 2001
From: Tomasz Szostak
Date: Mon, 2 Mar 2020 15:22:34 +0100
Subject: [PATCH] Item: #397, Updated keycloak definition to 9.0.0 (without migration container yet)
---
 .../auth-service/auth-service.yml.j2 | 40 ++++++++++++++-----
 .../centos-7/requirements.txt | 4 +-
 .../redhat-7/requirements.txt | 4 +-
 .../ubuntu-18.04/requirements.txt | 4 +-
 .../defaults/configuration/applications.yml | 4 +-
 .../defaults/configuration/image-registry.yml | 4 +-
 6 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/applications/templates/auth-service/auth-service.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/applications/templates/auth-service/auth-service.yml.j2
index 0f99aec52f..28a0b80113 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/applications/templates/auth-service/auth-service.yml.j2
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/applications/templates/auth-service/auth-service.yml.j2
@@ -44,25 +44,41 @@ data: keycloak.cli: | embed-server --server-config=standalone-ha.xml --std-out=echo batch - - # Makes node identifier unique getting rid of a warning in the logs + ## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a + ## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly. /subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name}) + # Allow log level to be configured via environment variable /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO}) /subsystem=logging/root-logger=ROOT:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO}) - # Log only to console - /subsystem=logging/root-logger=ROOT:write-attribute(name=handlers, value=[CONSOLE]) + # Add dedicated eventsListener config element to allow configuring elements. + /subsystem=keycloak-server/spi=eventsListener:add() + /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true) + + # Propagate success events to INFO instead of DEBUG, to expose successful logins for log analysis + /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info) + /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn) + + + # Configure datasource to use explicit query timeout in seconds + /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=query-timeout,value=${env.DB_QUERY_TIMEOUT:300}) + + # Configure datasource to connection before use + /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=validate-on-match,value=${env.DB_VALIDATE_ON_MATCH:true}) + + # Configure datasource to try all other connections before failing + 
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=use-fast-fail,value=${env.DB_USE_CAST_FAIL:false}) - /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) - /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https) - /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true) /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) + /subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) + /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) + /subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) /subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp) @@ -172,7 +188,7 @@ spec: valueFrom: secretKeyRef: key: password - name: {{ auth_service_name }}-http + name: "{{ auth_service_name }}-http" - name: JGROUPS_DISCOVERY_PROTOCOL value: dns.DNS_PING - name: JGROUPS_DISCOVERY_PROPERTIES 
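Review bot: The removed line `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)` (along with the proxy-https socket binding and redirect-socket) has no replacement on the new side; its only successor is the commented-out `PROXY_ADDRESS_FORWARDING ## TODO` env var in the `@@ -191,7 +207,9 @@` hunk. Until that is wired up, Keycloak behind the cluster ingress records the proxy's address rather than the client's in the login events this hunk promotes to INFO and in brute-force detection, and, if TLS is terminated at the ingress, does not see the forwarded scheme/host, so the TODO should be resolved in this change, e.g. by setting the image's `PROXY_ADDRESS_FORWARDING` container env var to `"true"`. Separately, the `use-fast-fail` line reads `${env.DB_USE_CAST_FAIL:false}` while the comment and attribute name suggest `DB_USE_FAST_FAIL`; if that is a typo carried over from the upstream chart, an operator setting the intended variable silently gets the default, so it is worth confirming. The comment `# Configure datasource to connection before use` is missing its verb; `# Configure datasource to validate connection before use` matches the attribute. The `data:` mapping holding `keycloak.cli` starts before this hunk.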
@@ -191,7 +207,9 @@ spec:
 valueFrom:
 secretKeyRef:
 key: password
- name: {{ auth_service_name }}-db
+ name: "{{ auth_service_name }}-db"
+# - name: PROXY_ADDRESS_FORWARDING ## TODO
+# value: "{{ data.XXXX }}"
 - name: X509_CA_BUNDLE
 value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 {% if data.use_local_image_registry is undefined or data.use_local_image_registry is sameas true %}
@@ -214,7 +232,7 @@ spec:
 readinessProbe:
 failureThreshold: 3
 httpGet:
- path: /auth/
+ path: /auth/realms/master
 port: http
 scheme: HTTP
 initialDelaySeconds: 30
@@ -227,7 +245,7 @@ spec:
 path: /auth/
 port: http
 scheme: HTTP
- initialDelaySeconds: 120
+ initialDelaySeconds: 300
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 5
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt
index e06e1f0eb3..cd0e3ec5d2 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt
@@ -171,7 +171,9 @@ calico/kube-controllers:v3.8.1
 registry:2
 # applications
 apacheignite/ignite:2.5.0
-jboss/keycloak:4.8.3.Final
+# TODO remove?
+jboss/keycloak:4.8.3.Final
+jboss/keycloak:9.0.0
 rabbitmq:3.7.10
 # K8s upgrade
 ## v1.11.5
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt
index 264e29d916..5c806113f3 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt
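Review bot: Raising the liveness `initialDelaySeconds` to 300 leaves a container that hangs during startup, or that restarts into the same state, unprobed for five minutes on every restart, while the readiness probe changed in the `@@ -214,7 +232,7 @@` hunk still starts after 30 s. If the longer delay is meant to cover the slow first start of the 9.0.0 image (schema migration, as the subject's "without migration container yet" hints), a `startupProbe` on `/auth/` with a large `failureThreshold` would bound that window without delaying liveness on later restarts, provided the target Kubernetes version supports it. Otherwise a short comment above the probe, e.g. `# 300s: first start of 9.0.0 migrates the DB before /auth/ answers`, would record why the value is this high. The livenessProbe mapping starts before this hunk.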
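Review bot: Keeping `jboss/keycloak:4.8.3.Final` under a bare `# TODO remove?` means the superseded image keeps being downloaded and pushed to the local registry next to 9.0.0, so an image the templates no longer deploy stays runnable in the cluster; the same pattern is repeated in the redhat-7 and ubuntu-18.04 requirements hunks and in the image-registry.yml hunk (`file_name: keycloak-4.8.3.Final.tar # TODO Remove?`). If the old image is needed for a rollback path or for the planned migration container, say so in the comment, e.g. `# keycloak 4.8.3 kept until the 9.0.0 migration container lands (#397)`; otherwise drop it in this change. Both references are tag-only, and if the download tooling can record a digest next to the tag, doing so would make the mirrored image immutable, though this file alone does not show whether the format allows it.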
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt @@ -168,7 +168,9 @@ calico/kube-controllers:v3.8.1 registry:2 # applications apacheignite/ignite:2.5.0 -jboss/keycloak:4.8.3.Final +# TODO remove? +jboss/keycloak:4.8.3.Final +jboss/keycloak:9.0.0 rabbitmq:3.7.10 # K8s upgrade ## v1.11.5 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt index 3c13b45cd6..55a13cdbb6 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt @@ -192,7 +192,9 @@ calico/kube-controllers:v3.8.1 registry:2 # applications apacheignite/ignite:2.5.0 -jboss/keycloak:4.8.3.Final +# TODO remove? +jboss/keycloak:4.8.3.Final +jboss/keycloak:9.0.0 rabbitmq:3.7.10 # K8s upgrade ## v1.11.5 diff --git a/core/src/epicli/data/common/defaults/configuration/applications.yml b/core/src/epicli/data/common/defaults/configuration/applications.yml index 5125a771d6..9c6eb9518a 100644 --- a/core/src/epicli/data/common/defaults/configuration/applications.yml +++ b/core/src/epicli/data/common/defaults/configuration/applications.yml @@ -18,7 +18,7 @@ specification: # Abstract these configs to seperate default files and add # the ability to add custom application roles. -# - name: rabbitmq 2 +# - name: rabbitmq # image_path: rabbitmq:3.7.10 # use_local_image_registry: true # #image_pull_secret_name: regcred # optional 
@@ -47,7 +47,7 @@ specification: # - name: auth-service # this service require postgresql to be installed in cluster -# image_path: jboss/keycloak:4.8.3.Final +# image_path: jboss/keycloak:9.0.0 # use_local_image_registry: true # #image_pull_secret_name: regcred # service: diff --git a/core/src/epicli/data/common/defaults/configuration/image-registry.yml b/core/src/epicli/data/common/defaults/configuration/image-registry.yml index 7e245aeb89..fa8d73ecaa 100644 --- a/core/src/epicli/data/common/defaults/configuration/image-registry.yml +++ b/core/src/epicli/data/common/defaults/configuration/image-registry.yml @@ -42,7 +42,9 @@ specification: file_name: kube-controllers-v3.8.1.tar # applications - name: "jboss/keycloak:4.8.3.Final" - file_name: keycloak-4.8.3.Final.tar + file_name: keycloak-4.8.3.Final.tar # TODO Remove? + - name: "jboss/keycloak:9.0.0" + file_name: keycloak-9.0.0.tar - name: "rabbitmq:3.7.10" file_name: rabbitmq-3.7.10.tar - name: "apacheignite/ignite:2.5.0"