Merge pull request #800 from MetaCell/feature/ch-158

CH-159 Keycloak upgrade configuration changes

Author: filippomc

.gitignore

@@ -1,4 +1,6 @@
 *.jar
+# Allow the KC kafka plugin
+!applications/accounts/plugins/*.jar
 .idea
 node_modules
 .openapi-generator

applications/accounts/Dockerfile

@@ -1,12 +1,18 @@
-FROM quay.io/keycloak/keycloak:16.1.0
+FROM quay.io/keycloak/keycloak:26.2.1
 
-# add kubectl
+EXPOSE 9000
+EXPOSE 8080
 USER root
-COPY --chmod=0755 scripts/create_api_user.sh /opt/jboss/startup-scripts/create_api_user.sh
-USER jboss
+COPY --chmod=0755 scripts/create_api_user.sh /opt/keycloak/startup-scripts/create_api_user.sh
+COPY --chmod=0755 scripts/kc-entrypoint.sh /opt/keycloak/bin/kc-entrypoint.sh
+
+USER keycloak
 
 # Customize keycloak look
-COPY themes/custom /opt/jboss/keycloak/themes/custom
+COPY themes/custom /opt/keycloak/themes/custom
+
+# # keycloak kafka listener plugin
+COPY plugins/metacell-admin-event-listener-module-1.0.0.jar /opt/keycloak/providers/
 
-# keycloak kafka listener plugin
-COPY plugins/metacell-admin-event-listener-bundle-1.0.0.ear /opt/jboss/keycloak/standalone/deployments/
+ENTRYPOINT [ "/opt/keycloak/bin/kc-entrypoint.sh" ]
+CMD [ "start-dev", "--import-realm", "--health-enabled=true" ]

applications/accounts/admin-event-listener/jar-module/pom.xml

@@ -49,4 +49,28 @@
             <version>2.5.0</version>
         </dependency>
     </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.4.1</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <createDependencyReducedPom>false</createDependencyReducedPom>
+                            <transformers>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                            </transformers>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
 </project>

applications/accounts/deploy/values.yaml

@@ -16,23 +16,21 @@ harness:
     auto: true
     port: 8080
   env:
-    - name: KEYCLOAK_IMPORT
-      value: "/tmp/realm.json"
-    - name: KEYCLOAK_USER
+    - name: KC_BOOTSTRAP_ADMIN_USERNAME
       value: "admin"
-    - name: KEYCLOAK_PASSWORD
+    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
       value: "metacell"
-    - name: PROXY_ADDRESS_FORWARDING
-      value: "true"
-    - name: DB_VENDOR
-      value: "POSTGRES"
-    - name: DB_ADDR
+    - name: KC_PROXY_HEADERS
+      value: xforwarded
+    - name: KC_DB
+      value: "postgres"
+    - name: KC_DB_URL_HOST
       value: "keycloak-postgres"
-    - name: DB_DATABASE
+    - name: KC_DB_URL_DATABASE
       value: "auth_db"
-    - name: DB_USER
+    - name: KC_DB_USERNAME
       value: "user"
-    - name: DB_PASSWORD
+    - name: KC_DB_PASSWORD
       value: "password"
     - name: JAVA_OPTS
       value: -server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
@@ -42,7 +40,7 @@ harness:
     type: postgres
     size: 2Gi
     postgres:
-      image: postgres:10.4
+      image: postgres:17
       initialdb: auth_db
     user: user
     pass: password
@@ -51,9 +49,16 @@ harness:
   resources:
     - name: realm-config
       src: realm.json
-      dst: /tmp/realm.json
+      dst: /opt/keycloak/data/import/realm.json
+  startupProbe:
+    path: /health/started
+    port: 9000
   readinessProbe:
-    path: /auth/realms/master
+    path: /health/ready
+    port: 9000
+  livenessProbe:
+    path: /health/live
+    port: 9000
 
 # Keycloak realm configuration
 client:

…ll-admin-event-listener-bundle-1.0.0.ear …ll-admin-event-listener-module-1.0.0.jarapplications/accounts/plugins/metacell-admin-event-listener-bundle-1.0.0.ear renamed to applications/accounts/plugins/metacell-admin-event-listener-module-1.0.0.jar applications/accounts/plugins/metacell-admin-event-listener-bundle-1.0.0.ear renamed to applications/accounts/plugins/metacell-admin-event-listener-module-1.0.0.jar

@@ -8,4 +8,6 @@ set -e
 echo Creating API user
 
 # create the user and reload keycloak
-/opt/jboss/keycloak/bin/add-user-keycloak.sh -u ${USERNAME} -p ${PASSWORD}
+/opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True
+/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
+/opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin

applications/accounts/scripts/create_api_user.sh

@@ -0,0 +1,19 @@
+#! /bin/bash
+
+/opt/keycloak/bin/kc.sh $@ &
+
+until /opt/keycloak/bin/kcadm.sh config credentials \
+    --server http://localhost:8080 \
+    --realm master \
+    --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
+    --password "$KC_BOOTSTRAP_ADMIN_PASSWORD";
+do
+    sleep 1s
+done
+
+for script in /opt/keycloak/startup-scripts/*.sh;
+do
+    bash "$script";
+done
+
+wait

applications/accounts/scripts/kc-entrypoint.sh

@@ -546,13 +546,16 @@ def camelCaseify(s):
     c.OAuthenticator.client_secret = client_secret
     c.OAuthenticator.allow_all = True
 
+
     c.GenericOAuthenticator.login_service = "CH"
     c.GenericOAuthenticator.username_key = "email"
-    c.GenericOAuthenticator.authorize_url = f"{accounts_url}/auth/realms/{realm}/protocol/openid-connect/auth"
-    c.GenericOAuthenticator.token_url = f"{accounts_url}/auth/realms/{realm}/protocol/openid-connect/token"
-    c.GenericOAuthenticator.userdata_url = f"{accounts_url}/auth/realms/{realm}/protocol/openid-connect/userinfo"
+    c.GenericOAuthenticator.username_claim = "email"
+    c.GenericOAuthenticator.scope = ["openid"]
+    c.GenericOAuthenticator.authorize_url = f"{accounts_url}/realms/{realm}/protocol/openid-connect/auth"
+    c.GenericOAuthenticator.token_url = f"{accounts_url}/realms/{realm}/protocol/openid-connect/token"
+    c.GenericOAuthenticator.userdata_url = f"{accounts_url}/realms/{realm}/protocol/openid-connect/userinfo"
     c.GenericOAuthenticator.userdata_params = {'state': 'state'}
-
+    c.GenericOAuthenticator.admin_groups = {"administrator"}
 
 set_config_if_not_none(c.OAuthenticator, 'scope', 'auth.scopes')
 

applications/jupyterhub/deploy/resources/hub/jupyterhub_config.py

@@ -18,9 +18,14 @@
 def custom_options_form(spawner, abc):
     # let's skip the profile selection form for now
     # ToDo: for future we can remove this hook
-    spawner._ch_profile_list = spawner.profile_list
-    spawner.profile_list = []
     # ref: https://github.com/jupyterhub/kubespawner/blob/37a80abb0a6c826e5c118a068fa1cf2725738038/kubespawner/spawner.py#L1885-L1935
+    try:
+        print("Cloudharness: start saving profile list in _ch_profile_list")
+        spawner._ch_profile_list = spawner.profile_list
+        spawner.profile_list = []
+        print("Cloudharness: saving profile list in _ch_profile_list")
+    except Exception as e:
+        print(f"Cloudharness: finish daving profile exception: {e}")
     return spawner._options_form_default()
 
 
@@ -32,9 +37,8 @@ def harness_hub():
     """Wraps the method to change spawner configuration"""
     KubeSpawner.get_pod_manifest_base = KubeSpawner.get_pod_manifest
     KubeSpawner.get_pod_manifest = spawner_pod_manifest
-    # let's skip the profile selection form for now
-    # TODO: for future we can remove this hook
-    KubeSpawner.options_form = custom_options_form
+    # to skip the profile selection form enable the line below
+    # KubeSpawner.options_form = custom_options_form
     KubeSpawner.get_pvc_manifest_base = KubeSpawner.get_pvc_manifest
     KubeSpawner.get_pvc_manifest = spawner_pvc_manifest
 

applications/jupyterhub/src/harness_jupyter/harness_jupyter/jupyterhub.py

@@ -86,7 +86,7 @@ services:
     {{- end }}
     {{- if eq $app_name "accounts" }}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://127.0.0.1:8080/auth/realms/{{ $.Values.namespace }}/account"]
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:8080/realms/{{ $.Values.namespace }}/account"]
       interval: 1s
       timeout: 3s
       retries: 30