Update to Keycloak 26 and split Terraform modules #491
Open
lucas-koehler wants to merge 37 commits into
- Installs the Keycloak operator via official Keycloak K8S resources
- Sets up PostgreSQL database and ingress
- Sets up Keycloak instance via CR
- Add helm_release for nginx ingress controller with configurable installation, version, namespace, and load balancer IP
- Update deprecated kubernetes resources to v1 versions: kubernetes_namespace, kubernetes_secret, kubernetes_persistent_volume_claim, kubernetes_deployment, kubernetes_service
The helm module now only installs theia-cloud components (base, crds, theia-cloud). Cert-manager, nginx-ingress-controller, and keycloak are now handled by the cluster-prerequisites module which should be installed first.

Removed resources:
- helm_release.cert-manager
- helm_release.nginx-ingress-controller
- helm_release.keycloak
- kubectl_manifest.selfsigned_issuer

Deleted files:
- keycloak.yaml
- clusterissuer-selfsigned.yaml
Replace helm module usage with cluster-prerequisites for keycloak, cert-manager, and nginx-ingress setup in all configurations:
- gke_getting_started
- minikube_getting_started
- 0_minikube-setup/minikube_test_cluster
- 0_minikube-keycloak-setup (removed redundant http provider)
- ci-configurations/e2e_tests

The helm module now only handles theia-cloud components (base, crds, theia-cloud), while cluster-prerequisites handles the infrastructure.
Move trimsuffix() into the cluster-prerequisites module output so consumers don't need to handle URL normalization. This follows URL conventions and meets the Keycloak provider's requirement directly.
Replace kubectl_manifest with terraform_data and local-exec to avoid the "for_each value depends on resource attributes that cannot be determined until apply" error. The previous approach parsed YAML from an HTTP response to construct dynamic map keys, which Terraform cannot evaluate at plan time.
use K8S instead
Do not make it wait until a pod is bound because the pod is only created in the next step
- Remove usage of helm module
- Install cert-manager and theia-cloud-base before cluster-prerequisites because we re-use Theia Cloud's Let's Encrypt cluster issuer
This avoids being asked to enter a first and last name on first login.
Merge note: This should probably be squashed on merge because there are various tryout and rebase-fix commits.
Fixes #472
E2E test run: https://github.com/eclipse-theia/theia-cloud/actions/runs/26575253687
Update Keycloak setup and split Terraform modules
This PR updates the Keycloak deployment to Keycloak 26 (via the official Keycloak Operator instead of the Bitnami chart) and restructures the Terraform modules so that cluster prerequisites and Theia Cloud installation are clearly separated.
### Terraform: new `cluster-prerequisites` module

A new module replaces the prerequisite parts of the old `helm` module. It uses the official Keycloak Operator (instead of the deprecated Bitnami Helm chart) and is configurable enough to skip parts that are already installed in the target cluster.

- Keycloak Operator from `keycloak-k8s-resources` (default version `26.4.5`); creates the Keycloak instance via the `Keycloak` CR
- cert-manager (`v1.17.4`) and a self-signed `ClusterIssuer` for local development
- `Ingress` with TLS, configurable cluster issuer, common name, annotations, and HTTP relative path (default `/keycloak/`)
- `keycloak_url`, `namespace`, `tls_secret_name`, and service-name outputs; `keycloak_url` is trimmed of any trailing slash so downstream consumers (e.g. the Keycloak provider) can use it directly

Two notable implementation details:

- `terraform_data` + `local-exec` instead of `kubectl_manifest`. The previous approach parsed YAML from an HTTP response to build dynamic `for_each` keys, which Terraform cannot evaluate at plan time.

### Terraform: new `theia-cloud` module

A new module that only installs the Theia Cloud Helm charts (`theia-cloud-base`, `theia-cloud-crds`, `theia-cloud`). Each chart can be toggled individually via `install_theia_cloud_base`, `install_theia_cloud_crds`, and `install_theia_cloud` so that downstream configurations can stage installs as needed.

- `theia_cloud_version` variable (default `1.2.0`) pins the chart version for all three releases
- `keycloak_url` variable lets consumers pass the URL from the cluster-prerequisites module; falls back to `https://<hostname>/keycloak` if empty

### Terraform: removed `helm` module

The old `helm` module has been deleted; its functionality is now split between `cluster-prerequisites` and `theia-cloud`.

### Terraform: updated configurations

All consumers have been migrated to the new modules:

- `gke_getting_started`: drops the unused `postgres_postgres_password` variable, installs cert-manager and the `theia-cloud-base` module first (to re-use its `letsencrypt-prod` `ClusterIssuer` for the Keycloak ingress), then `cluster-prerequisites`, then the remainder of `theia-cloud`. The Keycloak provider URL is taken from `module.cluster_prerequisites.keycloak_url`.
- `minikube_getting_started/1_theiacloud-and-dependencies`: replaces the `helm` module with `cluster_prerequisites` + `theia-cloud`. The standalone `.terraform.lock.hcl` at the configuration root has been removed (the configuration is split into sub-directories with their own lockfiles).
- `ci-configurations/e2e_tests`: switches to `cluster_prerequisites` for Keycloak and prerequisites; Theia Cloud charts continue to be installed from the local checkout via direct `helm_release`s.
- `test-configurations/1_dependencies`: switches to `cluster_prerequisites`. The `keycloak` output now exposes the module URL directly.

### Terraform: `keycloak` module

- Drops the `hostname` variable (the Keycloak URL is supplied via the provider configuration)
- Sets `first_name`/`last_name` on the `foo` and `bar` test users so that first login does not prompt for them with Keycloak 26.

### Landing page and testing page (`keycloak-js` update)

Both pages have been updated for Keycloak 26 compatibility:

- `node/landing-page`: `keycloak-js` bumped from `20.0.5` to `26.2.4`
- `node/testing-page`: `keycloak-js` bumped from `^17.0.1` to `26.2.4`
- `App.tsx`: uses `new Keycloak(...)` (the v26 API no longer supports calling `Keycloak()` without `new`) and logs the underlying error in the auth failure handlers

### Documentation

- `README.md` release checklist now points to `terraform/modules/theia-cloud/variables.tf` for the Helm chart version (the old `terraform/modules/helm` path no longer exists)
- `terraform/terraform.md` points at the two new modules instead of the removed `helm` module
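The two implementation details called out for the `cluster-prerequisites` module (applying the operator manifests with `terraform_data` + `local-exec` rather than a `for_each` over keys parsed from an HTTP response, and emitting `keycloak_url` without a trailing slash) are easier to follow in a concrete module skeleton. The block below is an added illustration written for this review, not code from the PR or the Theia Cloud repository: the variable names `keycloak_operator_version`, `keycloak_namespace`, `keycloak_hostname` and `keycloak_http_relative_path` are assumptions, the manifest paths follow the layout of the Keycloak operator installation guide for `keycloak/keycloak-k8s-resources` (check them against the version you pin), and the consumer hostname is a constructed value.

```hcl
# Added illustration, not the PR's module code.
# ---- modules/cluster-prerequisites (module side) ----

variable "keycloak_operator_version" {
  type    = string
  default = "26.4.5" # default quoted in the PR description

  # The value is interpolated into a shell command below, so restrict it to a
  # plain x.y.z release tag instead of trusting arbitrary input.
  validation {
    condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.keycloak_operator_version))
    error_message = "keycloak_operator_version must be a plain x.y.z release tag."
  }
}

variable "keycloak_namespace" { # assumed name
  type    = string
  default = "keycloak"
}

variable "keycloak_hostname" { # assumed name
  type = string
}

variable "keycloak_http_relative_path" { # assumed name
  type    = string
  default = "/keycloak/" # default quoted in the PR description
}

locals {
  # Every URL is known at plan time, so a static list works where a for_each
  # keyed on the parsed body of an HTTP response failed with
  # "for_each value depends on resource attributes that cannot be determined until apply".
  operator_manifests = [
    "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_operator_version}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml",
    "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_operator_version}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml",
    "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_operator_version}/kubernetes/kubernetes.yml",
  ]
}

resource "terraform_data" "keycloak_operator" {
  # Changing the version or namespace replaces the resource, which re-runs the
  # provisioner and re-applies the manifests.
  triggers_replace = [var.keycloak_operator_version, var.keycloak_namespace]

  provisioner "local-exec" {
    # Runs with the kubeconfig/credentials of the Terraform runner, not with a
    # provider-managed credential, so plan accordingly in CI.
    command = join(" && ", [
      for url in local.operator_manifests :
      "kubectl apply --server-side -n ${var.keycloak_namespace} -f ${url}"
    ])
  }
}

output "keycloak_url" {
  # "https://host/keycloak/" becomes "https://host/keycloak", the base-URL
  # form the Keycloak provider expects.
  value = trimsuffix("https://${var.keycloak_hostname}${var.keycloak_http_relative_path}", "/")
}

# ---- consumer configuration (a separate root module) ----
# module "cluster_prerequisites" {
#   source            = "../../modules/cluster-prerequisites"
#   keycloak_hostname = "keycloak.example.invalid" # constructed value
# }
#
# provider "keycloak" {
#   url = module.cluster_prerequisites.keycloak_url
# }
```

With the defaults above, `keycloak_url` evaluates to `https://keycloak.example.invalid/keycloak` for the constructed hostname. The `validation` block matters because `local-exec` hands the command to a shell: restricting the version variable to an `x.y.z` tag keeps module inputs from becoming part of the command in any form other than the one the module author intended.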
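The `theia-cloud` module's per-chart toggles and its `keycloak_url` fallback are the other pattern worth seeing end to end. The block below is an added illustration written for this review, not the module from the PR: the variable names `install_theia_cloud_base`, `install_theia_cloud_crds`, `install_theia_cloud`, `theia_cloud_version` and `keycloak_url` come from the PR description, while the `hostname` variable, the `helm_repository` placeholder and the chart value key passed to the release are assumptions.

```hcl
# Added illustration, not the PR's module code.
# ---- modules/theia-cloud (module side) ----

variable "install_theia_cloud_base" {
  type    = bool
  default = true
}

variable "install_theia_cloud_crds" {
  type    = bool
  default = true
}

variable "install_theia_cloud" {
  type    = bool
  default = true
}

variable "theia_cloud_version" {
  type    = string
  default = "1.2.0" # chart version default quoted in the PR description
}

variable "hostname" { # assumed name, used only for the fallback URL
  type = string
}

variable "keycloak_url" {
  type        = string
  default     = ""
  description = "Keycloak base URL from the cluster-prerequisites module; empty selects the fallback."

  # cluster-prerequisites already strips the trailing slash; reject a stray one
  # here so a hand-supplied value cannot produce double slashes in the issuer
  # and redirect URLs derived from it.
  validation {
    condition     = var.keycloak_url == "" || !endswith(var.keycloak_url, "/")
    error_message = "keycloak_url must not end with a trailing slash."
  }
}

variable "helm_repository" {
  type    = string
  default = "https://charts.example.invalid/theia-cloud" # placeholder, not the real chart repository
}

locals {
  # Fallback documented in the PR: https://<hostname>/keycloak when no URL is passed.
  keycloak_url = var.keycloak_url != "" ? var.keycloak_url : "https://${var.hostname}/keycloak"
}

resource "helm_release" "theia_cloud_base" {
  count = var.install_theia_cloud_base ? 1 : 0

  name       = "theia-cloud-base"
  repository = var.helm_repository
  chart      = "theia-cloud-base"
  version    = var.theia_cloud_version
}

resource "helm_release" "theia_cloud_crds" {
  count = var.install_theia_cloud_crds ? 1 : 0

  name       = "theia-cloud-crds"
  repository = var.helm_repository
  chart      = "theia-cloud-crds"
  version    = var.theia_cloud_version
}

resource "helm_release" "theia_cloud" {
  count = var.install_theia_cloud ? 1 : 0

  name       = "theia-cloud"
  repository = var.helm_repository
  chart      = "theia-cloud"
  version    = var.theia_cloud_version

  # The main chart needs the CRDs and base release first; depends_on stays
  # valid even when those releases are toggled off (count = 0).
  depends_on = [helm_release.theia_cloud_base, helm_release.theia_cloud_crds]

  # Value key is assumed for illustration; check the chart's values.yaml.
  values = [yamlencode({ keycloak = { authUrl = local.keycloak_url } })]
}

output "keycloak_url" {
  value = local.keycloak_url
}
```

Staging installs as the PR description describes (for example `theia-cloud-base` first so its `letsencrypt-prod` `ClusterIssuer` exists before the Keycloak ingress is created) is then a matter of calling the module twice with different toggles, and a single pinned `theia_cloud_version` keeps all three releases at the same chart version.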