From 979c03790675c014d5bf47a571b2f0ec05127310 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 20 Nov 2025 15:07:18 +0100 Subject: [PATCH 01/37] terraform: initial keycloak-setup module using keycloak operator - Installs the keycloak operator via offical keycloak K8S resources - Sets up postgreSQL database and ingress - Setup keycloak instance via CR --- terraform/modules/keycloak-setup/README.md | 256 ++++++++++++ terraform/modules/keycloak-setup/main.tf | 381 ++++++++++++++++++ terraform/modules/keycloak-setup/outputs.tf | 29 ++ terraform/modules/keycloak-setup/variables.tf | 167 ++++++++ terraform/modules/keycloak-setup/versions.tf | 17 + 5 files changed, 850 insertions(+) create mode 100644 terraform/modules/keycloak-setup/README.md create mode 100644 terraform/modules/keycloak-setup/main.tf create mode 100644 terraform/modules/keycloak-setup/outputs.tf create mode 100644 terraform/modules/keycloak-setup/variables.tf create mode 100644 terraform/modules/keycloak-setup/versions.tf diff --git a/terraform/modules/keycloak-setup/README.md b/terraform/modules/keycloak-setup/README.md new file mode 100644 index 000000000..83721635f --- /dev/null +++ b/terraform/modules/keycloak-setup/README.md @@ -0,0 +1,256 @@ +# Keycloak Setup Module + +This Terraform module deploys Keycloak in a Kubernetes cluster using the official Keycloak Operator. It replaces the deprecated Bitnami Helm chart approach with a native Kubernetes operator installation. + +## Features + +- Installs Keycloak Operator without Operator Lifecycle Manager (OLM) +- Configurable Keycloak operator version (default: v26.4.5) +- Deploys Keycloak with configurable resources and replicas +- Optional integrated PostgreSQL database deployment +- Kubernetes Ingress support with TLS +- Cert-manager integration for automatic certificate generation +- Support for Minikube, GKE, and generic Kubernetes clusters +- Configurable HTTP relative path (e.g., `/keycloak/`) + +## Prerequisites + +The following components must be installed in your Kubernetes cluster before using this module: + +1. **cert-manager** (if using TLS): For automatic certificate generation +2. **nginx-ingress-controller** (if using ingress): For routing traffic to Keycloak +3. **Persistent Volume provisioner**: For PostgreSQL data persistence (if using integrated database) + +## Usage + +### Minikube Example + +```hcl +module "keycloak" { + source = "../../modules/keycloak-setup" + + hostname = "192.168.49.2.nip.io" + keycloak_admin_password = "admin" + postgres_password = "admin" + + # Minikube-specific configuration + postgres_storage_class = "manual" + postgres_volume_permissions = true + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + cloud_provider = "MINIKUBE" +} +``` + +### GKE Example + +```hcl +module "keycloak" { + source = "../../modules/keycloak-setup" + + hostname = "keycloak.example.com" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = var.postgres_password + + # GKE-specific configuration + postgres_storage_class = "standard-rwo" + ingress_cert_manager_cluster_issuer = "letsencrypt-prod" + cloud_provider = "GKE" + + # Production resources + keycloak_replicas = 2 + keycloak_resource_requests_cpu = "1" + keycloak_resource_requests_memory = "2Gi" + keycloak_resource_limits_cpu = "2" + keycloak_resource_limits_memory = "4Gi" +} +``` + +### Using External PostgreSQL Database + +```hcl +module "keycloak" { + source = "../../modules/keycloak-setup" + + hostname = "keycloak.example.com" + keycloak_admin_password = var.keycloak_admin_password + + # Disable integrated PostgreSQL + postgres_enabled = false + + # Note: You'll need to manually configure external database + # connection in the Keycloak CR or use environment variables +} +``` + +## Input Variables + +### Required Variables + +| Name | Type | Description | +| ------------------------- | -------- | ------------------------------------------------------------------ | +| `hostname` | `string` | Hostname for Keycloak ingress | +| `keycloak_admin_password` | `string` | Keycloak admin password (sensitive) | +| `postgres_password` | `string` | PostgreSQL password (sensitive, required if postgres_enabled=true) | + +### Keycloak Configuration + +| Name | Type | Default | Description | +| ----------------------------------- | -------- | -------------- | ---------------------------------------------------------------------- | +| `keycloak_admin_username` | `string` | `"admin"` | Keycloak admin username | +| `keycloak_namespace` | `string` | `"keycloak"` | Kubernetes namespace for Keycloak | +| `keycloak_version` | `string` | `"26.4.5"` | Keycloak operator version (tag from keycloak-k8s-resources repository) | +| `keycloak_http_relative_path` | `string` | `"/keycloak/"` | HTTP relative path for Keycloak | +| `keycloak_replicas` | `number` | `1` | Number of Keycloak replicas | +| `keycloak_resource_requests_cpu` | `string` | `"500m"` | CPU resource requests | +| `keycloak_resource_requests_memory` | `string` | `"1Gi"` | Memory resource requests | +| `keycloak_resource_limits_cpu` | `string` | `"1"` | CPU resource limits | +| `keycloak_resource_limits_memory` | `string` | `"2Gi"` | Memory resource limits | + +### PostgreSQL Configuration + +| Name | Type | Default | Description | +| ----------------------------- | -------- | --------------- | -------------------------------------------------- | +| `postgres_enabled` | `bool` | `true` | Whether to deploy PostgreSQL database | +| `postgres_database` | `string` | `"keycloak"` | PostgreSQL database name | +| `postgres_username` | `string` | `"keycloak"` | PostgreSQL username | +| `postgres_storage_class` | `string` | `""` | Storage class for PostgreSQL PVC (empty = default) | +| `postgres_storage_size` | `string` | `"10Gi"` | Storage size for PostgreSQL PVC | +| `postgres_volume_permissions` | `bool` | `false` | Enable init container for volume permissions | +| `postgres_image` | `string` | `"postgres:16"` | PostgreSQL Docker image | + +### Ingress Configuration + +| Name | Type | Default | Description | +| ------------------------------------- | ------------- | --------- | -------------------------------------------- | +| `ingress_enabled` | `bool` | `true` | Whether to create Kubernetes Ingress | +| `ingress_class_name` | `string` | `"nginx"` | Ingress class name | +| `ingress_tls_enabled` | `bool` | `true` | Whether to enable TLS for ingress | +| `ingress_cert_manager_cluster_issuer` | `string` | `""` | Cert-manager cluster issuer for TLS | +| `ingress_cert_manager_common_name` | `string` | `""` | The common name for the certificate | +| `ingress_annotations` | `map(string)` | `{}` | Additional annotations for ingress | +| `ingress_tls_secret_name` | `string` | `""` | Name of TLS secret (auto-generated if empty) | + +### Other Configuration + +| Name | Type | Default | Description | +| ---------------- | -------- | ------- | ---------------------------------------- | +| `cloud_provider` | `string` | `"K8S"` | Cloud provider type (MINIKUBE, GKE, K8S) | + +## Outputs + +| Name | Description | +| ----------------------- | -------------------------------------------- | +| `namespace` | Keycloak namespace | +| `keycloak_url` | Full URL to access Keycloak | +| `admin_username` | Keycloak admin username | +| `postgres_service_name` | PostgreSQL service name (if deployed) | +| `keycloak_service_name` | Keycloak service name | +| `tls_secret_name` | TLS certificate secret name (if TLS enabled) | + +## Migration from Bitnami Helm Chart + +This module replaces the deprecated Bitnami Helm chart with the official Keycloak Operator. Key differences: + +### What Changed + +1. **Installation Method**: Uses Keycloak Operator instead of Helm chart +2. **Image Source**: Uses official Keycloak images instead of Bitnami images +3. **CRD-based**: Keycloak instance is defined as a Custom Resource +4. **Database**: PostgreSQL is deployed separately (not as a sub-chart) + +### Migration Steps + +1. **Backup Data**: Export realms and data from existing Keycloak instance +2. **Update Module Reference**: Change from `helm` module to `keycloak-setup` module +3. **Update Variables**: Some variable names have changed (see mapping below) +4. **Apply Changes**: Run `terraform apply` to deploy new Keycloak +5. **Restore Data**: Import realms and data into new instance + +### Variable Mapping + +| Old (Bitnami) | New (Operator) | +| ------------------------------ | ----------------------------- | +| `postgresql_storageClass` | `postgres_storage_class` | +| `postgresql_volumePermissions` | `postgres_volume_permissions` | +| `postgresql_enabled` | `postgres_enabled` | +| `auth.adminPassword` | `keycloak_admin_password` | +| `httpRelativePath` | `keycloak_http_relative_path` | + +## Troubleshooting + +### Keycloak Pod Not Starting + +Check the operator logs: + +```bash +kubectl logs -n keycloak -l app=keycloak-operator +``` + +Check Keycloak resource status: + +```bash +kubectl get keycloak -n keycloak keycloak -o yaml +``` + +### Database Connection Issues + +Verify PostgreSQL is running: + +```bash +kubectl get pods -n keycloak -l app=postgres +kubectl logs -n keycloak -l app=postgres +``` + +Check database credentials: + +```bash +kubectl get secret -n keycloak postgres-credentials -o yaml +``` + +### TLS Certificate Not Generated + +Check cert-manager: + +```bash +kubectl get certificate -n keycloak +kubectl describe certificate -n keycloak +``` + +Verify cluster issuer exists: + +```bash +kubectl get clusterissuer +``` + +### Ingress Not Working + +Check ingress status: + +```bash +kubectl get ingress -n keycloak +kubectl describe ingress -n keycloak keycloak +``` + +Verify ingress controller is running: + +```bash +kubectl get pods -n ingress-nginx +``` + +### Volume Permission Errors + +If PostgreSQL fails with permission errors, enable volume permissions: + +```hcl +postgres_volume_permissions = true +``` + +## Additional Resources + +- [Keycloak Operator Documentation](https://www.keycloak.org/operator/installation) +- [Keycloak on Kubernetes Guide](https://www.keycloak.org/operator/basic-deployment) +- [Keycloak K8s Resources Repository](https://github.com/keycloak/keycloak-k8s-resources) + +## License + +This module follows the same license as the parent project. diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf new file mode 100644 index 000000000..3dda7ce96 --- /dev/null +++ b/terraform/modules/keycloak-setup/main.tf @@ -0,0 +1,381 @@ +resource "kubernetes_namespace" "keycloak" { + metadata { + name = var.keycloak_namespace + } +} + +data "http" "keycloak_crd" { + url = "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml" +} + +resource "kubectl_manifest" "keycloak_crd" { + yaml_body = data.http.keycloak_crd.response_body + depends_on = [ + kubernetes_namespace.keycloak + ] +} + +data "http" "keycloak_realm_import_crd" { + url = "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml" +} + +resource "kubectl_manifest" "keycloak_realm_import_crd" { + yaml_body = data.http.keycloak_realm_import_crd.response_body + depends_on = [ + kubernetes_namespace.keycloak + ] +} + +data "http" "keycloak_operator" { + url = "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/kubernetes.yml" +} + +locals { + operator_manifests_raw = split("---", data.http.keycloak_operator.response_body) + operator_manifests = [ + for doc in local.operator_manifests_raw : + yamldecode(doc) + if trimspace(doc) != "" && can(yamldecode(doc)) + ] + operator_resources = { + for idx, doc in local.operator_manifests : + "${doc.kind}-${doc.metadata.name}-${idx}" => doc + } +} + +resource "kubectl_manifest" "keycloak_operator" { + for_each = local.operator_resources + yaml_body = yamlencode(each.value) + override_namespace = var.keycloak_namespace + depends_on = [ + kubectl_manifest.keycloak_crd, + kubectl_manifest.keycloak_realm_import_crd + ] +} + +resource "kubernetes_secret" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres-credentials" + namespace = kubernetes_namespace.keycloak.metadata[0].name + } + + data = { + username = var.postgres_username + password = var.postgres_password + database = var.postgres_database + } + + type = "Opaque" +} + +resource "kubernetes_persistent_volume_claim" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres-pvc" + namespace = kubernetes_namespace.keycloak.metadata[0].name + } + + spec { + access_modes = ["ReadWriteOnce"] + resources { + requests = { + storage = var.postgres_storage_size + } + } + storage_class_name = var.postgres_storage_class != "" ? var.postgres_storage_class : null + } +} + +resource "kubernetes_deployment" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres" + namespace = kubernetes_namespace.keycloak.metadata[0].name + labels = { + app = "postgres" + } + } + + spec { + replicas = 1 + + selector { + match_labels = { + app = "postgres" + } + } + + template { + metadata { + labels = { + app = "postgres" + } + } + + spec { + dynamic "init_container" { + for_each = var.postgres_volume_permissions ? [1] : [] + content { + name = "volume-permissions" + image = "busybox:latest" + command = [ + "sh", + "-c", + "chown -R 999:999 /var/lib/postgresql/data" + ] + volume_mount { + name = "postgres-storage" + mount_path = "/var/lib/postgresql/data" + } + } + } + + container { + name = "postgres" + image = var.postgres_image + + env { + name = "POSTGRES_USER" + value_from { + secret_key_ref { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "username" + } + } + } + + env { + name = "POSTGRES_PASSWORD" + value_from { + secret_key_ref { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "password" + } + } + } + + env { + name = "POSTGRES_DB" + value_from { + secret_key_ref { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "database" + } + } + } + + port { + container_port = 5432 + name = "postgres" + } + + volume_mount { + name = "postgres-storage" + mount_path = "/var/lib/postgresql/data" + } + + resources { + requests = { + cpu = "250m" + memory = "512Mi" + } + limits = { + cpu = "500m" + memory = "1Gi" + } + } + } + + volume { + name = "postgres-storage" + persistent_volume_claim { + claim_name = kubernetes_persistent_volume_claim.postgres[0].metadata[0].name + } + } + } + } + } + + depends_on = [ + kubernetes_persistent_volume_claim.postgres + ] +} + +resource "kubernetes_service" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres" + namespace = kubernetes_namespace.keycloak.metadata[0].name + } + + spec { + selector = { + app = "postgres" + } + + port { + port = 5432 + target_port = 5432 + protocol = "TCP" + } + + type = "ClusterIP" + } +} + +resource "kubernetes_secret" "keycloak_admin" { + metadata { + name = "keycloak-initial-admin" + namespace = kubernetes_namespace.keycloak.metadata[0].name + } + + data = { + username = var.keycloak_admin_username + password = var.keycloak_admin_password + } + + type = "Opaque" +} + +locals { + tls_secret_name = var.ingress_tls_secret_name != "" ? var.ingress_tls_secret_name : "${var.hostname}-tls" + + keycloak_spec = var.postgres_enabled ? { + instances = var.keycloak_replicas + http = { + httpEnabled = true + httpPort = 8080 + tlsSecret = var.ingress_tls_enabled ? local.tls_secret_name : null + } + hostname = { + hostname = var.hostname + strict = false + } + http-relative-path = var.keycloak_http_relative_path + db = { + vendor = "postgres" + host = kubernetes_service.postgres[0].metadata[0].name + port = 5432 + database = var.postgres_database + usernameSecret = { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "username" + } + passwordSecret = { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "password" + } + } + resources = { + requests = { + cpu = var.keycloak_resource_requests_cpu + memory = var.keycloak_resource_requests_memory + } + limits = { + cpu = var.keycloak_resource_limits_cpu + memory = var.keycloak_resource_limits_memory + } + } + } : { + instances = var.keycloak_replicas + http = { + httpEnabled = true + httpPort = 8080 + tlsSecret = var.ingress_tls_enabled ? local.tls_secret_name : null + } + hostname = { + hostname = var.hostname + strict = false + } + http-relative-path = var.keycloak_http_relative_path + resources = { + requests = { + cpu = var.keycloak_resource_requests_cpu + memory = var.keycloak_resource_requests_memory + } + limits = { + cpu = var.keycloak_resource_limits_cpu + memory = var.keycloak_resource_limits_memory + } + } + } +} + +resource "kubectl_manifest" "keycloak_instance" { + yaml_body = yamlencode({ + apiVersion = "k8s.keycloak.org/v2alpha1" + kind = "Keycloak" + metadata = { + name = "keycloak" + namespace = kubernetes_namespace.keycloak.metadata[0].name + } + spec = local.keycloak_spec + }) + + depends_on = [ + kubectl_manifest.keycloak_operator, + kubernetes_secret.keycloak_admin, + kubernetes_service.postgres + ] +} + +resource "kubernetes_ingress_v1" "keycloak" { + count = var.ingress_enabled ? 1 : 0 + + metadata { + name = "keycloak" + namespace = kubernetes_namespace.keycloak.metadata[0].name + annotations = merge( + { + "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" + "nginx.ingress.kubernetes.io/proxy-busy-buffers-size" = "128k" + "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer + "cert-manager.io/common-name" = var.ingress_cert_manager_common_name + "acme.cert-manager.io/http01-edit-in-place" = "true" + "acme.cert-manager.io/http01-ingress-path-type" = "ImplementationSpecific" + }, + var.ingress_annotations + ) + } + + spec { + ingress_class_name = var.ingress_class_name + + dynamic "tls" { + for_each = var.ingress_tls_enabled ? [1] : [] + content { + hosts = [var.hostname] + secret_name = local.tls_secret_name + } + } + + rule { + host = var.hostname + + http { + path { + path = var.keycloak_http_relative_path + path_type = "ImplementationSpecific" + + backend { + service { + name = "keycloak-service" + port { + number = 8080 + } + } + } + } + } + } + } + + depends_on = [ + kubectl_manifest.keycloak_instance + ] +} diff --git a/terraform/modules/keycloak-setup/outputs.tf b/terraform/modules/keycloak-setup/outputs.tf new file mode 100644 index 000000000..01fa1ce00 --- /dev/null +++ b/terraform/modules/keycloak-setup/outputs.tf @@ -0,0 +1,29 @@ +output "namespace" { + description = "Keycloak namespace" + value = kubernetes_namespace.keycloak.metadata[0].name +} + +output "keycloak_url" { + description = "Full URL to access Keycloak" + value = var.ingress_enabled ? "https://${var.hostname}${var.keycloak_http_relative_path}" : "http://${var.hostname}:8080${var.keycloak_http_relative_path}" +} + +output "admin_username" { + description = "Keycloak admin username" + value = var.keycloak_admin_username +} + +output "postgres_service_name" { + description = "PostgreSQL service name" + value = var.postgres_enabled ? kubernetes_service.postgres[0].metadata[0].name : null +} + +output "keycloak_service_name" { + description = "Keycloak service name (created by operator)" + value = "keycloak-service" +} + +output "tls_secret_name" { + description = "TLS certificate secret name" + value = var.ingress_tls_enabled ? local.tls_secret_name : null +} diff --git a/terraform/modules/keycloak-setup/variables.tf b/terraform/modules/keycloak-setup/variables.tf new file mode 100644 index 000000000..c986c7e3e --- /dev/null +++ b/terraform/modules/keycloak-setup/variables.tf @@ -0,0 +1,167 @@ +variable "hostname" { + description = "Hostname for Keycloak ingress" + type = string +} + +variable "keycloak_admin_username" { + description = "Keycloak admin username" + type = string + default = "admin" +} + +variable "keycloak_admin_password" { + description = "Keycloak admin password" + type = string + sensitive = true +} + +variable "postgres_enabled" { + description = "Whether to deploy PostgreSQL database" + type = bool + default = true +} + +variable "postgres_database" { + description = "PostgreSQL database name" + type = string + default = "keycloak" +} + +variable "postgres_username" { + description = "PostgreSQL username" + type = string + default = "keycloak" +} + +variable "postgres_password" { + description = "PostgreSQL password" + type = string + sensitive = true +} + +variable "postgres_storage_class" { + description = "Storage class for PostgreSQL PVC" + type = string + default = "" +} + +variable "postgres_storage_size" { + description = "Storage size for PostgreSQL PVC" + type = string + default = "10Gi" +} + +variable "postgres_volume_permissions" { + description = "Enable init container that changes the owner and group of the persistent volume" + type = bool + default = false +} + +variable "postgres_image" { + description = "PostgreSQL Docker image. See Keycloak database compatibility at https://www.keycloak.org/server/db#_supported_databases" + type = string + default = "postgres:17" +} + +variable "keycloak_namespace" { + description = "Kubernetes namespace for Keycloak" + type = string + default = "keycloak" +} + +variable "keycloak_version" { + description = "Keycloak operator version (tag from keycloak-k8s-resources repository)" + type = string + default = "26.4.5" +} + +variable "keycloak_http_relative_path" { + description = "HTTP relative path for Keycloak" + type = string + default = "/keycloak/" +} + +variable "keycloak_replicas" { + description = "Number of Keycloak replicas" + type = number + default = 1 +} + +variable "keycloak_resource_requests_cpu" { + description = "CPU resource requests for Keycloak" + type = string + default = "500m" +} + +variable "keycloak_resource_requests_memory" { + description = "Memory resource requests for Keycloak" + type = string + default = "1Gi" +} + +variable "keycloak_resource_limits_cpu" { + description = "CPU resource limits for Keycloak" + type = string + default = "1" +} + +variable "keycloak_resource_limits_memory" { + description = "Memory resource limits for Keycloak" + type = string + default = "2Gi" +} + +variable "ingress_enabled" { + description = "Whether to create Kubernetes Ingress" + type = bool + default = true +} + +variable "ingress_class_name" { + description = "Ingress class name" + type = string + default = "nginx" +} + +variable "ingress_tls_enabled" { + description = "Whether to enable TLS for ingress" + type = bool + default = true +} + +variable "ingress_cert_manager_cluster_issuer" { + description = "Cert-manager cluster issuer for TLS certificate" + type = string + + validation { + condition = length(regexall("^(letsencrypt-prod|theia-cloud-selfsigned-issuer|keycloak-selfsigned-issuer)$", var.ingress_cert_manager_cluster_issuer)) > 0 + error_message = "ERROR: Valid values are \"letsencrypt-prod\", \"theia-cloud-selfsigned-issuer\", and \"keycloak-selfsigned-issuer\"!" + } +} + +variable "ingress_cert_manager_common_name" { + description = "The common name for the certificate" + default = "" +} + +variable "ingress_annotations" { + description = "Additional annotations for ingress" + type = map(string) + default = {} +} + +variable "ingress_tls_secret_name" { + description = "Name of TLS secret (auto-generated if not specified)" + type = string + default = "" +} + +variable "cloud_provider" { + description = "Cloud provider type" + type = string + default = "K8S" + validation { + condition = contains(["MINIKUBE", "GKE", "K8S"], var.cloud_provider) + error_message = "Valid values are: MINIKUBE, GKE, K8S" + } +} diff --git a/terraform/modules/keycloak-setup/versions.tf b/terraform/modules/keycloak-setup/versions.tf new file mode 100644 index 000000000..113df5e65 --- /dev/null +++ b/terraform/modules/keycloak-setup/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.0.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = ">= 1.19.0" + } + http = { + source = "hashicorp/http" + version = ">= 3.0.0" + } + } + required_version = ">= 1.12.2" +} From d02772e4edbbd863f36f8cf43ae043fe8c0862dc Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 20 Nov 2025 16:29:33 +0100 Subject: [PATCH 02/37] terraform: add cluster issuer install to keycloak-setup --- terraform/modules/keycloak-setup/README.md | 49 +++++++++++++++++-- terraform/modules/keycloak-setup/main.tf | 43 ++++++++++++++-- terraform/modules/keycloak-setup/variables.tf | 30 ++++++++++++ terraform/modules/keycloak-setup/versions.tf | 4 ++ 4 files changed, 117 insertions(+), 9 deletions(-) diff --git a/terraform/modules/keycloak-setup/README.md b/terraform/modules/keycloak-setup/README.md index 83721635f..cee7a6ee6 100644 --- a/terraform/modules/keycloak-setup/README.md +++ b/terraform/modules/keycloak-setup/README.md @@ -9,7 +9,9 @@ This Terraform module deploys Keycloak in a Kubernetes cluster using the officia - Deploys Keycloak with configurable resources and replicas - Optional integrated PostgreSQL database deployment - Kubernetes Ingress support with TLS +- **Optional cert-manager installation** (can be disabled if already installed) - Cert-manager integration for automatic certificate generation +- Optional self-signed ClusterIssuer for local development - Support for Minikube, GKE, and generic Kubernetes clusters - Configurable HTTP relative path (e.g., `/keycloak/`) @@ -17,13 +19,14 @@ This Terraform module deploys Keycloak in a Kubernetes cluster using the officia The following components must be installed in your Kubernetes cluster before using this module: -1. **cert-manager** (if using TLS): For automatic certificate generation -2. **nginx-ingress-controller** (if using ingress): For routing traffic to Keycloak -3. **Persistent Volume provisioner**: For PostgreSQL data persistence (if using integrated database) +1. **nginx-ingress-controller** (if using ingress): For routing traffic to Keycloak +2. **Persistent Volume provisioner**: For PostgreSQL data persistence (if using integrated database) + +Note: cert-manager can be installed automatically by this module (default) or you can disable it if already present in your cluster. ## Usage -### Minikube Example +### Minikube Example (with cert-manager installation) ```hcl module "keycloak" { @@ -33,6 +36,10 @@ module "keycloak" { keycloak_admin_password = "admin" postgres_password = "admin" + # Cert-manager installation + install_cert_manager = true + install_selfsigned_issuer = true + # Minikube-specific configuration postgres_storage_class = "manual" postgres_volume_permissions = true @@ -41,7 +48,7 @@ module "keycloak" { } ``` -### GKE Example +### GKE Example (with Let's Encrypt) ```hcl module "keycloak" { @@ -51,6 +58,10 @@ module "keycloak" { keycloak_admin_password = var.keycloak_admin_password postgres_password = var.postgres_password + # Cert-manager installation + install_cert_manager = true + cert_manager_issuer_email = "admin@example.com" + # GKE-specific configuration postgres_storage_class = "standard-rwo" ingress_cert_manager_cluster_issuer = "letsencrypt-prod" @@ -65,6 +76,24 @@ module "keycloak" { } ``` +### Using Existing cert-manager Installation + +```hcl +module "keycloak" { + source = "../../modules/keycloak-setup" + + hostname = "keycloak.example.com" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = var.postgres_password + + # Use existing cert-manager + install_cert_manager = false + ingress_cert_manager_cluster_issuer = "my-existing-issuer" + + postgres_storage_class = "standard" +} +``` + ### Using External PostgreSQL Database ```hcl @@ -130,6 +159,16 @@ module "keycloak" { | `ingress_annotations` | `map(string)` | `{}` | Additional annotations for ingress | | `ingress_tls_secret_name` | `string` | `""` | Name of TLS secret (auto-generated if empty) | +### Cert-Manager Configuration + +| Name | Type | Default | Description | +| -------------------------- | -------- | ---------------- | -------------------------------------------------------------------- | +| `install_cert_manager` | `bool` | `true` | Whether to install cert-manager | +| `cert_manager_version` | `string` | `"v1.17.4"` | Version of cert-manager to install | +| `cert_manager_namespace` | `string` | `"cert-manager"` | Namespace for cert-manager installation | +| `install_selfsigned_issuer`| `bool` | `false` | Whether to install self-signed ClusterIssuer for Keycloak | +| `cert_manager_issuer_email`| `string` | `""` | Email address for certificates (required for letsencrypt-prod) | + ### Other Configuration | Name | Type | Default | Description | diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index 3dda7ce96..493d728f2 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -1,7 +1,40 @@ +resource "helm_release" "cert_manager" { + count = var.install_cert_manager ? 1 : 0 + name = "cert-manager" + repository = "https://charts.jetstack.io" + chart = "cert-manager" + version = var.cert_manager_version + namespace = var.cert_manager_namespace + create_namespace = true + + set { + name = "installCRDs" + value = "true" + } +} + +resource "kubectl_manifest" "keycloak_selfsigned_issuer" { + count = var.install_selfsigned_issuer ? 1 : 0 + depends_on = [helm_release.cert_manager] + + yaml_body = yamlencode({ + apiVersion = "cert-manager.io/v1" + kind = "ClusterIssuer" + metadata = { + name = "keycloak-selfsigned-issuer" + } + spec = { + selfSigned = {} + } + }) +} + resource "kubernetes_namespace" "keycloak" { metadata { name = var.keycloak_namespace } + + depends_on = [helm_release.cert_manager] } data "http" "keycloak_crd" { @@ -334,11 +367,13 @@ resource "kubernetes_ingress_v1" "keycloak" { { "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" "nginx.ingress.kubernetes.io/proxy-busy-buffers-size" = "128k" - "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer - "cert-manager.io/common-name" = var.ingress_cert_manager_common_name - "acme.cert-manager.io/http01-edit-in-place" = "true" - "acme.cert-manager.io/http01-ingress-path-type" = "ImplementationSpecific" }, + var.ingress_tls_enabled ? { + "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer + "cert-manager.io/common-name" = var.ingress_cert_manager_common_name != "" ? var.ingress_cert_manager_common_name : var.hostname + "acme.cert-manager.io/http01-edit-in-place" = "true" + "acme.cert-manager.io/http01-ingress-path-type" = "ImplementationSpecific" + } : {}, var.ingress_annotations ) } diff --git a/terraform/modules/keycloak-setup/variables.tf b/terraform/modules/keycloak-setup/variables.tf index c986c7e3e..e60d475d6 100644 --- a/terraform/modules/keycloak-setup/variables.tf +++ b/terraform/modules/keycloak-setup/variables.tf @@ -165,3 +165,33 @@ variable "cloud_provider" { error_message = "Valid values are: MINIKUBE, GKE, K8S" } } + +variable "install_cert_manager" { + description = "Whether to install cert-manager" + type = bool + default = true +} + +variable "cert_manager_version" { + description = "Version of cert-manager to install" + type = string + default = "v1.17.4" +} + +variable "cert_manager_namespace" { + description = "Namespace for cert-manager installation" + type = string + default = "cert-manager" +} + +variable "install_selfsigned_issuer" { + description = "Whether to install an additional self-signed ClusterIssuer for Keycloak" + type = bool + default = false +} + +variable "cert_manager_issuer_email" { + description = "Email address used to create certificates (required for letsencrypt-prod issuer)" + type = string + default = "" +} diff --git a/terraform/modules/keycloak-setup/versions.tf b/terraform/modules/keycloak-setup/versions.tf index 113df5e65..c9dad80bf 100644 --- a/terraform/modules/keycloak-setup/versions.tf +++ b/terraform/modules/keycloak-setup/versions.tf @@ -12,6 +12,10 @@ terraform { source = "hashicorp/http" version = ">= 3.0.0" } + helm = { + source = "hashicorp/helm" + version = ">= 2.0.0" + } } required_version = ">= 1.12.2" } From 727af81195c6bd1e5afd650d415c9e2cf4c1e58d Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 20 Nov 2025 17:09:03 +0100 Subject: [PATCH 03/37] managed to get a keycloak instance running --- terraform/modules/keycloak-setup/main.tf | 89 ++++++++++-------------- 1 file changed, 36 insertions(+), 53 deletions(-) diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index 493d728f2..c7732f570 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -7,10 +7,12 @@ resource "helm_release" "cert_manager" { namespace = var.cert_manager_namespace create_namespace = true - set { - name = "installCRDs" - value = "true" - } + set = [ + { + name = "installCRDs" + value = "true" + } + ] } resource "kubectl_manifest" "keycloak_selfsigned_issuer" { @@ -261,24 +263,12 @@ resource "kubernetes_service" "postgres" { } } -resource "kubernetes_secret" "keycloak_admin" { - metadata { - name = "keycloak-initial-admin" - namespace = kubernetes_namespace.keycloak.metadata[0].name - } - data = { - username = var.keycloak_admin_username - password = var.keycloak_admin_password - } - - type = "Opaque" -} locals { tls_secret_name = var.ingress_tls_secret_name != "" ? var.ingress_tls_secret_name : "${var.hostname}-tls" - keycloak_spec = var.postgres_enabled ? { + keycloak_spec_base = { instances = var.keycloak_replicas http = { httpEnabled = true @@ -290,42 +280,16 @@ locals { strict = false } http-relative-path = var.keycloak_http_relative_path - db = { - vendor = "postgres" - host = kubernetes_service.postgres[0].metadata[0].name - port = 5432 - database = var.postgres_database - usernameSecret = { - name = kubernetes_secret.postgres[0].metadata[0].name - key = "username" - } - passwordSecret = { - name = kubernetes_secret.postgres[0].metadata[0].name - key = "password" - } - } - resources = { - requests = { - cpu = var.keycloak_resource_requests_cpu - memory = var.keycloak_resource_requests_memory - } - limits = { - cpu = var.keycloak_resource_limits_cpu - memory = var.keycloak_resource_limits_memory + additionalOptions = [ + { + name = "admin" + value = var.keycloak_admin_username + }, + { + name = "admin-password" + value = var.keycloak_admin_password } - } - } : { - instances = var.keycloak_replicas - http = { - httpEnabled = true - httpPort = 8080 - tlsSecret = var.ingress_tls_enabled ? local.tls_secret_name : null - } - hostname = { - hostname = var.hostname - strict = false - } - http-relative-path = var.keycloak_http_relative_path + ] resources = { requests = { cpu = var.keycloak_resource_requests_cpu @@ -337,6 +301,26 @@ locals { } } } + + keycloak_spec = merge( + local.keycloak_spec_base, + var.postgres_enabled ? { + db = { + vendor = "postgres" + host = kubernetes_service.postgres[0].metadata[0].name + port = 5432 + database = var.postgres_database + usernameSecret = { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "username" + } + passwordSecret = { + name = kubernetes_secret.postgres[0].metadata[0].name + key = "password" + } + } + } : { db = null } + ) } resource "kubectl_manifest" "keycloak_instance" { @@ -352,7 +336,6 @@ resource "kubectl_manifest" "keycloak_instance" { depends_on = [ kubectl_manifest.keycloak_operator, - kubernetes_secret.keycloak_admin, kubernetes_service.postgres ] } From 6776a62eec1494178acb439fa1aef49634237b64 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 20 Nov 2025 17:54:44 +0100 Subject: [PATCH 04/37] fix relative path setting --- terraform/modules/keycloak-setup/main.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index c7732f570..1af432787 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -279,8 +279,11 @@ locals { hostname = var.hostname strict = false } - http-relative-path = var.keycloak_http_relative_path additionalOptions = [ + { + name = "http-relative-path" + value = var.keycloak_http_relative_path + }, { name = "admin" value = var.keycloak_admin_username From ce0f21f534c2d1ca93b548e99fc379e0cded3fae Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Fri, 21 Nov 2025 10:01:51 +0100 Subject: [PATCH 05/37] small readme adjustments --- terraform/modules/keycloak-setup/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/terraform/modules/keycloak-setup/README.md b/terraform/modules/keycloak-setup/README.md index cee7a6ee6..d1ed9a38e 100644 --- a/terraform/modules/keycloak-setup/README.md +++ b/terraform/modules/keycloak-setup/README.md @@ -145,7 +145,7 @@ module "keycloak" { | `postgres_storage_class` | `string` | `""` | Storage class for PostgreSQL PVC (empty = default) | | `postgres_storage_size` | `string` | `"10Gi"` | Storage size for PostgreSQL PVC | | `postgres_volume_permissions` | `bool` | `false` | Enable init container for volume permissions | -| `postgres_image` | `string` | `"postgres:16"` | PostgreSQL Docker image | +| `postgres_image` | `string` | `"postgres:17"` | PostgreSQL Docker image | ### Ingress Configuration @@ -161,13 +161,13 @@ module "keycloak" { ### Cert-Manager Configuration -| Name | Type | Default | Description | -| -------------------------- | -------- | ---------------- | -------------------------------------------------------------------- | -| `install_cert_manager` | `bool` | `true` | Whether to install cert-manager | -| `cert_manager_version` | `string` | `"v1.17.4"` | Version of cert-manager to install | -| `cert_manager_namespace` | `string` | `"cert-manager"` | Namespace for cert-manager installation | -| `install_selfsigned_issuer`| `bool` | `false` | Whether to install self-signed ClusterIssuer for Keycloak | -| `cert_manager_issuer_email`| `string` | `""` | Email address for certificates (required for letsencrypt-prod) | +| Name | Type | Default | Description | +| --------------------------- | -------- | ---------------- | -------------------------------------------------------------- | +| `install_cert_manager` | `bool` | `true` | Whether to install cert-manager | +| `cert_manager_version` | `string` | `"v1.17.4"` | Version of cert-manager to install | +| `cert_manager_namespace` | `string` | `"cert-manager"` | Namespace for cert-manager installation | +| `install_selfsigned_issuer` | `bool` | `false` | Whether to install self-signed ClusterIssuer for Keycloak | +| `cert_manager_issuer_email` | `string` | `""` | Email address for certificates (required for letsencrypt-prod) | ### Other Configuration From a0e2d98e5405aeecc62d44edef7db5ac070ac4eb Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Fri, 21 Nov 2025 12:50:11 +0100 Subject: [PATCH 06/37] fix hostname config to work with own ingress terminating https --- terraform/modules/keycloak-setup/main.tf | 36 ++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index 1af432787..f421a276c 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -76,6 +76,16 @@ locals { for idx, doc in local.operator_manifests : "${doc.kind}-${doc.metadata.name}-${idx}" => doc } + + # local_exec_quotes is a helper function to deal with different handling of + # quotes between linux and windows. On linux, it will output "'". On windows, + # it will output "". + local_exec_quotes = startswith(abspath(path.module), "/") ? "'" : "" + jsonpatch = jsonencode([{ + "op" = "add", + "path" = "/spec/template/spec/containers/0/args/-", + "value" = "--default-ssl-certificate=keycloak/${var.hostname}-tls" + }]) } resource "kubectl_manifest" "keycloak_operator" { @@ -268,18 +278,28 @@ resource "kubernetes_service" "postgres" { locals { tls_secret_name = var.ingress_tls_secret_name != "" ? var.ingress_tls_secret_name : "${var.hostname}-tls" + keycloak_protocol = var.ingress_tls_enabled ? "https://" : "http://" + keycloak_spec_base = { instances = var.keycloak_replicas http = { httpEnabled = true httpPort = 8080 - tlsSecret = var.ingress_tls_enabled ? local.tls_secret_name : null + } + ingress = { + enabled = false } hostname = { - hostname = var.hostname - strict = false + # hostname v2 including protocol and path + hostname = "${local.keycloak_protocol}${var.hostname}${var.keycloak_http_relative_path}" + strict = true } additionalOptions = [ + # Tell Keycloak to use X-Forwarded-* from nginx + { + name = "proxy-headers" + value = "xforwarded" + }, { name = "http-relative-path" value = var.keycloak_http_relative_path @@ -396,6 +416,16 @@ resource "kubernetes_ingress_v1" "keycloak" { } } + + # We expect that kubectl context was configured by a previous module. + # After keycloak was set up with tls enabled, we use the created tls secret as the default ssl-secret of the nginx-ingress-controller. + # Below command connects to the cluster in the local environment and patches the ingress-controller accordingly. + # Theia Cloud is then installed with path based hosts reusing the same certificate. + # Sleep 5 seconds at the end as there might be a brief delay between the ingress controller reporting available and it actually being ready to serve traffic + provisioner "local-exec" { + command = "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" + } + depends_on = [ kubectl_manifest.keycloak_instance ] From 3119bb1e3f4d5fa378fd18050bb54f37476a6a53 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Fri, 28 Nov 2025 18:38:33 +0100 Subject: [PATCH 07/37] add wait --- terraform/modules/keycloak-setup/main.tf | 35 ++++++++++++++++--- terraform/modules/keycloak-setup/outputs.tf | 2 ++ terraform/modules/keycloak-setup/variables.tf | 2 +- 3 files changed, 34 insertions(+), 5 deletions(-) diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index f421a276c..026cdfb51 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -363,6 +363,33 @@ resource "kubectl_manifest" "keycloak_instance" { ] } +resource "terraform_data" "wait_for_keycloak_instance" { + provisioner "local-exec" { + command = "kubectl wait keycloak/keycloak -n ${kubernetes_namespace.keycloak.metadata[0].name} --for=condition=Ready --timeout=3m" + } + + depends_on = [ + kubectl_manifest.keycloak_instance + ] +} + +resource "terraform_data" "wait_for_keycloak_http" { + provisioner "local-exec" { + command = <<-EOT + echo "Waiting for Keycloak pods to be ready..." + kubectl wait pods -n ${kubernetes_namespace.keycloak.metadata[0].name} -l app=keycloak --for=condition=Ready --timeout=5m + echo "Waiting for Keycloak service endpoint..." + kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace.keycloak.metadata[0].name} --timeout=2m + echo "Keycloak is ready!" + EOT + } + + depends_on = [ + terraform_data.wait_for_keycloak_instance, + kubernetes_ingress_v1.keycloak + ] +} + resource "kubernetes_ingress_v1" "keycloak" { count = var.ingress_enabled ? 1 : 0 @@ -418,15 +445,15 @@ resource "kubernetes_ingress_v1" "keycloak" { # We expect that kubectl context was configured by a previous module. - # After keycloak was set up with tls enabled, we use the created tls secret as the default ssl-secret of the nginx-ingress-controller. - # Below command connects to the cluster in the local environment and patches the ingress-controller accordingly. - # Theia Cloud is then installed with path based hosts reusing the same certificate. + # After keycloak was set up with tls enabled, we use the created tls secret as the default ssl-secret of the nginx-ingress-controller. + # Below command connects to the cluster in the local environment and patches the ingress-controller accordingly. + # Theia Cloud is then installed with path based hosts reusing the same certificate. # Sleep 5 seconds at the end as there might be a brief delay between the ingress controller reporting available and it actually being ready to serve traffic provisioner "local-exec" { command = "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" } depends_on = [ - kubectl_manifest.keycloak_instance + terraform_data.wait_for_keycloak_instance ] } diff --git a/terraform/modules/keycloak-setup/outputs.tf b/terraform/modules/keycloak-setup/outputs.tf index 01fa1ce00..eff627d7e 100644 --- a/terraform/modules/keycloak-setup/outputs.tf +++ b/terraform/modules/keycloak-setup/outputs.tf @@ -1,11 +1,13 @@ output "namespace" { description = "Keycloak namespace" value = kubernetes_namespace.keycloak.metadata[0].name + depends_on = [terraform_data.wait_for_keycloak_http] } output "keycloak_url" { description = "Full URL to access Keycloak" value = var.ingress_enabled ? "https://${var.hostname}${var.keycloak_http_relative_path}" : "http://${var.hostname}:8080${var.keycloak_http_relative_path}" + depends_on = [terraform_data.wait_for_keycloak_http] } output "admin_username" { diff --git a/terraform/modules/keycloak-setup/variables.tf b/terraform/modules/keycloak-setup/variables.tf index e60d475d6..50530862a 100644 --- a/terraform/modules/keycloak-setup/variables.tf +++ b/terraform/modules/keycloak-setup/variables.tf @@ -78,7 +78,7 @@ variable "keycloak_version" { variable "keycloak_http_relative_path" { description = "HTTP relative path for Keycloak" type = string - default = "/keycloak/" + default = "/keycloak" } variable "keycloak_replicas" { From 440a1a4d896dbf20a330fd723e8ae6ca99486edb Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Tue, 2 Dec 2025 09:44:08 +0100 Subject: [PATCH 08/37] keycloak setup with new minikube keycloak setup finally working --- terraform/modules/keycloak-setup/main.tf | 37 +++- .../.terraform.lock.hcl | 168 ++++++++++++++ .../0_minikube-keycloak-setup/README.md | 191 ++++++++++++++++ .../minikube_keycloak_test.tf | 207 ++++++++++++++++++ .../0_minikube-keycloak-setup/outputs.tf | 15 ++ .../0_minikube-keycloak-setup/versions.tf | 34 +++ 6 files changed, 643 insertions(+), 9 deletions(-) create mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl create mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/README.md create mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf create mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf create mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/versions.tf diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index 026cdfb51..83105e775 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -274,7 +274,6 @@ resource "kubernetes_service" "postgres" { } - locals { tls_secret_name = var.ingress_tls_secret_name != "" ? var.ingress_tls_secret_name : "${var.hostname}-tls" @@ -294,6 +293,32 @@ locals { hostname = "${local.keycloak_protocol}${var.hostname}${var.keycloak_http_relative_path}" strict = true } + # Use "unsupported" pod template to set admin credentials via environment variables. + # Despite the name "unsupported", this is officially supported by the Keycloak Operator, + # see https://www.keycloak.org/operator/advanced-configuration#_pod_template + # For the admin credentials see https://www.keycloak.org/server/configuration#_creating_the_initial_admin_user + unsupported = { + podTemplate = { + spec = { + containers = [ + { + name = "keycloak" + env = [ + { + name = "KC_BOOTSTRAP_ADMIN_USERNAME" + value = var.keycloak_admin_username + }, + { + name = "KC_BOOTSTRAP_ADMIN_PASSWORD" + value = var.keycloak_admin_password + } + ] + } + ] + } + } + } + additionalOptions = [ # Tell Keycloak to use X-Forwarded-* from nginx { @@ -303,14 +328,6 @@ locals { { name = "http-relative-path" value = var.keycloak_http_relative_path - }, - { - name = "admin" - value = var.keycloak_admin_username - }, - { - name = "admin-password" - value = var.keycloak_admin_password } ] resources = { @@ -381,6 +398,8 @@ resource "terraform_data" "wait_for_keycloak_http" { echo "Waiting for Keycloak service endpoint..." kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace.keycloak.metadata[0].name} --timeout=2m echo "Keycloak is ready!" + echo "Waiting additional time for Keycloak authentication to be fully initialized..." + sleep 10 EOT } diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl b/terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl new file mode 100644 index 000000000..f8f6ec48b --- /dev/null +++ b/terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl @@ -0,0 +1,168 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = ">= 1.19.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.5" + hashes = [ + "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", + "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", + "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", + "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", + "zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", + "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", + "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", + "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", + "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", + "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", + "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "3.1.1" + constraints = ">= 2.0.0, >= 3.0.2" + hashes = [ + "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", + "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", + "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", + "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", + "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", + "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", + "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", + "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", + "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", + "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", + "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", + "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.13.1" + constraints = ">= 0.9.0" + hashes = [ + "h1:+W+DMrVoVnoXo3f3M4W+OpZbkCrUn6PnqDF33D2Cuf0=", + "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74", + "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f", + "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a", + "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328", + "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8", + "zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b", + "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0", + "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d", + "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75", + "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5", + ] +} + +provider "registry.terraform.io/mrparkers/keycloak" { + version = "4.4.0" + constraints = ">= 4.4.0" + hashes = [ + "h1:FH9j76zRv05qxk7I/w0mycmBEuew/+XP+Qx+Ptz/onw=", + "zh:0116d63fb4a4436d67cc793038899e0de23c3a5c78f5bf3cf76ee006ad886979", + "zh:0fa399fcdeef21dd914ff7413b8489e47900cbe7bc65b50eeb0d75b71a2b561d", + "zh:30371fee6d0ae438908b1bf03278f6d0a0cb2992a97814028676a05a55d92f19", + "zh:39218a95fe6430ac2b44470cb991dbb98f57c5306017a80b81d3a319855094f4", + "zh:3b436c471cde4eb9120f609e3aecf12d383e8032aeb9cd12c7476faa7c8b4afb", + "zh:9a2a5cc77332e6cd9f6d101d3aff35520a2361fc02f4d436fe176dbd5351f24b", + "zh:9a89cc61c303100174cda3783b13fa4f6e2648eb436c1259d1c72264998534e8", + "zh:b588cd78d9939523de1fa8202c2757c497a20dcf2bf67cf4daf61836194bfe3a", + "zh:c04e6ac2367f55d9cd0893ebebbecb9da685312077e8a7fff299b8d8009955d5", + "zh:c23286693edf2024272219f6728bb7eded5ee087956fc527a63f10ea9ec9c9e4", + "zh:d7a29a2023f17b24236079789931d53662a2696b13d30140cb75dc0e693a1f94", + "zh:ddc0cad0a8ec9e5afc4f4502aed75089c3e9e0bc6da9d4b796728ef5580b94ef", + "zh:de8833a1a0a726401380e52302892de782dddb7efa51122c33104dde8e119561", + "zh:dee864f90327b149d126d603c5ed58cc196682153ebd1bfa73dd67398f6cbe38", + "zh:f63ef9950ebb06fa1daad784a3d0f342803f65404107186bdadb3198ce4d03b2", + "zh:f6d2414fec3fcaefc80cbe8e49647221dbbcfd2fe1b0f7619bd68d06c93c30f4", + "zh:fb659b5a21ba0ad9ec1c7484f167c51c752abea84dd27e726cc3567e7006e99e", + ] +} + +provider "registry.terraform.io/scott-the-programmer/minikube" { + version = "0.6.0" + constraints = "0.6.0" + hashes = [ + "h1:b2DJdavTUmUbOLsHrw+A9Q/yfn4ZAUjvcGL8vi9wWbk=", + "zh:07384be2c110a8727f8a42abb387c5bb715e984ce5394e947a628ac62d9a6288", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:2aa27ced99cf412f48b6f0893542133b2d35107d3863b883025ee5ed316728dd", + "zh:354893a90285a9f8fe59bb14ee91df6eefb9bf83efafedef48b6965d1a454213", + "zh:700d1b78f4bab6591e4e418c989bc4c2e73d3ab403929961a227f133f00fa070", + "zh:9f58563aa5847f2f65ac2f0a6a5e1b38beb9a1ae3bd58a580c3d8eeb411fa11a", + "zh:ac097e1f714aa14c255a62caf8e5022c95765e75a161ca562ccedf52db95dd79", + "zh:c0a75a6886c647a67ae37c9abcb98cd55728435da8142b0711e6f1c6323440a0", + "zh:c7d0bbc8c4aa6cd962214fe1cb24126830f1b836bf49af776a06b06410bdc767", + "zh:ce1a20714dc4a7ef3775e64bd1ab420b92ed59ff782a1fc1e5d9315df32c858e", + "zh:d35cc2226d41a30522331fde97e5dd22bf1fc9cb55773fcfe6e6cdba6687aea3", + ] +} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/README.md b/terraform/test-configurations/0_minikube-keycloak-setup/README.md new file mode 100644 index 000000000..94e32cc89 --- /dev/null +++ b/terraform/test-configurations/0_minikube-keycloak-setup/README.md @@ -0,0 +1,191 @@ +# Minikube Keycloak Setup Test Configuration + +This test configuration demonstrates the use of the `keycloak-setup` module without the deprecated `helm` module. It provides a complete, standalone Keycloak deployment on Minikube. + +## What This Configuration Includes + +1. **Minikube Cluster Creation**: Sets up a local Kubernetes cluster +2. **Nginx Ingress Controller**: Deployed directly via Helm (not through the helm module) +3. **Cert-Manager**: Installed by the keycloak-setup module +4. **Self-Signed ClusterIssuer**: For local TLS certificates +5. **Keycloak**: Deployed using the official Keycloak Operator +6. **PostgreSQL**: Integrated database deployment +7. **Keycloak Realm Configuration**: Test realm with users and groups + +## Key Differences from Old Configuration + +| Old (0_minikube-setup) | New (0_minikube-keycloak-setup) | +| ---------------------------------- | ------------------------------------------ | +| Uses `modules/helm` for everything | Uses `modules/keycloak-setup` for Keycloak | +| Bitnami Helm chart for Keycloak | Official Keycloak Operator | +| Cert-manager in helm module | Cert-manager in keycloak-setup module | +| nginx-ingress via helm module | nginx-ingress deployed separately | + +## Prerequisites + +1. Minikube installed +2. KVM2 driver (or adjust the `driver` variable in the configuration) +3. Terraform >= 1.12.2 + +## Usage + +### Initialize and Apply + +```bash +cd terraform/test-configurations/0_minikube-keycloak-setup +terraform init +terraform apply +``` + +### Access Keycloak + +After successful deployment: + +1. Get the hostname: + + ```bash + terraform output hostname + ``` + +2. Access Keycloak at: + + ``` + https:///keycloak/ + ``` + +3. Login with: + - Username: `admin` + - Password: `admin` (or the value set in `keycloak_admin_password` variable) + +### Test Users + +The configuration creates a test realm with two users: + +- **foo** (password: `foo`) - Member of admin group +- **bar** (password: `bar`) + +### Verify Installation + +Check all components are running: + +```bash +# Cert-manager +kubectl get pods -n cert-manager + +# Keycloak operator +kubectl get pods -n keycloak -l app=keycloak-operator + +# Keycloak instance +kubectl get keycloak -n keycloak + +# PostgreSQL +kubectl get pods -n keycloak -l app=postgres + +# Ingress +kubectl get ingress -n keycloak + +# Certificate +kubectl get certificate -n keycloak +``` + +### Cleanup + +```bash +terraform destroy +``` + +## Configuration Variables + +You can customize the deployment by setting these variables: + +```hcl +# In terraform.tfvars +kubernetes_version = "v1.26.3" +cert_manager_issuer_email = "your-email@example.com" +keycloak_admin_password = "your-secure-password" +``` + +## Troubleshooting + +### Keycloak Not Accessible + +1. Check if the ingress controller is ready: + + ```bash + kubectl get pods -n ingress-nginx + ``` + +2. Verify Keycloak pods are running: + + ```bash + kubectl get pods -n keycloak + ``` + +3. Check certificate status: + + ```bash + kubectl get certificate -n keycloak + kubectl describe certificate -n keycloak + ``` + +### Self-Signed Certificate Warning + +This is expected for local development. The browser will show a certificate warning. You can safely proceed by accepting the self-signed certificate. + +### 401 Unauthorized When Configuring Keycloak Realm + +If you get a 401 error during `terraform apply`, this is likely due to: + +1. **Keycloak URL format**: Keycloak 26 changed the admin console path structure. Check the actual URL: + + ```bash + kubectl get ingress -n keycloak -o yaml + ``` + +2. **Verify Keycloak admin credentials**: Test login manually: + + ```bash + # Get the Keycloak URL + terraform output keycloak_url + + # Test authentication + curl -k -X POST \ + "$(terraform output -raw keycloak_url)/realms/master/protocol/openid-connect/token" \ + -d "client_id=admin-cli" \ + -d "username=admin" \ + -d "password=admin" \ + -d "grant_type=password" + ``` + +3. **Keycloak not fully initialized**: Even after pods are ready, Keycloak's admin console might need more time. Wait 1-2 minutes after the module completes, then run `terraform apply` again. + +### Database Connection Issues + +Check PostgreSQL logs: + +```bash +kubectl logs -n keycloak -l app=postgres +``` + +Check Keycloak operator logs: + +```bash +kubectl logs -n keycloak -l app=keycloak-operator +``` + +## Benefits of This Approach + +1. **No Deprecated Dependencies**: Uses official Keycloak Operator instead of Bitnami chart +2. **Modular**: Keycloak setup is independent of other components +3. **Self-Contained**: All cert-manager setup included in keycloak-setup module +4. **Production-Ready**: Same pattern can be used for production deployments +5. **Easier to Update**: Module can be updated independently + +## Next Steps + +This configuration can be extended to: + +1. Install Theia Cloud components +2. Add additional Keycloak realms and clients +3. Configure external PostgreSQL database +4. Use Let's Encrypt for production TLS certificates diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf new file mode 100644 index 000000000..df9dc1b64 --- /dev/null +++ b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf @@ -0,0 +1,207 @@ +variable "kubernetes_version" { + description = "Kubernetes version to use" + default = "v1.33.6" +} + +variable "cert_manager_issuer_email" { + description = "EMail address used to create certificates." + default = "tester@theia-cloud.io" +} + +variable "keycloak_admin_password" { + description = "Keycloak Admin Password" + sensitive = true + default = "admin" +} + +provider "minikube" { + kubernetes_version = var.kubernetes_version +} + +module "cluster" { + source = "../../modules/cluster_creation/minikube/" + + cluster_name = "minikube" + cpus = 4 + disk_size = "51200mb" + memory = "8192mb" + driver = "kvm2" +} + +provider "kubernetes" { + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + +provider "helm" { + kubernetes = { + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate + } +} + +resource "kubernetes_persistent_volume" "minikube" { + depends_on = [module.cluster] + + metadata { + name = "minikube-volume" + } + spec { + storage_class_name = "manual" + capacity = { + storage = "16Gi" + } + access_modes = ["ReadWriteOnce"] + persistent_volume_source { + host_path { + path = "/data/theia-cloud" + } + } + } +} + +provider "kubectl" { + load_config_file = false + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + +provider "http" { +} + +module "host" { + depends_on = [module.cluster] + + source = "matti/urlparse/external" + url = module.cluster.cluster_host +} + +# resource "helm_release" "nginx_ingress_controller" { +# depends_on = [module.cluster] +# name = "nginx-ingress-controller" +# repository = "https://kubernetes.github.io/ingress-nginx" +# chart = "ingress-nginx" +# version = "4.13.0" +# namespace = "ingress-nginx" +# create_namespace = true + +# set { +# name = "fullnameOverride" +# value = "ingress-nginx" +# } + +# set { +# name = "controller.allowSnippetAnnotations" +# value = true +# } + +# set { +# name = "controller.admissionWebhooks.enabled" +# value = false +# } + +# set { +# name = "controller.config.enable-snippet" +# value = "true" +# } +# } + +module "keycloak_setup" { + source = "../../modules/keycloak-setup" + + hostname = "${module.host.host}.nip.io" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = "${module.host.host}.nip.io" + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" +} + +# Output the Keycloak URL for debugging +output "debug_keycloak_url" { + value = module.keycloak_setup.keycloak_url +} + +# Wait for Keycloak to be fully ready before configuring provider +resource "time_sleep" "wait_for_keycloak" { + depends_on = [module.keycloak_setup] + + create_duration = "30s" +} + +# Test Keycloak availability before proceeding +resource "terraform_data" "verify_keycloak_auth" { + depends_on = [time_sleep.wait_for_keycloak] + + provisioner "local-exec" { + command = <<-EOT + echo "Testing Keycloak authentication..." + echo "Attempting to retrieve admin credentials from Keycloak..." + + # Check if Keycloak created an initial admin secret + kubectl get secret -n keycloak keycloak-initial-admin 2>/dev/null && \ + echo "Found keycloak-initial-admin secret" || \ + echo "No keycloak-initial-admin secret found" + + # Try authentication with provided credentials + sleep 10 + RESPONSE=$(curl -k -s -X POST \ + "https://${module.host.host}.nip.io/keycloak/realms/master/protocol/openid-connect/token" \ + -d "client_id=admin-cli" \ + -d "username=admin" \ + -d "password=${var.keycloak_admin_password}" \ + -d "grant_type=password") + + echo "Keycloak response: $RESPONSE" + + if echo "$RESPONSE" | grep -q "access_token"; then + echo "SUCCESS: Keycloak authentication successful" + else + echo "WARNING: Keycloak authentication test failed. Response: $RESPONSE" + echo "This might be expected on first run. Terraform will retry..." + fi + EOT + } +} + +provider "keycloak" { + client_id = "admin-cli" + username = "admin" + password = var.keycloak_admin_password + url = module.keycloak_setup.keycloak_url + tls_insecure_skip_verify = true + initial_login = false + client_timeout = 60 +} + +module "keycloak" { + source = "../../modules/keycloak" + + depends_on = [ + terraform_data.verify_keycloak_auth + ] + + hostname = "${module.host.host}.nip.io" + keycloak_test_user_foo_password = "foo" + keycloak_test_user_bar_password = "bar" + valid_redirect_uri = "*" +} + +resource "keycloak_group_memberships" "admin_group_memberships" { + realm_id = module.keycloak.realm.id + group_id = module.keycloak.admin_group.id + members = [ + module.keycloak.test_users.foo.username + ] +} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf b/terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf new file mode 100644 index 000000000..199bbafe7 --- /dev/null +++ b/terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf @@ -0,0 +1,15 @@ +output "cluster_host" { + value = module.cluster.cluster_host +} + +output "keycloak_url" { + value = module.keycloak_setup.keycloak_url +} + +output "keycloak_admin_username" { + value = module.keycloak_setup.admin_username +} + +output "hostname" { + value = "${module.host.host}.nip.io" +} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/versions.tf b/terraform/test-configurations/0_minikube-keycloak-setup/versions.tf new file mode 100644 index 000000000..da419125a --- /dev/null +++ b/terraform/test-configurations/0_minikube-keycloak-setup/versions.tf @@ -0,0 +1,34 @@ +terraform { + required_providers { + minikube = { + source = "scott-the-programmer/minikube" + version = "0.6.0" + } + helm = { + source = "hashicorp/helm" + version = ">= 3.0.2" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.38.0" + } + keycloak = { + source = "mrparkers/keycloak" + version = ">= 4.4.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = ">= 1.19.0" + } + http = { + source = "hashicorp/http" + version = ">= 3.0.0" + } + time = { + source = "hashicorp/time" + version = ">= 0.9.0" + } + } + + required_version = ">= 1.12.2" +} From fa08bca2622439279ab9b12a3bc2f268b03e0e8e Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Tue, 2 Dec 2025 10:54:33 +0100 Subject: [PATCH 09/37] consolidate waiting for keycloak instance --- terraform/modules/keycloak-setup/main.tf | 77 ++++++++++--------- terraform/modules/keycloak-setup/outputs.tf | 4 +- .../minikube_keycloak_test.tf | 49 +----------- 3 files changed, 44 insertions(+), 86 deletions(-) diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/keycloak-setup/main.tf index 83105e775..6bd1b43ea 100644 --- a/terraform/modules/keycloak-setup/main.tf +++ b/terraform/modules/keycloak-setup/main.tf @@ -380,35 +380,6 @@ resource "kubectl_manifest" "keycloak_instance" { ] } -resource "terraform_data" "wait_for_keycloak_instance" { - provisioner "local-exec" { - command = "kubectl wait keycloak/keycloak -n ${kubernetes_namespace.keycloak.metadata[0].name} --for=condition=Ready --timeout=3m" - } - - depends_on = [ - kubectl_manifest.keycloak_instance - ] -} - -resource "terraform_data" "wait_for_keycloak_http" { - provisioner "local-exec" { - command = <<-EOT - echo "Waiting for Keycloak pods to be ready..." - kubectl wait pods -n ${kubernetes_namespace.keycloak.metadata[0].name} -l app=keycloak --for=condition=Ready --timeout=5m - echo "Waiting for Keycloak service endpoint..." - kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace.keycloak.metadata[0].name} --timeout=2m - echo "Keycloak is ready!" - echo "Waiting additional time for Keycloak authentication to be fully initialized..." - sleep 10 - EOT - } - - depends_on = [ - terraform_data.wait_for_keycloak_instance, - kubernetes_ingress_v1.keycloak - ] -} - resource "kubernetes_ingress_v1" "keycloak" { count = var.ingress_enabled ? 1 : 0 @@ -462,17 +433,51 @@ resource "kubernetes_ingress_v1" "keycloak" { } } + depends_on = [ + kubernetes_namespace.keycloak + ] +} + +resource "terraform_data" "wait_for_keycloak_instance" { + provisioner "local-exec" { + command = <<-EOT + echo "Waiting for Keycloak resource to report ready..." + kubectl wait keycloak/keycloak -n ${kubernetes_namespace.keycloak.metadata[0].name} --for=condition=Ready --timeout=3m + echo "Waiting for Keycloak pods to be ready..." + kubectl wait pods -n ${kubernetes_namespace.keycloak.metadata[0].name} -l app=keycloak --for=condition=Ready --timeout=3m + echo "Waiting for Keycloak service endpoint..." + kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace.keycloak.metadata[0].name} --timeout=2m + echo "Keycloak is ready!" + echo "Waiting additional 5 for Keycloak authentication to be fully initialized..." + sleep 5 + EOT + } + + depends_on = [ + kubectl_manifest.keycloak_instance + ] +} + +resource "terraform_data" "wait_for_certificate" { + count = var.ingress_enabled && var.ingress_tls_enabled ? 1 : 0 + + provisioner "local-exec" { + command = "kubectl wait certificate -n ${kubernetes_namespace.keycloak.metadata[0].name} ${local.tls_secret_name} --for=condition=Ready --timeout=3m" + } + + depends_on = [ + kubernetes_ingress_v1.keycloak + ] +} + +resource "terraform_data" "patch_ingress_controller" { + count = var.ingress_enabled && var.ingress_tls_enabled ? 1 : 0 - # We expect that kubectl context was configured by a previous module. - # After keycloak was set up with tls enabled, we use the created tls secret as the default ssl-secret of the nginx-ingress-controller. - # Below command connects to the cluster in the local environment and patches the ingress-controller accordingly. - # Theia Cloud is then installed with path based hosts reusing the same certificate. - # Sleep 5 seconds at the end as there might be a brief delay between the ingress controller reporting available and it actually being ready to serve traffic provisioner "local-exec" { - command = "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" + command = "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s" } depends_on = [ - terraform_data.wait_for_keycloak_instance + terraform_data.wait_for_certificate ] } diff --git a/terraform/modules/keycloak-setup/outputs.tf b/terraform/modules/keycloak-setup/outputs.tf index eff627d7e..ef7a9e09c 100644 --- a/terraform/modules/keycloak-setup/outputs.tf +++ b/terraform/modules/keycloak-setup/outputs.tf @@ -1,13 +1,13 @@ output "namespace" { description = "Keycloak namespace" value = kubernetes_namespace.keycloak.metadata[0].name - depends_on = [terraform_data.wait_for_keycloak_http] + depends_on = [terraform_data.wait_for_keycloak_instance] } output "keycloak_url" { description = "Full URL to access Keycloak" value = var.ingress_enabled ? "https://${var.hostname}${var.keycloak_http_relative_path}" : "http://${var.hostname}:8080${var.keycloak_http_relative_path}" - depends_on = [terraform_data.wait_for_keycloak_http] + depends_on = [terraform_data.wait_for_keycloak_instance] } output "admin_username" { diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf index df9dc1b64..c1ef2bf79 100644 --- a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf +++ b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf @@ -128,53 +128,6 @@ module "keycloak_setup" { cloud_provider = "MINIKUBE" } -# Output the Keycloak URL for debugging -output "debug_keycloak_url" { - value = module.keycloak_setup.keycloak_url -} - -# Wait for Keycloak to be fully ready before configuring provider -resource "time_sleep" "wait_for_keycloak" { - depends_on = [module.keycloak_setup] - - create_duration = "30s" -} - -# Test Keycloak availability before proceeding -resource "terraform_data" "verify_keycloak_auth" { - depends_on = [time_sleep.wait_for_keycloak] - - provisioner "local-exec" { - command = <<-EOT - echo "Testing Keycloak authentication..." - echo "Attempting to retrieve admin credentials from Keycloak..." - - # Check if Keycloak created an initial admin secret - kubectl get secret -n keycloak keycloak-initial-admin 2>/dev/null && \ - echo "Found keycloak-initial-admin secret" || \ - echo "No keycloak-initial-admin secret found" - - # Try authentication with provided credentials - sleep 10 - RESPONSE=$(curl -k -s -X POST \ - "https://${module.host.host}.nip.io/keycloak/realms/master/protocol/openid-connect/token" \ - -d "client_id=admin-cli" \ - -d "username=admin" \ - -d "password=${var.keycloak_admin_password}" \ - -d "grant_type=password") - - echo "Keycloak response: $RESPONSE" - - if echo "$RESPONSE" | grep -q "access_token"; then - echo "SUCCESS: Keycloak authentication successful" - else - echo "WARNING: Keycloak authentication test failed. Response: $RESPONSE" - echo "This might be expected on first run. Terraform will retry..." - fi - EOT - } -} - provider "keycloak" { client_id = "admin-cli" username = "admin" @@ -189,7 +142,7 @@ module "keycloak" { source = "../../modules/keycloak" depends_on = [ - terraform_data.verify_keycloak_auth + module.keycloak_setup ] hostname = "${module.host.host}.nip.io" From a1982deaddf45ffbee4333b319bb0c407ee19cc6 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Tue, 2 Dec 2025 14:51:55 +0100 Subject: [PATCH 10/37] add license --- terraform/modules/keycloak-setup/LICENSE | 277 +++++++++++++++++++++++ 1 file changed, 277 insertions(+) create mode 100644 terraform/modules/keycloak-setup/LICENSE diff --git a/terraform/modules/keycloak-setup/LICENSE b/terraform/modules/keycloak-setup/LICENSE new file mode 100644 index 000000000..e48e09634 --- /dev/null +++ b/terraform/modules/keycloak-setup/LICENSE @@ -0,0 +1,277 @@ +Eclipse Public License - v 2.0 + + THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE + PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION + OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + +1. DEFINITIONS + +"Contribution" means: + + a) in the case of the initial Contributor, the initial content + Distributed under this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and + ii) additions to the Program; + where such changes and/or additions to the Program originate from + and are Distributed by that particular Contributor. A Contribution + "originates" from a Contributor if it was added to the Program by + such Contributor itself or anyone acting on such Contributor's behalf. + Contributions do not include changes or additions to the Program that + are not Modified Works. + +"Contributor" means any person or entity that Distributes the Program. + +"Licensed Patents" mean patent claims licensable by a Contributor which +are necessarily infringed by the use or sale of its Contribution alone +or when combined with the Program. + +"Program" means the Contributions Distributed in accordance with this +Agreement. + +"Recipient" means anyone who receives the Program under this Agreement +or any Secondary License (as applicable), including Contributors. + +"Derivative Works" shall mean any work, whether in Source Code or other +form, that is based on (or derived from) the Program and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. + +"Modified Works" shall mean any work in Source Code or other form that +results from an addition to, deletion from, or modification of the +contents of the Program, including, for purposes of clarity any new file +in Source Code form that contains any contents of the Program. Modified +Works shall not include works that contain only declarations, +interfaces, types, classes, structures, or files of the Program solely +in each case in order to link to, bind by name, or subclass the Program +or Modified Works thereof. + +"Distribute" means the acts of a) distributing or b) making available +in any manner that enables the transfer of a copy. + +"Source Code" means the form of a Program preferred for making +modifications, including but not limited to software source code, +documentation source, and configuration files. + +"Secondary License" means either the GNU General Public License, +Version 2.0, or any later versions of that license, including any +exceptions or additional permissions as identified by the initial +Contributor. + +2. GRANT OF RIGHTS + + a) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free copyright + license to reproduce, prepare Derivative Works of, publicly display, + publicly perform, Distribute and sublicense the Contribution of such + Contributor, if any, and such Derivative Works. + + b) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free patent + license under Licensed Patents to make, use, sell, offer to sell, + import and otherwise transfer the Contribution of such Contributor, + if any, in Source Code or other form. This patent license shall + apply to the combination of the Contribution and the Program if, at + the time the Contribution is added by the Contributor, such addition + of the Contribution causes such combination to be covered by the + Licensed Patents. The patent license shall not apply to any other + combinations which include the Contribution. No hardware per se is + licensed hereunder. + + c) Recipient understands that although each Contributor grants the + licenses to its Contributions set forth herein, no assurances are + provided by any Contributor that the Program does not infringe the + patent or other intellectual property rights of any other entity. + Each Contributor disclaims any liability to Recipient for claims + brought by any other entity based on infringement of intellectual + property rights or otherwise. As a condition to exercising the + rights and licenses granted hereunder, each Recipient hereby + assumes sole responsibility to secure any other intellectual + property rights needed, if any. For example, if a third party + patent license is required to allow Recipient to Distribute the + Program, it is Recipient's responsibility to acquire that license + before distributing the Program. + + d) Each Contributor represents that to its knowledge it has + sufficient copyright rights in its Contribution, if any, to grant + the copyright license set forth in this Agreement. + + e) Notwithstanding the terms of any Secondary License, no + Contributor makes additional grants to any Recipient (other than + those set forth in this Agreement) as a result of such Recipient's + receipt of the Program under the terms of a Secondary License + (if permitted under the terms of Section 3). + +3. REQUIREMENTS + +3.1 If a Contributor Distributes the Program in any form, then: + + a) the Program must also be made available as Source Code, in + accordance with section 3.2, and the Contributor must accompany + the Program with a statement that the Source Code for the Program + is available under this Agreement, and informs Recipients how to + obtain it in a reasonable manner on or through a medium customarily + used for software exchange; and + + b) the Contributor may Distribute the Program under a license + different than this Agreement, provided that such license: + i) effectively disclaims on behalf of all other Contributors all + warranties and conditions, express and implied, including + warranties or conditions of title and non-infringement, and + implied warranties or conditions of merchantability and fitness + for a particular purpose; + + ii) effectively excludes on behalf of all other Contributors all + liability for damages, including direct, indirect, special, + incidental and consequential damages, such as lost profits; + + iii) does not attempt to limit or alter the recipients' rights + in the Source Code under section 3.2; and + + iv) requires any subsequent distribution of the Program by any + party to be under a license that satisfies the requirements + of this section 3. + +3.2 When the Program is Distributed as Source Code: + + a) it must be made available under this Agreement, or if the + Program (i) is combined with other material in a separate file or + files made available under a Secondary License, and (ii) the initial + Contributor attached to the Source Code the notice described in + Exhibit A of this Agreement, then the Program may be made available + under the terms of such Secondary Licenses, and + + b) a copy of this Agreement must be included with each copy of + the Program. + +3.3 Contributors may not remove or alter any copyright, patent, +trademark, attribution notices, disclaimers of warranty, or limitations +of liability ("notices") contained within the Program from any copy of +the Program which they Distribute, provided that Contributors may add +their own appropriate notices. + +4. COMMERCIAL DISTRIBUTION + +Commercial distributors of software may accept certain responsibilities +with respect to end users, business partners and the like. While this +license is intended to facilitate the commercial use of the Program, +the Contributor who includes the Program in a commercial product +offering should do so in a manner which does not create potential +liability for other Contributors. Therefore, if a Contributor includes +the Program in a commercial product offering, such Contributor +("Commercial Contributor") hereby agrees to defend and indemnify every +other Contributor ("Indemnified Contributor") against any losses, +damages and costs (collectively "Losses") arising from claims, lawsuits +and other legal actions brought by a third party against the Indemnified +Contributor to the extent caused by the acts or omissions of such +Commercial Contributor in connection with its distribution of the Program +in a commercial product offering. The obligations in this section do not +apply to any claims or Losses relating to any actual or alleged +intellectual property infringement. In order to qualify, an Indemnified +Contributor must: a) promptly notify the Commercial Contributor in +writing of such claim, and b) allow the Commercial Contributor to control, +and cooperate with the Commercial Contributor in, the defense and any +related settlement negotiations. The Indemnified Contributor may +participate in any such claim at its own expense. + +For example, a Contributor might include the Program in a commercial +product offering, Product X. That Contributor is then a Commercial +Contributor. If that Commercial Contributor then makes performance +claims, or offers warranties related to Product X, those performance +claims and warranties are such Commercial Contributor's responsibility +alone. Under this section, the Commercial Contributor would have to +defend claims against the other Contributors related to those performance +claims and warranties, and if a court requires any other Contributor to +pay any damages as a result, the Commercial Contributor must pay +those damages. + +5. NO WARRANTY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" +BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR +IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF +TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR +PURPOSE. Each Recipient is solely responsible for determining the +appropriateness of using and distributing the Program and assumes all +risks associated with its exercise of rights under this Agreement, +including but not limited to the risks and costs of program errors, +compliance with applicable laws, damage to or loss of data, programs +or equipment, and unavailability or interruption of operations. + +6. DISCLAIMER OF LIABILITY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS +SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST +PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE +EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + +7. GENERAL + +If any provision of this Agreement is invalid or unenforceable under +applicable law, it shall not affect the validity or enforceability of +the remainder of the terms of this Agreement, and without further +action by the parties hereto, such provision shall be reformed to the +minimum extent necessary to make such provision valid and enforceable. + +If Recipient institutes patent litigation against any entity +(including a cross-claim or counterclaim in a lawsuit) alleging that the +Program itself (excluding combinations of the Program with other software +or hardware) infringes such Recipient's patent(s), then such Recipient's +rights granted under Section 2(b) shall terminate as of the date such +litigation is filed. + +All Recipient's rights under this Agreement shall terminate if it +fails to comply with any of the material terms or conditions of this +Agreement and does not cure such failure in a reasonable period of +time after becoming aware of such noncompliance. If all Recipient's +rights under this Agreement terminate, Recipient agrees to cease use +and distribution of the Program as soon as reasonably practicable. +However, Recipient's obligations under this Agreement and any licenses +granted by Recipient relating to the Program shall continue and survive. + +Everyone is permitted to copy and distribute copies of this Agreement, +but in order to avoid inconsistency the Agreement is copyrighted and +may only be modified in the following manner. The Agreement Steward +reserves the right to publish new versions (including revisions) of +this Agreement from time to time. No one other than the Agreement +Steward has the right to modify this Agreement. The Eclipse Foundation +is the initial Agreement Steward. The Eclipse Foundation may assign the +responsibility to serve as the Agreement Steward to a suitable separate +entity. Each new version of the Agreement will be given a distinguishing +version number. The Program (including Contributions) may always be +Distributed subject to the version of the Agreement under which it was +received. In addition, after a new version of the Agreement is published, +Contributor may elect to Distribute the Program (including its +Contributions) under the new version. + +Except as expressly stated in Sections 2(a) and 2(b) above, Recipient +receives no rights or licenses to the intellectual property of any +Contributor under this Agreement, whether expressly, by implication, +estoppel or otherwise. All rights in the Program not expressly granted +under this Agreement are reserved. Nothing in this Agreement is intended +to be enforceable by any entity that is not a Contributor or Recipient. +No third-party beneficiary rights are created under this Agreement. + +Exhibit A - Form of Secondary Licenses Notice + +"This Source Code may also be made available under the following +Secondary Licenses when the conditions for such availability set forth +in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), +version(s), and exceptions or additional permissions here}." + + Simply including a copy of this Agreement, including this Exhibit A + is not sufficient to license the Source Code under Secondary Licenses. + + If it is not possible or desirable to put the notice in a particular + file, then You may include the notice in a location (such as a LICENSE + file in a relevant directory) where a recipient would be likely to + look for such a notice. + + You may add additional accurate notices of copyright ownership. From a2d5e3524b9c7a921a05cf618ef816b9ec3e9ed9 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Tue, 2 Dec 2025 17:11:26 +0100 Subject: [PATCH 11/37] add theia cloud module only installing theia cloud --- terraform/modules/keycloak-setup/variables.tf | 2 +- .../modules/theia-cloud/.terraform.lock.hcl | 22 ++ terraform/modules/theia-cloud/LICENSE | 277 ++++++++++++++++++ terraform/modules/theia-cloud/README.md | 45 +++ terraform/modules/theia-cloud/main.tf | 64 ++++ .../modules/theia-cloud/theia-cloud.yaml | 52 ++++ terraform/modules/theia-cloud/variables.tf | 32 ++ terraform/modules/theia-cloud/versions.tf | 10 + 8 files changed, 503 insertions(+), 1 deletion(-) create mode 100644 terraform/modules/theia-cloud/.terraform.lock.hcl create mode 100644 terraform/modules/theia-cloud/LICENSE create mode 100644 terraform/modules/theia-cloud/README.md create mode 100644 terraform/modules/theia-cloud/main.tf create mode 100644 terraform/modules/theia-cloud/theia-cloud.yaml create mode 100644 terraform/modules/theia-cloud/variables.tf create mode 100644 terraform/modules/theia-cloud/versions.tf diff --git a/terraform/modules/keycloak-setup/variables.tf b/terraform/modules/keycloak-setup/variables.tf index 50530862a..e60d475d6 100644 --- a/terraform/modules/keycloak-setup/variables.tf +++ b/terraform/modules/keycloak-setup/variables.tf @@ -78,7 +78,7 @@ variable "keycloak_version" { variable "keycloak_http_relative_path" { description = "HTTP relative path for Keycloak" type = string - default = "/keycloak" + default = "/keycloak/" } variable "keycloak_replicas" { diff --git a/terraform/modules/theia-cloud/.terraform.lock.hcl b/terraform/modules/theia-cloud/.terraform.lock.hcl new file mode 100644 index 000000000..6c3aabe8d --- /dev/null +++ b/terraform/modules/theia-cloud/.terraform.lock.hcl @@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/helm" { + version = "3.0.2" + constraints = ">= 3.0.2" + hashes = [ + "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", + "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", + "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690", + "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2", + "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310", + "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1", + "zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e", + "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f", + "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366", + "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e", + "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad", + "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/modules/theia-cloud/LICENSE b/terraform/modules/theia-cloud/LICENSE new file mode 100644 index 000000000..e48e09634 --- /dev/null +++ b/terraform/modules/theia-cloud/LICENSE @@ -0,0 +1,277 @@ +Eclipse Public License - v 2.0 + + THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE + PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION + OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + +1. DEFINITIONS + +"Contribution" means: + + a) in the case of the initial Contributor, the initial content + Distributed under this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and + ii) additions to the Program; + where such changes and/or additions to the Program originate from + and are Distributed by that particular Contributor. A Contribution + "originates" from a Contributor if it was added to the Program by + such Contributor itself or anyone acting on such Contributor's behalf. + Contributions do not include changes or additions to the Program that + are not Modified Works. + +"Contributor" means any person or entity that Distributes the Program. + +"Licensed Patents" mean patent claims licensable by a Contributor which +are necessarily infringed by the use or sale of its Contribution alone +or when combined with the Program. + +"Program" means the Contributions Distributed in accordance with this +Agreement. + +"Recipient" means anyone who receives the Program under this Agreement +or any Secondary License (as applicable), including Contributors. + +"Derivative Works" shall mean any work, whether in Source Code or other +form, that is based on (or derived from) the Program and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. + +"Modified Works" shall mean any work in Source Code or other form that +results from an addition to, deletion from, or modification of the +contents of the Program, including, for purposes of clarity any new file +in Source Code form that contains any contents of the Program. Modified +Works shall not include works that contain only declarations, +interfaces, types, classes, structures, or files of the Program solely +in each case in order to link to, bind by name, or subclass the Program +or Modified Works thereof. + +"Distribute" means the acts of a) distributing or b) making available +in any manner that enables the transfer of a copy. + +"Source Code" means the form of a Program preferred for making +modifications, including but not limited to software source code, +documentation source, and configuration files. + +"Secondary License" means either the GNU General Public License, +Version 2.0, or any later versions of that license, including any +exceptions or additional permissions as identified by the initial +Contributor. + +2. GRANT OF RIGHTS + + a) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free copyright + license to reproduce, prepare Derivative Works of, publicly display, + publicly perform, Distribute and sublicense the Contribution of such + Contributor, if any, and such Derivative Works. + + b) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free patent + license under Licensed Patents to make, use, sell, offer to sell, + import and otherwise transfer the Contribution of such Contributor, + if any, in Source Code or other form. This patent license shall + apply to the combination of the Contribution and the Program if, at + the time the Contribution is added by the Contributor, such addition + of the Contribution causes such combination to be covered by the + Licensed Patents. The patent license shall not apply to any other + combinations which include the Contribution. No hardware per se is + licensed hereunder. + + c) Recipient understands that although each Contributor grants the + licenses to its Contributions set forth herein, no assurances are + provided by any Contributor that the Program does not infringe the + patent or other intellectual property rights of any other entity. + Each Contributor disclaims any liability to Recipient for claims + brought by any other entity based on infringement of intellectual + property rights or otherwise. As a condition to exercising the + rights and licenses granted hereunder, each Recipient hereby + assumes sole responsibility to secure any other intellectual + property rights needed, if any. For example, if a third party + patent license is required to allow Recipient to Distribute the + Program, it is Recipient's responsibility to acquire that license + before distributing the Program. + + d) Each Contributor represents that to its knowledge it has + sufficient copyright rights in its Contribution, if any, to grant + the copyright license set forth in this Agreement. + + e) Notwithstanding the terms of any Secondary License, no + Contributor makes additional grants to any Recipient (other than + those set forth in this Agreement) as a result of such Recipient's + receipt of the Program under the terms of a Secondary License + (if permitted under the terms of Section 3). + +3. REQUIREMENTS + +3.1 If a Contributor Distributes the Program in any form, then: + + a) the Program must also be made available as Source Code, in + accordance with section 3.2, and the Contributor must accompany + the Program with a statement that the Source Code for the Program + is available under this Agreement, and informs Recipients how to + obtain it in a reasonable manner on or through a medium customarily + used for software exchange; and + + b) the Contributor may Distribute the Program under a license + different than this Agreement, provided that such license: + i) effectively disclaims on behalf of all other Contributors all + warranties and conditions, express and implied, including + warranties or conditions of title and non-infringement, and + implied warranties or conditions of merchantability and fitness + for a particular purpose; + + ii) effectively excludes on behalf of all other Contributors all + liability for damages, including direct, indirect, special, + incidental and consequential damages, such as lost profits; + + iii) does not attempt to limit or alter the recipients' rights + in the Source Code under section 3.2; and + + iv) requires any subsequent distribution of the Program by any + party to be under a license that satisfies the requirements + of this section 3. + +3.2 When the Program is Distributed as Source Code: + + a) it must be made available under this Agreement, or if the + Program (i) is combined with other material in a separate file or + files made available under a Secondary License, and (ii) the initial + Contributor attached to the Source Code the notice described in + Exhibit A of this Agreement, then the Program may be made available + under the terms of such Secondary Licenses, and + + b) a copy of this Agreement must be included with each copy of + the Program. + +3.3 Contributors may not remove or alter any copyright, patent, +trademark, attribution notices, disclaimers of warranty, or limitations +of liability ("notices") contained within the Program from any copy of +the Program which they Distribute, provided that Contributors may add +their own appropriate notices. + +4. COMMERCIAL DISTRIBUTION + +Commercial distributors of software may accept certain responsibilities +with respect to end users, business partners and the like. While this +license is intended to facilitate the commercial use of the Program, +the Contributor who includes the Program in a commercial product +offering should do so in a manner which does not create potential +liability for other Contributors. Therefore, if a Contributor includes +the Program in a commercial product offering, such Contributor +("Commercial Contributor") hereby agrees to defend and indemnify every +other Contributor ("Indemnified Contributor") against any losses, +damages and costs (collectively "Losses") arising from claims, lawsuits +and other legal actions brought by a third party against the Indemnified +Contributor to the extent caused by the acts or omissions of such +Commercial Contributor in connection with its distribution of the Program +in a commercial product offering. The obligations in this section do not +apply to any claims or Losses relating to any actual or alleged +intellectual property infringement. In order to qualify, an Indemnified +Contributor must: a) promptly notify the Commercial Contributor in +writing of such claim, and b) allow the Commercial Contributor to control, +and cooperate with the Commercial Contributor in, the defense and any +related settlement negotiations. The Indemnified Contributor may +participate in any such claim at its own expense. + +For example, a Contributor might include the Program in a commercial +product offering, Product X. That Contributor is then a Commercial +Contributor. If that Commercial Contributor then makes performance +claims, or offers warranties related to Product X, those performance +claims and warranties are such Commercial Contributor's responsibility +alone. Under this section, the Commercial Contributor would have to +defend claims against the other Contributors related to those performance +claims and warranties, and if a court requires any other Contributor to +pay any damages as a result, the Commercial Contributor must pay +those damages. + +5. NO WARRANTY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" +BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR +IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF +TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR +PURPOSE. Each Recipient is solely responsible for determining the +appropriateness of using and distributing the Program and assumes all +risks associated with its exercise of rights under this Agreement, +including but not limited to the risks and costs of program errors, +compliance with applicable laws, damage to or loss of data, programs +or equipment, and unavailability or interruption of operations. + +6. DISCLAIMER OF LIABILITY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS +SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST +PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE +EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + +7. GENERAL + +If any provision of this Agreement is invalid or unenforceable under +applicable law, it shall not affect the validity or enforceability of +the remainder of the terms of this Agreement, and without further +action by the parties hereto, such provision shall be reformed to the +minimum extent necessary to make such provision valid and enforceable. + +If Recipient institutes patent litigation against any entity +(including a cross-claim or counterclaim in a lawsuit) alleging that the +Program itself (excluding combinations of the Program with other software +or hardware) infringes such Recipient's patent(s), then such Recipient's +rights granted under Section 2(b) shall terminate as of the date such +litigation is filed. + +All Recipient's rights under this Agreement shall terminate if it +fails to comply with any of the material terms or conditions of this +Agreement and does not cure such failure in a reasonable period of +time after becoming aware of such noncompliance. If all Recipient's +rights under this Agreement terminate, Recipient agrees to cease use +and distribution of the Program as soon as reasonably practicable. +However, Recipient's obligations under this Agreement and any licenses +granted by Recipient relating to the Program shall continue and survive. + +Everyone is permitted to copy and distribute copies of this Agreement, +but in order to avoid inconsistency the Agreement is copyrighted and +may only be modified in the following manner. The Agreement Steward +reserves the right to publish new versions (including revisions) of +this Agreement from time to time. No one other than the Agreement +Steward has the right to modify this Agreement. The Eclipse Foundation +is the initial Agreement Steward. The Eclipse Foundation may assign the +responsibility to serve as the Agreement Steward to a suitable separate +entity. Each new version of the Agreement will be given a distinguishing +version number. The Program (including Contributions) may always be +Distributed subject to the version of the Agreement under which it was +received. In addition, after a new version of the Agreement is published, +Contributor may elect to Distribute the Program (including its +Contributions) under the new version. + +Except as expressly stated in Sections 2(a) and 2(b) above, Recipient +receives no rights or licenses to the intellectual property of any +Contributor under this Agreement, whether expressly, by implication, +estoppel or otherwise. All rights in the Program not expressly granted +under this Agreement are reserved. Nothing in this Agreement is intended +to be enforceable by any entity that is not a Contributor or Recipient. +No third-party beneficiary rights are created under this Agreement. + +Exhibit A - Form of Secondary Licenses Notice + +"This Source Code may also be made available under the following +Secondary Licenses when the conditions for such availability set forth +in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), +version(s), and exceptions or additional permissions here}." + + Simply including a copy of this Agreement, including this Exhibit A + is not sufficient to license the Source Code under Secondary Licenses. + + If it is not possible or desirable to put the notice in a particular + file, then You may include the notice in a location (such as a LICENSE + file in a relevant directory) where a recipient would be likely to + look for such a notice. + + You may add additional accurate notices of copyright ownership. diff --git a/terraform/modules/theia-cloud/README.md b/terraform/modules/theia-cloud/README.md new file mode 100644 index 000000000..098d7f32d --- /dev/null +++ b/terraform/modules/theia-cloud/README.md @@ -0,0 +1,45 @@ +# Theia Cloud Installation Module + +This module installs Theia Cloud components in a Kubernetes cluster via Helm. + +## Prerequisites + +Before using this module, ensure the following are already installed in your cluster: + +- **Cert Manager** (v1.17.4 or compatible) - Required for certificate management +- **Nginx Ingress Controller** (v4.13.0 or compatible) - Required for ingress routing +- **Keycloak** (v26.4.5 or compatible) - Required for authentication + +## What This Module Installs + +This module will install: + +1. **theia-cloud-base** - Cluster-wide resources including cert issuers +2. **theia-cloud-crds** - Custom resource definitions for Theia Cloud +3. **theia-cloud** - The Theia Cloud operators, service, and landing page + +## Usage + +We expect users to be familiar with Helm and that `kubectl` points to the cluster where Theia Cloud will be installed. + +### Basic Example + +```terraform +module "theia_cloud" { + source = "./modules/theia-cloud" + + hostname = "theia.example.com" + cert_manager_issuer_email = "admin@example.com" + cloudProvider = "K8S" +} +``` + +## Variables + +- `install_theia_cloud_base` (optional, default: `true`) - Whether to install theia-cloud-base chart +- `install_theia_cloud_crds` (optional, default: `true`) - Whether to install theia-cloud-crds chart +- `install_theia_cloud` (optional, default: `true`) - Whether to install theia-cloud chart +- `hostname` (required) - The hostname for Theia Cloud services +- `keycloak_url` (optional) - The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/. +- `cert_manager_issuer_email` (required) - Email address used for certificate management +- `cloudProvider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE", "GKE") diff --git a/terraform/modules/theia-cloud/main.tf b/terraform/modules/theia-cloud/main.tf new file mode 100644 index 000000000..43e8f7d89 --- /dev/null +++ b/terraform/modules/theia-cloud/main.tf @@ -0,0 +1,64 @@ +locals { + # base_keycloak: use provided URL or build from hostname + base_keycloak = var.keycloak_url != "" ? var.keycloak_url : "https://${var.hostname}/keycloak" + # normalized_keycloak_url: ensure a single trailing slash as required by the Theia Cloud Helm chart. + normalized_keycloak_url = endswith(local.base_keycloak, "/") ? local.base_keycloak : "${local.base_keycloak}/" +} + +resource "helm_release" "theia-cloud-base" { + count = var.install_theia_cloud_base ? 1 : 0 + name = "theia-cloud-base" + repository = "https://eclipse-theia.github.io/theia-cloud-helm" + chart = "theia-cloud-base" + version = "1.1.2" + namespace = "theia-cloud" + create_namespace = true + + set = [ + { + name = "issuer.email" + value = var.cert_manager_issuer_email + } + ] +} + +resource "helm_release" "theia-cloud-crds" { + count = var.install_theia_cloud_crds ? 1 : 0 + depends_on = [helm_release.theia-cloud-base] + name = "theia-cloud-crds" + repository = "https://eclipse-theia.github.io/theia-cloud-helm" + chart = "theia-cloud-crds" + version = "1.1.2" + namespace = "theia-cloud" + create_namespace = true +} + +resource "helm_release" "theia-cloud" { + count = var.install_theia_cloud ? 1 : 0 + depends_on = [helm_release.theia-cloud-crds] + name = "theia-cloud" + repository = "https://eclipse-theia.github.io/theia-cloud-helm" + chart = "theia-cloud" + version = "1.1.3" + namespace = "theia-cloud" + create_namespace = true + + values = [ + "${file("${path.module}/theia-cloud.yaml")}" + ] + + set = [ + { + name = "hosts.configuration.baseHost" + value = var.hostname + }, + { + name = "keycloak.authUrl" + value = local.normalized_keycloak_url + }, + { + name = "operator.cloudProvider" + value = var.cloudProvider + } + ] +} diff --git a/terraform/modules/theia-cloud/theia-cloud.yaml b/terraform/modules/theia-cloud/theia-cloud.yaml new file mode 100644 index 000000000..fe2550e2f --- /dev/null +++ b/terraform/modules/theia-cloud/theia-cloud.yaml @@ -0,0 +1,52 @@ +imagePullPolicy: Always + +# Service configuration +service: + authToken: asdfghjkl + +# Legacy app configuration (deprecated - use service.authToken instead) +app: + id: asdfghjkl + name: Theia Cloud + +demoApplication: + pullSecret: "" + timeoutStrategy: "FIXEDTIME" + timeoutLimit: "30" + imagePullPolicy: IfNotPresent + # This overrides the default value and does not write the default values to the app definition + monitor: null + +hosts: + usePaths: true + configuration: + service: servicex + landing: trynow + instance: instances + +landingPage: + appDefinition: "theia-cloud-demo" + ephemeralStorage: false + +keycloak: + enable: true + realm: "TheiaCloud" + clientId: "theia-cloud" + clientSecret: "publicbutoauth2proxywantsasecret" + cookieSecret: "OQINaROshtE9TcZkNAm5Zs2Pv3xaWytBmc5W7sPX7ws=" + +operator: + eagerStart: false + bandwidthLimiter: "WONDERSHAPER" + sessionsPerUser: "1" + storageClassName: "" + +ingress: + clusterIssuer: letsencrypt-prod + theiaCloudCommonName: false + addTLSSecretName: false + instances: + name: "theia-cloud-demo-ws-ingress" + +monitor: + enable: false diff --git a/terraform/modules/theia-cloud/variables.tf b/terraform/modules/theia-cloud/variables.tf new file mode 100644 index 000000000..ae4246b81 --- /dev/null +++ b/terraform/modules/theia-cloud/variables.tf @@ -0,0 +1,32 @@ +variable "install_theia_cloud_base" { + description = "Whether to install theia cloud base" + default = true +} + +variable "install_theia_cloud_crds" { + description = "Whether to install theia cloud crds" + default = true +} + +variable "install_theia_cloud" { + description = "Whether to install theia cloud" + default = true +} + +variable "hostname" { + description = "The hostname for all installed services" +} + +variable "keycloak_url" { + description = "The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/." + default = "" +} + +variable "cloudProvider" { + description = "The cloud provider to use" + default = "K8S" +} + +variable "cert_manager_issuer_email" { + description = "EMail address used to create certificates." +} diff --git a/terraform/modules/theia-cloud/versions.tf b/terraform/modules/theia-cloud/versions.tf new file mode 100644 index 000000000..2cc802279 --- /dev/null +++ b/terraform/modules/theia-cloud/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_providers { + helm = { + source = "hashicorp/helm" + version = ">= 3.0.2" + } + } + + required_version = ">= 1.12.2" +} From a566bb89683ce82861c6be1d4555c74d3aef329f Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Tue, 2 Dec 2025 17:37:43 +0100 Subject: [PATCH 12/37] Rename module keycloak-setup to cluster-prerequisites --- .../LICENSE | 0 .../README.md | 19 ++++++++---------- .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../versions.tf | 0 .../0_minikube-keycloak-setup/README.md | 20 +++++++++---------- .../minikube_keycloak_test.tf | 11 +++++----- 8 files changed, 24 insertions(+), 26 deletions(-) rename terraform/modules/{keycloak-setup => cluster-prerequisites}/LICENSE (100%) rename terraform/modules/{keycloak-setup => cluster-prerequisites}/README.md (95%) rename terraform/modules/{keycloak-setup => cluster-prerequisites}/main.tf (100%) rename terraform/modules/{keycloak-setup => cluster-prerequisites}/outputs.tf (100%) rename terraform/modules/{keycloak-setup => cluster-prerequisites}/variables.tf (100%) rename terraform/modules/{keycloak-setup => cluster-prerequisites}/versions.tf (100%) diff --git a/terraform/modules/keycloak-setup/LICENSE b/terraform/modules/cluster-prerequisites/LICENSE similarity index 100% rename from terraform/modules/keycloak-setup/LICENSE rename to terraform/modules/cluster-prerequisites/LICENSE diff --git a/terraform/modules/keycloak-setup/README.md b/terraform/modules/cluster-prerequisites/README.md similarity index 95% rename from terraform/modules/keycloak-setup/README.md rename to terraform/modules/cluster-prerequisites/README.md index d1ed9a38e..e10ec5727 100644 --- a/terraform/modules/keycloak-setup/README.md +++ b/terraform/modules/cluster-prerequisites/README.md @@ -1,6 +1,7 @@ -# Keycloak Setup Module +# Cluster Prerequisites Setup Module -This Terraform module deploys Keycloak in a Kubernetes cluster using the official Keycloak Operator. It replaces the deprecated Bitnami Helm chart approach with a native Kubernetes operator installation. +This Terraform module sets up various prerequisites of Theia Cloud in a running cluster. +The module offers various customization options via variables including skipping some of the prerequisites (e.g. Keycloak) if they are already installed another way. ## Features @@ -30,7 +31,7 @@ Note: cert-manager can be installed automatically by this module (default) or yo ```hcl module "keycloak" { - source = "../../modules/keycloak-setup" + source = "../../modules/cluster-prerequisites" hostname = "192.168.49.2.nip.io" keycloak_admin_password = "admin" @@ -52,7 +53,7 @@ module "keycloak" { ```hcl module "keycloak" { - source = "../../modules/keycloak-setup" + source = "../../modules/cluster-prerequisites" hostname = "keycloak.example.com" keycloak_admin_password = var.keycloak_admin_password @@ -80,7 +81,7 @@ module "keycloak" { ```hcl module "keycloak" { - source = "../../modules/keycloak-setup" + source = "../../modules/cluster-prerequisites" hostname = "keycloak.example.com" keycloak_admin_password = var.keycloak_admin_password @@ -98,7 +99,7 @@ module "keycloak" { ```hcl module "keycloak" { - source = "../../modules/keycloak-setup" + source = "../../modules/cluster-prerequisites" hostname = "keycloak.example.com" keycloak_admin_password = var.keycloak_admin_password @@ -200,7 +201,7 @@ This module replaces the deprecated Bitnami Helm chart with the official Keycloa ### Migration Steps 1. **Backup Data**: Export realms and data from existing Keycloak instance -2. **Update Module Reference**: Change from `helm` module to `keycloak-setup` module +2. **Update Module Reference**: Change from `helm` module to `cluster-prerequisites` module 3. **Update Variables**: Some variable names have changed (see mapping below) 4. **Apply Changes**: Run `terraform apply` to deploy new Keycloak 5. **Restore Data**: Import realms and data into new instance @@ -289,7 +290,3 @@ postgres_volume_permissions = true - [Keycloak Operator Documentation](https://www.keycloak.org/operator/installation) - [Keycloak on Kubernetes Guide](https://www.keycloak.org/operator/basic-deployment) - [Keycloak K8s Resources Repository](https://github.com/keycloak/keycloak-k8s-resources) - -## License - -This module follows the same license as the parent project. diff --git a/terraform/modules/keycloak-setup/main.tf b/terraform/modules/cluster-prerequisites/main.tf similarity index 100% rename from terraform/modules/keycloak-setup/main.tf rename to terraform/modules/cluster-prerequisites/main.tf diff --git a/terraform/modules/keycloak-setup/outputs.tf b/terraform/modules/cluster-prerequisites/outputs.tf similarity index 100% rename from terraform/modules/keycloak-setup/outputs.tf rename to terraform/modules/cluster-prerequisites/outputs.tf diff --git a/terraform/modules/keycloak-setup/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf similarity index 100% rename from terraform/modules/keycloak-setup/variables.tf rename to terraform/modules/cluster-prerequisites/variables.tf diff --git a/terraform/modules/keycloak-setup/versions.tf b/terraform/modules/cluster-prerequisites/versions.tf similarity index 100% rename from terraform/modules/keycloak-setup/versions.tf rename to terraform/modules/cluster-prerequisites/versions.tf diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/README.md b/terraform/test-configurations/0_minikube-keycloak-setup/README.md index 94e32cc89..8645f0f28 100644 --- a/terraform/test-configurations/0_minikube-keycloak-setup/README.md +++ b/terraform/test-configurations/0_minikube-keycloak-setup/README.md @@ -1,12 +1,12 @@ # Minikube Keycloak Setup Test Configuration -This test configuration demonstrates the use of the `keycloak-setup` module without the deprecated `helm` module. It provides a complete, standalone Keycloak deployment on Minikube. +This test configuration demonstrates the use of the `cluster-prerequisites` module without the deprecated `helm` module. It provides a complete, standalone Keycloak deployment on Minikube. ## What This Configuration Includes 1. **Minikube Cluster Creation**: Sets up a local Kubernetes cluster 2. **Nginx Ingress Controller**: Deployed directly via Helm (not through the helm module) -3. **Cert-Manager**: Installed by the keycloak-setup module +3. **Cert-Manager**: Installed by the cluster-prerequisites module 4. **Self-Signed ClusterIssuer**: For local TLS certificates 5. **Keycloak**: Deployed using the official Keycloak Operator 6. **PostgreSQL**: Integrated database deployment @@ -14,12 +14,12 @@ This test configuration demonstrates the use of the `keycloak-setup` module with ## Key Differences from Old Configuration -| Old (0_minikube-setup) | New (0_minikube-keycloak-setup) | -| ---------------------------------- | ------------------------------------------ | -| Uses `modules/helm` for everything | Uses `modules/keycloak-setup` for Keycloak | -| Bitnami Helm chart for Keycloak | Official Keycloak Operator | -| Cert-manager in helm module | Cert-manager in keycloak-setup module | -| nginx-ingress via helm module | nginx-ingress deployed separately | +| Old (0_minikube-setup) | New (0_minikube-cluster-prerequisites) | +| ---------------------------------- | ------------------------------------------------- | +| Uses `modules/helm` for everything | Uses `modules/cluster-prerequisites` for Keycloak | +| Bitnami Helm chart for Keycloak | Official Keycloak Operator | +| Cert-manager in helm module | Cert-manager in cluster-prerequisites module | +| nginx-ingress via helm module | nginx-ingress deployed separately | ## Prerequisites @@ -32,7 +32,7 @@ This test configuration demonstrates the use of the `keycloak-setup` module with ### Initialize and Apply ```bash -cd terraform/test-configurations/0_minikube-keycloak-setup +cd terraform/test-configurations/0_minikube-cluster-prerequisites terraform init terraform apply ``` @@ -177,7 +177,7 @@ kubectl logs -n keycloak -l app=keycloak-operator 1. **No Deprecated Dependencies**: Uses official Keycloak Operator instead of Bitnami chart 2. **Modular**: Keycloak setup is independent of other components -3. **Self-Contained**: All cert-manager setup included in keycloak-setup module +3. **Self-Contained**: All cert-manager setup included in cluster-prerequisites module 4. **Production-Ready**: Same pattern can be used for production deployments 5. **Easier to Update**: Module can be updated independently diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf index c1ef2bf79..8fa4d8461 100644 --- a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf +++ b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf @@ -113,7 +113,7 @@ module "host" { # } module "keycloak_setup" { - source = "../../modules/keycloak-setup" + source = "../../modules/cluster-prerequisites" hostname = "${module.host.host}.nip.io" keycloak_admin_password = var.keycloak_admin_password @@ -129,10 +129,11 @@ module "keycloak_setup" { } provider "keycloak" { - client_id = "admin-cli" - username = "admin" - password = var.keycloak_admin_password - url = module.keycloak_setup.keycloak_url + client_id = "admin-cli" + username = "admin" + password = var.keycloak_admin_password + # Normalize URL: strip a trailing slash "/" if present because this URL should not end with a slash + url = trimsuffix(module.keycloak_setup.keycloak_url, "/") tls_insecure_skip_verify = true initial_login = false client_timeout = 60 From 9509fad4ee981cf7f51a2b7ec5ee5a71643be73a Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 11:57:43 +0100 Subject: [PATCH 13/37] Add nginx ingress controller to cluster-prerequisites module - Add helm_release for nginx ingress controller with configurable installation, version, namespace, and load balancer IP - Update deprecated kubernetes resources to v1 versions: kubernetes_namespace, kubernetes_secret, kubernetes_persistent_volume_claim, kubernetes_deployment, kubernetes_service --- .../modules/cluster-prerequisites/main.tf | 91 +++++++++++++------ .../modules/cluster-prerequisites/outputs.tf | 4 +- .../cluster-prerequisites/variables.tf | 24 +++++ 3 files changed, 89 insertions(+), 30 deletions(-) diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf index 6bd1b43ea..bee337f20 100644 --- a/terraform/modules/cluster-prerequisites/main.tf +++ b/terraform/modules/cluster-prerequisites/main.tf @@ -15,9 +15,43 @@ resource "helm_release" "cert_manager" { ] } +resource "helm_release" "ingress_nginx" { + count = var.install_ingress_controller ? 1 : 0 + name = "nginx-ingress-controller" + repository = "https://kubernetes.github.io/ingress-nginx" + chart = "ingress-nginx" + version = var.ingress_controller_version + namespace = var.ingress_controller_namespace + create_namespace = true + + set = [ + { + name = "fullnameOverride" + value = "ingress-nginx" + }, + { + name = "controller.service.loadBalancerIP" + value = var.load_balancer_ip + }, + { + name = "controller.allowSnippetAnnotations" + value = true + }, + # Below two are added for backward compatibility with 1.1.1 which used Prefix pathType at some places. After 1.2.0 we should check if we may remove them again + { + name = "controller.admissionWebhooks.enabled" + value = false + }, + { + name = "controller.config.enable-snippet" + value = "true" + } + ] +} + resource "kubectl_manifest" "keycloak_selfsigned_issuer" { count = var.install_selfsigned_issuer ? 1 : 0 - depends_on = [helm_release.cert_manager] + depends_on = [helm_release.cert_manager, helm_release.ingress_nginx] yaml_body = yamlencode({ apiVersion = "cert-manager.io/v1" @@ -31,7 +65,7 @@ resource "kubectl_manifest" "keycloak_selfsigned_issuer" { }) } -resource "kubernetes_namespace" "keycloak" { +resource "kubernetes_namespace_v1" "keycloak" { metadata { name = var.keycloak_namespace } @@ -46,7 +80,7 @@ data "http" "keycloak_crd" { resource "kubectl_manifest" "keycloak_crd" { yaml_body = data.http.keycloak_crd.response_body depends_on = [ - kubernetes_namespace.keycloak + kubernetes_namespace_v1.keycloak ] } @@ -57,7 +91,7 @@ data "http" "keycloak_realm_import_crd" { resource "kubectl_manifest" "keycloak_realm_import_crd" { yaml_body = data.http.keycloak_realm_import_crd.response_body depends_on = [ - kubernetes_namespace.keycloak + kubernetes_namespace_v1.keycloak ] } @@ -98,12 +132,12 @@ resource "kubectl_manifest" "keycloak_operator" { ] } -resource "kubernetes_secret" "postgres" { +resource "kubernetes_secret_v1" "postgres" { count = var.postgres_enabled ? 1 : 0 metadata { name = "postgres-credentials" - namespace = kubernetes_namespace.keycloak.metadata[0].name + namespace = kubernetes_namespace_v1.keycloak.metadata[0].name } data = { @@ -115,12 +149,12 @@ resource "kubernetes_secret" "postgres" { type = "Opaque" } -resource "kubernetes_persistent_volume_claim" "postgres" { +resource "kubernetes_persistent_volume_claim_v1" "postgres" { count = var.postgres_enabled ? 1 : 0 metadata { name = "postgres-pvc" - namespace = kubernetes_namespace.keycloak.metadata[0].name + namespace = kubernetes_namespace_v1.keycloak.metadata[0].name } spec { @@ -134,12 +168,12 @@ resource "kubernetes_persistent_volume_claim" "postgres" { } } -resource "kubernetes_deployment" "postgres" { +resource "kubernetes_deployment_v1" "postgres" { count = var.postgres_enabled ? 1 : 0 metadata { name = "postgres" - namespace = kubernetes_namespace.keycloak.metadata[0].name + namespace = kubernetes_namespace_v1.keycloak.metadata[0].name labels = { app = "postgres" } @@ -187,7 +221,7 @@ resource "kubernetes_deployment" "postgres" { name = "POSTGRES_USER" value_from { secret_key_ref { - name = kubernetes_secret.postgres[0].metadata[0].name + name = kubernetes_secret_v1.postgres[0].metadata[0].name key = "username" } } @@ -197,7 +231,7 @@ resource "kubernetes_deployment" "postgres" { name = "POSTGRES_PASSWORD" value_from { secret_key_ref { - name = kubernetes_secret.postgres[0].metadata[0].name + name = kubernetes_secret_v1.postgres[0].metadata[0].name key = "password" } } @@ -207,7 +241,7 @@ resource "kubernetes_deployment" "postgres" { name = "POSTGRES_DB" value_from { secret_key_ref { - name = kubernetes_secret.postgres[0].metadata[0].name + name = kubernetes_secret_v1.postgres[0].metadata[0].name key = "database" } } @@ -238,7 +272,7 @@ resource "kubernetes_deployment" "postgres" { volume { name = "postgres-storage" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.postgres[0].metadata[0].name + claim_name = kubernetes_persistent_volume_claim_v1.postgres[0].metadata[0].name } } } @@ -246,16 +280,16 @@ resource "kubernetes_deployment" "postgres" { } depends_on = [ - kubernetes_persistent_volume_claim.postgres + kubernetes_persistent_volume_claim_v1.postgres ] } -resource "kubernetes_service" "postgres" { +resource "kubernetes_service_v1" "postgres" { count = var.postgres_enabled ? 1 : 0 metadata { name = "postgres" - namespace = kubernetes_namespace.keycloak.metadata[0].name + namespace = kubernetes_namespace_v1.keycloak.metadata[0].name } spec { @@ -347,15 +381,15 @@ locals { var.postgres_enabled ? { db = { vendor = "postgres" - host = kubernetes_service.postgres[0].metadata[0].name + host = kubernetes_service_v1.postgres[0].metadata[0].name port = 5432 database = var.postgres_database usernameSecret = { - name = kubernetes_secret.postgres[0].metadata[0].name + name = kubernetes_secret_v1.postgres[0].metadata[0].name key = "username" } passwordSecret = { - name = kubernetes_secret.postgres[0].metadata[0].name + name = kubernetes_secret_v1.postgres[0].metadata[0].name key = "password" } } @@ -369,14 +403,14 @@ resource "kubectl_manifest" "keycloak_instance" { kind = "Keycloak" metadata = { name = "keycloak" - namespace = kubernetes_namespace.keycloak.metadata[0].name + namespace = kubernetes_namespace_v1.keycloak.metadata[0].name } spec = local.keycloak_spec }) depends_on = [ kubectl_manifest.keycloak_operator, - kubernetes_service.postgres + kubernetes_service_v1.postgres ] } @@ -385,7 +419,7 @@ resource "kubernetes_ingress_v1" "keycloak" { metadata { name = "keycloak" - namespace = kubernetes_namespace.keycloak.metadata[0].name + namespace = kubernetes_namespace_v1.keycloak.metadata[0].name annotations = merge( { "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" @@ -434,7 +468,8 @@ resource "kubernetes_ingress_v1" "keycloak" { } depends_on = [ - kubernetes_namespace.keycloak + kubernetes_namespace_v1.keycloak, + helm_release.ingress_nginx ] } @@ -442,11 +477,11 @@ resource "terraform_data" "wait_for_keycloak_instance" { provisioner "local-exec" { command = <<-EOT echo "Waiting for Keycloak resource to report ready..." - kubectl wait keycloak/keycloak -n ${kubernetes_namespace.keycloak.metadata[0].name} --for=condition=Ready --timeout=3m + kubectl wait keycloak/keycloak -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} --for=condition=Ready --timeout=3m echo "Waiting for Keycloak pods to be ready..." - kubectl wait pods -n ${kubernetes_namespace.keycloak.metadata[0].name} -l app=keycloak --for=condition=Ready --timeout=3m + kubectl wait pods -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} -l app=keycloak --for=condition=Ready --timeout=3m echo "Waiting for Keycloak service endpoint..." - kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace.keycloak.metadata[0].name} --timeout=2m + kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} --timeout=2m echo "Keycloak is ready!" echo "Waiting additional 5 for Keycloak authentication to be fully initialized..." sleep 5 @@ -462,7 +497,7 @@ resource "terraform_data" "wait_for_certificate" { count = var.ingress_enabled && var.ingress_tls_enabled ? 1 : 0 provisioner "local-exec" { - command = "kubectl wait certificate -n ${kubernetes_namespace.keycloak.metadata[0].name} ${local.tls_secret_name} --for=condition=Ready --timeout=3m" + command = "kubectl wait certificate -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} ${local.tls_secret_name} --for=condition=Ready --timeout=3m" } depends_on = [ diff --git a/terraform/modules/cluster-prerequisites/outputs.tf b/terraform/modules/cluster-prerequisites/outputs.tf index ef7a9e09c..a9cfd07d0 100644 --- a/terraform/modules/cluster-prerequisites/outputs.tf +++ b/terraform/modules/cluster-prerequisites/outputs.tf @@ -1,6 +1,6 @@ output "namespace" { description = "Keycloak namespace" - value = kubernetes_namespace.keycloak.metadata[0].name + value = kubernetes_namespace_v1.keycloak.metadata[0].name depends_on = [terraform_data.wait_for_keycloak_instance] } @@ -17,7 +17,7 @@ output "admin_username" { output "postgres_service_name" { description = "PostgreSQL service name" - value = var.postgres_enabled ? kubernetes_service.postgres[0].metadata[0].name : null + value = var.postgres_enabled ? kubernetes_service_v1.postgres[0].metadata[0].name : null } output "keycloak_service_name" { diff --git a/terraform/modules/cluster-prerequisites/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf index e60d475d6..dae14ad38 100644 --- a/terraform/modules/cluster-prerequisites/variables.tf +++ b/terraform/modules/cluster-prerequisites/variables.tf @@ -195,3 +195,27 @@ variable "cert_manager_issuer_email" { type = string default = "" } + +variable "install_ingress_controller" { + description = "Whether to install the nginx ingress controller" + type = bool + default = false +} + +variable "ingress_controller_version" { + description = "Version of nginx ingress controller to install" + type = string + default = "4.13.0" +} + +variable "ingress_controller_namespace" { + description = "Namespace for nginx ingress controller installation" + type = string + default = "ingress-nginx" +} + +variable "load_balancer_ip" { + description = "External IP for the nginx ingress controller service" + type = string + default = "" +} From 47744d9235e1496cd63229ac35de5d82695e4246 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 11:59:42 +0100 Subject: [PATCH 14/37] add terraform lock file for cluster-prerequisites module --- .../cluster-prerequisites/.terraform.lock.hcl | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 terraform/modules/cluster-prerequisites/.terraform.lock.hcl diff --git a/terraform/modules/cluster-prerequisites/.terraform.lock.hcl b/terraform/modules/cluster-prerequisites/.terraform.lock.hcl new file mode 100644 index 000000000..90bec6736 --- /dev/null +++ b/terraform/modules/cluster-prerequisites/.terraform.lock.hcl @@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = ">= 1.19.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "3.1.1" + constraints = ">= 2.0.0" + hashes = [ + "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", + "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", + "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", + "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", + "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", + "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", + "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", + "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", + "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", + "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", + "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", + "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "3.0.1" + constraints = ">= 2.0.0" + hashes = [ + "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=", + "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", + "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba", + "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7", + "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6", + "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4", + "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249", + "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090", + "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97", + "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8", + "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119", + "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} From 6f16fc80c6b421ef46224d2e1b8900625b9d4d5e Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 12:35:38 +0100 Subject: [PATCH 15/37] Remove keycloak and prerequisites from helm module The helm module now only installs theia-cloud components (base, crds, theia-cloud). Cert-manager, nginx-ingress-controller, and keycloak are now handled by the cluster-prerequisites module which should be installed first. Removed resources: - helm_release.cert-manager - helm_release.nginx-ingress-controller - helm_release.keycloak - kubectl_manifest.selfsigned_issuer Deleted files: - keycloak.yaml - clusterissuer-selfsigned.yaml --- .../helm/clusterissuer-selfsigned.yaml | 6 - terraform/modules/helm/main.tf | 117 +----------------- 2 files changed, 3 insertions(+), 120 deletions(-) delete mode 100644 terraform/modules/helm/clusterissuer-selfsigned.yaml diff --git a/terraform/modules/helm/clusterissuer-selfsigned.yaml b/terraform/modules/helm/clusterissuer-selfsigned.yaml deleted file mode 100644 index b3a81958f..000000000 --- a/terraform/modules/helm/clusterissuer-selfsigned.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: keycloak-selfsigned-issuer -spec: - selfSigned: {} diff --git a/terraform/modules/helm/main.tf b/terraform/modules/helm/main.tf index 1efeb3349..8e6246c63 100644 --- a/terraform/modules/helm/main.tf +++ b/terraform/modules/helm/main.tf @@ -1,7 +1,3 @@ -variable "install_ingress_controller" { - description = "Whether to install the nginx ingress controller" -} - variable "ingress_controller_type" { description = "Type of ingress controller to use (nginx or haproxy)" type = string @@ -28,129 +24,21 @@ variable "install_theia_cloud" { default = true } -variable "install_selfsigned_issuer" { - description = "Whether to install an additional self signed issuer" - default = false -} - variable "cert_manager_issuer_email" { description = "EMail address used to create certificates." } -variable "cert_manager_cluster_issuer" { - type = string - - validation { - condition = length(regexall("^(letsencrypt-prod|theia-cloud-selfsigned-issuer|keycloak-selfsigned-issuer)$", var.cert_manager_cluster_issuer)) > 0 - error_message = "ERROR: Valid values are \"letsencrypt-prod\", \"theia-cloud-selfsigned-issuer\", and \"keycloak-selfsigned-issuer\"!" - } -} - -variable "cert_manager_common_name" { - description = "The common name for the certificate" - default = "" -} - variable "hostname" { description = "The hostname for all installed services" } -variable "service_type" { - description = "Kubernetes service type" - default = "LoadBalancer" - -} - -variable "postgresql_storageClass" { - description = "StorageClass for Persistent Volume(s)" - default = "" -} - -variable "postgresql_volumePermissions" { - description = "Enable init container that changes the owner and group of the persistent volume" - default = false -} - -variable "keycloak_admin_password" { - description = "Keycloak Admin Password" - sensitive = true -} - -variable "postgresql_enabled" { - description = "Whether to enable postgreswl" - default = true -} - -variable "postgres_postgres_password" { - description = "Keycloak Postgres DB Postgres (Admin) Password" - sensitive = true -} - -variable "postgres_password" { - description = "Keycloak Postgres DB Password" - sensitive = true -} - -variable "loadBalancerIP" { - description = "External IP for the nginx ingress controller" - default = "" -} - variable "cloudProvider" { description = "The cloud provider to use" default = "K8S" } -resource "helm_release" "cert-manager" { - name = "cert-manager" - repository = "https://charts.jetstack.io" - chart = "cert-manager" - version = "v1.17.4" - namespace = "cert-manager" - create_namespace = true - - set = [ - { - name = "installCRDs" - value = "true" - } - ] -} - -resource "helm_release" "nginx-ingress-controller" { +# Note: cert-manager and nginx-ingress must be installed via cluster-prerequisites module first count = var.install_ingress_controller && var.ingress_controller_type == "nginx" ? 1 : 0 - name = "nginx-ingress-controller" - repository = "https://kubernetes.github.io/ingress-nginx" - chart = "ingress-nginx" - version = "4.13.0" - namespace = "ingress-nginx" - create_namespace = true - - set = [ - { - name = "fullnameOverride" - value = "ingress-nginx" - }, - { - name = "controller.service.loadBalancerIP" - value = var.loadBalancerIP - }, - { - name = "controller.allowSnippetAnnotations" - value = true - }, - # Below two are added for backward compatibility with 1.1.1 which used Prefix pythType at some places. After 1.2.0 we should check if we may remove them again - { - name = "controller.admissionWebhooks.enabled" - value = false - }, - { - name = "controller.config.enable-snippet" - value = "true" - } - ] -} - resource "helm_release" "haproxy-ingress-controller" { count = var.install_ingress_controller && var.ingress_controller_type == "haproxy" ? 1 : 0 name = "haproxy-ingress" @@ -219,6 +107,7 @@ locals { }]) } +# TODO remove keycloak here resource "helm_release" "keycloak" { depends_on = [helm_release.theia-cloud-base, kubectl_manifest.selfsigned_issuer, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need an existing issuer name = "keycloak" @@ -281,7 +170,7 @@ resource "helm_release" "keycloak" { resource "helm_release" "theia-cloud" { count = var.install_theia_cloud ? 1 : 0 - depends_on = [helm_release.keycloak, helm_release.theia-cloud-crds] # wait for keycloak to make the default cert available + depends_on = [helm_release.theia-cloud-crds] name = "theia-cloud" repository = "https://eclipse-theia.github.io/theia-cloud-helm" chart = "theia-cloud" From 56beb417a888b7bf6c8c59dd4a44a802d6c9a5b2 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 12:55:24 +0100 Subject: [PATCH 16/37] Update configurations to use cluster-prerequisites module Replace helm module usage with cluster-prerequisites for keycloak, cert-manager, and nginx-ingress setup in all configurations: - gke_getting_started - minikube_getting_started - 0_minikube-setup/minikube_test_cluster - 0_minikube-keycloak-setup (removed redundant http provider) - ci-configurations/e2e_tests The helm module now only handles theia-cloud components (base, crds, theia-cloud), while cluster-prerequisites handles the infrastructure. --- terraform/ci-configurations/e2e_tests.tf | 7 +- .../gke_getting_started.tf | 43 +++-- .../minikube_getting_started.tf | 148 ++++++++++++++++++ .../minikube_keycloak_test.tf | 33 ---- .../0_minikube-setup/minikube_test_cluster.tf | 100 ++++++++++++ 5 files changed, 278 insertions(+), 53 deletions(-) create mode 100644 terraform/configurations/minikube_getting_started/minikube_getting_started.tf diff --git a/terraform/ci-configurations/e2e_tests.tf b/terraform/ci-configurations/e2e_tests.tf index e3ea050a5..69a2a9f1f 100644 --- a/terraform/ci-configurations/e2e_tests.tf +++ b/terraform/ci-configurations/e2e_tests.tf @@ -88,7 +88,7 @@ provider "keycloak" { client_id = "admin-cli" username = "admin" password = "admin" - url = "https://${var.ingress_ip}.nip.io/keycloak" + url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 @@ -97,7 +97,7 @@ provider "keycloak" { module "keycloak" { source = "../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] hostname = "${var.ingress_ip}.nip.io" keycloak_test_user_foo_password = "foo" @@ -315,7 +315,6 @@ resource "kubectl_manifest" "theia-cloud-monitor-vscode-timeout" { notifyAfter: 15 EOF } - resource "kubectl_manifest" "theia-cloud-demo" { depends_on = [helm_release.theia-cloud] yaml_body = <<-EOF @@ -349,5 +348,3 @@ resource "kubectl_manifest" "theia-cloud-demo" { notifyAfter: 30 EOF } - - diff --git a/terraform/configurations/gke_getting_started/gke_getting_started.tf b/terraform/configurations/gke_getting_started/gke_getting_started.tf index 7ae5b1a44..6e1735f9e 100644 --- a/terraform/configurations/gke_getting_started/gke_getting_started.tf +++ b/terraform/configurations/gke_getting_started/gke_getting_started.tf @@ -16,11 +16,6 @@ variable "keycloak_admin_password" { sensitive = true } -variable "postgres_postgres_password" { - description = "Keycloak Postgres DB Postgres (Admin) Password" - sensitive = true -} - variable "postgres_password" { description = "Keycloak Postgres DB Password" sensitive = true @@ -50,6 +45,12 @@ resource "google_compute_address" "host_ip" { name = "theia-cloud-ingress-ip" } +provider "kubernetes" { + host = module.cluster.cluster_host + token = module.cluster.cluster_token + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + provider "helm" { kubernetes = { host = module.cluster.cluster_host @@ -65,27 +66,39 @@ provider "kubectl" { cluster_ca_certificate = module.cluster.cluster_ca_certificate } +module "cluster_prerequisites" { + source = "../../modules/cluster-prerequisites" + + hostname = "${google_compute_address.host_ip.address}.sslip.io" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = var.postgres_password + install_cert_manager = true + install_ingress_controller = true + install_selfsigned_issuer = false + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_cert_manager_cluster_issuer = "letsencrypt-prod" + load_balancer_ip = google_compute_address.host_ip.address + cloud_provider = "GKE" +} + module "helm" { source = "../../modules/helm" - install_ingress_controller = true + depends_on = [module.cluster_prerequisites] ingress_controller_type = var.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email + cert_manager_issuer_email = var.cert_manager_issuer_email cert_manager_cluster_issuer = "letsencrypt-prod" cert_manager_common_name = "${google_compute_address.host_ip.address}.sslip.io" - hostname = "${google_compute_address.host_ip.address}.sslip.io" - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = var.postgres_postgres_password - postgres_password = var.postgres_password - loadBalancerIP = google_compute_address.host_ip.address + hostname = "${google_compute_address.host_ip.address}.sslip.io" + cloudProvider = "GKE" + loadBalancerIP = google_compute_address.host_ip.address } provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = "https://${google_compute_address.host_ip.address}.sslip.io/keycloak" + url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") initial_login = false client_timeout = 60 } @@ -93,7 +106,7 @@ provider "keycloak" { module "keycloak" { source = "../../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] hostname = "${google_compute_address.host_ip.address}.sslip.io" keycloak_test_user_foo_password = "foo" diff --git a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf new file mode 100644 index 000000000..7fe3e5748 --- /dev/null +++ b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf @@ -0,0 +1,148 @@ +variable "kubernetes_version" { + description = "Kubernetes version to use" + default = "v1.34.0" +} + +variable "cert_manager_issuer_email" { + description = "EMail address used to create certificates." +} + +variable "keycloak_admin_password" { + description = "Keycloak Admin Password" + sensitive = true + default = "admin" +} + +variable "ingress_controller_type" { + description = "Type of ingress controller to use (nginx or haproxy)" + type = string + default = "nginx" +} + +provider "minikube" { + kubernetes_version = var.kubernetes_version +} + +module "cluster" { + source = "../../modules/cluster_creation/minikube/" + + # adjust values below + cluster_name = "minikube" + cpus = 4 + disk_size = "51200mb" + memory = "8192mb" + driver = "virtualbox" + ingress_controller_type = var.ingress_controller_type +} + +provider "kubernetes" { + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + +provider "kubectl" { + load_config_file = false + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + +resource "kubernetes_persistent_volume_v1" "minikube" { + + depends_on = [module.cluster] + + metadata { + name = "minikube-volume" + } + spec { + storage_class_name = "manual" + capacity = { + storage = "16Gi" + } + access_modes = ["ReadWriteOnce"] + persistent_volume_source { + host_path { + path = "/data/theia-cloud" + } + } + } +} + +provider "helm" { + kubernetes = { + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate + } +} + +module "host" { + depends_on = [module.cluster] + + source = "matti/urlparse/external" + url = module.cluster.cluster_host +} + +module "helm" { + source = "../../modules/helm" + + depends_on = [module.host] + + install_ingress_controller = var.ingress_controller_type == "haproxy" ? true : false + ingress_controller_type = var.ingress_controller_type + cert_manager_issuer_email = var.cert_manager_issuer_email + cert_manager_cluster_issuer = "theia-cloud-selfsigned-issuer" + cert_manager_common_name = "${module.host.host}.nip.io" + hostname = "${module.host.host}.nip.io" + keycloak_admin_password = var.keycloak_admin_password + postgresql_enabled = true + postgres_postgres_password = "admin" + postgres_password = "admin" + postgresql_storageClass = "manual" + postgresql_volumePermissions = true + service_type = "ClusterIP" + cloudProvider = "MINIKUBE" +} + +module "cluster_prerequisites" { + source = "../../modules/cluster-prerequisites" + + depends_on = [kubernetes_persistent_volume.minikube] + + hostname = "${module.host.host}.nip.io" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_cert_manager_cluster_issuer = "theia-cloud-selfsigned-issuer" + ingress_cert_manager_common_name = "${module.host.host}.nip.io" + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" +} + +provider "keycloak" { + client_id = "admin-cli" + username = "admin" + password = var.keycloak_admin_password + url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") + tls_insecure_skip_verify = true # only for minikube self signed + initial_login = false + client_timeout = 60 +} + +module "keycloak" { + source = "../../modules/keycloak" + + depends_on = [module.cluster_prerequisites] + + hostname = "${module.host.host}.nip.io" + keycloak_test_user_foo_password = "foo" + keycloak_test_user_bar_password = "bar" + valid_redirect_uri = "https://${module.host.host}.nip.io/*" +} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf index 8fa4d8461..06ee23412 100644 --- a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf +++ b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf @@ -72,9 +72,6 @@ provider "kubectl" { cluster_ca_certificate = module.cluster.cluster_ca_certificate } -provider "http" { -} - module "host" { depends_on = [module.cluster] @@ -82,36 +79,6 @@ module "host" { url = module.cluster.cluster_host } -# resource "helm_release" "nginx_ingress_controller" { -# depends_on = [module.cluster] -# name = "nginx-ingress-controller" -# repository = "https://kubernetes.github.io/ingress-nginx" -# chart = "ingress-nginx" -# version = "4.13.0" -# namespace = "ingress-nginx" -# create_namespace = true - -# set { -# name = "fullnameOverride" -# value = "ingress-nginx" -# } - -# set { -# name = "controller.allowSnippetAnnotations" -# value = true -# } - -# set { -# name = "controller.admissionWebhooks.enabled" -# value = false -# } - -# set { -# name = "controller.config.enable-snippet" -# value = "true" -# } -# } - module "keycloak_setup" { source = "../../modules/cluster-prerequisites" diff --git a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf index 2bee48f73..50b51ece0 100644 --- a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf +++ b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf @@ -24,3 +24,103 @@ module "cluster" { driver = "kvm2" ingress_controller_type = var.ingress_controller_type } + +provider "kubernetes" { + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + +resource "kubernetes_persistent_volume" "minikube" { + + depends_on = [module.cluster] + + metadata { + name = "minikube-volume" + } + spec { + storage_class_name = "manual" + capacity = { + storage = "16Gi" + } + access_modes = ["ReadWriteOnce"] + persistent_volume_source { + host_path { + path = "/data/theia-cloud" + } + } + } +} + +provider "helm" { + kubernetes = { + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate + } +} + +provider "kubectl" { + load_config_file = false + host = module.cluster.cluster_host + client_certificate = module.cluster.cluster_client_certificate + client_key = module.cluster.cluster_client_key + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + +module "host" { + depends_on = [module.cluster] + + source = "matti/urlparse/external" + url = module.cluster.cluster_host +} + +module "cluster_prerequisites" { + source = "../../modules/cluster-prerequisites" + + depends_on = [kubernetes_persistent_volume.minikube] + + hostname = "${module.host.host}.nip.io" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = "${module.host.host}.nip.io" + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" +} + +provider "keycloak" { + client_id = "admin-cli" + username = "admin" + password = var.keycloak_admin_password + url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") + tls_insecure_skip_verify = true # only for minikube self signed + initial_login = false + client_timeout = 60 +} + +module "keycloak" { + source = "../../modules/keycloak" + + depends_on = [module.cluster_prerequisites] + + hostname = "${module.host.host}.nip.io" + keycloak_test_user_foo_password = "foo" + keycloak_test_user_bar_password = "bar" + valid_redirect_uri = "*" +} + +# Configure user foo as admin by adding it to the admin group +resource "keycloak_group_memberships" "admin_group_memberships" { + realm_id = module.keycloak.realm.id + group_id = module.keycloak.admin_group.id + members = [ + module.keycloak.test_users.foo.username + ] +} \ No newline at end of file From 5646269d0f171380c8fa281936ac9bd145d6a4d0 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 13:07:32 +0100 Subject: [PATCH 17/37] Normalize keycloak_url output to exclude trailing slash Move trimsuffix() into the cluster-prerequisites module output so consumers don't need to handle URL normalization. This follows URL conventions and meets the Keycloak provider's requirement directly. --- terraform/ci-configurations/e2e_tests.tf | 2 +- .../gke_getting_started/gke_getting_started.tf | 2 +- .../minikube_getting_started.tf | 2 +- terraform/modules/cluster-prerequisites/README.md | 2 +- terraform/modules/cluster-prerequisites/outputs.tf | 13 ++++++++++--- .../minikube_keycloak_test.tf | 3 +-- .../0_minikube-setup/minikube_test_cluster.tf | 2 +- 7 files changed, 16 insertions(+), 10 deletions(-) diff --git a/terraform/ci-configurations/e2e_tests.tf b/terraform/ci-configurations/e2e_tests.tf index 69a2a9f1f..19a70456d 100644 --- a/terraform/ci-configurations/e2e_tests.tf +++ b/terraform/ci-configurations/e2e_tests.tf @@ -88,7 +88,7 @@ provider "keycloak" { client_id = "admin-cli" username = "admin" password = "admin" - url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") + url = module.cluster_prerequisites.keycloak_url tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 diff --git a/terraform/configurations/gke_getting_started/gke_getting_started.tf b/terraform/configurations/gke_getting_started/gke_getting_started.tf index 6e1735f9e..16ff8ab31 100644 --- a/terraform/configurations/gke_getting_started/gke_getting_started.tf +++ b/terraform/configurations/gke_getting_started/gke_getting_started.tf @@ -98,7 +98,7 @@ provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") + url = module.cluster_prerequisites.keycloak_url initial_login = false client_timeout = 60 } diff --git a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf index 7fe3e5748..a53a5e4cc 100644 --- a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf +++ b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf @@ -130,7 +130,7 @@ provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") + url = module.cluster_prerequisites.keycloak_url tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 diff --git a/terraform/modules/cluster-prerequisites/README.md b/terraform/modules/cluster-prerequisites/README.md index e10ec5727..72d0e065e 100644 --- a/terraform/modules/cluster-prerequisites/README.md +++ b/terraform/modules/cluster-prerequisites/README.md @@ -181,7 +181,7 @@ module "keycloak" { | Name | Description | | ----------------------- | -------------------------------------------- | | `namespace` | Keycloak namespace | -| `keycloak_url` | Full URL to access Keycloak | +| `keycloak_url` | Full URL to access Keycloak (without trailing slash) | | `admin_username` | Keycloak admin username | | `postgres_service_name` | PostgreSQL service name (if deployed) | | `keycloak_service_name` | Keycloak service name | diff --git a/terraform/modules/cluster-prerequisites/outputs.tf b/terraform/modules/cluster-prerequisites/outputs.tf index a9cfd07d0..01cdea35b 100644 --- a/terraform/modules/cluster-prerequisites/outputs.tf +++ b/terraform/modules/cluster-prerequisites/outputs.tf @@ -5,9 +5,16 @@ output "namespace" { } output "keycloak_url" { - description = "Full URL to access Keycloak" - value = var.ingress_enabled ? "https://${var.hostname}${var.keycloak_http_relative_path}" : "http://${var.hostname}:8080${var.keycloak_http_relative_path}" - depends_on = [terraform_data.wait_for_keycloak_instance] + description = "Full URL to access Keycloak (without trailing slash)" + // Trim trailing slash if present to ensure consistent format + //and avoid issues with downstream usage of keycloak provider. + value = trimsuffix( + var.ingress_enabled + ? "https://${var.hostname}${var.keycloak_http_relative_path}" + : "http://${var.hostname}:8080${var.keycloak_http_relative_path}", + "/" + ) + depends_on = [terraform_data.wait_for_keycloak_instance] } output "admin_username" { diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf index 06ee23412..af83ddf58 100644 --- a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf +++ b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf @@ -99,8 +99,7 @@ provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - # Normalize URL: strip a trailing slash "/" if present because this URL should not end with a slash - url = trimsuffix(module.keycloak_setup.keycloak_url, "/") + url = module.keycloak_setup.keycloak_url tls_insecure_skip_verify = true initial_login = false client_timeout = 60 diff --git a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf index 50b51ece0..854fbff41 100644 --- a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf +++ b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf @@ -99,7 +99,7 @@ provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = trimsuffix(module.cluster_prerequisites.keycloak_url, "/") + url = module.cluster_prerequisites.keycloak_url tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 From 462d5fa291a6edbc53df1a4f0aa9bd1f7297d89b Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 15:48:42 +0100 Subject: [PATCH 18/37] Fix for_each error in keycloak operator deployment Replace kubectl_manifest with terraform_data and local-exec to avoid the "for_each value depends on resource attributes that cannot be determined until apply" error. The previous approach parsed YAML from an HTTP response to construct dynamic map keys, which Terraform cannot evaluate at plan time. --- .../modules/cluster-prerequisites/main.tf | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf index bee337f20..f0a9b00d9 100644 --- a/terraform/modules/cluster-prerequisites/main.tf +++ b/terraform/modules/cluster-prerequisites/main.tf @@ -95,22 +95,7 @@ resource "kubectl_manifest" "keycloak_realm_import_crd" { ] } -data "http" "keycloak_operator" { - url = "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/kubernetes.yml" -} - locals { - operator_manifests_raw = split("---", data.http.keycloak_operator.response_body) - operator_manifests = [ - for doc in local.operator_manifests_raw : - yamldecode(doc) - if trimspace(doc) != "" && can(yamldecode(doc)) - ] - operator_resources = { - for idx, doc in local.operator_manifests : - "${doc.kind}-${doc.metadata.name}-${idx}" => doc - } - # local_exec_quotes is a helper function to deal with different handling of # quotes between linux and windows. On linux, it will output "'". On windows, # it will output "". @@ -122,11 +107,28 @@ locals { }]) } -resource "kubectl_manifest" "keycloak_operator" { - for_each = local.operator_resources - yaml_body = yamlencode(each.value) - override_namespace = var.keycloak_namespace +resource "terraform_data" "keycloak_operator" { + input = { + namespace = var.keycloak_namespace + version = var.keycloak_version + } + + provisioner "local-exec" { + command = <<-EOT + kubectl apply -n ${var.keycloak_namespace} -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/kubernetes.yml + kubectl patch clusterrolebinding keycloak-operator-clusterrole-binding --type='json' -p='[{"op": "replace", "path": "/subjects/0/namespace", "value":"${var.keycloak_namespace}"}]' + EOT + } + + provisioner "local-exec" { + when = destroy + command = <<-EOT + kubectl delete -n ${self.input.namespace} -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${self.input.version}/kubernetes/kubernetes.yml --ignore-not-found=true || true + EOT + } + depends_on = [ + kubernetes_namespace_v1.keycloak, kubectl_manifest.keycloak_crd, kubectl_manifest.keycloak_realm_import_crd ] @@ -409,7 +411,7 @@ resource "kubectl_manifest" "keycloak_instance" { }) depends_on = [ - kubectl_manifest.keycloak_operator, + terraform_data.keycloak_operator, kubernetes_service_v1.postgres ] } From ee2475ac778e247bbc66f0ea48e8c49631a9eec7 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Mon, 26 Jan 2026 16:16:39 +0100 Subject: [PATCH 19/37] node: Update keycloak-js dependency to Keycloak 26 --- node/landing-page/package.json | 2 +- node/landing-page/src/App.tsx | 40 ++++++++++++++++++------- node/package-lock.json | 53 +++++----------------------------- node/testing-page/package.json | 2 +- 4 files changed, 40 insertions(+), 57 deletions(-) diff --git a/node/landing-page/package.json b/node/landing-page/package.json index b17137eea..25cd09f2b 100644 --- a/node/landing-page/package.json +++ b/node/landing-page/package.json @@ -12,7 +12,7 @@ }, "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "20.0.5", + "keycloak-js": "26.2.2", "react": "^18.2.0", "react-dom": "^18.2.0" }, diff --git a/node/landing-page/src/App.tsx b/node/landing-page/src/App.tsx index f71abc783..affd992fc 100644 --- a/node/landing-page/src/App.tsx +++ b/node/landing-page/src/App.tsx @@ -1,6 +1,13 @@ import './App.css'; -import { AppDefinition, getTheiaCloudConfig, LaunchRequest, PingRequest, TheiaCloud, TheiaCloudConfig } from '@eclipse-theiacloud/common'; +import { + AppDefinition, + getTheiaCloudConfig, + LaunchRequest, + PingRequest, + TheiaCloud, + TheiaCloudConfig +} from '@eclipse-theiacloud/common'; import Keycloak, { KeycloakConfig } from 'keycloak-js'; import { useEffect, useState } from 'react'; @@ -78,11 +85,11 @@ function App(): JSX.Element { } if (config.useKeycloak) { keycloakConfig = { - url: config.keycloakAuthUrl, + url: config.keycloakAuthUrl!, realm: config.keycloakRealm!, clientId: config.keycloakClientId! }; - const keycloak = Keycloak(keycloakConfig); + const keycloak = new Keycloak(keycloakConfig!); keycloak .init({ onLoad: 'check-sso', @@ -100,8 +107,8 @@ function App(): JSX.Element { } } }) - .catch(() => { - console.error('Authentication Failed'); + .catch((err: any) => { + console.error('Authentication Failed', err); }); } } @@ -112,7 +119,7 @@ function App(): JSX.Element { document.title = `${selectedAppName} - Try Now`; const authenticate = (): void => { - const keycloak = Keycloak(keycloakConfig); + const keycloak = new Keycloak(keycloakConfig!); keycloak .init({ onLoad: 'login-required', @@ -132,8 +139,8 @@ function App(): JSX.Element { } } }) - .catch(() => { - console.error('Authentication Failed'); + .catch((err: any) => { + console.error('Authentication Failed', err); setError('Authentication failed'); }); }; @@ -152,8 +159,21 @@ function App(): JSX.Element { : 'ws-' + TheiaCloudConfig.getServiceAuthToken(config) + '-' + selectedAppDefinition + '-' + email; TheiaCloud.launchAndRedirect( config.useEphemeralStorage - ? LaunchRequest.ephemeral(config.serviceUrl, TheiaCloudConfig.getServiceAuthToken(config), appDefinition, 5, email) - : LaunchRequest.createWorkspace(config.serviceUrl, TheiaCloudConfig.getServiceAuthToken(config), appDefinition, 5, email, workspace), + ? LaunchRequest.ephemeral( + config.serviceUrl, + TheiaCloudConfig.getServiceAuthToken(config), + appDefinition, + 5, + email + ) + : LaunchRequest.createWorkspace( + config.serviceUrl, + TheiaCloudConfig.getServiceAuthToken(config), + appDefinition, + 5, + email, + workspace + ), { timeout: 60000, retries: 5, accessToken: token } ) .catch((err: Error) => { diff --git a/node/package-lock.json b/node/package-lock.json index ef2f51762..99af9a6ea 100644 --- a/node/package-lock.json +++ b/node/package-lock.json @@ -60,7 +60,7 @@ "license": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "20.0.5", + "keycloak-js": "26.2.2", "react": "^18.2.0", "react-dom": "^18.2.0" }, @@ -7102,26 +7102,6 @@ "bare-path": "^3.0.0" } }, - "node_modules/base64-js": { - "version": "1.5.1", - "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", - "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ], - "license": "MIT" - }, "node_modules/baseline-browser-mapping": { "version": "2.8.20", "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.20.tgz", @@ -13503,12 +13483,6 @@ "url": "https://github.com/sponsors/panva" } }, - "node_modules/js-sha256": { - "version": "0.9.0", - "resolved": "https://registry.npmjs.org/js-sha256/-/js-sha256-0.9.0.tgz", - "integrity": "sha512-sga3MHh9sgQN2+pJ9VYZ+1LPwXOxuBJBA5nrR5/ofPfuiJBE2hnjsaN8se8JznOmGLN2p49Pe5U/ttafcs/apA==", - "license": "MIT" - }, "node_modules/js-tokens": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", @@ -13775,14 +13749,13 @@ } }, "node_modules/keycloak-js": { - "version": "20.0.5", - "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-20.0.5.tgz", - "integrity": "sha512-7+M5Uni4oNlAmbjM/lDJzFHu2+PGqU6/bvmTBuQssE1fJ7ZyNeCRHgFoaVfFpIU3m6aAFwPUko4lVcn4kPXP5Q==", + "version": "26.2.2", + "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.2.tgz", + "integrity": "sha512-ug7pNZ1xNkd7PPkerOJCEU2VnUhS7CYStDOCFJgqCNQ64h53ppxaKrh4iXH0xM8hFu5b1W6e6lsyYWqBMvaQFg==", "license": "Apache-2.0", - "dependencies": { - "base64-js": "^1.5.1", - "js-sha256": "^0.9.0" - } + "workspaces": [ + "test" + ] }, "node_modules/keyv": { "version": "4.5.4", @@ -20802,7 +20775,7 @@ "license": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "^17.0.1", + "keycloak-js": "26.2.2", "react": "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1", @@ -20831,16 +20804,6 @@ "node": ">=12" } }, - "testing-page/node_modules/keycloak-js": { - "version": "17.0.1", - "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-17.0.1.tgz", - "integrity": "sha512-mbLBSoogCBX5VYeKCdEz8BaRWVL9twzSqArRU3Mo3Z7vEO1mghGZJ5IzREfiMEi7kTUZtk5i9mu+Yc0koGkK6g==", - "license": "Apache-2.0", - "dependencies": { - "base64-js": "^1.5.1", - "js-sha256": "^0.9.0" - } - }, "testing-page/node_modules/react-refresh": { "version": "0.11.0", "resolved": "https://registry.npmjs.org/react-refresh/-/react-refresh-0.11.0.tgz", diff --git a/node/testing-page/package.json b/node/testing-page/package.json index e2647f4ee..0f7154763 100644 --- a/node/testing-page/package.json +++ b/node/testing-page/package.json @@ -5,7 +5,7 @@ "private": true, "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "^17.0.1", + "keycloak-js": "26.2.2", "react": "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1", From bdba9a71797ac8c27379cf7f9397e6245c4b4ac5 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 28 Jan 2026 13:28:21 +0100 Subject: [PATCH 20/37] remove invalid cloud provider option GKE use K8S instead --- .../configurations/gke_getting_started/gke_getting_started.tf | 2 -- terraform/modules/cluster-prerequisites/README.md | 3 +-- terraform/modules/cluster-prerequisites/variables.tf | 4 ++-- terraform/modules/theia-cloud/README.md | 2 +- 4 files changed, 4 insertions(+), 7 deletions(-) diff --git a/terraform/configurations/gke_getting_started/gke_getting_started.tf b/terraform/configurations/gke_getting_started/gke_getting_started.tf index 16ff8ab31..bfd898f38 100644 --- a/terraform/configurations/gke_getting_started/gke_getting_started.tf +++ b/terraform/configurations/gke_getting_started/gke_getting_started.tf @@ -78,7 +78,6 @@ module "cluster_prerequisites" { cert_manager_issuer_email = var.cert_manager_issuer_email ingress_cert_manager_cluster_issuer = "letsencrypt-prod" load_balancer_ip = google_compute_address.host_ip.address - cloud_provider = "GKE" } module "helm" { @@ -90,7 +89,6 @@ module "helm" { cert_manager_cluster_issuer = "letsencrypt-prod" cert_manager_common_name = "${google_compute_address.host_ip.address}.sslip.io" hostname = "${google_compute_address.host_ip.address}.sslip.io" - cloudProvider = "GKE" loadBalancerIP = google_compute_address.host_ip.address } diff --git a/terraform/modules/cluster-prerequisites/README.md b/terraform/modules/cluster-prerequisites/README.md index 72d0e065e..ae0b709d5 100644 --- a/terraform/modules/cluster-prerequisites/README.md +++ b/terraform/modules/cluster-prerequisites/README.md @@ -13,7 +13,7 @@ The module offers various customization options via variables including skipping - **Optional cert-manager installation** (can be disabled if already installed) - Cert-manager integration for automatic certificate generation - Optional self-signed ClusterIssuer for local development -- Support for Minikube, GKE, and generic Kubernetes clusters +- Support for Minikube and generic Kubernetes clusters - Configurable HTTP relative path (e.g., `/keycloak/`) ## Prerequisites @@ -66,7 +66,6 @@ module "keycloak" { # GKE-specific configuration postgres_storage_class = "standard-rwo" ingress_cert_manager_cluster_issuer = "letsencrypt-prod" - cloud_provider = "GKE" # Production resources keycloak_replicas = 2 diff --git a/terraform/modules/cluster-prerequisites/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf index dae14ad38..ce262b9b3 100644 --- a/terraform/modules/cluster-prerequisites/variables.tf +++ b/terraform/modules/cluster-prerequisites/variables.tf @@ -161,8 +161,8 @@ variable "cloud_provider" { type = string default = "K8S" validation { - condition = contains(["MINIKUBE", "GKE", "K8S"], var.cloud_provider) - error_message = "Valid values are: MINIKUBE, GKE, K8S" + condition = contains(["MINIKUBE", "K8S"], var.cloud_provider) + error_message = "Valid values are: MINIKUBE, K8S" } } diff --git a/terraform/modules/theia-cloud/README.md b/terraform/modules/theia-cloud/README.md index 098d7f32d..316b6dde2 100644 --- a/terraform/modules/theia-cloud/README.md +++ b/terraform/modules/theia-cloud/README.md @@ -42,4 +42,4 @@ module "theia_cloud" { - `hostname` (required) - The hostname for Theia Cloud services - `keycloak_url` (optional) - The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/. - `cert_manager_issuer_email` (required) - Email address used for certificate management -- `cloudProvider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE", "GKE") +- `cloudProvider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE") From 906f32c8fbc9f9538a9d66a28968a21f8b13f790 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 28 Jan 2026 15:58:07 +0100 Subject: [PATCH 21/37] Ensure postgres pvc creation does not block next steps Do not make it wait until a pod is bound because the pod is only created in the next step --- terraform/modules/cluster-prerequisites/main.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf index f0a9b00d9..aead2664a 100644 --- a/terraform/modules/cluster-prerequisites/main.tf +++ b/terraform/modules/cluster-prerequisites/main.tf @@ -168,6 +168,10 @@ resource "kubernetes_persistent_volume_claim_v1" "postgres" { } storage_class_name = var.postgres_storage_class != "" ? var.postgres_storage_class : null } + + # Don't wait for the PVC to be bound - with WaitForFirstConsumer storage classes + # (like GKE's standard-rwo), the PVC won't bind until a pod is scheduled to use it + wait_until_bound = false } resource "kubernetes_deployment_v1" "postgres" { @@ -249,6 +253,13 @@ resource "kubernetes_deployment_v1" "postgres" { } } + # Use a subdirectory for PGDATA to avoid issues with lost+found directory + # on freshly formatted volumes (common on cloud providers like GKE) + env { + name = "PGDATA" + value = "/var/lib/postgresql/data/pgdata" + } + port { container_port = 5432 name = "postgres" From 7ed48acb4019436cff57fd4ae4eb50e7955932e8 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Tue, 31 Mar 2026 17:52:34 +0200 Subject: [PATCH 22/37] fix cluster-prerequisites and test-configurations after rebase --- .../modules/cluster-prerequisites/main.tf | 33 +++++- .../cluster-prerequisites/variables.tf | 11 ++ terraform/modules/helm/main.tf | 112 ------------------ .../0_minikube-setup/minikube_test_cluster.tf | 93 --------------- .../1_dependencies/.terraform.lock.hcl | 24 +++- .../1_dependencies/dependencies.tf | 45 ++++--- .../1_dependencies/outputs.tf | 2 +- 7 files changed, 83 insertions(+), 237 deletions(-) diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf index aead2664a..6deba0af3 100644 --- a/terraform/modules/cluster-prerequisites/main.tf +++ b/terraform/modules/cluster-prerequisites/main.tf @@ -16,7 +16,7 @@ resource "helm_release" "cert_manager" { } resource "helm_release" "ingress_nginx" { - count = var.install_ingress_controller ? 1 : 0 + count = var.install_ingress_controller && var.ingress_controller_type == "nginx" ? 1 : 0 name = "nginx-ingress-controller" repository = "https://kubernetes.github.io/ingress-nginx" chart = "ingress-nginx" @@ -49,6 +49,27 @@ resource "helm_release" "ingress_nginx" { ] } +resource "helm_release" "haproxy-ingress-controller" { + count = var.install_ingress_controller && var.ingress_controller_type == "haproxy" ? 1 : 0 + name = "haproxy-ingress" + repository = "https://haproxy-ingress.github.io/charts" + chart = "haproxy-ingress" + version = "0.15.1" + namespace = "ingress-haproxy" + create_namespace = true + + set = [ + { + name = "controller.ingressClassResource.enabled" + value = true + }, + { + name = "controller.service.loadBalancerIP" + value = var.load_balancer_ip + } + ] +} + resource "kubectl_manifest" "keycloak_selfsigned_issuer" { count = var.install_selfsigned_issuer ? 1 : 0 depends_on = [helm_release.cert_manager, helm_release.ingress_nginx] @@ -434,10 +455,14 @@ resource "kubernetes_ingress_v1" "keycloak" { name = "keycloak" namespace = kubernetes_namespace_v1.keycloak.metadata[0].name annotations = merge( - { + var.ingress_controller_type == "nginx" ? { "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" "nginx.ingress.kubernetes.io/proxy-busy-buffers-size" = "128k" - }, + } : {}, + var.ingress_controller_type == "haproxy" ? { + "haproxy-ingress.github.io/proxy-body-size" = "128k" + "haproxy-ingress.github.io/timeout-http-request" = "30s" + } : {}, var.ingress_tls_enabled ? { "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer "cert-manager.io/common-name" = var.ingress_cert_manager_common_name != "" ? var.ingress_cert_manager_common_name : var.hostname @@ -519,7 +544,7 @@ resource "terraform_data" "wait_for_certificate" { } resource "terraform_data" "patch_ingress_controller" { - count = var.ingress_enabled && var.ingress_tls_enabled ? 1 : 0 + count = var.ingress_enabled && var.ingress_tls_enabled && var.ingress_controller_type == "nginx" ? 1 : 0 provisioner "local-exec" { command = "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s" diff --git a/terraform/modules/cluster-prerequisites/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf index ce262b9b3..ca10e05d1 100644 --- a/terraform/modules/cluster-prerequisites/variables.tf +++ b/terraform/modules/cluster-prerequisites/variables.tf @@ -111,6 +111,17 @@ variable "keycloak_resource_limits_memory" { default = "2Gi" } +variable "ingress_controller_type" { + description = "Type of ingress controller to use (nginx or haproxy)" + type = string + default = "nginx" + + validation { + condition = contains(["nginx", "haproxy"], var.ingress_controller_type) + error_message = "Valid values are 'nginx' or 'haproxy'." + } +} + variable "ingress_enabled" { description = "Whether to create Kubernetes Ingress" type = bool diff --git a/terraform/modules/helm/main.tf b/terraform/modules/helm/main.tf index 8e6246c63..a04c7c421 100644 --- a/terraform/modules/helm/main.tf +++ b/terraform/modules/helm/main.tf @@ -1,14 +1,3 @@ -variable "ingress_controller_type" { - description = "Type of ingress controller to use (nginx or haproxy)" - type = string - default = "nginx" - - validation { - condition = contains(["nginx", "haproxy"], var.ingress_controller_type) - error_message = "Valid values are 'nginx' or 'haproxy'." - } -} - variable "install_theia_cloud_base" { description = "Whether to install theia cloud base" default = true @@ -38,28 +27,6 @@ variable "cloudProvider" { } # Note: cert-manager and nginx-ingress must be installed via cluster-prerequisites module first - count = var.install_ingress_controller && var.ingress_controller_type == "nginx" ? 1 : 0 -resource "helm_release" "haproxy-ingress-controller" { - count = var.install_ingress_controller && var.ingress_controller_type == "haproxy" ? 1 : 0 - name = "haproxy-ingress" - repository = "https://haproxy-ingress.github.io/charts" - chart = "haproxy-ingress" - version = "0.15.1" - namespace = "ingress-haproxy" - create_namespace = true - - set = [ - { - name = "controller.ingressClassResource.enabled" - value = true - }, - { - name = "controller.service.loadBalancerIP" - value = var.loadBalancerIP - } - ] -} - resource "helm_release" "theia-cloud-base" { count = var.install_theia_cloud_base ? 1 : 0 depends_on = [helm_release.cert-manager, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need to install cert issuers @@ -89,85 +56,6 @@ resource "helm_release" "theia-cloud-crds" { create_namespace = true } -resource "kubectl_manifest" "selfsigned_issuer" { - count = var.install_selfsigned_issuer ? 1 : 0 - depends_on = [helm_release.cert-manager, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need to install cert issuers - yaml_body = file("${path.module}/clusterissuer-selfsigned.yaml") -} - -locals { - # local_exec_quotes is a helper function to deal with different handling of - # quotes between linux and windows. On linux, it will output "'". On windows, - # it will output "". - local_exec_quotes = startswith(abspath(path.module), "/") ? "'" : "" - jsonpatch = jsonencode([{ - "op" = "add", - "path" = "/spec/template/spec/containers/0/args/-", - "value" = "--default-ssl-certificate=keycloak/${var.hostname}-tls" - }]) -} - -# TODO remove keycloak here -resource "helm_release" "keycloak" { - depends_on = [helm_release.theia-cloud-base, kubectl_manifest.selfsigned_issuer, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need an existing issuer - name = "keycloak" - repository = "https://charts.bitnami.com/bitnami" - chart = "keycloak" - version = "15.1.8" - namespace = "keycloak" - create_namespace = true - - values = [ - "${templatefile("${path.module}/keycloak.yaml", { cluster-issuer = var.cert_manager_cluster_issuer, common-name = var.cert_manager_common_name, ingress-class = var.ingress_controller_type == "haproxy" ? "haproxy" : "nginx" })}" - ] - - set = [ - { - name = "postgresql.enabled" - value = var.postgresql_enabled - }, - { - name = "ingress.hostname" - value = var.hostname - }, - { - name = "global.storageClass" - value = var.postgresql_storageClass - }, - { - name = "service.type" - value = var.service_type - }, - { - name = "postgresql.volumePermissions.enabled" - value = var.postgresql_volumePermissions - } - ] - set_sensitive = [ - { - name = "auth.adminPassword" - value = var.keycloak_admin_password - }, - { - name = "postgresql.auth.postgresPassword" - value = var.postgres_postgres_password - }, - { - name = "postgresql.auth.password" - value = var.postgres_password - } - ] - - # We expect that kubectl context was configured by a previous module. - # After keycloak was set up with tls enabled, we use the created tls secret as the default ssl-secret of the ingress-controller. - # Below command connects to the cluster in the local environment and patches the ingress-controller accordingly. - # Theia Cloud is then installed with path based hosts reusing the same certificate. - # Sleep 5 seconds at the end as there might be a brief delay between the ingress controller reporting available and it actually being ready to serve traffic - provisioner "local-exec" { - command = var.ingress_controller_type == "nginx" ? "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" : "kubectl patch deploy haproxy-ingress --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-haproxy -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-haproxy wait --for condition=available deploy/haproxy-ingress --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" - } -} - resource "helm_release" "theia-cloud" { count = var.install_theia_cloud ? 1 : 0 depends_on = [helm_release.theia-cloud-crds] diff --git a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf index 854fbff41..35de07ae9 100644 --- a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf +++ b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf @@ -31,96 +31,3 @@ provider "kubernetes" { client_key = module.cluster.cluster_client_key cluster_ca_certificate = module.cluster.cluster_ca_certificate } - -resource "kubernetes_persistent_volume" "minikube" { - - depends_on = [module.cluster] - - metadata { - name = "minikube-volume" - } - spec { - storage_class_name = "manual" - capacity = { - storage = "16Gi" - } - access_modes = ["ReadWriteOnce"] - persistent_volume_source { - host_path { - path = "/data/theia-cloud" - } - } - } -} - -provider "helm" { - kubernetes = { - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate - } -} - -provider "kubectl" { - load_config_file = false - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate -} - -module "host" { - depends_on = [module.cluster] - - source = "matti/urlparse/external" - url = module.cluster.cluster_host -} - -module "cluster_prerequisites" { - source = "../../modules/cluster-prerequisites" - - depends_on = [kubernetes_persistent_volume.minikube] - - hostname = "${module.host.host}.nip.io" - keycloak_admin_password = var.keycloak_admin_password - postgres_password = "admin" - install_cert_manager = true - install_selfsigned_issuer = true - cert_manager_issuer_email = var.cert_manager_issuer_email - ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" - ingress_cert_manager_common_name = "${module.host.host}.nip.io" - postgres_storage_class = "manual" - postgres_volume_permissions = true - cloud_provider = "MINIKUBE" -} - -provider "keycloak" { - client_id = "admin-cli" - username = "admin" - password = var.keycloak_admin_password - url = module.cluster_prerequisites.keycloak_url - tls_insecure_skip_verify = true # only for minikube self signed - initial_login = false - client_timeout = 60 -} - -module "keycloak" { - source = "../../modules/keycloak" - - depends_on = [module.cluster_prerequisites] - - hostname = "${module.host.host}.nip.io" - keycloak_test_user_foo_password = "foo" - keycloak_test_user_bar_password = "bar" - valid_redirect_uri = "*" -} - -# Configure user foo as admin by adding it to the admin group -resource "keycloak_group_memberships" "admin_group_memberships" { - realm_id = module.keycloak.realm.id - group_id = module.keycloak.admin_group.id - members = [ - module.keycloak.test_users.foo.username - ] -} \ No newline at end of file diff --git a/terraform/test-configurations/1_dependencies/.terraform.lock.hcl b/terraform/test-configurations/1_dependencies/.terraform.lock.hcl index 5233c61be..48e91fd19 100644 --- a/terraform/test-configurations/1_dependencies/.terraform.lock.hcl +++ b/terraform/test-configurations/1_dependencies/.terraform.lock.hcl @@ -45,7 +45,7 @@ provider "registry.terraform.io/hashicorp/external" { provider "registry.terraform.io/hashicorp/helm" { version = "3.1.1" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", @@ -63,9 +63,29 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "3.0.1" - constraints = ">= 2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" hashes = [ "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=", "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", diff --git a/terraform/test-configurations/1_dependencies/dependencies.tf b/terraform/test-configurations/1_dependencies/dependencies.tf index ac1af66af..0b536fd36 100644 --- a/terraform/test-configurations/1_dependencies/dependencies.tf +++ b/terraform/test-configurations/1_dependencies/dependencies.tf @@ -97,36 +97,31 @@ locals { hostname = "${local.effective_host}.nip.io" } -module "helm" { - source = "../../modules/helm" - - depends_on = [module.host, helm_release.haproxy-ingress-controller] - - install_ingress_controller = false - ingress_controller_type = data.terraform_remote_state.minikube.outputs.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email - cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" - cert_manager_common_name = local.hostname - hostname = local.hostname - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - service_type = "ClusterIP" - cloudProvider = "MINIKUBE" - install_selfsigned_issuer = true - install_theia_cloud_base = false - install_theia_cloud_crds = false - install_theia_cloud = false +module "cluster_prerequisites" { + source = "../../modules/cluster-prerequisites" + + depends_on = [kubernetes_persistent_volume_v1.minikube, helm_release.haproxy-ingress-controller] + + hostname = local.hostname + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_controller_type = data.terraform_remote_state.minikube.outputs.ingress_controller_type + ingress_class_name = data.terraform_remote_state.minikube.outputs.ingress_controller_type + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = local.hostname + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" } provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = "https://${local.hostname}/keycloak" + url = module.cluster_prerequisites.keycloak_url tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 @@ -135,7 +130,7 @@ provider "keycloak" { module "keycloak" { source = "../../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] hostname = local.hostname keycloak_test_user_foo_password = "foo" diff --git a/terraform/test-configurations/1_dependencies/outputs.tf b/terraform/test-configurations/1_dependencies/outputs.tf index f1c2e9c8a..7bfb55cf4 100644 --- a/terraform/test-configurations/1_dependencies/outputs.tf +++ b/terraform/test-configurations/1_dependencies/outputs.tf @@ -28,7 +28,7 @@ output "hostname" { output "keycloak" { description = "Keycloak" - value = "${local.hostname}/keycloak" + value = module.cluster_prerequisites.keycloak_url } output "ingress_controller_type" { From 8ebf49351dc9404012ab2661c67583d30cd30b46 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 1 Apr 2026 18:09:06 +0200 Subject: [PATCH 23/37] wip: fix minikube after rebase and cleanup modules --- terraform/ci-configurations/e2e_tests.tf | 5 +- .../gke_getting_started.tf | 9 ++- .../minikube_getting_started.tf | 3 +- .../modules/cluster-prerequisites/main.tf | 56 ++++++++++--------- .../cluster-prerequisites/variables.tf | 2 +- terraform/modules/helm/README.md | 48 ++++++++++++++-- terraform/modules/helm/keycloak.yaml | 40 ------------- terraform/modules/helm/main.tf | 50 +++++------------ terraform/modules/helm/variables.tf | 39 +++++++++++++ terraform/modules/keycloak/main.tf | 4 -- .../1_dependencies/dependencies.tf | 1 - .../3-01_try-now/theia_cloud.tf | 2 +- .../3-03_try-now_paths/theia_cloud.tf | 2 +- .../theia_cloud.tf | 2 +- 14 files changed, 138 insertions(+), 125 deletions(-) delete mode 100644 terraform/modules/helm/keycloak.yaml create mode 100644 terraform/modules/helm/variables.tf diff --git a/terraform/ci-configurations/e2e_tests.tf b/terraform/ci-configurations/e2e_tests.tf index 19a70456d..207900679 100644 --- a/terraform/ci-configurations/e2e_tests.tf +++ b/terraform/ci-configurations/e2e_tests.tf @@ -81,7 +81,7 @@ module "helm" { postgres_postgres_password = "admin" postgres_password = "admin" loadBalancerIP = "" - cloudProvider = "MINIKUBE" + cloud_provider = "MINIKUBE" } provider "keycloak" { @@ -99,7 +99,6 @@ module "keycloak" { depends_on = [module.cluster_prerequisites] - hostname = "${var.ingress_ip}.nip.io" keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "*" @@ -177,7 +176,7 @@ resource "helm_release" "theia-cloud" { name = "operator.eagerStart" value = var.eager_start } - ] + ] } resource "kubectl_manifest" "theia-cloud-monitor-theia-popup" { diff --git a/terraform/configurations/gke_getting_started/gke_getting_started.tf b/terraform/configurations/gke_getting_started/gke_getting_started.tf index bfd898f38..2f2bd7be3 100644 --- a/terraform/configurations/gke_getting_started/gke_getting_started.tf +++ b/terraform/configurations/gke_getting_started/gke_getting_started.tf @@ -83,13 +83,13 @@ module "cluster_prerequisites" { module "helm" { source = "../../modules/helm" - depends_on = [module.cluster_prerequisites] + depends_on = [module.cluster_prerequisites] ingress_controller_type = var.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email + cert_manager_issuer_email = var.cert_manager_issuer_email cert_manager_cluster_issuer = "letsencrypt-prod" cert_manager_common_name = "${google_compute_address.host_ip.address}.sslip.io" - hostname = "${google_compute_address.host_ip.address}.sslip.io" - loadBalancerIP = google_compute_address.host_ip.address + hostname = "${google_compute_address.host_ip.address}.sslip.io" + loadBalancerIP = google_compute_address.host_ip.address } provider "keycloak" { @@ -106,7 +106,6 @@ module "keycloak" { depends_on = [module.cluster_prerequisites] - hostname = "${google_compute_address.host_ip.address}.sslip.io" keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "https://${google_compute_address.host_ip.address}.sslip.io/*" diff --git a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf index a53a5e4cc..3b3cef54e 100644 --- a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf +++ b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf @@ -105,7 +105,7 @@ module "helm" { postgresql_storageClass = "manual" postgresql_volumePermissions = true service_type = "ClusterIP" - cloudProvider = "MINIKUBE" + cloud_provider = "MINIKUBE" } module "cluster_prerequisites" { @@ -141,7 +141,6 @@ module "keycloak" { depends_on = [module.cluster_prerequisites] - hostname = "${module.host.host}.nip.io" keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "https://${module.host.host}.nip.io/*" diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf index 6deba0af3..50ce06059 100644 --- a/terraform/modules/cluster-prerequisites/main.tf +++ b/terraform/modules/cluster-prerequisites/main.tf @@ -117,6 +117,8 @@ resource "kubectl_manifest" "keycloak_realm_import_crd" { } locals { + keycloak_ns = kubernetes_namespace_v1.keycloak.metadata[0].name + # local_exec_quotes is a helper function to deal with different handling of # quotes between linux and windows. On linux, it will output "'". On windows, # it will output "". @@ -160,7 +162,7 @@ resource "kubernetes_secret_v1" "postgres" { metadata { name = "postgres-credentials" - namespace = kubernetes_namespace_v1.keycloak.metadata[0].name + namespace = local.keycloak_ns } data = { @@ -177,7 +179,7 @@ resource "kubernetes_persistent_volume_claim_v1" "postgres" { metadata { name = "postgres-pvc" - namespace = kubernetes_namespace_v1.keycloak.metadata[0].name + namespace = local.keycloak_ns } spec { @@ -200,7 +202,7 @@ resource "kubernetes_deployment_v1" "postgres" { metadata { name = "postgres" - namespace = kubernetes_namespace_v1.keycloak.metadata[0].name + namespace = local.keycloak_ns labels = { app = "postgres" } @@ -323,7 +325,7 @@ resource "kubernetes_service_v1" "postgres" { metadata { name = "postgres" - namespace = kubernetes_namespace_v1.keycloak.metadata[0].name + namespace = local.keycloak_ns } spec { @@ -347,6 +349,21 @@ locals { keycloak_protocol = var.ingress_tls_enabled ? "https://" : "http://" + ingress_controller_annotations = var.ingress_controller_type == "nginx" ? { + "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" + "nginx.ingress.kubernetes.io/proxy-busy-buffers-size" = "128k" + } : var.ingress_controller_type == "haproxy" ? { + "haproxy-ingress.github.io/proxy-body-size" = "128k" + "haproxy-ingress.github.io/timeout-http-request" = "30s" + } : {} + + ingress_tls_annotations = var.ingress_tls_enabled ? { + "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer + "cert-manager.io/common-name" = var.ingress_cert_manager_common_name != "" ? var.ingress_cert_manager_common_name : var.hostname + "acme.cert-manager.io/http01-edit-in-place" = "true" + "acme.cert-manager.io/http01-ingress-path-type" = "ImplementationSpecific" + } : {} + keycloak_spec_base = { instances = var.keycloak_replicas http = { @@ -437,7 +454,7 @@ resource "kubectl_manifest" "keycloak_instance" { kind = "Keycloak" metadata = { name = "keycloak" - namespace = kubernetes_namespace_v1.keycloak.metadata[0].name + namespace = local.keycloak_ns } spec = local.keycloak_spec }) @@ -453,22 +470,10 @@ resource "kubernetes_ingress_v1" "keycloak" { metadata { name = "keycloak" - namespace = kubernetes_namespace_v1.keycloak.metadata[0].name + namespace = local.keycloak_ns annotations = merge( - var.ingress_controller_type == "nginx" ? { - "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" - "nginx.ingress.kubernetes.io/proxy-busy-buffers-size" = "128k" - } : {}, - var.ingress_controller_type == "haproxy" ? { - "haproxy-ingress.github.io/proxy-body-size" = "128k" - "haproxy-ingress.github.io/timeout-http-request" = "30s" - } : {}, - var.ingress_tls_enabled ? { - "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer - "cert-manager.io/common-name" = var.ingress_cert_manager_common_name != "" ? var.ingress_cert_manager_common_name : var.hostname - "acme.cert-manager.io/http01-edit-in-place" = "true" - "acme.cert-manager.io/http01-ingress-path-type" = "ImplementationSpecific" - } : {}, + local.ingress_controller_annotations, + local.ingress_tls_annotations, var.ingress_annotations ) } @@ -507,7 +512,8 @@ resource "kubernetes_ingress_v1" "keycloak" { depends_on = [ kubernetes_namespace_v1.keycloak, - helm_release.ingress_nginx + helm_release.ingress_nginx, + helm_release.haproxy-ingress-controller ] } @@ -515,11 +521,11 @@ resource "terraform_data" "wait_for_keycloak_instance" { provisioner "local-exec" { command = <<-EOT echo "Waiting for Keycloak resource to report ready..." - kubectl wait keycloak/keycloak -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} --for=condition=Ready --timeout=3m + kubectl wait keycloak/keycloak -n ${local.keycloak_ns} --for=condition=Ready --timeout=3m echo "Waiting for Keycloak pods to be ready..." - kubectl wait pods -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} -l app=keycloak --for=condition=Ready --timeout=3m + kubectl wait pods -n ${local.keycloak_ns} -l app=keycloak --for=condition=Ready --timeout=3m echo "Waiting for Keycloak service endpoint..." - kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} --timeout=2m + kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${local.keycloak_ns} --timeout=2m echo "Keycloak is ready!" echo "Waiting additional 5 for Keycloak authentication to be fully initialized..." sleep 5 @@ -535,7 +541,7 @@ resource "terraform_data" "wait_for_certificate" { count = var.ingress_enabled && var.ingress_tls_enabled ? 1 : 0 provisioner "local-exec" { - command = "kubectl wait certificate -n ${kubernetes_namespace_v1.keycloak.metadata[0].name} ${local.tls_secret_name} --for=condition=Ready --timeout=3m" + command = "kubectl wait certificate -n ${local.keycloak_ns} ${local.tls_secret_name} --for=condition=Ready --timeout=3m" } depends_on = [ diff --git a/terraform/modules/cluster-prerequisites/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf index ca10e05d1..abe3d557f 100644 --- a/terraform/modules/cluster-prerequisites/variables.tf +++ b/terraform/modules/cluster-prerequisites/variables.tf @@ -1,5 +1,5 @@ variable "hostname" { - description = "Hostname for Keycloak ingress" + description = "The hostname for the deployment" type = string } diff --git a/terraform/modules/helm/README.md b/terraform/modules/helm/README.md index 670efc881..22cc9792b 100644 --- a/terraform/modules/helm/README.md +++ b/terraform/modules/helm/README.md @@ -1,9 +1,45 @@ -# Helm Installation +# Theia Cloud Installation Module -This module may be used to install Theia Cloud and all dependencies in a cluster via Helm. +This module installs Theia Cloud components in a Kubernetes cluster via Helm. -We expect users to be familiar with Helm and that `kubectl` points to the cluster which Theia Cloud is going to be installed in. +## Prerequisites -The module will install the Cert Manager, the Nginx Ingress Controller (optional when installed already), the Theia Cloud Base Chart (cluster wide resources), and Keycloak.\ -After Keycloak was installed we will patch the Nginx Ingress Controller to use the certificate generated during the Keycloak installation as the default certificate.\ -Finally we will install Theia Cloud. +Before using this module, ensure the following are already installed in your cluster: + +- **Cert Manager** (v1.17.4 or compatible) - Required for certificate management +- **Nginx Ingress Controller** (v4.13.0 or compatible) - Required for ingress routing +- **Keycloak** (v26.4.5 or compatible) - Required for authentication + +## What This Module Installs + +This module will install: + +1. **theia-cloud-base** - Cluster-wide resources including cert issuers +2. **theia-cloud-crds** - Custom resource definitions for Theia Cloud +3. **theia-cloud** - The Theia Cloud operators, service, and landing page + +## Usage + +We expect users to be familiar with Helm and that `kubectl` points to the cluster where Theia Cloud will be installed. + +### Basic Example + +```terraform +module "helm" { + source = "./modules/helm" + + hostname = "theia.example.com" + cert_manager_issuer_email = "admin@example.com" + cloud_provider = "K8S" +} +``` + +## Variables + +- `install_theia_cloud_base` (optional, default: `true`) - Whether to install theia-cloud-base chart +- `install_theia_cloud_crds` (optional, default: `true`) - Whether to install theia-cloud-crds chart +- `install_theia_cloud` (optional, default: `true`) - Whether to install theia-cloud chart +- `hostname` (required) - The hostname for Theia Cloud services +- `keycloak_url` (optional) - The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/. +- `cert_manager_issuer_email` (required) - Email address used for certificate management +- `cloud_provider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE") diff --git a/terraform/modules/helm/keycloak.yaml b/terraform/modules/helm/keycloak.yaml deleted file mode 100644 index c20cfc846..000000000 --- a/terraform/modules/helm/keycloak.yaml +++ /dev/null @@ -1,40 +0,0 @@ -fullnameOverride: "keycloak" -httpRelativePath: "/keycloak/" - -auth: - adminUser: admin - -image: - # Configure using repository bitnamilegacy because bitnami has removed the bitnami repository in favor of a paid service - repository: bitnamilegacy/keycloak - -postgresql: - # Configure using repository bitnamilegacy because bitnami has removed the bitnami repository in favor of a paid service - image: - repository: bitnamilegacy/postgresql - volumePermissions: - image: - repository: bitnamilegacy/os-shell - metrics: - image: - repository: bitnamilegacy/bitnami-exporter - -ingress: - enabled: true - ingressClassName: "${ingress-class}" - path: "/keycloak/" - pathType: "ImplementationSpecific" - annotations: - acme.cert-manager.io/http01-edit-in-place: "true" - acme.cert-manager.io/http01-ingress-path-type: "ImplementationSpecific" -%{ if ingress-class == "nginx" ~} - nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" - nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "128k" -%{ endif ~} -%{ if ingress-class == "haproxy" ~} - haproxy-ingress.github.io/proxy-body-size: "128k" - haproxy-ingress.github.io/timeout-http-request: "30s" -%{ endif ~} - cert-manager.io/cluster-issuer: ${cluster-issuer} - cert-manager.io/common-name: ${common-name} - tls: true diff --git a/terraform/modules/helm/main.tf b/terraform/modules/helm/main.tf index a04c7c421..74b95c664 100644 --- a/terraform/modules/helm/main.tf +++ b/terraform/modules/helm/main.tf @@ -1,40 +1,20 @@ -variable "install_theia_cloud_base" { - description = "Whether to install theia cloud base" - default = true -} - -variable "install_theia_cloud_crds" { - description = "Whether to install theia cloud crds" - default = true -} - -variable "install_theia_cloud" { - description = "Whether to install theia cloud" - default = true -} - -variable "cert_manager_issuer_email" { - description = "EMail address used to create certificates." -} - -variable "hostname" { - description = "The hostname for all installed services" -} +locals { + theia_cloud_helm_repository = "https://eclipse-theia.github.io/theia-cloud-helm" + theia_cloud_namespace = "theia-cloud" -variable "cloudProvider" { - description = "The cloud provider to use" - default = "K8S" + # base_keycloak: use provided URL or build from hostname + base_keycloak = var.keycloak_url != "" ? var.keycloak_url : "https://${var.hostname}/keycloak" + # normalized_keycloak_url: ensure a single trailing slash as required by the Theia Cloud Helm chart. + normalized_keycloak_url = endswith(local.base_keycloak, "/") ? local.base_keycloak : "${local.base_keycloak}/" } -# Note: cert-manager and nginx-ingress must be installed via cluster-prerequisites module first resource "helm_release" "theia-cloud-base" { count = var.install_theia_cloud_base ? 1 : 0 - depends_on = [helm_release.cert-manager, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need to install cert issuers name = "theia-cloud-base" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" + repository = local.theia_cloud_helm_repository chart = "theia-cloud-base" version = "1.2.0" - namespace = "theia-cloud" + namespace = local.theia_cloud_namespace create_namespace = true set = [ @@ -49,10 +29,10 @@ resource "helm_release" "theia-cloud-crds" { count = var.install_theia_cloud_crds ? 1 : 0 depends_on = [helm_release.theia-cloud-base] name = "theia-cloud-crds" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" + repository = local.theia_cloud_helm_repository chart = "theia-cloud-crds" version = "1.2.0" - namespace = "theia-cloud" + namespace = local.theia_cloud_namespace create_namespace = true } @@ -60,10 +40,10 @@ resource "helm_release" "theia-cloud" { count = var.install_theia_cloud ? 1 : 0 depends_on = [helm_release.theia-cloud-crds] name = "theia-cloud" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" + repository = local.theia_cloud_helm_repository chart = "theia-cloud" version = "1.2.0" - namespace = "theia-cloud" + namespace = local.theia_cloud_namespace create_namespace = true values = [ @@ -77,11 +57,11 @@ resource "helm_release" "theia-cloud" { }, { name = "keycloak.authUrl" - value = "https://${var.hostname}/keycloak/" + value = local.normalized_keycloak_url }, { name = "operator.cloudProvider" - value = var.cloudProvider + value = var.cloud_provider }, { name = "ingress.controller" diff --git a/terraform/modules/helm/variables.tf b/terraform/modules/helm/variables.tf new file mode 100644 index 000000000..40c2eee60 --- /dev/null +++ b/terraform/modules/helm/variables.tf @@ -0,0 +1,39 @@ +variable "install_theia_cloud_base" { + description = "Whether to install theia cloud base" + default = true +} + +variable "install_theia_cloud_crds" { + description = "Whether to install theia cloud crds" + default = true +} + +variable "install_theia_cloud" { + description = "Whether to install theia cloud" + default = true +} + +variable "hostname" { + description = "The hostname for the deployment" +} + +variable "keycloak_url" { + description = "The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/." + default = "" +} + +variable "cloud_provider" { + description = "Cloud provider type" + type = string + default = "K8S" + validation { + condition = contains(["MINIKUBE", "K8S"], var.cloud_provider) + error_message = "Valid values are: MINIKUBE, K8S" + } +} + +variable "cert_manager_issuer_email" { + description = "Email address used to create certificates." + type = string + default = "" +} diff --git a/terraform/modules/keycloak/main.tf b/terraform/modules/keycloak/main.tf index e3f4bf2bd..8de4fcc54 100644 --- a/terraform/modules/keycloak/main.tf +++ b/terraform/modules/keycloak/main.tf @@ -1,7 +1,3 @@ -variable "hostname" { - description = "Hostname for the keycloak instance" -} - variable "keycloak_test_user_foo_password" { description = "Keycloak Foo Test User Password" sensitive = true diff --git a/terraform/test-configurations/1_dependencies/dependencies.tf b/terraform/test-configurations/1_dependencies/dependencies.tf index 0b536fd36..89bf9b039 100644 --- a/terraform/test-configurations/1_dependencies/dependencies.tf +++ b/terraform/test-configurations/1_dependencies/dependencies.tf @@ -132,7 +132,6 @@ module "keycloak" { depends_on = [module.cluster_prerequisites] - hostname = local.hostname keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "*" diff --git a/terraform/test-configurations/3-01_try-now/theia_cloud.tf b/terraform/test-configurations/3-01_try-now/theia_cloud.tf index e1a20cb0d..78f22f286 100644 --- a/terraform/test-configurations/3-01_try-now/theia_cloud.tf +++ b/terraform/test-configurations/3-01_try-now/theia_cloud.tf @@ -70,7 +70,7 @@ resource "helm_release" "theia-cloud" { name = "ingress.controller" value = data.terraform_remote_state.minikube.outputs.ingress_controller_type } - ] + ] } resource "kubectl_manifest" "cdt-cloud-demo" { diff --git a/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf b/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf index 942b659a3..be0e7a1c8 100644 --- a/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf +++ b/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf @@ -79,7 +79,7 @@ resource "helm_release" "theia-cloud" { name = "ingress.controller" value = data.terraform_remote_state.minikube.outputs.ingress_controller_type } - ] + ] } resource "kubectl_manifest" "cdt-cloud-demo" { diff --git a/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf b/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf index 79339d056..d9400fcb5 100644 --- a/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf +++ b/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf @@ -88,7 +88,7 @@ resource "helm_release" "theia-cloud" { name = "ingress.controller" value = data.terraform_remote_state.minikube.outputs.ingress_controller_type } - ] + ] } resource "kubectl_manifest" "cdt-cloud-demo" { From 27fbdd068c68952e601ed263f151df3a95970f12 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 29 Apr 2026 16:47:41 +0200 Subject: [PATCH 24/37] remove obsolete minikube-keycloak terraform test config --- .../.terraform.lock.hcl | 168 --------------- .../0_minikube-keycloak-setup/README.md | 191 ------------------ .../minikube_keycloak_test.tf | 127 ------------ .../0_minikube-keycloak-setup/outputs.tf | 15 -- .../0_minikube-keycloak-setup/versions.tf | 34 ---- 5 files changed, 535 deletions(-) delete mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl delete mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/README.md delete mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf delete mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf delete mode 100644 terraform/test-configurations/0_minikube-keycloak-setup/versions.tf diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl b/terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl deleted file mode 100644 index f8f6ec48b..000000000 --- a/terraform/test-configurations/0_minikube-keycloak-setup/.terraform.lock.hcl +++ /dev/null @@ -1,168 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = ">= 1.19.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.5" - hashes = [ - "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", - "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", - "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", - "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", - "zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", - "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", - "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", - "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", - "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", - "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", - "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.1.1" - constraints = ">= 2.0.0, >= 3.0.2" - hashes = [ - "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", - "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", - "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", - "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", - "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", - "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", - "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", - "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", - "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", - "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", - "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", - "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/http" { - version = "3.5.0" - constraints = ">= 3.0.0" - hashes = [ - "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", - "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", - "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", - "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", - "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", - "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", - "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", - "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", - "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", - "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", - "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.38.0" - constraints = ">= 2.0.0, >= 2.38.0" - hashes = [ - "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", - "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", - "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", - "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", - "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", - "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", - "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", - "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", - "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", - "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", - "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.13.1" - constraints = ">= 0.9.0" - hashes = [ - "h1:+W+DMrVoVnoXo3f3M4W+OpZbkCrUn6PnqDF33D2Cuf0=", - "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74", - "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f", - "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a", - "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328", - "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8", - "zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b", - "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0", - "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d", - "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75", - "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5", - ] -} - -provider "registry.terraform.io/mrparkers/keycloak" { - version = "4.4.0" - constraints = ">= 4.4.0" - hashes = [ - "h1:FH9j76zRv05qxk7I/w0mycmBEuew/+XP+Qx+Ptz/onw=", - "zh:0116d63fb4a4436d67cc793038899e0de23c3a5c78f5bf3cf76ee006ad886979", - "zh:0fa399fcdeef21dd914ff7413b8489e47900cbe7bc65b50eeb0d75b71a2b561d", - "zh:30371fee6d0ae438908b1bf03278f6d0a0cb2992a97814028676a05a55d92f19", - "zh:39218a95fe6430ac2b44470cb991dbb98f57c5306017a80b81d3a319855094f4", - "zh:3b436c471cde4eb9120f609e3aecf12d383e8032aeb9cd12c7476faa7c8b4afb", - "zh:9a2a5cc77332e6cd9f6d101d3aff35520a2361fc02f4d436fe176dbd5351f24b", - "zh:9a89cc61c303100174cda3783b13fa4f6e2648eb436c1259d1c72264998534e8", - "zh:b588cd78d9939523de1fa8202c2757c497a20dcf2bf67cf4daf61836194bfe3a", - "zh:c04e6ac2367f55d9cd0893ebebbecb9da685312077e8a7fff299b8d8009955d5", - "zh:c23286693edf2024272219f6728bb7eded5ee087956fc527a63f10ea9ec9c9e4", - "zh:d7a29a2023f17b24236079789931d53662a2696b13d30140cb75dc0e693a1f94", - "zh:ddc0cad0a8ec9e5afc4f4502aed75089c3e9e0bc6da9d4b796728ef5580b94ef", - "zh:de8833a1a0a726401380e52302892de782dddb7efa51122c33104dde8e119561", - "zh:dee864f90327b149d126d603c5ed58cc196682153ebd1bfa73dd67398f6cbe38", - "zh:f63ef9950ebb06fa1daad784a3d0f342803f65404107186bdadb3198ce4d03b2", - "zh:f6d2414fec3fcaefc80cbe8e49647221dbbcfd2fe1b0f7619bd68d06c93c30f4", - "zh:fb659b5a21ba0ad9ec1c7484f167c51c752abea84dd27e726cc3567e7006e99e", - ] -} - -provider "registry.terraform.io/scott-the-programmer/minikube" { - version = "0.6.0" - constraints = "0.6.0" - hashes = [ - "h1:b2DJdavTUmUbOLsHrw+A9Q/yfn4ZAUjvcGL8vi9wWbk=", - "zh:07384be2c110a8727f8a42abb387c5bb715e984ce5394e947a628ac62d9a6288", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2aa27ced99cf412f48b6f0893542133b2d35107d3863b883025ee5ed316728dd", - "zh:354893a90285a9f8fe59bb14ee91df6eefb9bf83efafedef48b6965d1a454213", - "zh:700d1b78f4bab6591e4e418c989bc4c2e73d3ab403929961a227f133f00fa070", - "zh:9f58563aa5847f2f65ac2f0a6a5e1b38beb9a1ae3bd58a580c3d8eeb411fa11a", - "zh:ac097e1f714aa14c255a62caf8e5022c95765e75a161ca562ccedf52db95dd79", - "zh:c0a75a6886c647a67ae37c9abcb98cd55728435da8142b0711e6f1c6323440a0", - "zh:c7d0bbc8c4aa6cd962214fe1cb24126830f1b836bf49af776a06b06410bdc767", - "zh:ce1a20714dc4a7ef3775e64bd1ab420b92ed59ff782a1fc1e5d9315df32c858e", - "zh:d35cc2226d41a30522331fde97e5dd22bf1fc9cb55773fcfe6e6cdba6687aea3", - ] -} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/README.md b/terraform/test-configurations/0_minikube-keycloak-setup/README.md deleted file mode 100644 index 8645f0f28..000000000 --- a/terraform/test-configurations/0_minikube-keycloak-setup/README.md +++ /dev/null @@ -1,191 +0,0 @@ -# Minikube Keycloak Setup Test Configuration - -This test configuration demonstrates the use of the `cluster-prerequisites` module without the deprecated `helm` module. It provides a complete, standalone Keycloak deployment on Minikube. - -## What This Configuration Includes - -1. **Minikube Cluster Creation**: Sets up a local Kubernetes cluster -2. **Nginx Ingress Controller**: Deployed directly via Helm (not through the helm module) -3. **Cert-Manager**: Installed by the cluster-prerequisites module -4. **Self-Signed ClusterIssuer**: For local TLS certificates -5. **Keycloak**: Deployed using the official Keycloak Operator -6. **PostgreSQL**: Integrated database deployment -7. **Keycloak Realm Configuration**: Test realm with users and groups - -## Key Differences from Old Configuration - -| Old (0_minikube-setup) | New (0_minikube-cluster-prerequisites) | -| ---------------------------------- | ------------------------------------------------- | -| Uses `modules/helm` for everything | Uses `modules/cluster-prerequisites` for Keycloak | -| Bitnami Helm chart for Keycloak | Official Keycloak Operator | -| Cert-manager in helm module | Cert-manager in cluster-prerequisites module | -| nginx-ingress via helm module | nginx-ingress deployed separately | - -## Prerequisites - -1. Minikube installed -2. KVM2 driver (or adjust the `driver` variable in the configuration) -3. Terraform >= 1.12.2 - -## Usage - -### Initialize and Apply - -```bash -cd terraform/test-configurations/0_minikube-cluster-prerequisites -terraform init -terraform apply -``` - -### Access Keycloak - -After successful deployment: - -1. Get the hostname: - - ```bash - terraform output hostname - ``` - -2. Access Keycloak at: - - ``` - https:///keycloak/ - ``` - -3. Login with: - - Username: `admin` - - Password: `admin` (or the value set in `keycloak_admin_password` variable) - -### Test Users - -The configuration creates a test realm with two users: - -- **foo** (password: `foo`) - Member of admin group -- **bar** (password: `bar`) - -### Verify Installation - -Check all components are running: - -```bash -# Cert-manager -kubectl get pods -n cert-manager - -# Keycloak operator -kubectl get pods -n keycloak -l app=keycloak-operator - -# Keycloak instance -kubectl get keycloak -n keycloak - -# PostgreSQL -kubectl get pods -n keycloak -l app=postgres - -# Ingress -kubectl get ingress -n keycloak - -# Certificate -kubectl get certificate -n keycloak -``` - -### Cleanup - -```bash -terraform destroy -``` - -## Configuration Variables - -You can customize the deployment by setting these variables: - -```hcl -# In terraform.tfvars -kubernetes_version = "v1.26.3" -cert_manager_issuer_email = "your-email@example.com" -keycloak_admin_password = "your-secure-password" -``` - -## Troubleshooting - -### Keycloak Not Accessible - -1. Check if the ingress controller is ready: - - ```bash - kubectl get pods -n ingress-nginx - ``` - -2. Verify Keycloak pods are running: - - ```bash - kubectl get pods -n keycloak - ``` - -3. Check certificate status: - - ```bash - kubectl get certificate -n keycloak - kubectl describe certificate -n keycloak - ``` - -### Self-Signed Certificate Warning - -This is expected for local development. The browser will show a certificate warning. You can safely proceed by accepting the self-signed certificate. - -### 401 Unauthorized When Configuring Keycloak Realm - -If you get a 401 error during `terraform apply`, this is likely due to: - -1. **Keycloak URL format**: Keycloak 26 changed the admin console path structure. Check the actual URL: - - ```bash - kubectl get ingress -n keycloak -o yaml - ``` - -2. **Verify Keycloak admin credentials**: Test login manually: - - ```bash - # Get the Keycloak URL - terraform output keycloak_url - - # Test authentication - curl -k -X POST \ - "$(terraform output -raw keycloak_url)/realms/master/protocol/openid-connect/token" \ - -d "client_id=admin-cli" \ - -d "username=admin" \ - -d "password=admin" \ - -d "grant_type=password" - ``` - -3. **Keycloak not fully initialized**: Even after pods are ready, Keycloak's admin console might need more time. Wait 1-2 minutes after the module completes, then run `terraform apply` again. - -### Database Connection Issues - -Check PostgreSQL logs: - -```bash -kubectl logs -n keycloak -l app=postgres -``` - -Check Keycloak operator logs: - -```bash -kubectl logs -n keycloak -l app=keycloak-operator -``` - -## Benefits of This Approach - -1. **No Deprecated Dependencies**: Uses official Keycloak Operator instead of Bitnami chart -2. **Modular**: Keycloak setup is independent of other components -3. **Self-Contained**: All cert-manager setup included in cluster-prerequisites module -4. **Production-Ready**: Same pattern can be used for production deployments -5. **Easier to Update**: Module can be updated independently - -## Next Steps - -This configuration can be extended to: - -1. Install Theia Cloud components -2. Add additional Keycloak realms and clients -3. Configure external PostgreSQL database -4. Use Let's Encrypt for production TLS certificates diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf b/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf deleted file mode 100644 index af83ddf58..000000000 --- a/terraform/test-configurations/0_minikube-keycloak-setup/minikube_keycloak_test.tf +++ /dev/null @@ -1,127 +0,0 @@ -variable "kubernetes_version" { - description = "Kubernetes version to use" - default = "v1.33.6" -} - -variable "cert_manager_issuer_email" { - description = "EMail address used to create certificates." - default = "tester@theia-cloud.io" -} - -variable "keycloak_admin_password" { - description = "Keycloak Admin Password" - sensitive = true - default = "admin" -} - -provider "minikube" { - kubernetes_version = var.kubernetes_version -} - -module "cluster" { - source = "../../modules/cluster_creation/minikube/" - - cluster_name = "minikube" - cpus = 4 - disk_size = "51200mb" - memory = "8192mb" - driver = "kvm2" -} - -provider "kubernetes" { - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate -} - -provider "helm" { - kubernetes = { - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate - } -} - -resource "kubernetes_persistent_volume" "minikube" { - depends_on = [module.cluster] - - metadata { - name = "minikube-volume" - } - spec { - storage_class_name = "manual" - capacity = { - storage = "16Gi" - } - access_modes = ["ReadWriteOnce"] - persistent_volume_source { - host_path { - path = "/data/theia-cloud" - } - } - } -} - -provider "kubectl" { - load_config_file = false - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate -} - -module "host" { - depends_on = [module.cluster] - - source = "matti/urlparse/external" - url = module.cluster.cluster_host -} - -module "keycloak_setup" { - source = "../../modules/cluster-prerequisites" - - hostname = "${module.host.host}.nip.io" - keycloak_admin_password = var.keycloak_admin_password - postgres_password = "admin" - install_cert_manager = true - install_selfsigned_issuer = true - cert_manager_issuer_email = var.cert_manager_issuer_email - ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" - ingress_cert_manager_common_name = "${module.host.host}.nip.io" - postgres_storage_class = "manual" - postgres_volume_permissions = true - cloud_provider = "MINIKUBE" -} - -provider "keycloak" { - client_id = "admin-cli" - username = "admin" - password = var.keycloak_admin_password - url = module.keycloak_setup.keycloak_url - tls_insecure_skip_verify = true - initial_login = false - client_timeout = 60 -} - -module "keycloak" { - source = "../../modules/keycloak" - - depends_on = [ - module.keycloak_setup - ] - - hostname = "${module.host.host}.nip.io" - keycloak_test_user_foo_password = "foo" - keycloak_test_user_bar_password = "bar" - valid_redirect_uri = "*" -} - -resource "keycloak_group_memberships" "admin_group_memberships" { - realm_id = module.keycloak.realm.id - group_id = module.keycloak.admin_group.id - members = [ - module.keycloak.test_users.foo.username - ] -} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf b/terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf deleted file mode 100644 index 199bbafe7..000000000 --- a/terraform/test-configurations/0_minikube-keycloak-setup/outputs.tf +++ /dev/null @@ -1,15 +0,0 @@ -output "cluster_host" { - value = module.cluster.cluster_host -} - -output "keycloak_url" { - value = module.keycloak_setup.keycloak_url -} - -output "keycloak_admin_username" { - value = module.keycloak_setup.admin_username -} - -output "hostname" { - value = "${module.host.host}.nip.io" -} diff --git a/terraform/test-configurations/0_minikube-keycloak-setup/versions.tf b/terraform/test-configurations/0_minikube-keycloak-setup/versions.tf deleted file mode 100644 index da419125a..000000000 --- a/terraform/test-configurations/0_minikube-keycloak-setup/versions.tf +++ /dev/null @@ -1,34 +0,0 @@ -terraform { - required_providers { - minikube = { - source = "scott-the-programmer/minikube" - version = "0.6.0" - } - helm = { - source = "hashicorp/helm" - version = ">= 3.0.2" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.38.0" - } - keycloak = { - source = "mrparkers/keycloak" - version = ">= 4.4.0" - } - kubectl = { - source = "gavinbunney/kubectl" - version = ">= 1.19.0" - } - http = { - source = "hashicorp/http" - version = ">= 3.0.0" - } - time = { - source = "hashicorp/time" - version = ">= 0.9.0" - } - } - - required_version = ">= 1.12.2" -} From feffb934a307e921e69f392302a8f7683b5f81f7 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 29 Apr 2026 16:52:21 +0200 Subject: [PATCH 25/37] update theia-cloud terraform module --- terraform/modules/theia-cloud/main.tf | 27 ++++++++++++++-------- terraform/modules/theia-cloud/variables.tf | 26 +++++++++++++++++---- 2 files changed, 39 insertions(+), 14 deletions(-) diff --git a/terraform/modules/theia-cloud/main.tf b/terraform/modules/theia-cloud/main.tf index 43e8f7d89..74b95c664 100644 --- a/terraform/modules/theia-cloud/main.tf +++ b/terraform/modules/theia-cloud/main.tf @@ -1,4 +1,7 @@ locals { + theia_cloud_helm_repository = "https://eclipse-theia.github.io/theia-cloud-helm" + theia_cloud_namespace = "theia-cloud" + # base_keycloak: use provided URL or build from hostname base_keycloak = var.keycloak_url != "" ? var.keycloak_url : "https://${var.hostname}/keycloak" # normalized_keycloak_url: ensure a single trailing slash as required by the Theia Cloud Helm chart. @@ -8,10 +11,10 @@ locals { resource "helm_release" "theia-cloud-base" { count = var.install_theia_cloud_base ? 1 : 0 name = "theia-cloud-base" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" + repository = local.theia_cloud_helm_repository chart = "theia-cloud-base" - version = "1.1.2" - namespace = "theia-cloud" + version = "1.2.0" + namespace = local.theia_cloud_namespace create_namespace = true set = [ @@ -26,10 +29,10 @@ resource "helm_release" "theia-cloud-crds" { count = var.install_theia_cloud_crds ? 1 : 0 depends_on = [helm_release.theia-cloud-base] name = "theia-cloud-crds" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" + repository = local.theia_cloud_helm_repository chart = "theia-cloud-crds" - version = "1.1.2" - namespace = "theia-cloud" + version = "1.2.0" + namespace = local.theia_cloud_namespace create_namespace = true } @@ -37,10 +40,10 @@ resource "helm_release" "theia-cloud" { count = var.install_theia_cloud ? 1 : 0 depends_on = [helm_release.theia-cloud-crds] name = "theia-cloud" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" + repository = local.theia_cloud_helm_repository chart = "theia-cloud" - version = "1.1.3" - namespace = "theia-cloud" + version = "1.2.0" + namespace = local.theia_cloud_namespace create_namespace = true values = [ @@ -58,7 +61,11 @@ resource "helm_release" "theia-cloud" { }, { name = "operator.cloudProvider" - value = var.cloudProvider + value = var.cloud_provider + }, + { + name = "ingress.controller" + value = var.ingress_controller_type } ] } diff --git a/terraform/modules/theia-cloud/variables.tf b/terraform/modules/theia-cloud/variables.tf index ae4246b81..728c985ff 100644 --- a/terraform/modules/theia-cloud/variables.tf +++ b/terraform/modules/theia-cloud/variables.tf @@ -14,7 +14,18 @@ variable "install_theia_cloud" { } variable "hostname" { - description = "The hostname for all installed services" + description = "The hostname for the deployment" +} + +variable "ingress_controller_type" { + description = "Type of ingress controller to use (nginx or haproxy)" + type = string + default = "nginx" + + validation { + condition = contains(["nginx", "haproxy"], var.ingress_controller_type) + error_message = "Valid values are 'nginx' or 'haproxy'." + } } variable "keycloak_url" { @@ -22,11 +33,18 @@ variable "keycloak_url" { default = "" } -variable "cloudProvider" { - description = "The cloud provider to use" +variable "cloud_provider" { + description = "Cloud provider type" + type = string default = "K8S" + validation { + condition = contains(["MINIKUBE", "K8S"], var.cloud_provider) + error_message = "Valid values are: MINIKUBE, K8S" + } } variable "cert_manager_issuer_email" { - description = "EMail address used to create certificates." + description = "Email address used to create certificates." + type = string + default = "" } From d168a7ee4f574cdadf6156f54da46bb77b88d782 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 30 Apr 2026 10:54:16 +0200 Subject: [PATCH 26/37] minikube test config works after rebase --- .../0_minikube-setup/minikube_test_cluster.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf index 35de07ae9..2bee48f73 100644 --- a/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf +++ b/terraform/test-configurations/0_minikube-setup/minikube_test_cluster.tf @@ -24,10 +24,3 @@ module "cluster" { driver = "kvm2" ingress_controller_type = var.ingress_controller_type } - -provider "kubernetes" { - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate -} From 9d822bf60a41e95f8e05c1135fdf6ba8a75f68f4 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 30 Apr 2026 14:21:27 +0200 Subject: [PATCH 27/37] fix and cleanup minikube getting started --- .../.terraform.lock.hcl | 128 --------------- .../.terraform.lock.hcl | 24 ++- .../1_theiacloud-and-dependencies/main.tf | 51 +++--- .../1_theiacloud-and-dependencies/outputs.tf | 2 +- .../minikube_getting_started.tf | 147 ------------------ 5 files changed, 53 insertions(+), 299 deletions(-) delete mode 100644 terraform/configurations/minikube_getting_started/.terraform.lock.hcl delete mode 100644 terraform/configurations/minikube_getting_started/minikube_getting_started.tf diff --git a/terraform/configurations/minikube_getting_started/.terraform.lock.hcl b/terraform/configurations/minikube_getting_started/.terraform.lock.hcl deleted file mode 100644 index 0d65fc5db..000000000 --- a/terraform/configurations/minikube_getting_started/.terraform.lock.hcl +++ /dev/null @@ -1,128 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = ">= 1.19.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.5" - hashes = [ - "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", - "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", - "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", - "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", - "zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", - "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", - "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", - "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", - "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", - "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", - "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.0.2" - constraints = ">= 3.0.2" - hashes = [ - "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", - "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", - "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690", - "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2", - "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310", - "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1", - "zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e", - "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f", - "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366", - "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e", - "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad", - "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.38.0" - constraints = ">= 2.38.0" - hashes = [ - "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", - "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", - "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", - "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", - "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", - "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", - "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", - "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", - "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", - "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", - "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", - ] -} - -provider "registry.terraform.io/mrparkers/keycloak" { - version = "4.4.0" - constraints = ">= 4.4.0" - hashes = [ - "h1:FH9j76zRv05qxk7I/w0mycmBEuew/+XP+Qx+Ptz/onw=", - "zh:0116d63fb4a4436d67cc793038899e0de23c3a5c78f5bf3cf76ee006ad886979", - "zh:0fa399fcdeef21dd914ff7413b8489e47900cbe7bc65b50eeb0d75b71a2b561d", - "zh:30371fee6d0ae438908b1bf03278f6d0a0cb2992a97814028676a05a55d92f19", - "zh:39218a95fe6430ac2b44470cb991dbb98f57c5306017a80b81d3a319855094f4", - "zh:3b436c471cde4eb9120f609e3aecf12d383e8032aeb9cd12c7476faa7c8b4afb", - "zh:9a2a5cc77332e6cd9f6d101d3aff35520a2361fc02f4d436fe176dbd5351f24b", - "zh:9a89cc61c303100174cda3783b13fa4f6e2648eb436c1259d1c72264998534e8", - "zh:b588cd78d9939523de1fa8202c2757c497a20dcf2bf67cf4daf61836194bfe3a", - "zh:c04e6ac2367f55d9cd0893ebebbecb9da685312077e8a7fff299b8d8009955d5", - "zh:c23286693edf2024272219f6728bb7eded5ee087956fc527a63f10ea9ec9c9e4", - "zh:d7a29a2023f17b24236079789931d53662a2696b13d30140cb75dc0e693a1f94", - "zh:ddc0cad0a8ec9e5afc4f4502aed75089c3e9e0bc6da9d4b796728ef5580b94ef", - "zh:de8833a1a0a726401380e52302892de782dddb7efa51122c33104dde8e119561", - "zh:dee864f90327b149d126d603c5ed58cc196682153ebd1bfa73dd67398f6cbe38", - "zh:f63ef9950ebb06fa1daad784a3d0f342803f65404107186bdadb3198ce4d03b2", - "zh:f6d2414fec3fcaefc80cbe8e49647221dbbcfd2fe1b0f7619bd68d06c93c30f4", - "zh:fb659b5a21ba0ad9ec1c7484f167c51c752abea84dd27e726cc3567e7006e99e", - ] -} - -provider "registry.terraform.io/scott-the-programmer/minikube" { - version = "0.6.0" - constraints = "0.6.0" - hashes = [ - "h1:b2DJdavTUmUbOLsHrw+A9Q/yfn4ZAUjvcGL8vi9wWbk=", - "zh:07384be2c110a8727f8a42abb387c5bb715e984ce5394e947a628ac62d9a6288", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2aa27ced99cf412f48b6f0893542133b2d35107d3863b883025ee5ed316728dd", - "zh:354893a90285a9f8fe59bb14ee91df6eefb9bf83efafedef48b6965d1a454213", - "zh:700d1b78f4bab6591e4e418c989bc4c2e73d3ab403929961a227f133f00fa070", - "zh:9f58563aa5847f2f65ac2f0a6a5e1b38beb9a1ae3bd58a580c3d8eeb411fa11a", - "zh:ac097e1f714aa14c255a62caf8e5022c95765e75a161ca562ccedf52db95dd79", - "zh:c0a75a6886c647a67ae37c9abcb98cd55728435da8142b0711e6f1c6323440a0", - "zh:c7d0bbc8c4aa6cd962214fe1cb24126830f1b836bf49af776a06b06410bdc767", - "zh:ce1a20714dc4a7ef3775e64bd1ab420b92ed59ff782a1fc1e5d9315df32c858e", - "zh:d35cc2226d41a30522331fde97e5dd22bf1fc9cb55773fcfe6e6cdba6687aea3", - ] -} diff --git a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl index 5233c61be..48e91fd19 100644 --- a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl +++ b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl @@ -45,7 +45,7 @@ provider "registry.terraform.io/hashicorp/external" { provider "registry.terraform.io/hashicorp/helm" { version = "3.1.1" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", @@ -63,9 +63,29 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "3.0.1" - constraints = ">= 2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" hashes = [ "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=", "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", diff --git a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf index e51a5fe9f..d207e9d51 100644 --- a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf +++ b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf @@ -97,25 +97,35 @@ locals { hostname = "${local.effective_host}.nip.io" } -module "helm" { - source = "../../../modules/helm" - - depends_on = [module.host, helm_release.haproxy-ingress-controller] - - install_ingress_controller = false - ingress_controller_type = local.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email - cert_manager_cluster_issuer = "theia-cloud-selfsigned-issuer" - cert_manager_common_name = local.hostname - hostname = local.hostname - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - service_type = "ClusterIP" - cloudProvider = "MINIKUBE" +module "cluster_prerequisites" { + source = "../../../modules/cluster-prerequisites" + + depends_on = [kubernetes_persistent_volume_v1.minikube, helm_release.haproxy-ingress-controller] + + hostname = local.hostname + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_controller_type = data.terraform_remote_state.cluster.outputs.ingress_controller_type + ingress_class_name = data.terraform_remote_state.cluster.outputs.ingress_controller_type + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = local.hostname + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" +} + +module "theia-cloud" { + source = "../../../modules/theia-cloud" + + depends_on = [module.host, module.cluster_prerequisites, helm_release.haproxy-ingress-controller] + + ingress_controller_type = local.ingress_controller_type + cert_manager_issuer_email = var.cert_manager_issuer_email + hostname = local.hostname + cloud_provider = "MINIKUBE" } provider "keycloak" { @@ -131,9 +141,8 @@ provider "keycloak" { module "keycloak" { source = "../../../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] - hostname = local.hostname keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "https://${local.hostname}/*" diff --git a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf index ddc6ccd0a..d5128ba1d 100644 --- a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf +++ b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf @@ -5,5 +5,5 @@ output "try_now" { output "keycloak" { description = "Keycloak Admin URL." - value = "https://${local.hostname}/keycloak/" + value = "${module.cluster_prerequisites.keycloak_url}/" } diff --git a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf b/terraform/configurations/minikube_getting_started/minikube_getting_started.tf deleted file mode 100644 index 3b3cef54e..000000000 --- a/terraform/configurations/minikube_getting_started/minikube_getting_started.tf +++ /dev/null @@ -1,147 +0,0 @@ -variable "kubernetes_version" { - description = "Kubernetes version to use" - default = "v1.34.0" -} - -variable "cert_manager_issuer_email" { - description = "EMail address used to create certificates." -} - -variable "keycloak_admin_password" { - description = "Keycloak Admin Password" - sensitive = true - default = "admin" -} - -variable "ingress_controller_type" { - description = "Type of ingress controller to use (nginx or haproxy)" - type = string - default = "nginx" -} - -provider "minikube" { - kubernetes_version = var.kubernetes_version -} - -module "cluster" { - source = "../../modules/cluster_creation/minikube/" - - # adjust values below - cluster_name = "minikube" - cpus = 4 - disk_size = "51200mb" - memory = "8192mb" - driver = "virtualbox" - ingress_controller_type = var.ingress_controller_type -} - -provider "kubernetes" { - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate -} - -provider "kubectl" { - load_config_file = false - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate -} - -resource "kubernetes_persistent_volume_v1" "minikube" { - - depends_on = [module.cluster] - - metadata { - name = "minikube-volume" - } - spec { - storage_class_name = "manual" - capacity = { - storage = "16Gi" - } - access_modes = ["ReadWriteOnce"] - persistent_volume_source { - host_path { - path = "/data/theia-cloud" - } - } - } -} - -provider "helm" { - kubernetes = { - host = module.cluster.cluster_host - client_certificate = module.cluster.cluster_client_certificate - client_key = module.cluster.cluster_client_key - cluster_ca_certificate = module.cluster.cluster_ca_certificate - } -} - -module "host" { - depends_on = [module.cluster] - - source = "matti/urlparse/external" - url = module.cluster.cluster_host -} - -module "helm" { - source = "../../modules/helm" - - depends_on = [module.host] - - install_ingress_controller = var.ingress_controller_type == "haproxy" ? true : false - ingress_controller_type = var.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email - cert_manager_cluster_issuer = "theia-cloud-selfsigned-issuer" - cert_manager_common_name = "${module.host.host}.nip.io" - hostname = "${module.host.host}.nip.io" - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - service_type = "ClusterIP" - cloud_provider = "MINIKUBE" -} - -module "cluster_prerequisites" { - source = "../../modules/cluster-prerequisites" - - depends_on = [kubernetes_persistent_volume.minikube] - - hostname = "${module.host.host}.nip.io" - keycloak_admin_password = var.keycloak_admin_password - postgres_password = "admin" - install_cert_manager = true - install_selfsigned_issuer = true - cert_manager_issuer_email = var.cert_manager_issuer_email - ingress_cert_manager_cluster_issuer = "theia-cloud-selfsigned-issuer" - ingress_cert_manager_common_name = "${module.host.host}.nip.io" - postgres_storage_class = "manual" - postgres_volume_permissions = true - cloud_provider = "MINIKUBE" -} - -provider "keycloak" { - client_id = "admin-cli" - username = "admin" - password = var.keycloak_admin_password - url = module.cluster_prerequisites.keycloak_url - tls_insecure_skip_verify = true # only for minikube self signed - initial_login = false - client_timeout = 60 -} - -module "keycloak" { - source = "../../modules/keycloak" - - depends_on = [module.cluster_prerequisites] - - keycloak_test_user_foo_password = "foo" - keycloak_test_user_bar_password = "bar" - valid_redirect_uri = "https://${module.host.host}.nip.io/*" -} From 0078e8a5570f1e29dd7980d269856cad623b7ce1 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 30 Apr 2026 15:46:49 +0200 Subject: [PATCH 28/37] fix comment in keycloak setup --- terraform/modules/cluster-prerequisites/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf index 50ce06059..22f75f284 100644 --- a/terraform/modules/cluster-prerequisites/main.tf +++ b/terraform/modules/cluster-prerequisites/main.tf @@ -405,7 +405,7 @@ locals { } additionalOptions = [ - # Tell Keycloak to use X-Forwarded-* from nginx + # Use X-Forwarded-* headers from the ingress controller (works for both nginx and haproxy). { name = "proxy-headers" value = "xforwarded" From 92fcb7c2ca5deb46ab2fae1a6b7d5c2cc68daa95 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 27 May 2026 15:14:10 +0200 Subject: [PATCH 29/37] landing-page: bump keycloak-js to 26.2.4 --- node/landing-page/package.json | 2 +- node/package-lock.json | 55 +++++++--------------------------- 2 files changed, 11 insertions(+), 46 deletions(-) diff --git a/node/landing-page/package.json b/node/landing-page/package.json index 25cd09f2b..a7699fa14 100644 --- a/node/landing-page/package.json +++ b/node/landing-page/package.json @@ -12,7 +12,7 @@ }, "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "26.2.2", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0" }, diff --git a/node/package-lock.json b/node/package-lock.json index 99af9a6ea..7085d3aa2 100644 --- a/node/package-lock.json +++ b/node/package-lock.json @@ -60,7 +60,7 @@ "license": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "26.2.2", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0" }, @@ -539,6 +539,15 @@ "node": "^8.16.0 || ^10.6.0 || >=11.0.0" } }, + "landing-page/node_modules/keycloak-js": { + "version": "26.2.4", + "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.4.tgz", + "integrity": "sha512-PnXpR3ubETGOt0B/Qt2lxmPbkZr5bc3vlQsOqDoTPPQsZRp7JjhTKxlJ187uWh8qJhvBab6Gsjb06a8ayOPfuw==", + "license": "Apache-2.0", + "workspaces": [ + "test" + ] + }, "landing-page/node_modules/picomatch": { "version": "4.0.3", "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz", @@ -627,21 +636,6 @@ } } }, - "landing-page/node_modules/yaml": { - "version": "2.8.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", - "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==", - "dev": true, - "license": "ISC", - "optional": true, - "peer": true, - "bin": { - "yaml": "bin.mjs" - }, - "engines": { - "node": ">= 14.6" - } - }, "node_modules/@adobe/css-tools": { "version": "4.4.4", "resolved": "https://registry.npmjs.org/@adobe/css-tools/-/css-tools-4.4.4.tgz", @@ -18843,20 +18837,6 @@ } } }, - "node_modules/tailwindcss/node_modules/yaml": { - "version": "2.8.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", - "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==", - "license": "ISC", - "optional": true, - "peer": true, - "bin": { - "yaml": "bin.mjs" - }, - "engines": { - "node": ">= 14.6" - } - }, "node_modules/tapable": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz", @@ -20885,21 +20865,6 @@ "optional": true } } - }, - "testing-page/node_modules/typescript": { - "version": "4.9.5", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.9.5.tgz", - "integrity": "sha512-1FXk9E2Hm+QzZQ7z+McJiHL4NW1F2EzMu9Nq9i3zAaGqibafqYwCVU6WyWAuyQRRzOlxou8xZSyXLEN8oKj24g==", - "license": "Apache-2.0", - "optional": true, - "peer": true, - "bin": { - "tsc": "bin/tsc", - "tsserver": "bin/tsserver" - }, - "engines": { - "node": ">=4.2.0" - } } } } From a6420765c93d1f69774d13197634f55043149145 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 27 May 2026 15:59:51 +0200 Subject: [PATCH 30/37] terraform: adapt gke getting started to use cluster-prerequisites - Remove usage of helm module - Install cert-manager and theia-cloud-base before cluster-prerequisites because we re-use theia cloud's let's encrypt cluster issuer --- .../gke_getting_started/.terraform.lock.hcl | 43 ++++++++++++++- .../gke_getting_started.tf | 53 +++++++++++++++---- 2 files changed, 85 insertions(+), 11 deletions(-) diff --git a/terraform/configurations/gke_getting_started/.terraform.lock.hcl b/terraform/configurations/gke_getting_started/.terraform.lock.hcl index 3c18a69ac..550f5467e 100644 --- a/terraform/configurations/gke_getting_started/.terraform.lock.hcl +++ b/terraform/configurations/gke_getting_started/.terraform.lock.hcl @@ -46,7 +46,7 @@ provider "registry.terraform.io/hashicorp/google" { provider "registry.terraform.io/hashicorp/helm" { version = "3.0.2" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", @@ -64,6 +64,47 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.6.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:FekY+4cjIw3QBdpk2dVQ20+t8AeDwCK/VaKOnjfeJvw=", + "zh:0996c7db5d7627bc6ab8c4d217f18fb122d60e99e454812b080ee5695cad1003", + "zh:25b7ee0ba9edc912a00365c776d062ae7c66d94050c6c13038447c8e8b95ddf2", + "zh:29c4ba54add6eee7f1d0034d331ba0f14f3046234b1f7520a537e6444e4521b7", + "zh:30a3aa3ef978f8142daf2ced3f9f1ecda8b0831cdc6911e7e930e95eab191b4f", + "zh:30bf0810acdfe96e799ed9b64cb70e96d6f7c033621e0373b9897513977c49c5", + "zh:4ecaaf3dfd20feaa2b92af521018501bc7d874b6a6642ef86ea4cc3c251d737a", + "zh:661760406e3d5372e6725d18ca80734996f21adabc02d82e36ed6d8db07cad7d", + "zh:70dd9556bd2633082efd9681421f89dd4abdde6fcd84834627fa4b8b8f9e7afe", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:973a72066866579ac6fa0e0c9e9eee8e77d238cf78f1b1f96ce6536052fa73ce", + "zh:b2ac9463a9499b478147186027fabee65c04b8f6d963a8df3d49241ce5784fe2", + "zh:c6acc05dc3456c0001b5fb99e1b57005f5a3d3d766f9bddfc21ffe8364fa7535", + "zh:f97f2d57ebcefe62f0644f58e8ba68593f8f05baf7856c99953396aedd14e415", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "3.1.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=", + "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0", + "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20", + "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c", + "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65", + "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0", + "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a", + "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1", + "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98", + "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1", + "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f", + ] +} + provider "registry.terraform.io/mrparkers/keycloak" { version = "4.4.0" constraints = ">= 4.4.0" diff --git a/terraform/configurations/gke_getting_started/gke_getting_started.tf b/terraform/configurations/gke_getting_started/gke_getting_started.tf index 2f2bd7be3..9c305b8eb 100644 --- a/terraform/configurations/gke_getting_started/gke_getting_started.tf +++ b/terraform/configurations/gke_getting_started/gke_getting_started.tf @@ -66,30 +66,63 @@ provider "kubectl" { cluster_ca_certificate = module.cluster.cluster_ca_certificate } +# Manually install cert-manager to have its CRDs available for the theia-cloud-base module, which installs the cluster issuer for let's encrypt. +resource "helm_release" "cert_manager" { + name = "cert-manager" + repository = "https://charts.jetstack.io" + chart = "cert-manager" + version = "v1.17.4" + namespace = "cert-manager" + create_namespace = true + + set = [ + { + name = "installCRDs" + value = "true" + } + ] +} + +# Install theia-cloud-base first because we re-use the "letsencrypt-prod" ClusterIssuer created by that module for the Keycloak ingress installed in the cluster prerequisites module. +module "theia-cloud-base" { + source = "../../modules/theia-cloud" + + depends_on = [helm_release.cert_manager] + + install_theia_cloud_crds = false + install_theia_cloud = false + hostname = "${google_compute_address.host_ip.address}.sslip.io" + cert_manager_issuer_email = var.cert_manager_issuer_email +} + module "cluster_prerequisites" { source = "../../modules/cluster-prerequisites" + depends_on = [module.theia-cloud-base] hostname = "${google_compute_address.host_ip.address}.sslip.io" keycloak_admin_password = var.keycloak_admin_password postgres_password = var.postgres_password - install_cert_manager = true + install_cert_manager = false install_ingress_controller = true install_selfsigned_issuer = false cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_controller_type = var.ingress_controller_type + ingress_class_name = var.ingress_controller_type ingress_cert_manager_cluster_issuer = "letsencrypt-prod" load_balancer_ip = google_compute_address.host_ip.address } -module "helm" { - source = "../../modules/helm" +module "theia-cloud" { + source = "../../modules/theia-cloud" + + depends_on = [module.cluster_prerequisites] - depends_on = [module.cluster_prerequisites] - ingress_controller_type = var.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email - cert_manager_cluster_issuer = "letsencrypt-prod" - cert_manager_common_name = "${google_compute_address.host_ip.address}.sslip.io" - hostname = "${google_compute_address.host_ip.address}.sslip.io" - loadBalancerIP = google_compute_address.host_ip.address + install_theia_cloud_base = false + hostname = "${google_compute_address.host_ip.address}.sslip.io" + ingress_controller_type = var.ingress_controller_type + cert_manager_issuer_email = var.cert_manager_issuer_email + cloud_provider = "K8S" + keycloak_url = module.cluster_prerequisites.keycloak_url } provider "keycloak" { From f75ef6395670844511e43a6ad23db604c1f80709 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Wed, 27 May 2026 16:05:48 +0200 Subject: [PATCH 31/37] terraform: add version variable to theia-cloud module --- terraform/modules/theia-cloud/README.md | 3 ++- terraform/modules/theia-cloud/main.tf | 6 +++--- terraform/modules/theia-cloud/variables.tf | 6 ++++++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/terraform/modules/theia-cloud/README.md b/terraform/modules/theia-cloud/README.md index 316b6dde2..00590e43e 100644 --- a/terraform/modules/theia-cloud/README.md +++ b/terraform/modules/theia-cloud/README.md @@ -36,10 +36,11 @@ module "theia_cloud" { ## Variables +- `theia_cloud_version` (optional, default: `"1.2.0"`) - The helm chart version to use for all installed charts - `install_theia_cloud_base` (optional, default: `true`) - Whether to install theia-cloud-base chart - `install_theia_cloud_crds` (optional, default: `true`) - Whether to install theia-cloud-crds chart - `install_theia_cloud` (optional, default: `true`) - Whether to install theia-cloud chart - `hostname` (required) - The hostname for Theia Cloud services - `keycloak_url` (optional) - The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/. - `cert_manager_issuer_email` (required) - Email address used for certificate management -- `cloudProvider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE") +- `cloud_provider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE") diff --git a/terraform/modules/theia-cloud/main.tf b/terraform/modules/theia-cloud/main.tf index 74b95c664..64da7ecc7 100644 --- a/terraform/modules/theia-cloud/main.tf +++ b/terraform/modules/theia-cloud/main.tf @@ -13,7 +13,7 @@ resource "helm_release" "theia-cloud-base" { name = "theia-cloud-base" repository = local.theia_cloud_helm_repository chart = "theia-cloud-base" - version = "1.2.0" + version = var.theia_cloud_version namespace = local.theia_cloud_namespace create_namespace = true @@ -31,7 +31,7 @@ resource "helm_release" "theia-cloud-crds" { name = "theia-cloud-crds" repository = local.theia_cloud_helm_repository chart = "theia-cloud-crds" - version = "1.2.0" + version = var.theia_cloud_version namespace = local.theia_cloud_namespace create_namespace = true } @@ -42,7 +42,7 @@ resource "helm_release" "theia-cloud" { name = "theia-cloud" repository = local.theia_cloud_helm_repository chart = "theia-cloud" - version = "1.2.0" + version = var.theia_cloud_version namespace = local.theia_cloud_namespace create_namespace = true diff --git a/terraform/modules/theia-cloud/variables.tf b/terraform/modules/theia-cloud/variables.tf index 728c985ff..b4c6727f8 100644 --- a/terraform/modules/theia-cloud/variables.tf +++ b/terraform/modules/theia-cloud/variables.tf @@ -1,3 +1,9 @@ +variable "theia_cloud_version" { + description = "The version of theia cloud to install. Used for all installed charts." + type = string + default = "1.2.0" +} + variable "install_theia_cloud_base" { description = "Whether to install theia cloud base" default = true From 2b034d3adb25922669b99d0d8bcec7d96f115c4c Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 28 May 2026 13:03:28 +0200 Subject: [PATCH 32/37] terraform: adapt e2e setup to use cluster-prerequisites module --- .../ci-configurations/.terraform.lock.hcl | 25 ++++++++++- terraform/ci-configurations/e2e_tests.tf | 41 ++++++++----------- 2 files changed, 41 insertions(+), 25 deletions(-) diff --git a/terraform/ci-configurations/.terraform.lock.hcl b/terraform/ci-configurations/.terraform.lock.hcl index f77128e1d..0fe5e74d2 100644 --- a/terraform/ci-configurations/.terraform.lock.hcl +++ b/terraform/ci-configurations/.terraform.lock.hcl @@ -26,7 +26,7 @@ provider "registry.terraform.io/gavinbunney/kubectl" { provider "registry.terraform.io/hashicorp/helm" { version = "3.0.2" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", @@ -44,9 +44,30 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.6.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:FekY+4cjIw3QBdpk2dVQ20+t8AeDwCK/VaKOnjfeJvw=", + "zh:0996c7db5d7627bc6ab8c4d217f18fb122d60e99e454812b080ee5695cad1003", + "zh:25b7ee0ba9edc912a00365c776d062ae7c66d94050c6c13038447c8e8b95ddf2", + "zh:29c4ba54add6eee7f1d0034d331ba0f14f3046234b1f7520a537e6444e4521b7", + "zh:30a3aa3ef978f8142daf2ced3f9f1ecda8b0831cdc6911e7e930e95eab191b4f", + "zh:30bf0810acdfe96e799ed9b64cb70e96d6f7c033621e0373b9897513977c49c5", + "zh:4ecaaf3dfd20feaa2b92af521018501bc7d874b6a6642ef86ea4cc3c251d737a", + "zh:661760406e3d5372e6725d18ca80734996f21adabc02d82e36ed6d8db07cad7d", + "zh:70dd9556bd2633082efd9681421f89dd4abdde6fcd84834627fa4b8b8f9e7afe", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:973a72066866579ac6fa0e0c9e9eee8e77d238cf78f1b1f96ce6536052fa73ce", + "zh:b2ac9463a9499b478147186027fabee65c04b8f6d963a8df3d49241ce5784fe2", + "zh:c6acc05dc3456c0001b5fb99e1b57005f5a3d3d766f9bddfc21ffe8364fa7535", + "zh:f97f2d57ebcefe62f0644f58e8ba68593f8f05baf7856c99953396aedd14e415", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.38.0" - constraints = ">= 2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" hashes = [ "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", diff --git a/terraform/ci-configurations/e2e_tests.tf b/terraform/ci-configurations/e2e_tests.tf index 207900679..932874061 100644 --- a/terraform/ci-configurations/e2e_tests.tf +++ b/terraform/ci-configurations/e2e_tests.tf @@ -58,30 +58,25 @@ resource "kubernetes_persistent_volume_v1" "minikube" { } } -module "helm" { - source = "../modules/helm" +module "cluster_prerequisites" { + source = "../modules/cluster-prerequisites" depends_on = [kubernetes_persistent_volume_v1.minikube] - install_ingress_controller = false - ingress_controller_type = var.ingress_controller_type - install_theia_cloud_base = false - install_theia_cloud_crds = false - install_theia_cloud = false - install_selfsigned_issuer = true - cert_manager_issuer_email = "jdoe@theia-cloud.io" - cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" - cert_manager_common_name = "${var.ingress_ip}.nip.io" - hostname = "${var.ingress_ip}.nip.io" - service_type = "ClusterIP" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - keycloak_admin_password = "admin" - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - loadBalancerIP = "" - cloud_provider = "MINIKUBE" + hostname = "${var.ingress_ip}.nip.io" + keycloak_admin_password = "admin" + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + install_ingress_controller = false + cert_manager_issuer_email = "jdoe@theia-cloud.io" + ingress_controller_type = var.ingress_controller_type + ingress_class_name = var.ingress_controller_type + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = "${var.ingress_ip}.nip.io" + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" } provider "keycloak" { @@ -105,7 +100,7 @@ module "keycloak" { } resource "helm_release" "theia-cloud-crds" { - depends_on = [module.keycloak] + depends_on = [module.cluster_prerequisites] name = "theia-cloud-crds" chart = "../../../theia-cloud-helm/charts/theia-cloud-crds" @@ -121,7 +116,7 @@ resource "helm_release" "theia-cloud-crds" { } resource "helm_release" "theia-cloud-base" { - depends_on = [module.keycloak] + depends_on = [module.cluster_prerequisites] name = "theia-cloud-base" chart = "../../../theia-cloud-helm/charts/theia-cloud-base" From 7934cb17fe2499692c0bd7339effa65eb2b22d2a Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 28 May 2026 13:04:21 +0200 Subject: [PATCH 33/37] terraform: add theia cloud version variable to cluster-prerequisites --- terraform/modules/cluster-prerequisites/variables.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/modules/cluster-prerequisites/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf index abe3d557f..b234b6bb4 100644 --- a/terraform/modules/cluster-prerequisites/variables.tf +++ b/terraform/modules/cluster-prerequisites/variables.tf @@ -208,25 +208,25 @@ variable "cert_manager_issuer_email" { } variable "install_ingress_controller" { - description = "Whether to install the nginx ingress controller" + description = "Whether to install the ingress controller" type = bool default = false } variable "ingress_controller_version" { - description = "Version of nginx ingress controller to install" + description = "Version of ingress controller to install" type = string default = "4.13.0" } variable "ingress_controller_namespace" { - description = "Namespace for nginx ingress controller installation" + description = "Namespace for ingress controller installation" type = string default = "ingress-nginx" } variable "load_balancer_ip" { - description = "External IP for the nginx ingress controller service" + description = "External IP for the ingress controller service" type = string default = "" } From 914c8014d823c334519066d1be7006527b1e9ed8 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 28 May 2026 13:12:35 +0200 Subject: [PATCH 34/37] terraform: remove helm module and adapt READMEs --- README.md | 2 +- terraform/modules/helm/.terraform.lock.hcl | 45 ---- terraform/modules/helm/LICENSE | 277 --------------------- terraform/modules/helm/README.md | 45 ---- terraform/modules/helm/main.tf | 71 ------ terraform/modules/helm/theia-cloud.yaml | 52 ---- terraform/modules/helm/variables.tf | 39 --- terraform/modules/helm/versions.tf | 14 -- terraform/terraform.md | 2 +- 9 files changed, 2 insertions(+), 545 deletions(-) delete mode 100644 terraform/modules/helm/.terraform.lock.hcl delete mode 100644 terraform/modules/helm/LICENSE delete mode 100644 terraform/modules/helm/README.md delete mode 100644 terraform/modules/helm/main.tf delete mode 100644 terraform/modules/helm/theia-cloud.yaml delete mode 100644 terraform/modules/helm/variables.tf delete mode 100644 terraform/modules/helm/versions.tf diff --git a/README.md b/README.md index e34682c1f..b6e45c4e4 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ To make a release provide a commit that: - removes the next parts from `version` fields across the repo. - updates the package-lock files. - updates the `node/monitor` .vsix file in `demo/dockerfiles/demo-theia-monitor-vscode`. -- updates the helm chart versions in `terraform/modules/helm` to the new version. +- updates the helm chart version in `terraform/modules/theia-cloud/variables.tf` to the new version. When this commit is merged it should not result in pushed artifacts. Create a `releases/` branch. This will be used in the future if any backports are necessary. Also it makes versions easier to find. diff --git a/terraform/modules/helm/.terraform.lock.hcl b/terraform/modules/helm/.terraform.lock.hcl deleted file mode 100644 index 395bee93c..000000000 --- a/terraform/modules/helm/.terraform.lock.hcl +++ /dev/null @@ -1,45 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = ">= 1.19.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.0.2" - constraints = ">= 3.0.2" - hashes = [ - "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", - "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", - "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690", - "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2", - "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310", - "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1", - "zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e", - "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f", - "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366", - "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e", - "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad", - "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/modules/helm/LICENSE b/terraform/modules/helm/LICENSE deleted file mode 100644 index e48e09634..000000000 --- a/terraform/modules/helm/LICENSE +++ /dev/null @@ -1,277 +0,0 @@ -Eclipse Public License - v 2.0 - - THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE - PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION - OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. - -1. DEFINITIONS - -"Contribution" means: - - a) in the case of the initial Contributor, the initial content - Distributed under this Agreement, and - - b) in the case of each subsequent Contributor: - i) changes to the Program, and - ii) additions to the Program; - where such changes and/or additions to the Program originate from - and are Distributed by that particular Contributor. A Contribution - "originates" from a Contributor if it was added to the Program by - such Contributor itself or anyone acting on such Contributor's behalf. - Contributions do not include changes or additions to the Program that - are not Modified Works. - -"Contributor" means any person or entity that Distributes the Program. - -"Licensed Patents" mean patent claims licensable by a Contributor which -are necessarily infringed by the use or sale of its Contribution alone -or when combined with the Program. - -"Program" means the Contributions Distributed in accordance with this -Agreement. - -"Recipient" means anyone who receives the Program under this Agreement -or any Secondary License (as applicable), including Contributors. - -"Derivative Works" shall mean any work, whether in Source Code or other -form, that is based on (or derived from) the Program and for which the -editorial revisions, annotations, elaborations, or other modifications -represent, as a whole, an original work of authorship. - -"Modified Works" shall mean any work in Source Code or other form that -results from an addition to, deletion from, or modification of the -contents of the Program, including, for purposes of clarity any new file -in Source Code form that contains any contents of the Program. Modified -Works shall not include works that contain only declarations, -interfaces, types, classes, structures, or files of the Program solely -in each case in order to link to, bind by name, or subclass the Program -or Modified Works thereof. - -"Distribute" means the acts of a) distributing or b) making available -in any manner that enables the transfer of a copy. - -"Source Code" means the form of a Program preferred for making -modifications, including but not limited to software source code, -documentation source, and configuration files. - -"Secondary License" means either the GNU General Public License, -Version 2.0, or any later versions of that license, including any -exceptions or additional permissions as identified by the initial -Contributor. - -2. GRANT OF RIGHTS - - a) Subject to the terms of this Agreement, each Contributor hereby - grants Recipient a non-exclusive, worldwide, royalty-free copyright - license to reproduce, prepare Derivative Works of, publicly display, - publicly perform, Distribute and sublicense the Contribution of such - Contributor, if any, and such Derivative Works. - - b) Subject to the terms of this Agreement, each Contributor hereby - grants Recipient a non-exclusive, worldwide, royalty-free patent - license under Licensed Patents to make, use, sell, offer to sell, - import and otherwise transfer the Contribution of such Contributor, - if any, in Source Code or other form. This patent license shall - apply to the combination of the Contribution and the Program if, at - the time the Contribution is added by the Contributor, such addition - of the Contribution causes such combination to be covered by the - Licensed Patents. The patent license shall not apply to any other - combinations which include the Contribution. No hardware per se is - licensed hereunder. - - c) Recipient understands that although each Contributor grants the - licenses to its Contributions set forth herein, no assurances are - provided by any Contributor that the Program does not infringe the - patent or other intellectual property rights of any other entity. - Each Contributor disclaims any liability to Recipient for claims - brought by any other entity based on infringement of intellectual - property rights or otherwise. As a condition to exercising the - rights and licenses granted hereunder, each Recipient hereby - assumes sole responsibility to secure any other intellectual - property rights needed, if any. For example, if a third party - patent license is required to allow Recipient to Distribute the - Program, it is Recipient's responsibility to acquire that license - before distributing the Program. - - d) Each Contributor represents that to its knowledge it has - sufficient copyright rights in its Contribution, if any, to grant - the copyright license set forth in this Agreement. - - e) Notwithstanding the terms of any Secondary License, no - Contributor makes additional grants to any Recipient (other than - those set forth in this Agreement) as a result of such Recipient's - receipt of the Program under the terms of a Secondary License - (if permitted under the terms of Section 3). - -3. REQUIREMENTS - -3.1 If a Contributor Distributes the Program in any form, then: - - a) the Program must also be made available as Source Code, in - accordance with section 3.2, and the Contributor must accompany - the Program with a statement that the Source Code for the Program - is available under this Agreement, and informs Recipients how to - obtain it in a reasonable manner on or through a medium customarily - used for software exchange; and - - b) the Contributor may Distribute the Program under a license - different than this Agreement, provided that such license: - i) effectively disclaims on behalf of all other Contributors all - warranties and conditions, express and implied, including - warranties or conditions of title and non-infringement, and - implied warranties or conditions of merchantability and fitness - for a particular purpose; - - ii) effectively excludes on behalf of all other Contributors all - liability for damages, including direct, indirect, special, - incidental and consequential damages, such as lost profits; - - iii) does not attempt to limit or alter the recipients' rights - in the Source Code under section 3.2; and - - iv) requires any subsequent distribution of the Program by any - party to be under a license that satisfies the requirements - of this section 3. - -3.2 When the Program is Distributed as Source Code: - - a) it must be made available under this Agreement, or if the - Program (i) is combined with other material in a separate file or - files made available under a Secondary License, and (ii) the initial - Contributor attached to the Source Code the notice described in - Exhibit A of this Agreement, then the Program may be made available - under the terms of such Secondary Licenses, and - - b) a copy of this Agreement must be included with each copy of - the Program. - -3.3 Contributors may not remove or alter any copyright, patent, -trademark, attribution notices, disclaimers of warranty, or limitations -of liability ("notices") contained within the Program from any copy of -the Program which they Distribute, provided that Contributors may add -their own appropriate notices. - -4. COMMERCIAL DISTRIBUTION - -Commercial distributors of software may accept certain responsibilities -with respect to end users, business partners and the like. While this -license is intended to facilitate the commercial use of the Program, -the Contributor who includes the Program in a commercial product -offering should do so in a manner which does not create potential -liability for other Contributors. Therefore, if a Contributor includes -the Program in a commercial product offering, such Contributor -("Commercial Contributor") hereby agrees to defend and indemnify every -other Contributor ("Indemnified Contributor") against any losses, -damages and costs (collectively "Losses") arising from claims, lawsuits -and other legal actions brought by a third party against the Indemnified -Contributor to the extent caused by the acts or omissions of such -Commercial Contributor in connection with its distribution of the Program -in a commercial product offering. The obligations in this section do not -apply to any claims or Losses relating to any actual or alleged -intellectual property infringement. In order to qualify, an Indemnified -Contributor must: a) promptly notify the Commercial Contributor in -writing of such claim, and b) allow the Commercial Contributor to control, -and cooperate with the Commercial Contributor in, the defense and any -related settlement negotiations. The Indemnified Contributor may -participate in any such claim at its own expense. - -For example, a Contributor might include the Program in a commercial -product offering, Product X. That Contributor is then a Commercial -Contributor. If that Commercial Contributor then makes performance -claims, or offers warranties related to Product X, those performance -claims and warranties are such Commercial Contributor's responsibility -alone. Under this section, the Commercial Contributor would have to -defend claims against the other Contributors related to those performance -claims and warranties, and if a court requires any other Contributor to -pay any damages as a result, the Commercial Contributor must pay -those damages. - -5. NO WARRANTY - -EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT -PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" -BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR -IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF -TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR -PURPOSE. Each Recipient is solely responsible for determining the -appropriateness of using and distributing the Program and assumes all -risks associated with its exercise of rights under this Agreement, -including but not limited to the risks and costs of program errors, -compliance with applicable laws, damage to or loss of data, programs -or equipment, and unavailability or interruption of operations. - -6. DISCLAIMER OF LIABILITY - -EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT -PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS -SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST -PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE -EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - -7. GENERAL - -If any provision of this Agreement is invalid or unenforceable under -applicable law, it shall not affect the validity or enforceability of -the remainder of the terms of this Agreement, and without further -action by the parties hereto, such provision shall be reformed to the -minimum extent necessary to make such provision valid and enforceable. - -If Recipient institutes patent litigation against any entity -(including a cross-claim or counterclaim in a lawsuit) alleging that the -Program itself (excluding combinations of the Program with other software -or hardware) infringes such Recipient's patent(s), then such Recipient's -rights granted under Section 2(b) shall terminate as of the date such -litigation is filed. - -All Recipient's rights under this Agreement shall terminate if it -fails to comply with any of the material terms or conditions of this -Agreement and does not cure such failure in a reasonable period of -time after becoming aware of such noncompliance. If all Recipient's -rights under this Agreement terminate, Recipient agrees to cease use -and distribution of the Program as soon as reasonably practicable. -However, Recipient's obligations under this Agreement and any licenses -granted by Recipient relating to the Program shall continue and survive. - -Everyone is permitted to copy and distribute copies of this Agreement, -but in order to avoid inconsistency the Agreement is copyrighted and -may only be modified in the following manner. The Agreement Steward -reserves the right to publish new versions (including revisions) of -this Agreement from time to time. No one other than the Agreement -Steward has the right to modify this Agreement. The Eclipse Foundation -is the initial Agreement Steward. The Eclipse Foundation may assign the -responsibility to serve as the Agreement Steward to a suitable separate -entity. Each new version of the Agreement will be given a distinguishing -version number. The Program (including Contributions) may always be -Distributed subject to the version of the Agreement under which it was -received. In addition, after a new version of the Agreement is published, -Contributor may elect to Distribute the Program (including its -Contributions) under the new version. - -Except as expressly stated in Sections 2(a) and 2(b) above, Recipient -receives no rights or licenses to the intellectual property of any -Contributor under this Agreement, whether expressly, by implication, -estoppel or otherwise. All rights in the Program not expressly granted -under this Agreement are reserved. Nothing in this Agreement is intended -to be enforceable by any entity that is not a Contributor or Recipient. -No third-party beneficiary rights are created under this Agreement. - -Exhibit A - Form of Secondary Licenses Notice - -"This Source Code may also be made available under the following -Secondary Licenses when the conditions for such availability set forth -in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), -version(s), and exceptions or additional permissions here}." - - Simply including a copy of this Agreement, including this Exhibit A - is not sufficient to license the Source Code under Secondary Licenses. - - If it is not possible or desirable to put the notice in a particular - file, then You may include the notice in a location (such as a LICENSE - file in a relevant directory) where a recipient would be likely to - look for such a notice. - - You may add additional accurate notices of copyright ownership. diff --git a/terraform/modules/helm/README.md b/terraform/modules/helm/README.md deleted file mode 100644 index 22cc9792b..000000000 --- a/terraform/modules/helm/README.md +++ /dev/null @@ -1,45 +0,0 @@ -# Theia Cloud Installation Module - -This module installs Theia Cloud components in a Kubernetes cluster via Helm. - -## Prerequisites - -Before using this module, ensure the following are already installed in your cluster: - -- **Cert Manager** (v1.17.4 or compatible) - Required for certificate management -- **Nginx Ingress Controller** (v4.13.0 or compatible) - Required for ingress routing -- **Keycloak** (v26.4.5 or compatible) - Required for authentication - -## What This Module Installs - -This module will install: - -1. **theia-cloud-base** - Cluster-wide resources including cert issuers -2. **theia-cloud-crds** - Custom resource definitions for Theia Cloud -3. **theia-cloud** - The Theia Cloud operators, service, and landing page - -## Usage - -We expect users to be familiar with Helm and that `kubectl` points to the cluster where Theia Cloud will be installed. - -### Basic Example - -```terraform -module "helm" { - source = "./modules/helm" - - hostname = "theia.example.com" - cert_manager_issuer_email = "admin@example.com" - cloud_provider = "K8S" -} -``` - -## Variables - -- `install_theia_cloud_base` (optional, default: `true`) - Whether to install theia-cloud-base chart -- `install_theia_cloud_crds` (optional, default: `true`) - Whether to install theia-cloud-crds chart -- `install_theia_cloud` (optional, default: `true`) - Whether to install theia-cloud chart -- `hostname` (required) - The hostname for Theia Cloud services -- `keycloak_url` (optional) - The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/. -- `cert_manager_issuer_email` (required) - Email address used for certificate management -- `cloud_provider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE") diff --git a/terraform/modules/helm/main.tf b/terraform/modules/helm/main.tf deleted file mode 100644 index 74b95c664..000000000 --- a/terraform/modules/helm/main.tf +++ /dev/null @@ -1,71 +0,0 @@ -locals { - theia_cloud_helm_repository = "https://eclipse-theia.github.io/theia-cloud-helm" - theia_cloud_namespace = "theia-cloud" - - # base_keycloak: use provided URL or build from hostname - base_keycloak = var.keycloak_url != "" ? var.keycloak_url : "https://${var.hostname}/keycloak" - # normalized_keycloak_url: ensure a single trailing slash as required by the Theia Cloud Helm chart. - normalized_keycloak_url = endswith(local.base_keycloak, "/") ? local.base_keycloak : "${local.base_keycloak}/" -} - -resource "helm_release" "theia-cloud-base" { - count = var.install_theia_cloud_base ? 1 : 0 - name = "theia-cloud-base" - repository = local.theia_cloud_helm_repository - chart = "theia-cloud-base" - version = "1.2.0" - namespace = local.theia_cloud_namespace - create_namespace = true - - set = [ - { - name = "issuer.email" - value = var.cert_manager_issuer_email - } - ] -} - -resource "helm_release" "theia-cloud-crds" { - count = var.install_theia_cloud_crds ? 1 : 0 - depends_on = [helm_release.theia-cloud-base] - name = "theia-cloud-crds" - repository = local.theia_cloud_helm_repository - chart = "theia-cloud-crds" - version = "1.2.0" - namespace = local.theia_cloud_namespace - create_namespace = true -} - -resource "helm_release" "theia-cloud" { - count = var.install_theia_cloud ? 1 : 0 - depends_on = [helm_release.theia-cloud-crds] - name = "theia-cloud" - repository = local.theia_cloud_helm_repository - chart = "theia-cloud" - version = "1.2.0" - namespace = local.theia_cloud_namespace - create_namespace = true - - values = [ - "${file("${path.module}/theia-cloud.yaml")}" - ] - - set = [ - { - name = "hosts.configuration.baseHost" - value = var.hostname - }, - { - name = "keycloak.authUrl" - value = local.normalized_keycloak_url - }, - { - name = "operator.cloudProvider" - value = var.cloud_provider - }, - { - name = "ingress.controller" - value = var.ingress_controller_type - } - ] -} diff --git a/terraform/modules/helm/theia-cloud.yaml b/terraform/modules/helm/theia-cloud.yaml deleted file mode 100644 index fe2550e2f..000000000 --- a/terraform/modules/helm/theia-cloud.yaml +++ /dev/null @@ -1,52 +0,0 @@ -imagePullPolicy: Always - -# Service configuration -service: - authToken: asdfghjkl - -# Legacy app configuration (deprecated - use service.authToken instead) -app: - id: asdfghjkl - name: Theia Cloud - -demoApplication: - pullSecret: "" - timeoutStrategy: "FIXEDTIME" - timeoutLimit: "30" - imagePullPolicy: IfNotPresent - # This overrides the default value and does not write the default values to the app definition - monitor: null - -hosts: - usePaths: true - configuration: - service: servicex - landing: trynow - instance: instances - -landingPage: - appDefinition: "theia-cloud-demo" - ephemeralStorage: false - -keycloak: - enable: true - realm: "TheiaCloud" - clientId: "theia-cloud" - clientSecret: "publicbutoauth2proxywantsasecret" - cookieSecret: "OQINaROshtE9TcZkNAm5Zs2Pv3xaWytBmc5W7sPX7ws=" - -operator: - eagerStart: false - bandwidthLimiter: "WONDERSHAPER" - sessionsPerUser: "1" - storageClassName: "" - -ingress: - clusterIssuer: letsencrypt-prod - theiaCloudCommonName: false - addTLSSecretName: false - instances: - name: "theia-cloud-demo-ws-ingress" - -monitor: - enable: false diff --git a/terraform/modules/helm/variables.tf b/terraform/modules/helm/variables.tf deleted file mode 100644 index 40c2eee60..000000000 --- a/terraform/modules/helm/variables.tf +++ /dev/null @@ -1,39 +0,0 @@ -variable "install_theia_cloud_base" { - description = "Whether to install theia cloud base" - default = true -} - -variable "install_theia_cloud_crds" { - description = "Whether to install theia cloud crds" - default = true -} - -variable "install_theia_cloud" { - description = "Whether to install theia cloud" - default = true -} - -variable "hostname" { - description = "The hostname for the deployment" -} - -variable "keycloak_url" { - description = "The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/." - default = "" -} - -variable "cloud_provider" { - description = "Cloud provider type" - type = string - default = "K8S" - validation { - condition = contains(["MINIKUBE", "K8S"], var.cloud_provider) - error_message = "Valid values are: MINIKUBE, K8S" - } -} - -variable "cert_manager_issuer_email" { - description = "Email address used to create certificates." - type = string - default = "" -} diff --git a/terraform/modules/helm/versions.tf b/terraform/modules/helm/versions.tf deleted file mode 100644 index 66c3a9854..000000000 --- a/terraform/modules/helm/versions.tf +++ /dev/null @@ -1,14 +0,0 @@ -terraform { - required_providers { - helm = { - source = "hashicorp/helm" - version = ">= 3.0.2" - } - kubectl = { - source = "gavinbunney/kubectl" - version = ">= 1.19.0" - } - } - - required_version = ">= 1.12.2" -} diff --git a/terraform/terraform.md b/terraform/terraform.md index e862deac6..a7bc81fa1 100644 --- a/terraform/terraform.md +++ b/terraform/terraform.md @@ -16,7 +16,7 @@ If you are unfamiliar with Terraform, you may want to have a look at their tutor The `modules` directory contains our reusable terraform modules for creating clusters, installing dependencies via helm, and configuring keycloak. The modules will be used by the actual terraform configurations available in the `configurations` directory. -If you can't use Terraform, the `./modules/helm/main.tf` contains the information which helm charts are installed from which helm repository and you may extract the passed values. For an initial Keycloak realm configuration, you may check the values in `./modules/keycloak/main.tf`. +If you can't use Terraform, `./modules/cluster-prerequisites/main.tf` and `./modules/theia-cloud/main.tf` contain the information which helm charts are installed from which helm repository and you may extract the passed values. For an initial Keycloak realm configuration, you may check the values in `./modules/keycloak/main.tf`. ## Theia Cloud Getting Started From 993692c3f398be357ff425c11c7447e45f156b50 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 28 May 2026 14:39:05 +0200 Subject: [PATCH 35/37] terraform: configure first and last names for keycloak test users This avoids being asked to enter a first and last name on first login. --- terraform/modules/keycloak/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/modules/keycloak/main.tf b/terraform/modules/keycloak/main.tf index 8de4fcc54..a35725233 100644 --- a/terraform/modules/keycloak/main.tf +++ b/terraform/modules/keycloak/main.tf @@ -69,6 +69,8 @@ resource "keycloak_user" "test-user-foo" { enabled = true email = "foo@theia-cloud.io" email_verified = true + first_name = "Foo" + last_name = "User" initial_password { value = var.keycloak_test_user_foo_password temporary = false @@ -81,6 +83,8 @@ resource "keycloak_user" "test-user-bar" { enabled = true email = "bar@theia-cloud.io" email_verified = true + first_name = "Bar" + last_name = "User" initial_password { value = var.keycloak_test_user_bar_password temporary = false From 26e11aa834670ad108e3b652d3e56f0d7672b2fe Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Thu, 28 May 2026 17:28:38 +0200 Subject: [PATCH 36/37] fix: align testing page keycloak-js version to 26.2.4 --- node/package-lock.json | 17 ++++------------- node/testing-page/package.json | 2 +- 2 files changed, 5 insertions(+), 14 deletions(-) diff --git a/node/package-lock.json b/node/package-lock.json index 7085d3aa2..f30fbe590 100644 --- a/node/package-lock.json +++ b/node/package-lock.json @@ -539,15 +539,6 @@ "node": "^8.16.0 || ^10.6.0 || >=11.0.0" } }, - "landing-page/node_modules/keycloak-js": { - "version": "26.2.4", - "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.4.tgz", - "integrity": "sha512-PnXpR3ubETGOt0B/Qt2lxmPbkZr5bc3vlQsOqDoTPPQsZRp7JjhTKxlJ187uWh8qJhvBab6Gsjb06a8ayOPfuw==", - "license": "Apache-2.0", - "workspaces": [ - "test" - ] - }, "landing-page/node_modules/picomatch": { "version": "4.0.3", "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz", @@ -13743,9 +13734,9 @@ } }, "node_modules/keycloak-js": { - "version": "26.2.2", - "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.2.tgz", - "integrity": "sha512-ug7pNZ1xNkd7PPkerOJCEU2VnUhS7CYStDOCFJgqCNQ64h53ppxaKrh4iXH0xM8hFu5b1W6e6lsyYWqBMvaQFg==", + "version": "26.2.4", + "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.4.tgz", + "integrity": "sha512-PnXpR3ubETGOt0B/Qt2lxmPbkZr5bc3vlQsOqDoTPPQsZRp7JjhTKxlJ187uWh8qJhvBab6Gsjb06a8ayOPfuw==", "license": "Apache-2.0", "workspaces": [ "test" @@ -20755,7 +20746,7 @@ "license": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "26.2.2", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1", diff --git a/node/testing-page/package.json b/node/testing-page/package.json index 0f7154763..bbce3f8b2 100644 --- a/node/testing-page/package.json +++ b/node/testing-page/package.json @@ -5,7 +5,7 @@ "private": true, "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "26.2.2", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1", From 4177b9b523053ce73f468135ef7a16fc9a5a55a9 Mon Sep 17 00:00:00 2001 From: Lucas Koehler Date: Fri, 29 May 2026 10:26:40 +0200 Subject: [PATCH 37/37] update cluster-prerequisites readme --- .../modules/cluster-prerequisites/README.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/terraform/modules/cluster-prerequisites/README.md b/terraform/modules/cluster-prerequisites/README.md index ae0b709d5..42ae18f2d 100644 --- a/terraform/modules/cluster-prerequisites/README.md +++ b/terraform/modules/cluster-prerequisites/README.md @@ -30,7 +30,7 @@ Note: cert-manager can be installed automatically by this module (default) or yo ### Minikube Example (with cert-manager installation) ```hcl -module "keycloak" { +module "cluster-prerequisites" { source = "../../modules/cluster-prerequisites" hostname = "192.168.49.2.nip.io" @@ -52,7 +52,7 @@ module "keycloak" { ### GKE Example (with Let's Encrypt) ```hcl -module "keycloak" { +module "cluster-prerequisites" { source = "../../modules/cluster-prerequisites" hostname = "keycloak.example.com" @@ -79,7 +79,7 @@ module "keycloak" { ### Using Existing cert-manager Installation ```hcl -module "keycloak" { +module "cluster-prerequisites" { source = "../../modules/cluster-prerequisites" hostname = "keycloak.example.com" @@ -97,7 +97,7 @@ module "keycloak" { ### Using External PostgreSQL Database ```hcl -module "keycloak" { +module "cluster-prerequisites" { source = "../../modules/cluster-prerequisites" hostname = "keycloak.example.com" @@ -177,14 +177,14 @@ module "keycloak" { ## Outputs -| Name | Description | -| ----------------------- | -------------------------------------------- | -| `namespace` | Keycloak namespace | +| Name | Description | +| ----------------------- | ---------------------------------------------------- | +| `namespace` | Keycloak namespace | | `keycloak_url` | Full URL to access Keycloak (without trailing slash) | -| `admin_username` | Keycloak admin username | -| `postgres_service_name` | PostgreSQL service name (if deployed) | -| `keycloak_service_name` | Keycloak service name | -| `tls_secret_name` | TLS certificate secret name (if TLS enabled) | +| `admin_username` | Keycloak admin username | +| `postgres_service_name` | PostgreSQL service name (if deployed) | +| `keycloak_service_name` | Keycloak service name | +| `tls_secret_name` | TLS certificate secret name (if TLS enabled) | ## Migration from Bitnami Helm Chart