Merge "Switch from legacy to new style keycloak container"

2024-01-26 22:07:44 +00:00 · 2024-01-26 22:07:44 +00:00 · d4c209e7a4
commit d4c209e7a4
parent 5c02d66231 fb47277a56
2 changed files with 37 additions and 9 deletions
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@ -4,17 +4,18 @@ version: '2'

 services:
  keycloak:
-    image: quay.io/keycloak/keycloak:legacy
+    image: quay.io/keycloak/keycloak:19.0
    network_mode: host
    restart: always
    environment:
-      - KEYCLOAK_USER=admin
-      - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
-      - DB_VENDOR=h2
-      - PROXY_ADDRESS_FORWARDING=true
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
    command:
-      -Djboss.bind.address.private=127.0.0.1
-      -Djboss.bind.address=127.0.0.1
+      - 'start'
+      - '--hostname-strict=false'
+      - '--http-enabled=true'
+      - '--http-host=127.0.0.1'
+      - '--proxy=edge'
    volumes:
      - /var/keycloak/data:/opt/jboss/keycloak/standalone/data
      - /var/log/keycloak:/opt/jboss/keycloak/standalone/log
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
@ -14,6 +14,9 @@
 # under the License.


+import json
+
+
 testinfra_hosts = ['keycloak01.opendev.org']


@ -26,7 +29,31 @@ def test_keycloak_openid_config(host):
    # the proxy headers and is not hard-coded configuration.
    cmd = host.run('curl --insecure '
                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
-                   'https://keycloak.opendev.org/auth/realms/master'
+                   'https://keycloak.opendev.org/realms/master'
                   '/.well-known/openid-configuration')
-    assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
+    assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
            in cmd.stdout)
+
+def test_keycloak_admin_api(host):
+    # This tests the admin account and password can be used to
+    # acquire an OIDC bearer token and then use it to check the
+    # user count.
+    cmd = host.run('curl --insecure '
+                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
+                   '-X POST '
+                   '-H "Content-Type: application/x-www-form-urlencoded" '
+                   '-d "username=admin" '
+                   '-d "password=testpassword" '
+                   '-d "grant_type=password" '
+                   '-d "client_id=admin-cli" '
+                   'https://keycloak.opendev.org'
+                   '/realms/master/protocol/openid-connect/token')
+    token = json.loads(cmd.stdout)
+    assert token["token_type"] == "Bearer"
+    cmd = host.run('curl --insecure '
+                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
+                   '-H "Authorization: Bearer %s" '
+                   '-H "Content-Type: application/json" '
+                   'https://keycloak.opendev.org'
+                   '/admin/realms/master/users/count' % token["access_token"])
+    assert cmd.stdout == "1"