From fb47277a56df671bbab389ce10a89d976308d232 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Fri, 12 Jan 2024 15:30:12 +0000
Subject: [PATCH] Switch from legacy to new style keycloak container
When moving from DockerHub to Quay in 2022, we had to specify the legacy container tag because something also changed with the images themselves at that time in such a way that they no longer worked with our configs. The legacy images ceased being updated past v19, so specify the 19.0 tag in order to match the major version we're running in production, and work through the necessary container config changes before resuming upgrades to a more current version.
Change-Id: I5bf587fe3d8327c17d71908104c0896f8baf0973
---
.../keycloak/templates/docker-compose.yaml.j2 | 15 ++++-----
testinfra/test_keycloak.py | 31 +++++++++++++++++--
2 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2 b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
index 303c5d9468..d4ea7c5610 100644
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@@ -4,17 +4,18 @@
 version: '2'
 services:
 keycloak:
- image: quay.io/keycloak/keycloak:legacy
+ image: quay.io/keycloak/keycloak:19.0
 network_mode: host
 restart: always
 environment:
- - KEYCLOAK_USER=admin
- - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
- - DB_VENDOR=h2
- - PROXY_ADDRESS_FORWARDING=true
+ KEYCLOAK_ADMIN: admin
+ KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
 command:
- -Djboss.bind.address.private=127.0.0.1
- -Djboss.bind.address=127.0.0.1
+ - 'start'
+ - '--hostname-strict=false'
+ - '--http-enabled=true'
+ - '--http-host=127.0.0.1'
+ - '--proxy=edge'
 volumes:
 - /var/keycloak/data:/opt/jboss/keycloak/standalone/data
 - /var/log/keycloak:/opt/jboss/keycloak/standalone/log
diff --git a/testinfra/test_keycloak.py b/testinfra/test_keycloak.py
index 96ce0c885c..8e272cd542 100644
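Review bot: The two volume mounts kept as context at the end of the hunk still target the WildFly-era paths `/opt/jboss/keycloak/standalone/data` and `/opt/jboss/keycloak/standalone/log`, but the Quarkus-based image selected by the new `19.0` tag keeps its state under `/opt/keycloak/data`, so as far as I can tell the H2 database that `start` creates now lives in the container's writable layer and is lost whenever the container is recreated, taking realm and client configuration and any users created since bootstrap with it. Change the data mount to `- /var/keycloak/data:/opt/keycloak/data` and either drop the log mount or point a `--log=console,file` / `--log-file` option at it, since the new distribution logs to stdout by default. Separately, `--hostname-strict=false` together with `--proxy=edge` makes Keycloak derive its issuer and redirect URLs from the `X-Forwarded-*`/`Host` headers it receives; that is acceptable only because `--http-host=127.0.0.1` under `network_mode: host` keeps the listener reachable from the local proxy alone, so the proxy must overwrite those headers rather than pass client-supplied values through. A comment in the template recording that dependency, e.g. `# hostname/scheme come from proxy headers: the front proxy must set X-Forwarded-Host/Proto itself and this port must stay loopback-only`, would keep a later change from exposing the port or relaxing the proxy.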
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
@@ -14,6 +14,9 @@
 # under the License.
+import json
+
+
 testinfra_hosts = ['keycloak01.opendev.org']
@@ -26,7 +29,31 @@ def test_keycloak_openid_config(host):
 # the proxy headers and is not hard-coded configuration.
 cmd = host.run('curl --insecure '
 '--resolve keycloak.opendev.org:443:127.0.0.1 '
- 'https://keycloak.opendev.org/auth/realms/master'
+ 'https://keycloak.opendev.org/realms/master'
 '/.well-known/openid-configuration')
- assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
+ assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
 in cmd.stdout)
+
+def test_keycloak_admin_api(host):
+ # This tests the admin account and password can be used to
+ # acquire an OIDC bearer token and then use it to check the
+ # user count.
+ cmd = host.run('curl --insecure '
+ '--resolve keycloak.opendev.org:443:127.0.0.1 '
+ '-X POST '
+ '-H "Content-Type: application/x-www-form-urlencoded" '
+ '-d "username=admin" '
+ '-d "password=testpassword" '
+ '-d "grant_type=password" '
+ '-d "client_id=admin-cli" '
+ 'https://keycloak.opendev.org'
+ '/realms/master/protocol/openid-connect/token')
+ token = json.loads(cmd.stdout)
+ assert token["token_type"] == "Bearer"
+ cmd = host.run('curl --insecure '
+ '--resolve keycloak.opendev.org:443:127.0.0.1 '
+ '-H "Authorization: Bearer %s" '
+ '-H "Content-Type: application/json" '
+ 'https://keycloak.opendev.org'
+ '/admin/realms/master/users/count' % token["access_token"])
+ assert cmd.stdout == "1"
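Review bot: In `test_keycloak_admin_api` the token response is parsed without first checking that the request succeeded, so a rejected login or an unreachable service fails with a JSONDecodeError or a KeyError on `token["token_type"]` instead of a readable assertion, and the Keycloak error body (`{"error":"invalid_grant", ...}`) that explains the failure is discarded. Add `assert cmd.rc == 0, cmd.stderr` before `token = json.loads(cmd.stdout)` and `assert "access_token" in token, token` before the bearer token is used, and give the second `host.run` the same rc check. Comparing the count against `cmd.stdout.strip()` rather than `cmd.stdout` avoids a spurious failure if curl's output ever ends in a newline. The access token is interpolated straight into a shell command line; that is harmless for a JWT, which is limited to base64url characters and dots, but a one-line comment saying so (`# safe to interpolate: JWTs contain only base64url characters`) would stop a later reader from copying the pattern for values that are not shell-safe.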