Switch from legacy to new style keycloak container

When moving from DockerHub to Quay in 2022, we had to specify the
legacy container tag because something also changed with the images
themselves at that time in such a way that they no longer worked
with our configs. The legacy images ceased being updated past v19,
so specify the 19.0 tag in order to match the major version we're
running in production, and work through the necessary container
config changes before resuming upgrades to a more current version.

Change-Id: I5bf587fe3d8327c17d71908104c0896f8baf0973

playbooks/roles/keycloak/templates/docker-compose.yaml.j2

@@ -4,17 +4,18 @@ version: '2'
 
 services:
   keycloak:
-    image: quay.io/keycloak/keycloak:legacy
+    image: quay.io/keycloak/keycloak:19.0
     network_mode: host
     restart: always
     environment:
-      - KEYCLOAK_USER=admin
+      KEYCLOAK_ADMIN: admin
-      - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
+      KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
-      - DB_VENDOR=h2
-      - PROXY_ADDRESS_FORWARDING=true
     command:
-      -Djboss.bind.address.private=127.0.0.1
+      - 'start'
-      -Djboss.bind.address=127.0.0.1
+      - '--hostname-strict=false'
+      - '--http-enabled=true'
+      - '--http-host=127.0.0.1'
+      - '--proxy=edge'
     volumes:
       - /var/keycloak/data:/opt/jboss/keycloak/standalone/data
       - /var/log/keycloak:/opt/jboss/keycloak/standalone/log

testinfra/test_keycloak.py

@@ -14,6 +14,9 @@
 # under the License.
 
 
+import json
+
+
 testinfra_hosts = ['keycloak01.opendev.org']
 
 
@@ -26,7 +29,31 @@ def test_keycloak_openid_config(host):
     # the proxy headers and is not hard-coded configuration.
     cmd = host.run('curl --insecure '
                    '--resolve keycloak.opendev.org:443:127.0.0.1 '
-                   'https://keycloak.opendev.org/auth/realms/master'
+                   'https://keycloak.opendev.org/realms/master'
                    '/.well-known/openid-configuration')
-    assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
+    assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
             in cmd.stdout)
+
+def test_keycloak_admin_api(host):
+    # This tests the admin account and password can be used to
+    # acquire an OIDC bearer token and then use it to check the
+    # user count.
+    cmd = host.run('curl --insecure '
+                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
+                   '-X POST '
+                   '-H "Content-Type: application/x-www-form-urlencoded" '
+                   '-d "username=admin" '
+                   '-d "password=testpassword" '
+                   '-d "grant_type=password" '
+                   '-d "client_id=admin-cli" '
+                   'https://keycloak.opendev.org'
+                   '/realms/master/protocol/openid-connect/token')
+    token = json.loads(cmd.stdout)
+    assert token["token_type"] == "Bearer"
+    cmd = host.run('curl --insecure '
+                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
+                   '-H "Authorization: Bearer %s" '
+                   '-H "Content-Type: application/json" '
+                   'https://keycloak.opendev.org'
+                   '/admin/realms/master/users/count' % token["access_token"])
+    assert cmd.stdout == "1"