Switch from legacy to new style keycloak container

When moving from DockerHub to Quay in 2022, we had to specify the legacy container tag because something also changed with the images themselves at that time in such a way that they no longer worked with our configs. The legacy images ceased being updated past v19, so specify the 19.0 tag in order to match the major version we're running in production, and work through the necessary container config changes before resuming upgrades to a more current version. Change-Id: I5bf587fe3d8327c17d71908104c0896f8baf0973
2024-01-12 15:30:12 +00:00 · 2024-01-12 15:30:12 +00:00 · fb47277a56
commit fb47277a56
parent 331ca64055
2 changed files with 37 additions and 9 deletions
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@ -4,17 +4,18 @@ version: '2'

 services:
  keycloak:
-    image: quay.io/keycloak/keycloak:legacy
+    image: quay.io/keycloak/keycloak:19.0
    network_mode: host
    restart: always
    environment:
-      - KEYCLOAK_USER=admin
-      - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
-      - DB_VENDOR=h2
-      - PROXY_ADDRESS_FORWARDING=true
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
    command:
-      -Djboss.bind.address.private=127.0.0.1
-      -Djboss.bind.address=127.0.0.1
+      - 'start'
+      - '--hostname-strict=false'
+      - '--http-enabled=true'
+      - '--http-host=127.0.0.1'
+      - '--proxy=edge'
    volumes:
      - /var/keycloak/data:/opt/jboss/keycloak/standalone/data
      - /var/log/keycloak:/opt/jboss/keycloak/standalone/log
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
@ -14,6 +14,9 @@
 # under the License.


+import json
+
+
 testinfra_hosts = ['keycloak01.opendev.org']


@ -26,7 +29,31 @@ def test_keycloak_openid_config(host):
    # the proxy headers and is not hard-coded configuration.
    cmd = host.run('curl --insecure '
                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
-                   'https://keycloak.opendev.org/auth/realms/master'
+                   'https://keycloak.opendev.org/realms/master'
                   '/.well-known/openid-configuration')
-    assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
+    assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
            in cmd.stdout)
+
+def test_keycloak_admin_api(host):
+    # This tests the admin account and password can be used to
+    # acquire an OIDC bearer token and then use it to check the
+    # user count.
+    cmd = host.run('curl --insecure '
+                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
+                   '-X POST '
+                   '-H "Content-Type: application/x-www-form-urlencoded" '
+                   '-d "username=admin" '
+                   '-d "password=testpassword" '
+                   '-d "grant_type=password" '
+                   '-d "client_id=admin-cli" '
+                   'https://keycloak.opendev.org'
+                   '/realms/master/protocol/openid-connect/token')
+    token = json.loads(cmd.stdout)
+    assert token["token_type"] == "Bearer"
+    cmd = host.run('curl --insecure '
+                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
+                   '-H "Authorization: Bearer %s" '
+                   '-H "Content-Type: application/json" '
+                   'https://keycloak.opendev.org'
+                   '/admin/realms/master/users/count' % token["access_token"])
+    assert cmd.stdout == "1"