CH-159 Keycloak upgrade configuration changes

.gitignore

@@ -1,4 +1,6 @@
 *.jar
+# Allow the KC kafka plugin
+!applications/accounts/plugins/*.jar
 .idea
 node_modules
 .openapi-generator

applications/accounts/Dockerfile

@@ -1,12 +1,18 @@
-FROM quay.io/keycloak/keycloak:16.1.0
+FROM quay.io/keycloak/keycloak:26.2.1
 
-# add kubectl
+EXPOSE 9000
+EXPOSE 8080
 USER root
-COPY --chmod=0755 scripts/create_api_user.sh /opt/jboss/startup-scripts/create_api_user.sh
-USER jboss
+COPY --chmod=0755 scripts/create_api_user.sh /opt/keycloak/startup-scripts/create_api_user.sh
+COPY --chmod=0755 scripts/kc-entrypoint.sh /opt/keycloak/bin/kc-entrypoint.sh
+
+USER keycloak
 
 # Customize keycloak look
-COPY themes/custom /opt/jboss/keycloak/themes/custom
+COPY themes/custom /opt/keycloak/themes/custom
+
+# # keycloak kafka listener plugin
+COPY plugins/metacell-admin-event-listener-module-1.0.0.jar /opt/keycloak/providers/
 
-# keycloak kafka listener plugin
-COPY plugins/metacell-admin-event-listener-bundle-1.0.0.ear /opt/jboss/keycloak/standalone/deployments/
+ENTRYPOINT [ "/opt/keycloak/bin/kc-entrypoint.sh" ]
+CMD [ "start-dev", "--import-realm", "--health-enabled=true" ]

applications/accounts/admin-event-listener/jar-module/pom.xml

@@ -49,4 +49,28 @@
             <version>2.5.0</version>
         </dependency>
     </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.4.1</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <createDependencyReducedPom>false</createDependencyReducedPom>
+                            <transformers>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                            </transformers>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
 </project>

applications/accounts/deploy/values.yaml

@@ -16,23 +16,21 @@ harness:
     auto: true
     port: 8080
   env:
-    - name: KEYCLOAK_IMPORT
-      value: "/tmp/realm.json"
-    - name: KEYCLOAK_USER
+    - name: KC_BOOTSTRAP_ADMIN_USERNAME
       value: "admin"
-    - name: KEYCLOAK_PASSWORD
+    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
       value: "metacell"
-    - name: PROXY_ADDRESS_FORWARDING
-      value: "true"
-    - name: DB_VENDOR
-      value: "POSTGRES"
-    - name: DB_ADDR
+    - name: KC_PROXY_HEADERS
+      value: xforwarded
+    - name: KC_DB
+      value: "postgres"
+    - name: KC_DB_URL_HOST
       value: "keycloak-postgres"
-    - name: DB_DATABASE
+    - name: KC_DB_URL_DATABASE
       value: "auth_db"
-    - name: DB_USER
+    - name: KC_DB_USERNAME
       value: "user"
-    - name: DB_PASSWORD
+    - name: KC_DB_PASSWORD
       value: "password"
     - name: JAVA_OPTS
       value: -server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
@@ -42,7 +40,7 @@ harness:
     type: postgres
     size: 2Gi
     postgres:
-      image: postgres:10.4
+      image: postgres:17
       initialdb: auth_db
     user: user
     pass: password
@@ -51,9 +49,16 @@ harness:
   resources:
     - name: realm-config
       src: realm.json
-      dst: /tmp/realm.json
+      dst: /opt/keycloak/data/import/realm.json
+  startupProbe:
+    path: /health/started
+    port: 9000
   readinessProbe:
-    path: /auth/realms/master
+    path: /health/ready
+    port: 9000
+  livenessProbe:
+    path: /health/live
+    port: 9000
 
 # Keycloak realm configuration
 client:

applications/accounts/scripts/create_api_user.sh

@@ -8,4 +8,6 @@ set -e
 echo Creating API user
 
 # create the user and reload keycloak
-/opt/jboss/keycloak/bin/add-user-keycloak.sh -u ${USERNAME} -p ${PASSWORD}
+/opt/keycloak/bin/kcadm.sh create users -s "username=$USERNAME" -s enabled=True
+/opt/keycloak/bin/kcadm.sh set-password --username "$USERNAME" --new-password "$PASSWORD"
+/opt/keycloak/bin/kcadm.sh add-roles --uusername "$USERNAME" --rolename admin

applications/accounts/scripts/kc-entrypoint.sh

@@ -0,0 +1,19 @@
+#! /bin/bash
+
+/opt/keycloak/bin/kc.sh $@ &
+
+until /opt/keycloak/bin/kcadm.sh config credentials \
+    --server http://localhost:8080 \
+    --realm master \
+    --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
+    --password "$KC_BOOTSTRAP_ADMIN_PASSWORD";
+do
+    sleep 1s
+done
+
+for script in /opt/keycloak/startup-scripts/*.sh;
+do
+    bash "$script";
+done
+
+wait

applications/jupyterhub/deploy/resources/hub/jupyterhub_config.py

@@ -546,13 +546,16 @@ def camelCaseify(s):
     c.OAuthenticator.client_secret = client_secret
     c.OAuthenticator.allow_all = True
 
+
     c.GenericOAuthenticator.login_service = "CH"
     c.GenericOAuthenticator.username_key = "email"
-    c.GenericOAuthenticator.authorize_url = f"{accounts_url}/auth/realms/{realm}/protocol/openid-connect/auth"
-    c.GenericOAuthenticator.token_url = f"{accounts_url}/auth/realms/{realm}/protocol/openid-connect/token"
-    c.GenericOAuthenticator.userdata_url = f"{accounts_url}/auth/realms/{realm}/protocol/openid-connect/userinfo"
+    c.GenericOAuthenticator.username_claim = "email"
+    c.GenericOAuthenticator.scope = ["openid"]
+    c.GenericOAuthenticator.authorize_url = f"{accounts_url}/realms/{realm}/protocol/openid-connect/auth"
+    c.GenericOAuthenticator.token_url = f"{accounts_url}/realms/{realm}/protocol/openid-connect/token"
+    c.GenericOAuthenticator.userdata_url = f"{accounts_url}/realms/{realm}/protocol/openid-connect/userinfo"
     c.GenericOAuthenticator.userdata_params = {'state': 'state'}
-
+    c.GenericOAuthenticator.admin_groups = {"administrator"}
 
 set_config_if_not_none(c.OAuthenticator, 'scope', 'auth.scopes')
 

applications/jupyterhub/src/harness_jupyter/harness_jupyter/jupyterhub.py

@@ -18,9 +18,14 @@
 def custom_options_form(spawner, abc):
     # let's skip the profile selection form for now
     # ToDo: for future we can remove this hook
-    spawner._ch_profile_list = spawner.profile_list
-    spawner.profile_list = []
     # ref: https://github.com/jupyterhub/kubespawner/blob/37a80abb0a6c826e5c118a068fa1cf2725738038/kubespawner/spawner.py#L1885-L1935
+    try:
+        print("Cloudharness: start saving profile list in _ch_profile_list")
+        spawner._ch_profile_list = spawner.profile_list
+        spawner.profile_list = []
+        print("Cloudharness: saving profile list in _ch_profile_list")
+    except Exception as e:
+        print(f"Cloudharness: finish daving profile exception: {e}")
     return spawner._options_form_default()
 
 
@@ -32,9 +37,8 @@ def harness_hub():
     """Wraps the method to change spawner configuration"""
     KubeSpawner.get_pod_manifest_base = KubeSpawner.get_pod_manifest
     KubeSpawner.get_pod_manifest = spawner_pod_manifest
-    # let's skip the profile selection form for now
-    # TODO: for future we can remove this hook
-    KubeSpawner.options_form = custom_options_form
+    # to skip the profile selection form enable the line below
+    # KubeSpawner.options_form = custom_options_form
     KubeSpawner.get_pvc_manifest_base = KubeSpawner.get_pvc_manifest
     KubeSpawner.get_pvc_manifest = spawner_pvc_manifest
 

deployment-configuration/compose/templates/auto-compose.yaml

@@ -86,7 +86,7 @@ services:
     {{- end }}
     {{- if eq $app_name "accounts" }}
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://127.0.0.1:8080/auth/realms/{{ $.Values.namespace }}/account"]
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:8080/realms/{{ $.Values.namespace }}/account"]
       interval: 1s
       timeout: 3s
       retries: 30

deployment-configuration/compose/templates/auto-gatekeepers.yaml

@@ -6,7 +6,7 @@
   networks:
   - ch
   restart: always
-  image: quay.io/gogatekeeper/gatekeeper:1.3.8
+  image: quay.io/gogatekeeper/gatekeeper:2.14.3
   expose:
     - '8080'
     - '8443'
@@ -47,7 +47,7 @@ cloudharness-metadata:
 
 data: |-
     verbose: {{ .root.Values.debug }}
-    discovery-url: {{ ternary "https" "http" $tls}}://{{ .root.Values.apps.accounts.harness.subdomain }}.{{ .root.Values.domain }}/auth/realms/{{ .root.Values.namespace }}
+    discovery-url: {{ ternary "https" "http" $tls}}://{{ .root.Values.apps.accounts.harness.subdomain }}.{{ .root.Values.domain }}/realms/{{ .root.Values.namespace }}
     client-id: {{ .root.Values.apps.accounts.webclient.id | quote }}
     client-secret: {{ .root.Values.apps.accounts.webclient.secret }}
     secure-cookie: {{ $tls }}

deployment-configuration/helm/templates/auto-deployments.yaml

@@ -75,7 +75,7 @@ spec:
         livenessProbe:
           httpGet:
             path: {{ .app.harness.livenessProbe.path }}
-            port: {{ .app.harness.deployment.port | default 8080 }}
+            port: {{ coalesce .app.harness.livenessProbe.port .app.harness.deployment.port 8080 }}
           periodSeconds: {{ .app.harness.livenessProbe.periodSeconds | default 10 }}
           failureThreshold: {{ .app.harness.livenessProbe.failureThreshold | default 3 }}
           initialDelaySeconds: {{ .app.harness.livenessProbe.initialDelaySeconds | default 0 }}
@@ -84,7 +84,7 @@ spec:
         readinessProbe:
           httpGet:
             path: {{ .app.harness.readinessProbe.path }}
-            port: {{ .app.harness.deployment.port | default 8080 }}
+            port: {{ coalesce .app.harness.readinessProbe.port .app.harness.deployment.port 8080 }}
           periodSeconds: {{ .app.harness.readinessProbe.periodSeconds | default 10 }}
           failureThreshold: {{ .app.harness.readinessProbe.failureThreshold | default 3 }}
           initialDelaySeconds: {{ .app.harness.readinessProbe.initialDelaySeconds | default 0 }}
@@ -93,7 +93,7 @@ spec:
         startupProbe:
           httpGet:
             path: {{ .app.harness.startupProbe.path }}
-            port: {{ .app.harness.deployment.port | default 8080 }}
+            port: {{ coalesce .app.harness.startupProbe.port .app.harness.deployment.port 8080 }}
           periodSeconds: {{ .app.harness.startupProbe.periodSeconds | default 10 }}
           failureThreshold: {{ .app.harness.startupProbe.failureThreshold | default 30 }}
           initialDelaySeconds: {{ .app.harness.startupProbe.initialDelaySeconds | default 0 }}

deployment-configuration/helm/templates/auto-gatekeepers.yaml

@@ -20,7 +20,7 @@ metadata:
 data:
   proxy.yml: |-
     verbose: {{ .root.Values.debug }}
-    discovery-url: {{ ternary "https" "http" $tls}}://{{ .root.Values.apps.accounts.harness.subdomain }}.{{ .root.Values.domain }}/auth/realms/{{ .root.Values.namespace }}
+    discovery-url: {{ ternary "https" "http" $tls}}://{{ .root.Values.apps.accounts.harness.subdomain }}.{{ .root.Values.domain }}/realms/{{ .root.Values.namespace }}
     client-id: {{ .root.Values.apps.accounts.webclient.id | quote }}
     client-secret: {{ .root.Values.apps.accounts.webclient.secret }}
     secure-cookie: {{ $tls }}

deployment/docker-compose.yaml

@@ -40,7 +40,7 @@ services:
           cpus: 0.010
           memory: 512M
     healthcheck:
-      test: [CMD, curl, -f, http://127.0.0.1:8080/auth/realms/ch/account]
+      test: [CMD, curl, -f, http://127.0.0.1:8080/realms/ch/account]
       interval: 1s
       timeout: 3s
       retries: 30

docs/model/ApplicationProbe.md

@@ -10,6 +10,7 @@ Name | Type | Description | Notes
 **period_seconds** | **float** |  | [optional] 
 **failure_threshold** | **float** |  | [optional] 
 **initial_delay_seconds** | **float** |  | [optional] 
+**port** | **float** |  | [optional] 
 
 ## Example
 

libraries/cloudharness-common/cloudharness/auth/keycloak.py

@@ -66,8 +66,8 @@ def get_server_url():
 
     if not os.environ.get('KUBERNETES_SERVICE_HOST', None):
         # running outside kubernetes
-        return accounts_app.get_public_address() + '/auth/'
-    return accounts_app.get_service_address() + '/auth/'
+        return accounts_app.get_public_address()
+    return accounts_app.get_service_address()
 
 
 def get_auth_realm():

libraries/cloudharness-common/setup.py

@@ -19,7 +19,7 @@
     'cryptography',
     'requests>=2.21.0',
     'sentry-sdk[flask]>=0.14.4',
-    'python-keycloak >= 3.7.0',
+    'python-keycloak >= 4.7.0',
     'cloudharness_model',
     'argo-workflows==5.0.0',
     'cachetools >= 5.3.2',

libraries/cloudharness-common/tests/test_applications.py

@@ -63,7 +63,7 @@ def test_application_conf():
     assert uut.is_auto_deployment()
     assert uut.is_sentry_enabled()
 
-    d2 = {'admin': {'pass': 'metacell', 'role': 'administrator', 'user': 'admin'}, 'client': {'id': 'rest-client', 'secret': '5678eb6e-9e2c-4ee5-bd54-34e7411339e8'}, 'enabled': True, 'harness': {'aliases': [], 'database': {'auto': True, 'mongo': {'image': 'mongo:5', 'ports': [{'name': 'http', 'port': 27017}]}, 'name': 'keycloak-postgres', 'neo4j': {'dbms_security_auth_enabled': 'false', 'image': 'neo4j:4.1.9', 'memory': {'heap': {'initial': '64M', 'max': '128M'}, 'pagecache': {'size': '64M'}, 'size': '256M'}, 'ports': [{'name': 'http', 'port': 7474}, {'name': 'bolt', 'port': 7687}]}, 'pass': 'password', 'postgres': {'image': 'postgres:10.4', 'initialdb': 'auth_db', 'ports': [{'name': 'http', 'port': 5432}]}, 'resources': {'limits': {'cpu': '1000m', 'memory': '2Gi'}, 'requests': {'cpu': '100m', 'memory': '512Mi'}}, 'size': '2Gi', 'type': 'postgres', 'user': 'user'}, 'dependencies': {'build': [], 'hard': [], 'soft': []}, 'deployment': {'auto': True, 'image': 'osb/accounts:3e02a15477b4696ed554e08cedf4109c67908cbe6b03331072b5b73e83b4fc2b', 'name': 'accounts', 'port': 8080, 'replicas': 1, 'resources': {'limits': {'cpu': '500m', 'memory': '1024Mi'}, 'requests': {'cpu': '10m', 'memory': '512Mi'}}}, 'domain': None, 'env': [{'name': 'KEYCLOAK_IMPORT', 'value': '/tmp/realm.json'}, {'name': 'KEYCLOAK_USER', 'value': 'admin'}, {'name': 'KEYCLOAK_PASSWORD', 'value': 'metacell'}, {'name': 'PROXY_ADDRESS_FORWARDING', 'value': 'true'}, {'name': 'DB_VENDOR', 'value': 'POSTGRES'}, {'name': 'DB_ADDR', 'value': 'keycloak-postgres'}, {'name': 'DB_DATABASE', 'value': 'auth_db'}, {'name': 'DB_USER', 'value': 'user'}, {'name': 'DB_PASSWORD', 'value': 'password'}, {'name': 'JAVA_OPTS', 'value': '-server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'}], 'name': 'accounts', 'readinessProbe': {'path': '/auth/realms/master'}, 'resources': [{'dst': '/tmp/realm.json', 'name': 'realm-config', 'src': 'realm.json'}], 'secrets': '', 'secured': False, 'service': {'auto': True, 'name': 'accounts', 'port': 8080}, 'subdomain': 'accounts', 'uri_role_mapping': [{'roles': ['administrator'], 'uri': '/*'}], 'use_services': []}, 'harvest': True, 'image': 'osb/accounts:latest', 'name': 'accounts', 'port': 8080, 'resources': {'limits': {'cpu': '500m', 'memory': '1024Mi'}, 'requests': {'cpu': '10m', 'memory': '512Mi'}}, 'task-images': {}, 'webclient': {'id': 'web-client', 'secret': '452952ae-922c-4766-b912-7b106271e34b'}}
+    d2 = {'admin': {'pass': 'metacell', 'role': 'administrator', 'user': 'admin'}, 'client': {'id': 'rest-client', 'secret': '5678eb6e-9e2c-4ee5-bd54-34e7411339e8'}, 'enabled': True, 'harness': {'aliases': [], 'database': {'auto': True, 'mongo': {'image': 'mongo:5', 'ports': [{'name': 'http', 'port': 27017}]}, 'name': 'keycloak-postgres', 'neo4j': {'dbms_security_auth_enabled': 'false', 'image': 'neo4j:4.1.9', 'memory': {'heap': {'initial': '64M', 'max': '128M'}, 'pagecache': {'size': '64M'}, 'size': '256M'}, 'ports': [{'name': 'http', 'port': 7474}, {'name': 'bolt', 'port': 7687}]}, 'pass': 'password', 'postgres': {'image': 'postgres:10.4', 'initialdb': 'auth_db', 'ports': [{'name': 'http', 'port': 5432}]}, 'resources': {'limits': {'cpu': '1000m', 'memory': '2Gi'}, 'requests': {'cpu': '100m', 'memory': '512Mi'}}, 'size': '2Gi', 'type': 'postgres', 'user': 'user'}, 'dependencies': {'build': [], 'hard': [], 'soft': []}, 'deployment': {'auto': True, 'image': 'osb/accounts:3e02a15477b4696ed554e08cedf4109c67908cbe6b03331072b5b73e83b4fc2b', 'name': 'accounts', 'port': 8080, 'replicas': 1, 'resources': {'limits': {'cpu': '500m', 'memory': '1024Mi'}, 'requests': {'cpu': '10m', 'memory': '512Mi'}}}, 'domain': None, 'env': [{'name': 'KEYCLOAK_IMPORT', 'value': '/tmp/realm.json'}, {'name': 'KEYCLOAK_USER', 'value': 'admin'}, {'name': 'KEYCLOAK_PASSWORD', 'value': 'metacell'}, {'name': 'PROXY_ADDRESS_FORWARDING', 'value': 'true'}, {'name': 'DB_VENDOR', 'value': 'POSTGRES'}, {'name': 'DB_ADDR', 'value': 'keycloak-postgres'}, {'name': 'DB_DATABASE', 'value': 'auth_db'}, {'name': 'DB_USER', 'value': 'user'}, {'name': 'DB_PASSWORD', 'value': 'password'}, {'name': 'JAVA_OPTS', 'value': '-server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'}], 'name': 'accounts', 'readinessProbe': {'path': '/realms/master'}, 'resources': [{'dst': '/tmp/realm.json', 'name': 'realm-config', 'src': 'realm.json'}], 'secrets': '', 'secured': False, 'service': {'auto': True, 'name': 'accounts', 'port': 8080}, 'subdomain': 'accounts', 'uri_role_mapping': [{'roles': ['administrator'], 'uri': '/*'}], 'use_services': []}, 'harvest': True, 'image': 'osb/accounts:latest', 'name': 'accounts', 'port': 8080, 'resources': {'limits': {'cpu': '500m', 'memory': '1024Mi'}, 'requests': {'cpu': '10m', 'memory': '512Mi'}}, 'task-images': {}, 'webclient': {'id': 'web-client', 'secret': '452952ae-922c-4766-b912-7b106271e34b'}}
     uut = ApplicationConfiguration.from_dict(d2)
     assert uut.conf
     assert uut.conf.admin.role == 'administrator'

libraries/cloudharness-common/tests/values.yaml

@@ -189,7 +189,7 @@ apps:
         src: realm.json
         dst: /tmp/realm.json
       readinessProbe:
-        path: /auth/realms/master
+        path: /realms/master
       name: accounts
     client:
       id: rest-client

libraries/models/api/openapi.yaml

@@ -132,6 +132,9 @@ components:
                 initialDelaySeconds:
                     description: ''
                     type: number
+                port:
+                    description: ''
+                    type: number
         URL:
             description: ''
             type: string