chore: update to keycloak 25 (#707)

## Description
* Updates to Keycloak 25
* Adds support for `advancedHTTP.redirect` to address
https://sso.uds.dev redirect to https://sso.uds.dev/realms/uds/account
* Adds task for testing Keycloak in HA with external database.
  - `uds run test-uds-core-ha --set FLAVOR=unicorn --no-progress`

Depends on
defenseunicorns/uds-identity-config#207

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

---------

Co-authored-by: UnicornChance <[email protected]>

bundles/k3d-slim-dev/uds-bundle.yaml

@@ -61,6 +61,24 @@ packages:
             - name: INSECURE_ADMIN_PASSWORD_GENERATION
               description: "Generate an insecure admin password for dev/test"
               path: insecureAdminPasswordGeneration.enabled
+            - name: KEYCLOAK_HA
+              description: "Enable Keycloak HA"
+              path: autoscaling.enabled
+            - name: KEYCLOAK_PG_USERNAME
+              description: "Keycloak Postgres username"
+              path: postgresql.username
+            - name: KEYCLOAK_PG_PASSWORD
+              description: "Keycloak Postgres password"
+              path: postgresql.password
+            - name: KEYCLOAK_PG_DATABASE
+              description: "Keycloak Postgres database"
+              path: postgresql.database
+            - name: KEYCLOAK_PG_HOST
+              description: "Keycloak Postgres host"
+              path: postgresql.host
+            - name: KEYCLOAK_DEVMODE
+              description: "Enables Keycloak dev mode"
+              path: devMode
           values:
             - path: realmInitEnv
               value:

bundles/k3d-standard/uds-bundle.yaml

@@ -100,6 +100,24 @@ packages:
             - name: INSECURE_ADMIN_PASSWORD_GENERATION
               description: "Generate an insecure admin password for dev/test"
               path: insecureAdminPasswordGeneration.enabled
+            - name: KEYCLOAK_HA
+              description: "Enable Keycloak HA"
+              path: autoscaling.enabled
+            - name: KEYCLOAK_PG_USERNAME
+              description: "Keycloak Postgres username"
+              path: postgresql.username
+            - name: KEYCLOAK_PG_PASSWORD
+              description: "Keycloak Postgres password"
+              path: postgresql.password
+            - name: KEYCLOAK_PG_DATABASE
+              description: "Keycloak Postgres database"
+              path: postgresql.database
+            - name: KEYCLOAK_PG_HOST
+              description: "Keycloak Postgres host"
+              path: postgresql.host
+            - name: KEYCLOAK_DEVMODE
+              description: "Enables Keycloak dev mode"
+              path: devMode
           values:
             - path: realmInitEnv
               value:

bundles/k3d-standard/uds-ha-config.yaml

@@ -0,0 +1,8 @@
+variables:
+  core:
+    keycloak_ha: true
+    keycloak_pg_username: keycloak
+    keycloak_pg_password: password
+    keycloak_pg_database: keycloak
+    keycloak_pg_host: host.k3d.internal
+    keycloak_devmode: false

src/keycloak/chart/templates/statefulset.yaml

@@ -72,6 +72,9 @@ spec:
             # This will only import the realm if it does not exist
             - "--import-realm"
             - "--features=preview"
+            - "--proxy-headers=xforwarded"
+            - "--http-enabled=true"
+            - "--hostname-strict=false"
             {{- if .Values.jsonLogFormat }}
             - "--log-console-output=json"
             {{- end }}
@@ -91,18 +94,8 @@ spec:
 
             # Enable access log
             - name: QUARKUS_HTTP_ACCESS_LOG_ENABLED
-              value: "true"          
-
-            # Hostname strict is not needed when used with Istio
-            - name: KC_HOSTNAME_STRICT
-              value: "false"
-            - name: KC_HOSTNAME_STRICT_HTTPS
-              value: "false"
-
-            # Set the proxy type to edge to avoid weird Keycloak behavior
-            - name: KC_PROXY
-              value: edge
-
+              value: "true"
+
             # X509 configuration
             - name: KC_HTTPS_CLIENT_AUTH
               value: request
@@ -195,10 +188,13 @@ spec:
             - name: tcp-fd
               containerPort: 57800
               protocol: TCP
+            - name: metrics
+              containerPort: 9000
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /health/live
-              port: http
+              port: metrics
               scheme: HTTP
             failureThreshold: 15
             timeoutSeconds: 2
@@ -207,7 +203,7 @@ spec:
           readinessProbe:
             httpGet:
               path: /health/ready
-              port: http
+              port: metrics
               scheme: HTTP
             failureThreshold: 15
             timeoutSeconds: 2

src/keycloak/chart/templates/uds-package.yaml

@@ -95,7 +95,7 @@ spec:
             - name: redirect-metrics
               uri:
                 prefix: /metrics
-          rewrite:
+          redirect:
             uri: "/realms/{{ .Values.realm }}/account"
           headers:
             request:

src/keycloak/chart/values.yaml

@@ -2,12 +2,12 @@ image:
   # The Keycloak image repository
   repository: quay.io/keycloak/keycloak
   # Overrides the Keycloak image tag whose default is the chart appVersion
-  tag: "24.0.5"
+  tag: "25.0.4"
   # The Keycloak image pull policy
   pullPolicy: IfNotPresent
 
 # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver
-configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.0
+configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.1
 
 # The public domain name of the Keycloak server
 domain: "###ZARF_VAR_DOMAIN###"
@@ -193,7 +193,7 @@ serviceMonitor:
   # The path at which metrics are served
   path: /metrics
   # The Service port at which metrics are served
-  port: http
+  port: metrics
   # added by Big Bang to support Istio mTLS
   scheme: ""
   tlsConfig: {}

src/keycloak/common/zarf.yaml

@@ -10,7 +10,7 @@ components:
       - name: keycloak
         namespace: keycloak
         # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
-        version: 24.0.5
+        version: 25.0.4
         localPath: ../chart
     actions:
       onDeploy:

src/keycloak/tasks.yaml

@@ -1,5 +1,5 @@
 includes:
-  - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.0/tasks.yaml
+  - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.1/tasks.yaml
 
 tasks:
   - name: validate

src/keycloak/values/registry1-values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak
-  tag: "24.0.5"
+  tag: "25.0.4"
 podSecurityContext:
   fsGroup: 2000
 securityContext:

src/keycloak/values/unicorn-values.yaml

@@ -2,4 +2,4 @@ podSecurityContext:
   fsGroup: 65532
 image:
   repository: cgr.dev/du-uds-defenseunicorns/keycloak
-  tag: "24.0.5"
+  tag: "25.0.4"

src/keycloak/values/upstream-values.yaml

@@ -2,4 +2,4 @@ podSecurityContext:
   fsGroup: 1000
 image:
   repository: quay.io/keycloak/keycloak
-  tag: "24.0.5"
+  tag: "25.0.4"

src/keycloak/zarf.yaml

@@ -20,8 +20,8 @@ components:
         valuesFiles:
           - "values/upstream-values.yaml"
     images:
-      - quay.io/keycloak/keycloak:24.0.5
-      - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
+      - quay.io/keycloak/keycloak:25.0.4
+      - ghcr.io/defenseunicorns/uds/identity-config:0.6.1
 
   - name: keycloak
     required: true
@@ -36,8 +36,8 @@ components:
         valuesFiles:
           - "values/registry1-values.yaml"
     images:
-      - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5
-      - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
+      - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4
+      - ghcr.io/defenseunicorns/uds/identity-config:0.6.1
 
   - name: keycloak
     required: true
@@ -50,5 +50,5 @@ components:
         valuesFiles:
           - "values/unicorn-values.yaml"
     images:
-      - cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image
-      - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
+      - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image
+      - ghcr.io/defenseunicorns/uds/identity-config:0.6.1

src/pepr/operator/controllers/istio/virtual-service.spec.ts

@@ -1,7 +1,7 @@
 import { describe, expect, it } from "@jest/globals";
 import { UDSConfig } from "../../../config";
-import { generateVirtualService } from "./virtual-service";
 import { Expose, Gateway } from "../../crd";
+import { generateVirtualService } from "./virtual-service";
 
 describe("test generate virtual service", () => {
   const ownerRefs = [
@@ -109,4 +109,21 @@ describe("test generate virtual service", () => {
     );
     expect(payload.spec!.http![0].route![0].destination?.port?.number).toEqual(port);
   });
+
+  it.only("should create a redirect VirtualService object", () => {
+    const gateway = Gateway.Tenant;
+    const expose: Expose = {
+      gateway,
+      host,
+      port,
+      service,
+      advancedHTTP: { redirect: { uri: "https://example.com" } },
+    };
+
+    const payload = generateVirtualService(expose, namespace, pkgName, generation, ownerRefs);
+
+    expect(payload).toBeDefined();
+    expect(payload.spec!.http![0].route).toBeUndefined();
+    expect(payload.spec!.http![0].redirect?.uri).toEqual("https://example.com");
+  });
 });

src/pepr/operator/controllers/istio/virtual-service.ts

@@ -40,7 +40,7 @@ export function generateVirtualService(
     },
   ];
 
-  if (!advancedHTTP.directResponse) {
+  if (!advancedHTTP.directResponse && !advancedHTTP.redirect) {
     // Create the route to the service if not using advancedHTTP.directResponse
     http.route = route;
   }

src/pepr/operator/crd/generated/package-v1alpha1.ts

@@ -250,6 +250,10 @@ export interface AdvancedHTTP {
    * passthrough gateway.
    */
   match?: AdvancedHTTPMatch[];
+  /**
+   * A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+   */
+  redirect?: Redirect;
   /**
    * Retry policy for HTTP requests.
    */
@@ -395,6 +399,50 @@ export interface PurpleURI {
   regex?: string;
 }
 
+/**
+ * A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+ */
+export interface Redirect {
+  /**
+   * On a redirect, overwrite the Authority/Host portion of the URL with this value.
+   */
+  authority?: string;
+  /**
+   * On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80
+   * for HTTP and 443 for HTTPS.
+   *
+   * Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+   */
+  derivePort?: DerivePort;
+  /**
+   * On a redirect, overwrite the port portion of the URL with this value.
+   */
+  port?: number;
+  /**
+   * On a redirect, Specifies the HTTP status code to use in the redirect response.
+   */
+  redirectCode?: number;
+  /**
+   * On a redirect, overwrite the scheme portion of the URL with this value.
+   */
+  scheme?: string;
+  /**
+   * On a redirect, overwrite the Path portion of the URL with this value.
+   */
+  uri?: string;
+}
+
+/**
+ * On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80
+ * for HTTP and 443 for HTTPS.
+ *
+ * Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+ */
+export enum DerivePort {
+  FromProtocolDefault = "FROM_PROTOCOL_DEFAULT",
+  FromRequestPort = "FROM_REQUEST_PORT",
+}
+
 /**
  * Retry policy for HTTP requests.
  */

src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts

@@ -228,6 +228,65 @@ export const advancedHTTP: V1JSONSchemaProps = {
       },
       type: "object",
     },
+    redirect: {
+      description:
+        "A HTTP rule can either return a direct_response, redirect or forward (default) traffic.",
+      oneOf: [
+        {
+          not: {
+            anyOf: [
+              {
+                required: ["port"],
+              },
+              {
+                required: ["derivePort"],
+              },
+            ],
+          },
+        },
+        {
+          required: ["port"],
+        },
+        {
+          required: ["derivePort"],
+        },
+      ],
+      properties: {
+        authority: {
+          description:
+            "On a redirect, overwrite the Authority/Host portion of the URL with this value.",
+          type: "string",
+        },
+        port: {
+          description: "On a redirect, overwrite the port portion of the URL with this value.",
+          maximum: 4294967295,
+          minimum: 0,
+          type: "integer",
+        },
+        derivePort: {
+          description:
+            "On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.\n\nValid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT",
+          enum: ["FROM_PROTOCOL_DEFAULT", "FROM_REQUEST_PORT"],
+          type: "string",
+        },
+        redirectCode: {
+          description:
+            "On a redirect, Specifies the HTTP status code to use in the redirect response.",
+          maximum: 4294967295,
+          minimum: 0,
+          type: "integer",
+        },
+        scheme: {
+          description: "On a redirect, overwrite the scheme portion of the URL with this value.",
+          type: "string",
+        },
+        uri: {
+          description: "On a redirect, overwrite the Path portion of the URL with this value.",
+          type: "string",
+        },
+      },
+      type: "object",
+    },
     retries: {
       description: "Retry policy for HTTP requests.",
       properties: {
@@ -265,4 +324,4 @@ export const advancedHTTP: V1JSONSchemaProps = {
     },
   },
   type: "object",
-};
+} as V1JSONSchemaProps;