chore: update to keycloak 25 #707

Merged
merged 11 commits into from
Sep 5, 2024
18 changes: 18 additions & 0 deletions bundles/k3d-slim-dev/uds-bundle.yaml
@@ -61,6 +61,24 @@ packages:
- name: INSECURE_ADMIN_PASSWORD_GENERATION
description: "Generate an insecure admin password for dev/test"
path: insecureAdminPasswordGeneration.enabled
- name: KEYCLOAK_HA
description: "Enable Keycloak HA"
path: autoscaling.enabled
- name: KEYCLOAK_PG_USERNAME
description: "Keycloak Postgres username"
path: postgresql.username
- name: KEYCLOAK_PG_PASSWORD
description: "Keycloak Postgres password"
path: postgresql.password
- name: KEYCLOAK_PG_DATABASE
description: "Keycloak Postgres database"
path: postgresql.database
- name: KEYCLOAK_PG_HOST
description: "Keycloak Postgres host"
path: postgresql.host
- name: KEYCLOAK_DEVMODE
description: "Enables Keycloak dev mode"
path: devMode
values:
- path: realmInitEnv
value:
18 changes: 18 additions & 0 deletions bundles/k3d-standard/uds-bundle.yaml
@@ -100,6 +100,24 @@ packages:
- name: INSECURE_ADMIN_PASSWORD_GENERATION
description: "Generate an insecure admin password for dev/test"
path: insecureAdminPasswordGeneration.enabled
- name: KEYCLOAK_HA
description: "Enable Keycloak HA"
path: autoscaling.enabled
- name: KEYCLOAK_PG_USERNAME
description: "Keycloak Postgres username"
path: postgresql.username
- name: KEYCLOAK_PG_PASSWORD
description: "Keycloak Postgres password"
path: postgresql.password
- name: KEYCLOAK_PG_DATABASE
description: "Keycloak Postgres database"
path: postgresql.database
- name: KEYCLOAK_PG_HOST
description: "Keycloak Postgres host"
path: postgresql.host
- name: KEYCLOAK_DEVMODE
description: "Enables Keycloak dev mode"
path: devMode
values:
- path: realmInitEnv
value:
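--- a/bundles/k3d-standard/uds-ha-config.yaml
+++ b/bundles/k3d-standard/uds-ha-config.yaml
@@ -0,0 +1,8 @@
+variables:
+core:
+keycloak_ha: true
+keycloak_pg_username: keycloak
+keycloak_pg_password: password
+keycloak_pg_database: keycloak
+keycloak_pg_host: host.k3d.internal
+keycloak_devmode: false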
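Review bot: `keycloak_pg_password: password` together with `keycloak_pg_host: host.k3d.internal` commits a static credential and a k3d-only host, and nothing in the file says it is a local-development override, so it is easy to mistake for a reusable HA configuration. A header comment such as `# Local k3d-only HA overrides; the Postgres credentials below are throwaway dev values, never reuse them` at the top of the file would make the intent explicit, and the file name could carry the same hint. These are the values the `KEYCLOAK_PG_*` variables declared in the two uds-bundle.yaml sections above map onto.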
24 changes: 10 additions & 14 deletions src/keycloak/chart/templates/statefulset.yaml
@@ -72,6 +72,9 @@ spec:
# This will only import the realm if it does not exist
- "--import-realm"
- "--features=preview"
- "--proxy-headers=xforwarded"
- "--http-enabled=true"
- "--hostname-strict=false"
{{- if .Values.jsonLogFormat }}
- "--log-console-output=json"
{{- end }}
@@ -91,18 +94,8 @@ spec:

# Enable access log
- name: QUARKUS_HTTP_ACCESS_LOG_ENABLED
value: "true"

# Hostname strict is not needed when used with Istio
- name: KC_HOSTNAME_STRICT
value: "false"
- name: KC_HOSTNAME_STRICT_HTTPS
value: "false"

# Set the proxy type to edge to avoid weird Keycloak behavior
- name: KC_PROXY
value: edge

value: "true"

# X509 configuration
- name: KC_HTTPS_CLIENT_AUTH
value: request
@@ -195,10 +188,13 @@ spec:
- name: tcp-fd
containerPort: 57800
protocol: TCP
- name: metrics
containerPort: 9000
protocol: TCP
livenessProbe:
httpGet:
path: /health/live
port: http
port: metrics
scheme: HTTP
failureThreshold: 15
timeoutSeconds: 2
@@ -207,7 +203,7 @@ spec:
readinessProbe:
httpGet:
path: /health/ready
port: http
port: metrics
scheme: HTTP
failureThreshold: 15
timeoutSeconds: 2
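Review bot: The rationale comments that accompanied `KC_HOSTNAME_STRICT` and `KC_PROXY` ("Hostname strict is not needed when used with Istio", "Set the proxy type to edge ...") are deleted in the second hunk but not carried over to the new `--proxy-headers=xforwarded` / `--hostname-strict=false` arguments in the first, so the next reader has no record of why Keycloak is told to trust forwarded headers and skip hostname checks. That trust is only sound while every path to the pod goes through the Istio sidecar, which is the assumption the removed comment captured; I would restore it as `# Trust X-Forwarded-* and relax hostname checks: Istio fronts every request to this pod` above the `--proxy-headers=xforwarded` line. Separately, the new `metrics` port on 9000 now also serves the liveness and readiness `/health/*` probes, so a name such as `management` would describe it better (it appears to be the Keycloak 25 management interface, but I cannot confirm that from the hunk alone), though the Service and ServiceMonitor that reference `metrics` would need the same rename. The container spec these hunks belong to starts and ends outside the visible hunks.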
2 changes: 1 addition & 1 deletion src/keycloak/chart/templates/uds-package.yaml
@@ -95,7 +95,7 @@ spec:
- name: redirect-metrics
uri:
prefix: /metrics
rewrite:
redirect:
uri: "/realms/{{ .Values.realm }}/account"
headers:
request:
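Review bot: The `headers: request:` block that immediately follows the new `redirect:` rule (its body continues outside the hunk) manipulated the request that was forwarded after the old `rewrite`; with a redirect there is no upstream request for those headers to travel on, so as far as I can tell that block is now dead configuration and should be dropped or moved to a rule that still routes. The rule also sets no `redirectCode`, so the proxy's default redirect status applies, which in Istio is a permanent redirect that browsers cache; if `/metrics` is ever meant to route again on the tenant gateway, pinning `redirectCode: 302` avoids clients holding on to the old answer. Keeping `/metrics` off the public gateway is the right call; the note is only about the leftovers around it.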
6 changes: 3 additions & 3 deletions src/keycloak/chart/values.yaml
@@ -2,12 +2,12 @@ image:
# The Keycloak image repository
repository: quay.io/keycloak/keycloak
# Overrides the Keycloak image tag whose default is the chart appVersion
tag: "24.0.5"
tag: "25.0.4"
# The Keycloak image pull policy
pullPolicy: IfNotPresent

# renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver
configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.0
configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.1

# The public domain name of the Keycloak server
domain: "###ZARF_VAR_DOMAIN###"
@@ -193,7 +193,7 @@ serviceMonitor:
# The path at which metrics are served
path: /metrics
# The Service port at which metrics are served
port: http
port: metrics
# added by Big Bang to support Istio mTLS
scheme: ""
tlsConfig: {}
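Review bot: `port: metrics` in the second hunk makes the ServiceMonitor scrape a Service port named `metrics`, but this page only shows a container port of that name being added in statefulset.yaml; no Service template change is visible, so the rename should be checked against the Service (it may be in a file not shown here), otherwise the ServiceMonitor silently selects nothing and metrics collection stops without an error. The comment above the line, "The Service port at which metrics are served", could say why the port moved: `# Keycloak 25 serves /metrics (and /health) on its management listener, exposed as the "metrics" Service port` — hedged as my reading of the accompanying statefulset change rather than something this file states.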
2 changes: 1 addition & 1 deletion src/keycloak/common/zarf.yaml
@@ -10,7 +10,7 @@ components:
- name: keycloak
namespace: keycloak
# renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
version: 24.0.5
version: 25.0.4
localPath: ../chart
actions:
onDeploy:
2 changes: 1 addition & 1 deletion src/keycloak/tasks.yaml
@@ -1,5 +1,5 @@
includes:
- config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.0/tasks.yaml
- config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.1/tasks.yaml

tasks:
- name: validate
2 changes: 1 addition & 1 deletion src/keycloak/values/registry1-values.yaml
@@ -1,6 +1,6 @@
image:
repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak
tag: "24.0.5"
tag: "25.0.4"
podSecurityContext:
fsGroup: 2000
securityContext:
2 changes: 1 addition & 1 deletion src/keycloak/values/unicorn-values.yaml
@@ -2,4 +2,4 @@ podSecurityContext:
fsGroup: 65532
image:
repository: cgr.dev/du-uds-defenseunicorns/keycloak
tag: "24.0.5"
tag: "25.0.4"
2 changes: 1 addition & 1 deletion src/keycloak/values/upstream-values.yaml
@@ -2,4 +2,4 @@ podSecurityContext:
fsGroup: 1000
image:
repository: quay.io/keycloak/keycloak
tag: "24.0.5"
tag: "25.0.4"
12 changes: 6 additions & 6 deletions src/keycloak/zarf.yaml
@@ -20,8 +20,8 @@ components:
valuesFiles:
- "values/upstream-values.yaml"
images:
- quay.io/keycloak/keycloak:24.0.5
- ghcr.io/defenseunicorns/uds/identity-config:0.6.0
- quay.io/keycloak/keycloak:25.0.4
- ghcr.io/defenseunicorns/uds/identity-config:0.6.1

- name: keycloak
required: true
@@ -36,8 +36,8 @@ components:
valuesFiles:
- "values/registry1-values.yaml"
images:
- registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5
- ghcr.io/defenseunicorns/uds/identity-config:0.6.0
- registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4
- ghcr.io/defenseunicorns/uds/identity-config:0.6.1

- name: keycloak
required: true
@@ -50,5 +50,5 @@ components:
valuesFiles:
- "values/unicorn-values.yaml"
images:
- cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image
- ghcr.io/defenseunicorns/uds/identity-config:0.6.0
- cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image
- ghcr.io/defenseunicorns/uds/identity-config:0.6.1
19 changes: 18 additions & 1 deletion src/pepr/operator/controllers/istio/virtual-service.spec.ts
@@ -1,7 +1,7 @@
import { describe, expect, it } from "@jest/globals";
import { UDSConfig } from "../../../config";
import { generateVirtualService } from "./virtual-service";
import { Expose, Gateway } from "../../crd";
import { generateVirtualService } from "./virtual-service";

describe("test generate virtual service", () => {
const ownerRefs = [
@@ -109,4 +109,21 @@ describe("test generate virtual service", () => {
);
expect(payload.spec!.http![0].route![0].destination?.port?.number).toEqual(port);
});

it.only("should create a redirect VirtualService object", () => {
const gateway = Gateway.Tenant;
const expose: Expose = {
gateway,
host,
port,
service,
advancedHTTP: { redirect: { uri: "https://example.com" } },
};

const payload = generateVirtualService(expose, namespace, pkgName, generation, ownerRefs);

expect(payload).toBeDefined();
expect(payload.spec!.http![0].route).toBeUndefined();
expect(payload.spec!.http![0].redirect?.uri).toEqual("https://example.com");
});
});
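Review bot: `it.only(` on the new redirect test case tells Jest to run only that case, so every pre-existing VirtualService test in this file stops executing as soon as this lands, and CI will report green without having run them. This is a leftover from focused local runs and the line should read `it("should create a redirect VirtualService object", () => {`. The `host`, `port`, `service`, `namespace`, `pkgName` and `generation` values the case uses are declared in the describe block outside the hunk.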
2 changes: 1 addition & 1 deletion src/pepr/operator/controllers/istio/virtual-service.ts
@@ -40,7 +40,7 @@ export function generateVirtualService(
},
];

if (!advancedHTTP.directResponse) {
if (!advancedHTTP.directResponse && !advancedHTTP.redirect) {
// Create the route to the service if not using advancedHTTP.directResponse
http.route = route;
}
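Review bot: The comment inside the guard still reads "Create the route to the service if not using advancedHTTP.directResponse" while the condition now also covers `redirect`, so it should become `// Create the route to the service unless advancedHTTP asks for a directResponse or redirect`. Nothing here rejects an `advancedHTTP` that sets both `directResponse` and `redirect`; Istio treats route, redirect and directResponse as mutually exclusive on a rule, so such a package would, as far as I can tell, pass the operator and only fail when the VirtualService is applied, with no pointer back to the Package. A check that the two are not both present, in this function or in the Package validation webhook, would surface that at admission time. generateVirtualService starts and ends outside the hunk.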
48 changes: 48 additions & 0 deletions src/pepr/operator/crd/generated/package-v1alpha1.ts
@@ -250,6 +250,10 @@ export interface AdvancedHTTP {
* passthrough gateway.
*/
match?: AdvancedHTTPMatch[];
/**
* A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
*/
redirect?: Redirect;
/**
* Retry policy for HTTP requests.
*/
@@ -395,6 +399,50 @@ export interface PurpleURI {
regex?: string;
}

/**
* A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
*/
export interface Redirect {
/**
* On a redirect, overwrite the Authority/Host portion of the URL with this value.
*/
authority?: string;
/**
* On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80
* for HTTP and 443 for HTTPS.
*
* Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
*/
derivePort?: DerivePort;
/**
* On a redirect, overwrite the port portion of the URL with this value.
*/
port?: number;
/**
* On a redirect, Specifies the HTTP status code to use in the redirect response.
*/
redirectCode?: number;
/**
* On a redirect, overwrite the scheme portion of the URL with this value.
*/
scheme?: string;
/**
* On a redirect, overwrite the Path portion of the URL with this value.
*/
uri?: string;
}

/**
* On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80
* for HTTP and 443 for HTTPS.
*
* Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
*/
export enum DerivePort {
FromProtocolDefault = "FROM_PROTOCOL_DEFAULT",
FromRequestPort = "FROM_REQUEST_PORT",
}

/**
* Retry policy for HTTP requests.
*/
61 changes: 60 additions & 1 deletion src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts
@@ -228,6 +228,65 @@ export const advancedHTTP: V1JSONSchemaProps = {
},
type: "object",
},
redirect: {
description:
"A HTTP rule can either return a direct_response, redirect or forward (default) traffic.",
oneOf: [
{
not: {
anyOf: [
{
required: ["port"],
},
{
required: ["derivePort"],
},
],
},
},
{
required: ["port"],
},
{
required: ["derivePort"],
},
],
properties: {
authority: {
description:
"On a redirect, overwrite the Authority/Host portion of the URL with this value.",
type: "string",
},
port: {
description: "On a redirect, overwrite the port portion of the URL with this value.",
maximum: 4294967295,
minimum: 0,
type: "integer",
},
derivePort: {
description:
"On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.\n\nValid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT",
enum: ["FROM_PROTOCOL_DEFAULT", "FROM_REQUEST_PORT"],
type: "string",
},
redirectCode: {
description:
"On a redirect, Specifies the HTTP status code to use in the redirect response.",
maximum: 4294967295,
minimum: 0,
type: "integer",
},
scheme: {
description: "On a redirect, overwrite the scheme portion of the URL with this value.",
type: "string",
},
uri: {
description: "On a redirect, overwrite the Path portion of the URL with this value.",
type: "string",
},
},
type: "object",
},
retries: {
description: "Retry policy for HTTP requests.",
properties: {
@@ -265,4 +324,4 @@ export const advancedHTTP: V1JSONSchemaProps = {
},
},
type: "object",
};
} as V1JSONSchemaProps;
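Review bot: `} as V1JSONSchemaProps;` in the last hunk turns the declared type on `export const advancedHTTP: V1JSONSchemaProps = {` (visible in the hunk header) into an assertion, which switches off excess-property checking for the whole schema literal, so a misspelled key anywhere in the constant now compiles silently and is simply absent from the generated CRD, meaning the API server never enforces that constraint. The cast was presumably added because one key in the new `redirect` block does not match the client model (`enum` is the likely candidate, since the Kubernetes client model spells that property differently; confirm against the imported type); if so, the fix is to correct that single key, or at most cast the one offending sub-object, and keep the plain declaration so the rest of the schema stays checked. The `oneOf` that makes `port` and `derivePort` mutually exclusive mirrors Istio's own CRD and looks right.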