task: upgrading to quarkus 3.7.0.CR1 (keycloak#26203)

there are several downgrades from the quarkus versions, and some additional logic needed to handle changes with re-creating the configuration Signed-off-by: Steve Hawkins <[email protected]>
vmuzikar · Jan 31, 2024 · 37acb2f · 37acb2f
1 parent a43ba73
commit 37acb2f
Show file tree

Hide file tree

Showing 16 changed files with 182 additions and 122 deletions.
diff --git a/crypto/default/src/main/java/org/keycloak/crypto/def/BCOCSPProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/def/BCOCSPProvider.java
@@ -18,6 +18,7 @@
 
 package org.keycloak.crypto.def;
 
+import org.bouncycastle.asn1.ASN1IA5String;
 import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERIA5String;
@@ -338,8 +339,8 @@ private void verifyResponse(BasicOCSPResp basicOcspResponse, X509Certificate iss
                     // https://www.ietf.org/rfc/rfc2560.txt, if nextUpdate is not set,
                     // the responder is indicating that newer update is avilable all the time
                     long current = date == null ? System.currentTimeMillis() : date.getTime();
-                    Date stop = new Date(current + (long) TIME_SKEW);
-                    Date start = new Date(current - (long) TIME_SKEW);
+                    Date stop = new Date(current + TIME_SKEW);
+                    Date start = new Date(current - TIME_SKEW);
 
                     Iterator<SingleResp> iter = Arrays.asList(basicOcspResponse.getResponses()).iterator();
                     SingleResp singleRes = null;
@@ -436,7 +437,7 @@ protected List<String> getResponderURIs(X509Certificate cert) throws Certificate
                     if (ad.getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                         // See https://www.ietf.org/rfc/rfc2560.txt, 3.1 Certificate Content
                         if (ad.getAccessLocation().getTagNo() == GeneralName.uniformResourceIdentifier) {
-                            DERIA5String value = DERIA5String.getInstance(ad.getAccessLocation().getName());
+                            ASN1IA5String value = DERIA5String.getInstance(ad.getAccessLocation().getName());
                             responderURIs.add(value.getString());
                         }
                     }

diff --git a/crypto/default/src/main/java/org/keycloak/crypto/def/BCUserIdentityExtractorProvider.java b/crypto/default/src/main/java/org/keycloak/crypto/def/BCUserIdentityExtractorProvider.java
@@ -23,6 +23,8 @@
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.ASN1TaggedObject;
+import org.bouncycastle.asn1.ASN1UTF8String;
+import org.bouncycastle.asn1.BERTags;
 import org.bouncycastle.asn1.DERUTF8String;
 import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
 import org.bouncycastle.asn1.x500.RDN;
@@ -162,7 +164,7 @@ public Object extractUserIdentity(X509Certificate[] certs) {
                                     tempOid = oid.getId();
 
                                     ASN1Encodable principalNameEncoded = asn1Sequence.getObjectAt(1);
-                                    DERUTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
+                                    ASN1UTF8String principalName = DERUTF8String.getInstance(unwrap(principalNameEncoded));
 
                                     tempOtherName = principalName.getString();
 
@@ -195,8 +197,8 @@ public Object extractUserIdentity(X509Certificate[] certs) {
 
         private ASN1Encodable unwrap(ASN1Encodable encodable) {
             while (encodable instanceof ASN1TaggedObject) {
-                ASN1TaggedObject taggedObj = (ASN1TaggedObject) encodable;
-                encodable = taggedObj.getObject();
+                ASN1TaggedObject taggedObj = ASN1TaggedObject.getInstance(encodable, BERTags.CONTEXT_SPECIFIC);
+                encodable = taggedObj.getBaseObject().toASN1Primitive();
             }
 
             return encodable;

diff --git a/operator/pom.xml b/operator/pom.xml
@@ -67,18 +67,6 @@
             <artifactId>quarkus-operator-sdk-bundle-generator</artifactId>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-resteasy-jackson</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-rest-client</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-rest-client-jackson</artifactId>
-        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-kubernetes-client</artifactId>

diff --git a/operator/src/main/java/org/keycloak/operator/Config.java b/operator/src/main/java/org/keycloak/operator/Config.java
@@ -18,6 +18,7 @@
 package org.keycloak.operator;
 
 import io.smallrye.config.ConfigMapping;
+import io.smallrye.config.WithDefault;
 
 import java.util.Map;
 
@@ -36,4 +37,17 @@ interface Keycloak {
 
         Map<String, String> podLabels();
     }
+
+    // workarounds for OLM env values
+    // to be removed after https://github.com/keycloak/keycloak/issues/12352
+
+    @WithDefault("keycloak-operator")
+    String name();
+
+    interface Condition {
+        @WithDefault("keycloak-operator.v999-SNAPSHOT")
+        String name();
+    }
+
+    Condition condition();
 }
diff --git a/.../src/main/java/org/keycloak/operator/controllers/KeycloakDeploymentDependentResource.java b/.../src/main/java/org/keycloak/operator/controllers/KeycloakDeploymentDependentResource.java
@@ -23,17 +23,15 @@
 import io.fabric8.kubernetes.api.model.EnvVarSource;
 import io.fabric8.kubernetes.api.model.EnvVarSourceBuilder;
 import io.fabric8.kubernetes.api.model.PodSpec;
-import io.fabric8.kubernetes.api.model.PodSpecFluent.ContainersNested;
 import io.fabric8.kubernetes.api.model.PodTemplateSpec;
-import io.fabric8.kubernetes.api.model.PodTemplateSpecFluent.SpecNested;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.SecretKeySelector;
 import io.fabric8.kubernetes.api.model.VolumeBuilder;
 import io.fabric8.kubernetes.api.model.VolumeMountBuilder;
 import io.fabric8.kubernetes.api.model.apps.StatefulSet;
 import io.fabric8.kubernetes.api.model.apps.StatefulSetBuilder;
 import io.fabric8.kubernetes.api.model.apps.StatefulSetSpec;
-import io.fabric8.kubernetes.api.model.apps.StatefulSetSpecFluent.TemplateNested;
+import io.fabric8.kubernetes.client.KubernetesClient;
 import io.javaoperatorsdk.operator.api.reconciler.Context;
 import io.javaoperatorsdk.operator.processing.dependent.kubernetes.CRUDKubernetesDependentResource;
 import io.javaoperatorsdk.operator.processing.dependent.kubernetes.KubernetesDependent;
@@ -103,10 +101,10 @@ public StatefulSet desired(Keycloak primary, Context<Keycloak> context) {
         addTruststores(primary, baseDeployment, kcContainer, allSecrets);
         addEnvVars(baseDeployment, primary, allSecrets);
         Optional.ofNullable(primary.getSpec().getCacheSpec())
-                .ifPresent(c -> configureCache(primary, baseDeployment, kcContainer, c));
+                .ifPresent(c -> configureCache(primary, baseDeployment, kcContainer, c, context.getClient()));
 
         if (!allSecrets.isEmpty()) {
-            watchedResources.annotateDeployment(new ArrayList<>(allSecrets), Secret.class, baseDeployment, this.client);
+            watchedResources.annotateDeployment(new ArrayList<>(allSecrets), Secret.class, baseDeployment, context.getClient());
         }
 
         StatefulSet existingDeployment = context.getSecondaryResource(StatefulSet.class).orElse(null);
@@ -128,7 +126,7 @@ public StatefulSet desired(Keycloak primary, Context<Keycloak> context) {
         return baseDeployment;
     }
 
-    private void configureCache(Keycloak keycloakCR, StatefulSet deployment, Container kcContainer, CacheSpec spec) {
+    private void configureCache(Keycloak keycloakCR, StatefulSet deployment, Container kcContainer, CacheSpec spec, KubernetesClient client) {
         Optional.ofNullable(spec.getConfigMapFile()).ifPresent(configFile -> {
             if (configFile.getName() == null || configFile.getKey() == null) {
                 throw new IllegalStateException("Cache file ConfigMap requires both a name and a key");
@@ -151,7 +149,7 @@ private void configureCache(Keycloak keycloakCR, StatefulSet deployment, Contain
             kcContainer.getVolumeMounts().add(0, volumeMount);
 
             // currently the only configmap we're watching
-            watchedResources.annotateDeployment(List.of(configFile.getName()), ConfigMap.class, deployment, this.client);
+            watchedResources.annotateDeployment(List.of(configFile.getName()), ConfigMap.class, deployment, client);
         });
     }
 
@@ -249,12 +247,7 @@ private StatefulSet createBaseDeployment(Keycloak keycloakCR, Context<Keycloak>
         }
 
         // there isn't currently an editOrNewFirstContainer, so we need to do this manually
-        ContainersNested<SpecNested<TemplateNested<io.fabric8.kubernetes.api.model.apps.StatefulSetFluent.SpecNested<StatefulSetBuilder>>>> containerBuilder = null;
-        if (specBuilder.buildContainers().isEmpty()) {
-            containerBuilder = specBuilder.addNewContainer();
-        } else {
-            containerBuilder = specBuilder.editFirstContainer();
-        }
+        var containerBuilder = specBuilder.buildContainers().isEmpty() ? specBuilder.addNewContainer() : specBuilder.editFirstContainer();
 
         containerBuilder.withName("keycloak");
 

diff --git a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakRealmImportController.java b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakRealmImportController.java
@@ -57,7 +57,6 @@ public class KeycloakRealmImportController implements Reconciler<KeycloakRealmIm
     @Override
     public Map<String, EventSource> prepareEventSources(EventSourceContext<KeycloakRealmImport> context) {
         this.jobDependentResource = new KeycloakRealmImportJobDependentResource();
-        this.jobDependentResource.setKubernetesClient(context.getClient());
         return EventSourceInitializer.nameEventSourcesFromDependentResource(context, jobDependentResource);
     }
 

diff --git a/operator/src/test/java/org/keycloak/operator/testsuite/integration/BaseOperatorTest.java b/operator/src/test/java/org/keycloak/operator/testsuite/integration/BaseOperatorTest.java
@@ -20,8 +20,6 @@
 import io.fabric8.kubernetes.api.model.HasMetadata;
 import io.fabric8.kubernetes.api.model.NamespaceBuilder;
 import io.fabric8.kubernetes.api.model.Pod;
-import io.fabric8.kubernetes.api.model.PodSpecFluent.ContainersNested;
-import io.fabric8.kubernetes.api.model.PodTemplateSpecFluent.SpecNested;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.apps.Deployment;
 import io.fabric8.kubernetes.api.model.apps.StatefulSet;
@@ -59,9 +57,7 @@
 import org.keycloak.operator.controllers.KeycloakDeploymentDependentResource;
 import org.keycloak.operator.crds.v2alpha1.deployment.Keycloak;
 import org.keycloak.operator.crds.v2alpha1.deployment.KeycloakSpecBuilder;
-import org.keycloak.operator.crds.v2alpha1.deployment.KeycloakSpecFluent.UnsupportedNested;
 import org.keycloak.operator.crds.v2alpha1.deployment.KeycloakStatus;
-import org.keycloak.operator.crds.v2alpha1.deployment.spec.UnsupportedSpecFluent.PodTemplateNested;
 import org.keycloak.operator.crds.v2alpha1.realmimport.KeycloakRealmImport;
 import org.keycloak.operator.testsuite.utils.K8sUtils;
 import org.opentest4j.TestAbortedException;
@@ -405,12 +401,8 @@ public static Keycloak getTestKeycloakDeployment(boolean disableProbes) {
   public static Keycloak disableProbes(Keycloak keycloak) {
       KeycloakSpecBuilder specBuilder = new KeycloakSpecBuilder(keycloak.getSpec());
       var podTemplateSpecBuilder = specBuilder.editOrNewUnsupported().editOrNewPodTemplate().editOrNewSpec();
-      ContainersNested<SpecNested<PodTemplateNested<UnsupportedNested<KeycloakSpecBuilder>>>> containerBuilder = null;
-      if (podTemplateSpecBuilder.hasContainers()) {
-          containerBuilder = podTemplateSpecBuilder.editContainer(0);
-      } else {
-          containerBuilder = podTemplateSpecBuilder.addNewContainer();
-      }
+      var containerBuilder = podTemplateSpecBuilder.hasContainers() ? podTemplateSpecBuilder.editContainer(0)
+              : podTemplateSpecBuilder.addNewContainer();
       keycloak.setSpec(containerBuilder.withNewLivenessProbe().withNewExec().addToCommand("true").endExec()
               .endLivenessProbe().withNewReadinessProbe().withNewExec().addToCommand("true").endExec()
               .endReadinessProbe().withNewStartupProbe().withNewExec().addToCommand("true").endExec()

diff --git a/pom.xml b/pom.xml
@@ -45,8 +45,8 @@
         <jboss.snapshots.repo.id>jboss-snapshots-repository</jboss.snapshots.repo.id>
         <jboss.snapshots.repo.url>https://s01.oss.sonatype.org/content/repositories/snapshots/</jboss.snapshots.repo.url>
 
-        <quarkus.version>3.2.9.Final</quarkus.version>
-        <quarkus.build.version>3.2.9.Final</quarkus.build.version>
+        <quarkus.version>3.7.0.CR1</quarkus.version>
+        <quarkus.build.version>3.7.0.CR1</quarkus.build.version>
 
         <project.build-time>${timestamp}</project.build-time>
 
@@ -86,6 +86,8 @@
 
         <!-- TODO Are these correct versions? -->
         <bouncycastle.pkixfips.version>1.0.7</bouncycastle.pkixfips.version>
+        <!-- 1.0.2.4 exhibits class loading issues -->
+        <bouncycastle.bcfips.version>1.0.2.3</bouncycastle.bcfips.version>
 
         <cxf.version>3.3.10</cxf.version>
         <cxf.jetty.version>3.3.10</cxf.jetty.version>
@@ -106,8 +108,6 @@
         <servlet.api.30.version>1.0.2.Final</servlet.api.30.version>
         <jboss-jaxrs-api_2.1_spec>2.0.2.Final</jboss-jaxrs-api_2.1_spec>
         <jboss-servlet-api_4.0_spec>2.0.0.Final</jboss-servlet-api_4.0_spec>
-        <jboss.logmanager>2.1.19.Final</jboss.logmanager>
-        <jboss.marshalling.version>2.0.11.Final</jboss.marshalling.version>
         <jboss.spec.javax.xml.bind.jboss-jaxb-api_2.3_spec.version>2.0.1.Final</jboss.spec.javax.xml.bind.jboss-jaxb-api_2.3_spec.version>
         <jboss.spec.javax.servlet.jsp.jboss-jsp-api_2.3_spec.version>2.0.0.Final</jboss.spec.javax.servlet.jsp.jboss-jsp-api_2.3_spec.version>
         <log4j.version>1.2.17</log4j.version>
@@ -427,6 +427,13 @@
                 <artifactId>bcpkix-fips</artifactId>
                 <version>${bouncycastle.pkixfips.version}</version>
             </dependency>
+
+          <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bc-fips</artifactId>
+            <version>${bouncycastle.bcfips.version}</version>
+          </dependency>
+
             <dependency>
                 <groupId>com.github.ua-parser</groupId>
                 <artifactId>uap-java</artifactId>
@@ -557,11 +564,6 @@
                 <artifactId>log4j</artifactId>
                 <version>${log4j.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.jboss.logmanager</groupId>
-                <artifactId>jboss-logmanager</artifactId>
-                <version>${jboss.logmanager}</version>
-            </dependency>
             <dependency>
                 <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
                 <artifactId>owasp-java-html-sanitizer</artifactId>
@@ -894,16 +896,6 @@
                 <artifactId>undertow-server</artifactId>
                 <version>${elytron.undertow-server.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.jboss.marshalling</groupId>
-                <artifactId>jboss-marshalling</artifactId>
-                <version>${jboss.marshalling.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.jboss.marshalling</groupId>
-                <artifactId>jboss-marshalling-river</artifactId>
-                <version>${jboss.marshalling.version}</version>
-            </dependency>
             <dependency>
                 <groupId>org.liquibase</groupId>
                 <artifactId>liquibase-core</artifactId>

diff --git a/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java b/quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
@@ -29,7 +29,6 @@
 import io.quarkus.deployment.annotations.ExecutionTime;
 import io.quarkus.deployment.annotations.Produce;
 import io.quarkus.deployment.annotations.Record;
-import io.quarkus.deployment.builditem.BootstrapConfigSetupCompleteBuildItem;
 import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
 import io.quarkus.deployment.builditem.FeatureBuildItem;
 import io.quarkus.deployment.builditem.GeneratedResourceBuildItem;
@@ -44,6 +43,7 @@
 import io.quarkus.runtime.configuration.ConfigurationException;
 import io.quarkus.runtime.configuration.ProfileManager;
 import io.quarkus.vertx.http.deployment.RouteBuildItem;
+import io.quarkus.resteasy.reactive.spi.IgnoreStackMixingBuildItem;
 import io.smallrye.config.ConfigValue;
 import org.hibernate.cfg.AvailableSettings;
 import org.hibernate.jpa.boot.internal.ParsedPersistenceXmlDescriptor;
@@ -207,6 +207,11 @@ private static ProviderFactory registerSAMLScriptMapper(ScriptProviderMetadata m
         return new DeployedScriptSAMLProtocolMapper(metadata);
     }
 
+    @BuildStep
+    IgnoreStackMixingBuildItem getIgnoreStackMixing() {
+        return new IgnoreStackMixingBuildItem();
+    }
+
     @BuildStep
     FeatureBuildItem getFeature() {
         return new FeatureBuildItem("keycloak");
@@ -286,7 +291,7 @@ void setDefaultUserProfileConfig(KeycloakRecorder recorder, UserProfileBuildItem
      *
      * <p>The {@code hibernate-orm} extension expects that the dialect is statically
      * set to the persistence unit if there is any from the classpath and we use this method to obtain the dialect from the configuration
-     * file so that we can build the application with whatever dialect we want. In addition to the dialect, we should also be 
+     * file so that we can build the application with whatever dialect we want. In addition to the dialect, we should also be
      * allowed to set any additional defaults that we think that makes sense.
      *
      * @param config
@@ -459,9 +464,9 @@ private void configureUserDefinedPersistenceUnits(List<PersistenceXmlDescriptorB
                 .map(ParsedPersistenceXmlDescriptor::getName)
                 .filter(Predicate.not("keycloak-default"::equals)).forEach((String unitName) -> {
                     NamedJpaConnectionProviderFactory factory = new NamedJpaConnectionProviderFactory();
-                    
+
                     factory.setUnitName(unitName);
-                    
+
                     factories.get(spi).get(JpaConnectionProvider.class).put(unitName, NamedJpaConnectionProviderFactory.class);
                     preConfiguredProviders.put(unitName, factory);
                 });
@@ -662,7 +667,6 @@ public List<HandlerChainCustomizer> scan(MethodInfo method, ClassInfo actualEndp
         }));
     }
 
-    @Consume(BootstrapConfigSetupCompleteBuildItem.class)
     @Consume(ProfileBuildItem.class)
     @Produce(CryptoProviderInitBuildItem.class)
     @BuildStep

diff --git a/...time/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java b/...time/src/main/java/org/keycloak/quarkus/runtime/configuration/ConfigArgsConfigSource.java
@@ -58,7 +58,7 @@ protected ConfigArgsConfigSource() {
         super(parseArguments(), NAME, 600);
     }
 
-    public static void setCliArgs(String[] args) {
+    public static void setCliArgs(String... args) {
         System.setProperty(CLI_ARGS, String.join(ARG_SEPARATOR, args));
     }