From 3918113afb7ab9955959144f02c9f17bea6de65d Mon Sep 17 00:00:00 2001
From: Phil Brookes
Date: Fri, 24 Jul 2020 10:25:59 +0100
Subject: [PATCH] update to SSO 7.4
---
 Makefile | 2 +-
 deploy/operator.yaml | 2 +-
 deploy/rbac.yaml | 1 +
 .../sso74-x509-postgresql-persistent.json | 650 ++++++++++++++++++
 pkg/keycloak/keycloak.go | 6 +-
 pkg/keycloak/upgrade.go | 4 +-
 pkg/keycloak/upgrade_test.go | 4 +-
 tmp/build/Dockerfile | 1 +
 version/version.go | 2 +-
 9 files changed, 662 insertions(+), 10 deletions(-)
 create mode 100644 deploy/template/sso74-x509-postgresql-persistent.json
diff --git a/Makefile b/Makefile
index b90b6b70..1607c1c1 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ CONSUMER_NAMESPACES=${NAMESPACE}
 PROJECT=keycloak-operator
 REG=quay.io
 SHELL=/bin/bash
-TAG=v1.9.5
+TAG=v1.10.0
 PKG=github.com/integr8ly/keycloak-operator
 TEST_DIRS?=$(shell sh -c "find $(TOP_SRC_DIRS) -name \\*_test.go -exec dirname {} \\; | sort | uniq")
 TEST_POD_NAME=keycloak-operator-test
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index 8d495182..2dc5d268 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -14,7 +14,7 @@ spec:
 spec:
 containers:
 - name: keycloak-operator
- image: quay.io/integreatly/keycloak-operator:v1.9.5
+ image: quay.io/integreatly/keycloak-operator:v1.10.0
 ports:
 - containerPort: 60000
 name: metrics
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index deecf6c0..0cdab621 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -24,6 +24,7 @@ rules:
 - secrets
 - services
 - pods
+ - configmaps
 verbs:
 - "*"
 - apiGroups:
diff --git a/deploy/template/sso74-x509-postgresql-persistent.json b/deploy/template/sso74-x509-postgresql-persistent.json
new file mode 100644
index 00000000..788e0142
--- /dev/null
+++ b/deploy/template/sso74-x509-postgresql-persistent.json
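Review bot: The added `- configmaps` resource inherits the rule's wildcard `verbs: ["*"]`, so the operator's service account gains every verb (including delete and deletecollection) on all ConfigMaps the Role/ClusterRole covers, while the new template only needs the `${APPLICATION_NAME}-service-ca` ConfigMap to be created and read. Listing the verbs the reconciler actually uses, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch"]`, keeps the new grant least-privilege; if the existing resources genuinely need `*`, put configmaps in its own rule rather than widening the shared one. The `apiGroups` header and the rule's kind (Role vs ClusterRole) are outside the hunk, so the exact blast radius cannot be judged from here.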
@@ -0,0 +1,650 @@ +{ + "kind": "Template", + "apiVersion": "template.openshift.io/v1", + "metadata": { + "annotations": { + "iconClass" : "icon-sso", + "tags" : "sso,keycloak,jboss", + "version": "7.4.1.GA", + "openshift.io/display-name": "Red Hat Single Sign-On 7.4 on OpenJDK + PostgreSQL (Persistent)", + "openshift.io/provider-display-name": "Red Hat, Inc.", + "description": "An example application based on RH-SSO 7.4 on OpenJDK image. For more information about using this template, see https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso74-dev/docs.", + "template.openshift.io/long-description": "This template defines resources needed to develop Red Hat Single Sign-On 7.4 on OpenJDK server based deployment, deployment configuration for PostgreSQL using persistence, and securing RH-SSO communication using re-encrypt TLS.", + "template.openshift.io/documentation-url": "https://access.redhat.com/documentation/en/red-hat-single-sign-on/", + "template.openshift.io/support-url": "https://access.redhat.com" + }, + "name": "sso74-ocp4-x509-postgresql-persistent" + }, + "labels": { + "template": "sso74-ocp4-x509-postgresql-persistent", + "rhsso": "7.4.1.GA" + }, + "message": "A new persistent RH-SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the RH-SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database \"${DB_DATABASE}\" is ${DB_USERNAME}/${DB_PASSWORD}. 
The HTTPS keystore used for serving secure content, the JGroups keystore used for securing JGroups communications, and server truststore used for securing RH-SSO requests were automatically created via OpenShift's service serving x509 certificate secrets.", + "parameters": [ + { + "displayName": "Application Name", + "description": "The name for the application.", + "name": "APPLICATION_NAME", + "value": "sso", + "required": true + }, + { + "displayName": "Custom RH-SSO Server Hostname", + "description": "Custom hostname for the RH-SSO server.", + "name": "SSO_HOSTNAME", + "value": "", + "required": false + }, + { + "displayName": "JGroups Cluster Password", + "description": "The password for the JGroups cluster.", + "name": "JGROUPS_CLUSTER_PASSWORD", + "from": "[a-zA-Z0-9]{32}", + "generate": "expression", + "required": true + }, + { + "displayName": "Database JNDI Name", + "description": "Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql", + "name": "DB_JNDI", + "value": "java:jboss/datasources/KeycloakDS", + "required": false + }, + { + "displayName": "Database Name", + "description": "Database name", + "name": "DB_DATABASE", + "value": "root", + "required": true + }, + { + "displayName": "Datasource Minimum Pool Size", + "description": "Sets xa-pool/min-pool-size for the configured datasource.", + "name": "DB_MIN_POOL_SIZE", + "required": false + }, + { + "displayName": "Datasource Maximum Pool Size", + "description": "Sets xa-pool/max-pool-size for the configured datasource.", + "name": "DB_MAX_POOL_SIZE", + "required": false + }, + { + "displayName": "Datasource Transaction Isolation", + "description": "Sets transaction-isolation for the configured datasource.", + "name": "DB_TX_ISOLATION", + "required": false + }, + { + "displayName": "PostgreSQL Maximum number of connections", + "description": "The maximum number of client connections allowed. 
This also sets the maximum number of prepared transactions.", + "name": "POSTGRESQL_MAX_CONNECTIONS", + "required": false + }, + { + "displayName": "PostgreSQL Shared Buffers", + "description": "Configures how much memory is dedicated to PostgreSQL for caching data.", + "name": "POSTGRESQL_SHARED_BUFFERS", + "required": false + }, + { + "displayName": "Database Username", + "description": "Database user name", + "name": "DB_USERNAME", + "from": "user[a-zA-Z0-9]{3}", + "generate": "expression", + "required": true + }, + { + "displayName": "Database Password", + "description": "Database user password", + "name": "DB_PASSWORD", + "from": "[a-zA-Z0-9]{32}", + "generate": "expression", + "required": true + }, + { + "displayName": "Database Volume Capacity", + "description": "Size of persistent storage for database volume.", + "name": "VOLUME_CAPACITY", + "value": "1Gi", + "required": true + }, + { + "displayName": "ImageStream Namespace", + "description": "Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project.", + "name": "IMAGE_STREAM_NAMESPACE", + "value": "openshift", + "required": true + }, + { + "displayName": "RH-SSO Administrator Username", + "description": "RH-SSO Server administrator username", + "name": "SSO_ADMIN_USERNAME", + "from": "[a-zA-Z0-9]{8}", + "generate": "expression", + "required": true + }, + { + "displayName": "RH-SSO Administrator Password", + "description": "RH-SSO Server administrator password", + "name": "SSO_ADMIN_PASSWORD", + "from": "[a-zA-Z0-9]{32}", + "generate": "expression", + "required": true + }, + { + "displayName": "RH-SSO Realm", + "description": "Realm to be created in the RH-SSO server (e.g. 
demorealm).", + "name": "SSO_REALM", + "value": "", + "required": false + }, + { + "displayName": "RH-SSO Service Username", + "description": "The username used to access the RH-SSO service. This is used by clients to create the appliction client(s) within the specified RH-SSO realm.", + "name": "SSO_SERVICE_USERNAME", + "value": "", + "required": false + }, + { + "displayName": "RH-SSO Service Password", + "description": "The password for the RH-SSO service user.", + "name": "SSO_SERVICE_PASSWORD", + "value": "", + "required": false + }, + { + "displayName": "PostgreSQL Image Stream Tag", + "description": "The tag to use for the \"postgresql\" image stream. Typically, this aligns with the major.minor version of PostgreSQL.", + "name": "POSTGRESQL_IMAGE_STREAM_TAG", + "value": "10", + "required": true + }, + { + "displayName": "Container Memory Limit", + "description": "Container memory limit.", + "name": "MEMORY_LIMIT", + "value": "1Gi", + "required": false + } + ], + "objects": [ + { + "apiVersion": "v1", + "kind": "ConfigMap", + "metadata": { + "annotations": { + "description": "ConfigMap providing service ca bundle.", + "service.beta.openshift.io/inject-cabundle": "true" + }, + "labels": { + "application": "${APPLICATION_NAME}" + }, + "name": "${APPLICATION_NAME}-service-ca" + } + }, + { + "kind": "Service", + "apiVersion": "v1", + "spec": { + "ports": [ + { + "port": 8443, + "targetPort": 8443 + } + ], + "selector": { + "deploymentConfig": "${APPLICATION_NAME}" + } + }, + "metadata": { + "name": "${APPLICATION_NAME}", + "labels": { + "application": "${APPLICATION_NAME}" + }, + "annotations": { + "description": "The web server's https port.", + "service.alpha.openshift.io/serving-cert-secret-name": "sso-x509-https-secret", + "service.alpha.openshift.io/dependencies": "[{\"name\": \"${APPLICATION_NAME}-postgresql\", \"kind\": \"Service\"}]" + } + } + }, + { + "kind": "Service", + "apiVersion": "v1", + "spec": { + "ports": [ + { + "port": 5432, + "targetPort": 
5432 + } + ], + "selector": { + "deploymentConfig": "${APPLICATION_NAME}-postgresql" + } + }, + "metadata": { + "name": "${APPLICATION_NAME}-postgresql", + "labels": { + "application": "${APPLICATION_NAME}" + }, + "annotations": { + "description": "The database server's port." + } + } + }, + { + "kind": "Service", + "apiVersion": "v1", + "spec": { + "clusterIP": "None", + "ports": [ + { + "name": "ping", + "port": 8888 + } + ], + "selector": { + "deploymentConfig": "${APPLICATION_NAME}" + } + }, + "metadata": { + "name": "${APPLICATION_NAME}-ping", + "labels": { + "application": "${APPLICATION_NAME}" + }, + "annotations": { + "service.alpha.kubernetes.io/tolerate-unready-endpoints": "true", + "service.alpha.openshift.io/serving-cert-secret-name": "sso-x509-jgroups-secret", + "description": "The JGroups ping port for clustering." + } + } + }, + { + "kind": "Route", + "apiVersion": "v1", + "id": "${APPLICATION_NAME}-https", + "metadata": { + "name": "${APPLICATION_NAME}", + "labels": { + "application": "${APPLICATION_NAME}" + }, + "annotations": { + "description": "Route for application's https service." 
+ } + }, + "spec": { + "to": { + "name": "${APPLICATION_NAME}" + }, + "tls": { + "termination": "reencrypt" + } + } + }, + { + "kind": "DeploymentConfig", + "apiVersion": "v1", + "metadata": { + "name": "${APPLICATION_NAME}", + "labels": { + "application": "${APPLICATION_NAME}" + } + }, + "spec": { + "strategy": { + "type": "Recreate" + }, + "triggers": [ + { + "type": "ImageChange", + "imageChangeParams": { + "automatic": true, + "containerNames": [ + "${APPLICATION_NAME}" + ], + "from": { + "kind": "ImageStreamTag", + "namespace": "${IMAGE_STREAM_NAMESPACE}", + "name": "redhat-sso74-openshift:1.0" + } + } + }, + { + "type": "ConfigChange" + } + ], + "replicas": 1, + "selector": { + "deploymentConfig": "${APPLICATION_NAME}" + }, + "template": { + "metadata": { + "name": "${APPLICATION_NAME}", + "labels": { + "deploymentConfig": "${APPLICATION_NAME}", + "application": "${APPLICATION_NAME}" + } + }, + "spec": { + "terminationGracePeriodSeconds": 75, + "containers": [ + { + "name": "${APPLICATION_NAME}", + "image": "${APPLICATION_NAME}", + "imagePullPolicy": "Always", + "resources": { + "limits": { + "memory": "${MEMORY_LIMIT}" + } + }, + "volumeMounts": [ + { + "name": "sso-x509-https-volume", + "mountPath": "/etc/x509/https", + "readOnly": true + }, + { + "name": "sso-x509-jgroups-volume", + "mountPath": "/etc/x509/jgroups", + "readOnly": true + }, + { + "mountPath": "/var/run/configmaps/service-ca", + "name": "service-ca", + "readOnly": true + } + ], + "livenessProbe": { + "exec": { + "command": [ + "/bin/bash", + "-c", + "/opt/eap/bin/livenessProbe.sh" + ] + }, + "initialDelaySeconds": 60 + }, + "readinessProbe": { + "exec": { + "command": [ + "/bin/bash", + "-c", + "/opt/eap/bin/readinessProbe.sh" + ] + } + }, + "ports": [ + { + "name": "jolokia", + "containerPort": 8778, + "protocol": "TCP" + }, + { + "name": "http", + "containerPort": 8080, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 8443, + "protocol": "TCP" + }, + { + "name": "ping", + 
"containerPort": 8888, + "protocol": "TCP" + } + ], + "env": [ + { + "name": "SSO_HOSTNAME", + "value": "${SSO_HOSTNAME}" + }, + { + "name": "DB_SERVICE_PREFIX_MAPPING", + "value": "${APPLICATION_NAME}-postgresql=DB" + }, + { + "name": "DB_JNDI", + "value": "${DB_JNDI}" + }, + { + "name": "DB_USERNAME", + "value": "${DB_USERNAME}" + }, + { + "name": "DB_PASSWORD", + "value": "${DB_PASSWORD}" + }, + { + "name": "DB_DATABASE", + "value": "${DB_DATABASE}" + }, + { + "name": "TX_DATABASE_PREFIX_MAPPING", + "value": "${APPLICATION_NAME}-postgresql=DB" + }, + { + "name": "DB_MIN_POOL_SIZE", + "value": "${DB_MIN_POOL_SIZE}" + }, + { + "name": "DB_MAX_POOL_SIZE", + "value": "${DB_MAX_POOL_SIZE}" + }, + { + "name": "DB_TX_ISOLATION", + "value": "${DB_TX_ISOLATION}" + }, + { + "name": "JGROUPS_PING_PROTOCOL", + "value": "openshift.DNS_PING" + }, + { + "name": "OPENSHIFT_DNS_PING_SERVICE_NAME", + "value": "${APPLICATION_NAME}-ping" + }, + { + "name": "OPENSHIFT_DNS_PING_SERVICE_PORT", + "value": "8888" + }, + { + "name": "X509_CA_BUNDLE", + "value": "/var/run/configmaps/service-ca/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + }, + { + "name": "JGROUPS_CLUSTER_PASSWORD", + "value": "${JGROUPS_CLUSTER_PASSWORD}" + }, + { + "name": "SSO_ADMIN_USERNAME", + "value": "${SSO_ADMIN_USERNAME}" + }, + { + "name": "SSO_ADMIN_PASSWORD", + "value": "${SSO_ADMIN_PASSWORD}" + }, + { + "name": "SSO_REALM", + "value": "${SSO_REALM}" + }, + { + "name": "SSO_SERVICE_USERNAME", + "value": "${SSO_SERVICE_USERNAME}" + }, + { + "name": "SSO_SERVICE_PASSWORD", + "value": "${SSO_SERVICE_PASSWORD}" + } + ] + } + ], + "volumes": [ + { + "name": "sso-x509-https-volume", + "secret": { + "secretName": "sso-x509-https-secret" + } + }, + { + "name": "sso-x509-jgroups-volume", + "secret": { + "secretName": "sso-x509-jgroups-secret" + } + }, + { + "name": "service-ca", + "configMap": { + "name": "${APPLICATION_NAME}-service-ca" + } + } + ] + } + } + } + }, + { + "kind": 
"DeploymentConfig", + "apiVersion": "v1", + "metadata": { + "name": "${APPLICATION_NAME}-postgresql", + "labels": { + "application": "${APPLICATION_NAME}" + } + }, + "spec": { + "strategy": { + "type": "Recreate" + }, + "triggers": [ + { + "type": "ImageChange", + "imageChangeParams": { + "automatic": true, + "containerNames": [ + "${APPLICATION_NAME}-postgresql" + ], + "from": { + "kind": "ImageStreamTag", + "namespace": "${IMAGE_STREAM_NAMESPACE}", + "name": "postgresql:${POSTGRESQL_IMAGE_STREAM_TAG}" + } + } + }, + { + "type": "ConfigChange" + } + ], + "replicas": 1, + "selector": { + "deploymentConfig": "${APPLICATION_NAME}-postgresql" + }, + "template": { + "metadata": { + "name": "${APPLICATION_NAME}-postgresql", + "labels": { + "deploymentConfig": "${APPLICATION_NAME}-postgresql", + "application": "${APPLICATION_NAME}" + } + }, + "spec": { + "terminationGracePeriodSeconds": 60, + "containers": [ + { + "name": "${APPLICATION_NAME}-postgresql", + "image": "postgresql", + "imagePullPolicy": "Always", + "ports": [ + { + "containerPort": 5432, + "protocol": "TCP" + } + ], + "readinessProbe": { + "timeoutSeconds": 10, + "initialDelaySeconds": 90, + "successThreshold:": 1, + "failureThreshold": 3, + "exec": { + "command": [ "/bin/sh", "-i", "-c", "psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'"] + } + }, + "livenessProbe": { + "timeoutSeconds": 10, + "initialDelaySeconds": 90, + "successThreshold:": 1, + "failureThreshold": 3, + "tcpSocket": { + "port": 5432 + } + }, + "volumeMounts": [ + { + "mountPath": "/var/lib/pgsql/data", + "name": "${APPLICATION_NAME}-postgresql-pvol" + } + ], + "env": [ + { + "name": "POSTGRESQL_USER", + "value": "${DB_USERNAME}" + }, + { + "name": "POSTGRESQL_PASSWORD", + "value": "${DB_PASSWORD}" + }, + { + "name": "POSTGRESQL_DATABASE", + "value": "${DB_DATABASE}" + }, + { + "name": "POSTGRESQL_MAX_CONNECTIONS", + "value": "${POSTGRESQL_MAX_CONNECTIONS}" + }, + { + "name": 
"POSTGRESQL_MAX_PREPARED_TRANSACTIONS", + "value": "${POSTGRESQL_MAX_CONNECTIONS}" + }, + { + "name": "POSTGRESQL_SHARED_BUFFERS", + "value": "${POSTGRESQL_SHARED_BUFFERS}" + } + ] + } + ], + "volumes": [ + { + "name": "${APPLICATION_NAME}-postgresql-pvol", + "persistentVolumeClaim": { + "claimName": "${APPLICATION_NAME}-postgresql-claim" + } + } + ] + } + } + } + }, + { + "apiVersion": "v1", + "kind": "PersistentVolumeClaim", + "metadata": { + "name": "${APPLICATION_NAME}-postgresql-claim", + "labels": { + "application": "${APPLICATION_NAME}" + } + }, + "spec": { + "accessModes": [ + "ReadWriteOnce" + ], + "resources": { + "requests": { + "storage": "${VOLUME_CAPACITY}" + } + } + } + } + ] +} diff --git a/pkg/keycloak/keycloak.go b/pkg/keycloak/keycloak.go index b0e64696..191460a9 100644 --- a/pkg/keycloak/keycloak.go +++ b/pkg/keycloak/keycloak.go @@ -22,13 +22,13 @@ import ( ) const ( - SSO_TEMPLATE_NAME = "sso73-x509-postgresql-persistent.json" + SSO_TEMPLATE_NAME = "sso74-x509-postgresql-persistent.json" SSO_ROUTE_NAME = "sso" SSO_APPLICATION_NAME = "sso" SSO_TEMPLATE_PATH = "deploy/template" SSO_TEMPLATE_PATH_ENV_VAR = "TEMPLATE_DIR" - SSO_VERSION = "v7.3.2.GA" - SSO_IMAGE_STREAM = "redhat-sso73-openshift:1.0" + SSO_VERSION = "v7.4.1.GA" + SSO_IMAGE_STREAM = "redhat-sso74-openshift:1.0" SSO_POSTGRES_VERSION = "9.6" ) diff --git a/pkg/keycloak/upgrade.go b/pkg/keycloak/upgrade.go index 110000a8..9405b3b6 100644 --- a/pkg/keycloak/upgrade.go +++ b/pkg/keycloak/upgrade.go @@ -8,8 +8,8 @@ import ( ) func CanUpgrade(version string) bool { - // we will handle upgrade for any 7.2.x version - r := regexp.MustCompile("^v7.2.*.GA$") + // we will handle upgrade for any 7.3.x version + r := regexp.MustCompile("^v7.3.*.GA$") return r.MatchString(version) } diff --git a/pkg/keycloak/upgrade_test.go b/pkg/keycloak/upgrade_test.go index 384fe332..bbfb6cab 100644 --- a/pkg/keycloak/upgrade_test.go +++ b/pkg/keycloak/upgrade_test.go 
@@ -17,12 +17,12 @@ func TestCanUpgrade(t *testing.T) {
 }{
 {
 Name: "Test Should upgrade",
- Versions: []string{"v7.2.11.GA", "v7.2.1.GA"},
+ Versions: []string{"v7.3.11.GA", "v7.3.1.GA"},
 Expected: true,
 },
 {
 Name: "Test Should Not upgrade",
- Versions: []string{"v7.3.2.GA", "v7.3.1.GA", "v7.3.0.GA", "v7.2.0-ALPHA"},
+ Versions: []string{"v7.4.2.GA", "v7.4.1.GA", "v7.4.0.GA", "v7.3.0-ALPHA"},
 Expected: false,
 },
 }
diff --git a/tmp/build/Dockerfile b/tmp/build/Dockerfile
index 51a7405a..e2bc62ed 100644
--- a/tmp/build/Dockerfile
+++ b/tmp/build/Dockerfile
@@ -5,6 +5,7 @@ USER keycloak-operator
 ENV PATH="/home/keycloak-operator:${PATH}"
 ENV TEMPLATE_DIR="/home/keycloak-operator/deploy/template"
 ADD tmp/_output/bin/keycloak-operator /home/keycloak-operator/keycloak-operator
+ADD deploy/template/sso74-x509-postgresql-persistent.json /home/keycloak-operator/deploy/template/sso74-x509-postgresql-persistent.json
 ADD deploy/template/sso73-x509-postgresql-persistent.json /home/keycloak-operator/deploy/template/sso73-x509-postgresql-persistent.json
 ADD deploy/template/sso72-x509-postgresql-persistent.json /home/keycloak-operator/deploy/template/sso72-x509-postgresql-persistent.json
 ADD deploy/template/prometheus-rule.yaml /home/keycloak-operator/deploy/template/prometheus-rule.yaml
diff --git a/version/version.go b/version/version.go
index 05e5eabb..eb60b361 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,5 +1,5 @@
 package version
 var (
- Version = "1.9.5"
+ Version = "1.10.0"
 )
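Review bot: The "Test Should Not upgrade" list no longer contains any 7.2.x release — the 7.2 GA strings moved out of the positive case and `v7.2.0-ALPHA` became `v7.3.0-ALPHA` — so nothing pins that `CanUpgrade` now rejects the versions it accepted before this commit. Adding `"v7.2.11.GA"` to that `Versions` slice records that 7.2 instances have dropped off the supported upgrade path. A malformed-but-close string such as `"v7.3-GA"` in the same negative list would also exercise how strictly the version separators are matched, which the current pattern does not do. The test table's type declaration and the loop that drives it are outside the hunk.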
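Review bot: The new line copies a plain local file with `ADD`, whose extra behaviour (auto-extracting recognised archives, fetching remote URLs) a JSON template never needs; `COPY` is the recommended instruction for this and is what hadolint DL3020 asks for. `COPY deploy/template/sso74-x509-postgresql-persistent.json /home/keycloak-operator/deploy/template/sso74-x509-postgresql-persistent.json` keeps the new line minimal and consistent with that guidance; the neighbouring `ADD` lines would be a separate cleanup. Since these lines follow `USER keycloak-operator` without `--chown`, the template files are presumably root-owned and only readable by the runtime user, which is adequate for an operator that only reads them.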