Revert "Switch from legacy to new style keycloak container"

The image change switches from Wildfly to Quarkus, which seems to come with undocumented impact to H2 databases because Keycloak maintainers consider that "for development purposes only" and not to be used in production. When reintroducing this change, we'll include an actual RDBMS in order to ease future upgrade work. Retain the added test that exercises the admin credentials and API, but adjust it back to the path used by the legacy image. This reverts commit fb47277a56df671bbab389ce10a89d976308d232. Change-Id: I0908490cea852853f086e594a816343edaf6a454
2024-01-29 19:09:07 +00:00 · 2024-01-29 19:09:07 +00:00 · 2891745508
commit 2891745508
parent d4c209e7a4
2 changed files with 12 additions and 12 deletions
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@ -4,18 +4,17 @@ version: '2'

 services:
  keycloak:
-    image: quay.io/keycloak/keycloak:19.0
+    image: quay.io/keycloak/keycloak:legacy
    network_mode: host
    restart: always
    environment:
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
+      - DB_VENDOR=h2
+      - PROXY_ADDRESS_FORWARDING=true
    command:
-      - 'start'
-      - '--hostname-strict=false'
-      - '--http-enabled=true'
-      - '--http-host=127.0.0.1'
-      - '--proxy=edge'
+      -Djboss.bind.address.private=127.0.0.1
+      -Djboss.bind.address=127.0.0.1
    volumes:
      - /var/keycloak/data:/opt/jboss/keycloak/standalone/data
      - /var/log/keycloak:/opt/jboss/keycloak/standalone/log
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
@ -29,9 +29,9 @@ def test_keycloak_openid_config(host):
    # the proxy headers and is not hard-coded configuration.
    cmd = host.run('curl --insecure '
                   '--resolve keycloak.opendev.org:443:127.0.0.1 '
-                   'https://keycloak.opendev.org/realms/master'
+                   'https://keycloak.opendev.org/auth/realms/master'
                   '/.well-known/openid-configuration')
-    assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
+    assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
            in cmd.stdout)

 def test_keycloak_admin_api(host):
@ -47,7 +47,7 @@ def test_keycloak_admin_api(host):
                   '-d "grant_type=password" '
                   '-d "client_id=admin-cli" '
                   'https://keycloak.opendev.org'
-                   '/realms/master/protocol/openid-connect/token')
+                   '/auth/realms/master/protocol/openid-connect/token')
    token = json.loads(cmd.stdout)
    assert token["token_type"] == "Bearer"
    cmd = host.run('curl --insecure '
@ -55,5 +55,6 @@ def test_keycloak_admin_api(host):
                   '-H "Authorization: Bearer %s" '
                   '-H "Content-Type: application/json" '
                   'https://keycloak.opendev.org'
-                   '/admin/realms/master/users/count' % token["access_token"])
+                   '/auth/admin/realms/master/users/count'
+                   % token["access_token"])
    assert cmd.stdout == "1"