From 2891745508ff392618bf13da549d5662d567fd0a Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Mon, 29 Jan 2024 19:09:07 +0000
Subject: [PATCH] Revert "Switch from legacy to new style keycloak container"

The image change switches from Wildfly to Quarkus, which seems to come with undocumented impact to H2 databases because Keycloak maintainers consider that "for development purposes only" and not to be used in production. When reintroducing this change, we'll include an actual RDBMS in order to ease future upgrade work. Retain the added test that exercises the admin credentials and API, but adjust it back to the path used by the legacy image.
This reverts commit fb47277a56df671bbab389ce10a89d976308d232.
Change-Id: I0908490cea852853f086e594a816343edaf6a454
---
 .../keycloak/templates/docker-compose.yaml.j2 | 15 +++++++--------
 testinfra/test_keycloak.py | 9 +++++----
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2 b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
index d4ea7c5610..303c5d9468 100644
--- a/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
+++ b/playbooks/roles/keycloak/templates/docker-compose.yaml.j2
@@ -4,18 +4,17 @@ version: '2'
 services:
 keycloak:
- image: quay.io/keycloak/keycloak:19.0
+ image: quay.io/keycloak/keycloak:legacy
 network_mode: host
 restart: always
 environment:
- KEYCLOAK_ADMIN: admin
- KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
+ - KEYCLOAK_USER=admin
+ - KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"
+ - DB_VENDOR=h2
+ - PROXY_ADDRESS_FORWARDING=true
 command:
- - 'start'
- - '--hostname-strict=false'
- - '--http-enabled=true'
- - '--http-host=127.0.0.1'
- - '--proxy=edge'
+ -Djboss.bind.address.private=127.0.0.1
+ -Djboss.bind.address=127.0.0.1
 volumes:
 - /var/keycloak/data:/opt/jboss/keycloak/standalone/data
 - /var/log/keycloak:/opt/jboss/keycloak/standalone/log
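Review bot: In the list form of `environment`, `- KEYCLOAK_PASSWORD="{{ keycloak_admin_password }}"` is one plain YAML scalar, so the double quotes are most likely handed to the container as part of the password instead of being stripped as they were in the mapping form this hunk removes. Quoting the whole item, `- "KEYCLOAK_PASSWORD={{ keycloak_admin_password }}"`, keeps the list style without that ambiguity; if existing deployments already depend on the quoted value, a comment saying so would help the next reader. Separately, `keycloak:legacy` replaces a versioned tag with a mutable one, so pinning an image digest and adding a comment such as `# temporary: legacy image with H2 until the RDBMS-backed upgrade lands` would keep the deployed build reproducible and the intent visible.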
diff --git a/testinfra/test_keycloak.py b/testinfra/test_keycloak.py
index 8e272cd542..7e63228084 100644
--- a/testinfra/test_keycloak.py
+++ b/testinfra/test_keycloak.py
@@ -29,9 +29,9 @@ def test_keycloak_openid_config(host):
 # the proxy headers and is not hard-coded configuration.
 cmd = host.run('curl --insecure '
 '--resolve keycloak.opendev.org:443:127.0.0.1 '
- 'https://keycloak.opendev.org/realms/master'
+ 'https://keycloak.opendev.org/auth/realms/master'
 '/.well-known/openid-configuration')
- assert ('"issuer":"https://keycloak.opendev.org/realms/master"'
+ assert ('"issuer":"https://keycloak.opendev.org/auth/realms/master"'
 in cmd.stdout)

 def test_keycloak_admin_api(host):
@@ -47,7 +47,7 @@ def test_keycloak_admin_api(host):
 '-d "grant_type=password" '
 '-d "client_id=admin-cli" '
 'https://keycloak.opendev.org'
- '/realms/master/protocol/openid-connect/token')
+ '/auth/realms/master/protocol/openid-connect/token')
 token = json.loads(cmd.stdout)
 assert token["token_type"] == "Bearer"
 cmd = host.run('curl --insecure '
@@ -55,5 +55,6 @@ def test_keycloak_admin_api(host):
 '-H "Authorization: Bearer %s" '
 '-H "Content-Type: application/json" '
 'https://keycloak.opendev.org'
- '/admin/realms/master/users/count' % token["access_token"])
+ '/auth/admin/realms/master/users/count'
+ % token["access_token"])
 assert cmd.stdout == "1"
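Review bot: The `/auth` prefix that distinguishes the legacy image is now repeated in four string literals across this file's three hunks (the URL and issuer strings in `test_keycloak_openid_config`, the token URL and the users/count URL in `test_keycloak_admin_api`), so the planned return to the newer image will need the same four edits again. A module-level constant, for example `KEYCLOAK_BASE = 'https://keycloak.opendev.org/auth'`, with a comment naming which image layout it matches, would reduce that to one line. In the last hunk the admin bearer token is formatted into the curl command line, where it can appear in the host's process list and in any command logging the test framework does; that is tolerable for throwaway test credentials, but a short comment stating the assumption would help. Both test functions extend beyond the lines shown in these hunks.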