feat: Update keycloak from 6.0.1 to 15. (#86)

* Update keycloak from 6.0.1 to 15. Signed-off-by: Oleksandr Andriienko <oandriie@redhat.com>
2021-09-10 10:55:20 +03:00 · 2021-09-10 10:55:20 +03:00 · 71c2ea50a6
parent 72d2a354d5
commit 71c2ea50a6
5 changed files with 16 additions and 24 deletions
--- a/assembly/assembly-root-war/src/main/webapp/_app/keycloackLoader.js
+++ b/assembly/assembly-root-war/src/main/webapp/_app/keycloackLoader.js
@ -110,8 +110,8 @@ export class KeycloakLoader {
                    onLoad: 'login-required',
                    checkLoginIframe: false,
                    useNonce: useNonce,
-                    scope: 'email profile',
-                    redirectUri: keycloakSettings['che.keycloak.redirect_url.ide']
+                    scope: 'openid',
+                    redirectUri: decodeURIComponent(location.href)
                })
                .success(() => {
                    resolve(keycloak);
--- a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
+++ b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
@ -74,8 +74,13 @@ spec:
        - name: CHE_HOST
          value: {{ template "cheHost" . }}
 {{- if .Values.global.useInternalClusterSVCNames }}
-        - name: KEYCLOAK_HOSTNAME
-          value: {{ template "keycloakHost" . }}
+        {{- if .Values.global.tls.enabled }}
+        - name: KEYCLOAK_FRONTEND_URL
+          value: https://{{ template "keycloakHost" . }}/auth
+        {{- else }}
+        - name: KEYCLOAK_FRONTEND_URL
+          value: http://{{ template "keycloakHost" . }}/auth
+        {{- end }}
 {{- end }}
        - name: ROUTING_SUFFIX
          value: {{ .Values.global.ingressDomain }}
--- a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/ingress.yaml
+++ b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/ingress.yaml
@ -18,6 +18,7 @@ metadata:
    component: keycloak
  annotations:
    kubernetes.io/ingress.class: {{ .Values.global.ingress.class | quote }}
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout: "3600"
    {{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout: "3600"
 {{- if .Values.global.tls.enabled }}
--- a/dockerfiles/keycloak/Dockerfile
+++ b/dockerfiles/keycloak/Dockerfile
@ -6,15 +6,15 @@
 # SPDX-License-Identifier: EPL-2.0
 #

-FROM jboss/keycloak:6.0.1
+FROM quay.io/keycloak/keycloak:15.0.2
+
 ADD che /opt/jboss/keycloak/themes/che
 ADD che-username-readonly /opt/jboss/keycloak/themes/che-username-readonly
 ADD . /scripts/
 ADD cli /scripts/cli
-RUN ln -s /opt/jboss/tools/docker-entrypoint.sh && \
-    curl -sSL https://github.com/che-incubator/KEYCLOAK-10169-OpenShift4-User-Provider/releases/download/6.0.1-openshift-v4/openshift4-extension-6.0.1.jar -o /opt/jboss/keycloak/standalone/deployments/openshift4-extension-6.0.1.jar && \
-    unzip -j /opt/jboss/keycloak/standalone/deployments/openshift4-extension-6.0.1.jar -d /opt/jboss/keycloak/themes/base/admin/resources/partials \
-    theme-resources/resources/realm-identity-provider-openshift-v4.html theme-resources/resources/realm-identity-provider-openshift-v4-ext.html
+USER root
+RUN microdnf install findutils && microdnf clean all && \
+    ln -s /opt/jboss/tools/docker-entrypoint.sh && chmod +x /opt/jboss/tools/docker-entrypoint.sh

 USER root
 RUN chown -R 1000:0 /scripts && \
--- a/dockerfiles/keycloak/kc_realm_user.sh
+++ b/dockerfiles/keycloak/kc_realm_user.sh
@ -66,12 +66,6 @@ cat /scripts/che-realm.json.erb | \
                                sed -e "s@<%= scope\.lookupvar('che::che_server_url') %>@${PROTOCOL}://${CHE_HOST}@" \
                                > /scripts/che-realm.json

-echo "Creating Admin user..."
-
-if [ $KEYCLOAK_USER ] && [ $KEYCLOAK_PASSWORD ]; then
-    /opt/jboss/keycloak/bin/add-user-keycloak.sh --user $KEYCLOAK_USER --password $KEYCLOAK_PASSWORD
-fi
-
 # Handle CA certificates
 KEYSTORE_PATH=/scripts/openshift.jks
 TRUST_STORE_PASSWORD=${TRUSTPASS:-openshift}
@ -96,10 +90,6 @@ if [ -f "$KEYSTORE_PATH" ]; then
    /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/cli/add_openshift_certificate.cli && rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
 fi

-# Patch configuration to allow to set 'keycloak.hostname.fixed.alwaysHttps'
-sed -i 's|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/>|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/><property name="alwaysHttps" value="${keycloak.hostname.fixed.alwaysHttps:false}"/>|g' /opt/jboss/keycloak/standalone/configuration/standalone.xml
-sed -i 's|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/>|<property name="httpsPort" value="${keycloak.hostname.fixed.httpsPort:-1}"/><property name="alwaysHttps" value="${keycloak.hostname.fixed.alwaysHttps:false}"/>|g' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
-
 # POSTGRES_PORT is assigned by Kubernetes controller
 # and it isn't fit to docker-entrypoin.sh.
 unset POSTGRES_PORT
@ -112,8 +102,4 @@ SYS_PROPS="-Dkeycloak.migration.action=import \
    -Dkeycloak.migration.dir=/scripts/ \
    -Djboss.bind.address=0.0.0.0"

-if [ $KEYCLOAK_HOSTNAME ] && [ $PROTOCOL == "https" ]; then
-  SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=true"
-fi
-
-exec /opt/jboss/docker-entrypoint.sh $SYS_PROPS
+exec /opt/jboss/tools/docker-entrypoint.sh $SYS_PROPS