feat(RHIDP-9113): Update Keycloak configuration for Red Hat Build of Keycloak (RHBK)

ci-scripts/rhdh-setup/create_resource.sh

@@ -195,7 +195,7 @@ get_group_path_by_name() {
   local group_name="$input"
   token=$(get_token)
 
-  response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
+  response=$(curl -s -k --location --request GET "$(keycloak_url)/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
 
@@ -221,7 +221,7 @@ get_group_id_by_name() {
   group_name="$1"
   token=$(get_token)
 
-  response=$(curl -s -k --location --request GET "$(keycloak_url)/auth/admin/realms/backstage/groups?search=${group_name}" \
+  response=$(curl -s -k --location --request GET "$(keycloak_url)/admin/realms/backstage/groups?search=${group_name}" \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" 2>&1)
 
@@ -269,7 +269,7 @@ assign_parent_group() {
   attempt=1
   while (( attempt <= max_attempts )); do
     token=$(get_token)
-    response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups/${parent_id}/children" \
+    response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups/${parent_id}/children" \
       -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
       --data-raw '{"name":"'"${child_name}"'"}' 2>&1)"
     if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -296,7 +296,7 @@ create_group() {
       groupname="g${idx}"
       while ((attempt <= max_attempts)); do
         token=$(get_token)
-        response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
+        response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups" \
           -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
           --data-raw '{"name":"'"${groupname}"'"}' 2>&1)"
         if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -319,7 +319,7 @@ create_group() {
     groupname="g${idx}"
     while ((attempt <= max_attempts)); do
       token=$(get_token)
-      response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/groups" \
+      response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/groups" \
         -H 'Content-Type: application/json' -H "Authorization: Bearer $token" \
         --data-raw '{"name":"'"${groupname}"'"}' 2>&1)"
       if [ "${PIPESTATUS[0]}" -eq 0 ] && ! echo "$response" | grep -q 'error' >&/dev/null; then
@@ -443,8 +443,8 @@ create_user() {
   groups="$groups]"
   while ((attempt <= max_attempts)); do
     token=$(get_token)
-    username="t${0}"
-    response="$(curl -s -k --location --request POST "$(keycloak_url)/auth/admin/realms/backstage/users" \
+    username="t_${0}"
+    response="$(curl -s -k --location --request POST "$(keycloak_url)/admin/realms/backstage/users" \
       -H 'Content-Type: application/json' \
       -H 'Authorization: Bearer '"$token" \
       --data-raw '{"firstName":"'"${username}"'","lastName":"tester", "email":"'"${username}"'@test.com","emailVerified":"true", "enabled":"true", "username":"'"${username}"'","groups":'"$groups"',"credentials":[{"type":"password","value":"'"${KEYCLOAK_USER_PASS}"'","temporary":false}]}' 2>&1)"
@@ -499,7 +499,13 @@ log_token_err() {
 }
 
 keycloak_token() {
-  curl -s -k "$(keycloak_url)/auth/realms/master/protocol/openid-connect/token" -d username=admin -d "password=$1" -d 'grant_type=password' -d 'client_id=admin-cli' | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
+  client_secret=$(oc -n "${RHDH_NAMESPACE}" get secret keycloak-client-secret-backstage -o template --template='{{.data.CLIENT_SECRET}}' | base64 -d)
+  curl -s -k "$(keycloak_url)/realms/backstage/protocol/openid-connect/token" \
+    -d username=guru \
+    -d "password=$1" \
+    -d 'grant_type=password' \
+    -d 'client_id=backstage' \
+    -d "client_secret=$client_secret" | jq -r ".expires_in_timestamp = $(python3 -c 'from datetime import datetime, timedelta; t_add=int(30); print(int((datetime.now() + timedelta(seconds=t_add)).timestamp()))')"
 }
 
 rhdh_token() {
@@ -526,7 +532,7 @@ rhdh_token() {
     --data-urlencode "redirect_uri=${REDIRECT_URL}" \
     --data-urlencode "scope=openid email profile" \
     --data-urlencode "response_type=code" \
-    "$(keycloak_url)/auth/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
+    "$(keycloak_url)/realms/$REALM/protocol/openid-connect/auth" 2>&1| tee "$TMP_DIR/auth_url.log" | grep -oE 'action="[^"]+"' | grep -oE '"[^"]+"' | tr -d '"')
 
   execution=$(echo "$AUTH_URL" | grep -oE 'execution=[^&]+' | grep -oE '[^=]+$')
   tab_id=$(echo "$AUTH_URL" | grep -oE 'tab_id=[^&]+' | grep -oE '[^=]+$')
@@ -588,7 +594,7 @@ get_token() {
         log_token_err "Unable to get $token_type token, re-attempting"
       fi
     else
-      keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret credential-rhdh-sso -o template --template='{{.data.ADMIN_PASSWORD}}' | base64 -d)
+      keycloak_pass=$(oc -n "${RHDH_NAMESPACE}" get secret perf-test-secrets -o template --template='{{.data.keycloak_user_pass}}' | base64 -d)
       if ! keycloak_token "$keycloak_pass" >"$token_file"; then
         log_token_err "Unable to get $token_type token, re-attempting"
       fi

ci-scripts/rhdh-setup/deploy.sh

@@ -61,6 +61,7 @@ export GROUP_COUNT="${GROUP_COUNT:-1}"
 export API_COUNT="${API_COUNT:-1}"
 export COMPONENT_COUNT="${COMPONENT_COUNT:-1}"
 export KEYCLOAK_USER_PASS=${KEYCLOAK_USER_PASS:-$(mktemp -u XXXXXXXXXX)}
+export KEYCLOAK_ADMIN_PASS=${KEYCLOAK_ADMIN_PASS:-admin}
 export AUTH_PROVIDER="${AUTH_PROVIDER:-''}"
 export ENABLE_RBAC="${ENABLE_RBAC:-false}"
 export ENABLE_ORCHESTRATOR="${ENABLE_ORCHESTRATOR:-false}"
@@ -234,11 +235,32 @@ keycloak_install() {
     )
     envsubst <template/keycloak/keycloak-op.yaml | $clin apply -f -
     envsubst <template/backstage/perf-test-secrets.yaml | $clin apply -f -
-    grep -m 1 "rhsso-operator" <($clin get pods -w)
-    wait_to_start deployment rhsso-operator 300 300
+    grep -m 1 "rhbk-operator" <($clin get pods -w)
+    wait_to_start deployment rhbk-operator 300 300
+
+    export KEYCLOAK_DB_PASSWORD
+    KEYCLOAK_DB_PASSWORD=$(mktemp -u XXXXXXXXXX)
+    export KEYCLOAK_DB_STORAGE
+    KEYCLOAK_DB_STORAGE=${KEYCLOAK_DB_STORAGE:-${RHDH_DB_STORAGE:-1Gi}}
+
+    log_info "Creating Keycloak PostgreSQL database with storage: $KEYCLOAK_DB_STORAGE"
+    envsubst <template/keycloak/keycloak-postgresql.yaml | $clin apply -f -
+    wait_to_start statefulset keycloak-postgresql 300 300
+
+    $clin create secret generic keycloak-db-user --from-literal=keycloak-db-user=keycloak --dry-run=client -o yaml | $clin apply -f -
+
     envsubst <template/keycloak/keycloak.yaml | $clin apply -f -
-    wait_to_start statefulset keycloak 450 600
-    envsubst <template/keycloak/keycloakRealm.yaml | $clin apply -f -
+    wait_to_start statefulset rhdh-keycloak 450 600
+
+    $clin create secret generic credential-rhdh-keycloak \
+        --from-literal=ADMIN_PASSWORD="$KEYCLOAK_ADMIN_PASS" \
+        --dry-run=client -o yaml | $clin apply -f -
+
+    $clin create route edge keycloak \
+        --service=rhdh-keycloak-service \
+        --port=8080 \
+        --dry-run=client -o yaml | $clin apply -f -
+
     if [ "$INSTALL_METHOD" == "helm" ]; then
         export OAUTH2_REDIRECT_URI="https://${RHDH_HELM_RELEASE_NAME}-developer-hub-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/oauth2/callback"
     elif [ "$INSTALL_METHOD" == "olm" ]; then
@@ -248,9 +270,9 @@ keycloak_install() {
             export OAUTH2_REDIRECT_URI="https://backstage-developer-hub-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/oauth2/callback"
         fi
     fi
-    envsubst <template/keycloak/keycloakClient.yaml | $clin apply -f -
     # shellcheck disable=SC2016
-    envsubst '${KEYCLOAK_USER_PASS}' <template/keycloak/keycloakUser.yaml | $clin apply -f -
+    envsubst '${KEYCLOAK_CLIENT_SECRET} ${OAUTH2_REDIRECT_URI} ${KEYCLOAK_USER_PASS} ${KEYCLOAK_ADMIN_PASS}' <template/keycloak/keycloakRealmImport.yaml | $clin apply -f -
+    $clin create secret generic keycloak-client-secret-backstage --from-literal=CLIENT_ID=backstage --from-literal=CLIENT_SECRET="$KEYCLOAK_CLIENT_SECRET" --dry-run=client -o yaml | oc apply -f -
 }
 
 create_users_groups() {

ci-scripts/rhdh-setup/template/backstage/helm/chart-values.image-override.yaml

@@ -8,6 +8,25 @@ global:
     plugins:
       - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
         disabled: false
+        pluginConfig:
+          catalog:
+            providers:
+              keycloakOrg:
+                default:
+                  baseUrl: ${KEYCLOAK_BASE_URL}
+                  realm: ${KEYCLOAK_REALM}
+                  loginRealm: ${KEYCLOAK_LOGIN_REALM}
+                  clientId: ${CLIENT_ID}
+                  clientSecret: ${CLIENT_SECRET}
+                  userQuerySize: 1000
+                  groupQuerySize: 1000
+                  schedule:
+                    frequency:
+                      minutes: 30
+                    timeout:
+                      minutes: 1
+                    initialDelay:
+                      seconds: 15
       - package: ./dynamic-plugins/dist/backstage-community-plugin-analytics-provider-segment
         disabled: true
       # TechDocs
@@ -57,7 +76,7 @@ upstream:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
       - name: KEYCLOAK_BASE_URL
-        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
       - name: KEYCLOAK_LOGIN_REALM
         value: "backstage"
       - name: KEYCLOAK_REALM

ci-scripts/rhdh-setup/template/backstage/helm/chart-values.yaml

@@ -8,6 +8,25 @@ global:
     plugins:
       - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
         disabled: false
+        pluginConfig:
+          catalog:
+            providers:
+              keycloakOrg:
+                default:
+                  baseUrl: ${KEYCLOAK_BASE_URL}
+                  realm: ${KEYCLOAK_REALM}
+                  loginRealm: ${KEYCLOAK_LOGIN_REALM}
+                  clientId: ${CLIENT_ID}
+                  clientSecret: ${CLIENT_SECRET}
+                  userQuerySize: 1000
+                  groupQuerySize: 1000
+                  schedule:
+                    frequency:
+                      minutes: 30
+                    timeout:
+                      minutes: 1
+                    initialDelay:
+                      seconds: 15
       - package: ./dynamic-plugins/dist/backstage-community-plugin-analytics-provider-segment
         disabled: true
       # TechDocs
@@ -57,7 +76,7 @@ upstream:
             key: github.token
             name: "{{ .Release.Name }}-plugin-secrets"
       - name: KEYCLOAK_BASE_URL
-        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+        value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
       - name: KEYCLOAK_LOGIN_REALM
         value: "backstage"
       - name: KEYCLOAK_REALM

ci-scripts/rhdh-setup/template/backstage/helm/oauth2-container-patch.yaml

@@ -18,7 +18,7 @@ extraContainers:
             key: keycloak_cookie_secret
             name: perf-test-secrets
       - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-        value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage
+        value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/realms/backstage
       - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
         value: "true"
       - name: OAUTH2_PROXY_LOGGING_LEVEL

ci-scripts/rhdh-setup/template/backstage/olm/backstage.yaml

@@ -18,7 +18,7 @@ spec:
     extraEnvs:
       envs:
         - name: KEYCLOAK_BASE_URL
-          value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth"
+          value: "https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}"
         - name: KEYCLOAK_LOGIN_REALM
           value: "backstage"
         - name: KEYCLOAK_REALM

ci-scripts/rhdh-setup/template/backstage/olm/rhdh-oauth2.deployment.yaml

@@ -40,7 +40,7 @@ spec:
                   key: keycloak_cookie_secret
                   name: perf-test-secrets
             - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-              value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/auth/realms/backstage
+              value: https://keycloak-${RHDH_NAMESPACE}.${OPENSHIFT_APP_DOMAIN}/realms/backstage
             - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
               value: "true"
           image: quay.io/oauth2-proxy/oauth2-proxy:v7.12.0

ci-scripts/rhdh-setup/template/keycloak/keycloak-op.yaml

@@ -1,18 +1,18 @@
 apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
-  name: rhsso-operator-group
+  name: rhbk-operator-group
 spec:
   targetNamespaces:
     - ${RHDH_NAMESPACE}
 ---
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
-  name: rhsso-operator
+  name: rhbk-operator
 spec:
-  channel: stable
-  name: rhsso-operator
+  channel: stable-v26.2
+  name: rhbk-operator
   source: redhat-operators
   sourceNamespace: openshift-marketplace
   installPlanApproval: Automatic

ci-scripts/rhdh-setup/template/keycloak/keycloak-postgresql.yaml

@@ -0,0 +1,103 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+type: Opaque
+stringData:
+  postgres-password: ${KEYCLOAK_DB_PASSWORD}
+  password: ${KEYCLOAK_DB_PASSWORD}
+  replication-password: ${KEYCLOAK_DB_PASSWORD}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+spec:
+  type: ClusterIP
+  ports:
+    - name: tcp-postgresql
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app: keycloak-postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: keycloak-postgresql
+  labels:
+    app: keycloak-postgresql
+spec:
+  serviceName: keycloak-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak-postgresql
+  template:
+    metadata:
+      labels:
+        app: keycloak-postgresql
+    spec:
+      containers:
+        - name: postgresql
+          image: registry.redhat.io/rhel9/postgresql-15:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: tcp-postgresql
+              containerPort: 5432
+          env:
+            - name: POSTGRESQL_USER
+              value: keycloak
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-postgresql
+                  key: password
+            - name: POSTGRESQL_DATABASE
+              value: keycloak
+            - name: POSTGRESQL_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-postgresql
+                  key: postgres-password
+            - name: PGDATA
+              value: /var/lib/pgsql/data/userdata
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/pgsql/data
+          livenessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - exec pg_isready -U keycloak -d keycloak -h 127.0.0.1 -p 5432
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          readinessProbe:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - exec pg_isready -U keycloak -d keycloak -h 127.0.0.1 -p 5432
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: ${KEYCLOAK_DB_STORAGE}