Support Keycloak 22, Drop EL7 and Debian 10 (#297)

EL7 and Debian 10 don't have new enough OpenJDK The use_truststore_spi propery for keycloak_ldap_user_provider has default switched to 'always' and 'ldapsOnly' option removed Force IPv4 during tests
treydock · Jul 19, 2023 · d41d2dd · d41d2dd
1 parent b99c30d
commit d41d2dd
Show file tree

Hide file tree

Showing 20 changed files with 35 additions and 120 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -24,7 +24,7 @@ jobs:
             puppet: 8
             fixtures: .fixtures.yml
             allow_failure: false
-          - ruby: 2.7.6
+          - ruby: 2.7.7
             puppet: 7
             fixtures: .fixtures-latest.yml
             allow_failure: true
@@ -56,28 +56,26 @@ jobs:
       fail-fast: false
       matrix:
         set:
-          - "el7"
           - "el8"
           - "el9"
-          - "debian-10"
           - "debian-11"
           - "ubuntu-2004"
           - "ubuntu-2204"
         puppet:
           - "puppet7"
           - "puppet8"
         keycloak_version:
-          - "21.0.1"
+          - "22.0.0"
         keycloak_full:
           - "no"
         include:
           - set: "el8"
             puppet: "puppet7"
-            keycloak_version: "21.0.1"
+            keycloak_version: "22.0.0"
             keycloak_full: "yes"
           - set: "el8"
             puppet: "puppet8"
-            keycloak_version: "21.0.1"
+            keycloak_version: "22.0.0"
             keycloak_full: "yes"
     env:
       BUNDLE_WITHOUT: development:release

diff --git a/.sync.yml b/.sync.yml
@@ -15,27 +15,26 @@ Rakefile:
   acceptance_name: '${{ matrix.puppet }} ${{ matrix.set }} (keycloak=${{ matrix.keycloak_version }} full=${{ matrix.keycloak_full }})'
   acceptance_matrix:
     set:
-      - el7
+      - ---el7
       - el8
       - el9
-      - debian-10
       - debian-11
       - ubuntu-2004
       - ubuntu-2204
     puppet:
       - puppet7
       - puppet8
     keycloak_version:
-      - '21.0.1'
+      - '22.0.0'
     keycloak_full: ['no']
   acceptance_includes:
     - set: el8
       puppet: puppet7
-      keycloak_version: 21.0.1
+      keycloak_version: 22.0.0
       keycloak_full: 'yes'
     - set: el8
       puppet: puppet8
-      keycloak_version: 21.0.1
+      keycloak_version: 22.0.0
       keycloak_full: 'yes'
 .gitignore:
   paths:
@@ -51,11 +50,10 @@ Rakefile:
           Enabled: false
 appveyor.yml:
   delete: true
-spec/acceptance/nodesets/debian-9.yml:
+spec/acceptance/nodesets/el7.yml:
   delete: true
 spec/acceptance/nodesets/debian-10.yml:
-  packages:
-    - iproute2
+  delete: true
 spec/acceptance/nodesets/debian-11.yml:
   packages:
     - iproute2

diff --git a/README.md b/README.md
@@ -175,6 +175,7 @@ This module may work on earlier versions but this is the only version tested.
 | 18.x             | 8.x                             |
 | 19.x - 21.x      | 9.x                             |
 | 21.x             | 10.x                            |
+| 22.x             | 11.x                            |
 
 ## Usage
 
@@ -190,18 +191,18 @@ Install a specific version of Keycloak.
 
 ```puppet
 class { 'keycloak':
-  version => '18.0.0',
+  version => '22.0.0',
   db      => 'mariadb',
 }
 ```
 
 Upgrading Keycloak version works by changing `version` parameter as long as the `db` parameter is not the default of `dev-file`. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to `/opt/keycloak`, applying all changes to new version and then restarting the `keycloak` service.
 
-If the previous `version` was `18.0.0` using the following will upgrade to `19.0.0`:
+If the previous `version` was `22.0.0` using the following will upgrade to `23.0.0`:
 
 ```puppet
 class { 'keycloak':
-  version => '19.0.0',
+  version => '23.0.0',
   db      => 'mariadb',
 }
 ```
@@ -283,7 +284,7 @@ A simple example of deploying a custom SPI from a URL:
 keycloak::spi_deployment { 'duo-spi':
   ensure        => 'present',
   deployed_name => 'DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar',
-  source        => 'https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/download/1.0.4/DuoUniversalKeycloakAuthenticator-jar-with-dependencies-1.0.4.jar',
+  source        => 'https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/download/1.0.5/DuoUniversalKeycloakAuthenticator-jar-with-dependencies-1.0.5.jar',
 }
 ```
 
@@ -615,12 +616,9 @@ keycloak_required_action { 'webauthn-register on master':
 
 This module has been tested on:
 
-* RedHat/CentOS 7 x86_64
 * RedHat/Rocky/AlmaLinux 8 x86_64
 * RedHat/Rocky/AlmaLinux 9 x86_64
-* Debian 10 x86_64
 * Debian 11 x86_64
-* Ubuntu 18.04 x86_64
 * Ubuntu 20.04 x86_64
 * Ubuntu 22.04 x86_64
 

diff --git a/data/os/Debian/10.yaml b/data/os/Debian/10.yaml
diff --git a/data/os/RedHat/7.yaml b/data/os/RedHat/7.yaml
diff --git a/lib/puppet/type/keycloak_ldap_user_provider.rb b/lib/puppet/type/keycloak_ldap_user_provider.rb
@@ -73,8 +73,8 @@
 
   newproperty(:use_truststore_spi) do
     desc 'useTruststoreSpi'
-    defaultto 'ldapsOnly'
-    newvalues('always', 'ldapsOnly', 'never')
+    defaultto 'always'
+    newvalues('always', 'never')
     munge { |v| v }
   end
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -27,11 +27,11 @@
     ensure  => 'directory',
     owner   => $keycloak::user,
     group   => $keycloak::group,
-    mode    => '0755',
+    mode    => $keycloak::conf_dir_mode,
     purge   => $keycloak::conf_dir_purge,
     force   => $keycloak::conf_dir_purge,
     recurse => $keycloak::conf_dir_purge,
-    ignore  => ['cache-ispn.xml', 'README.md'],
+    ignore  => $keycloak::conf_dir_purge_ignore,
     notify  => Class['keycloak::service'],
   }
 

diff --git a/manifests/freeipa_user_provider.pp b/manifests/freeipa_user_provider.pp
@@ -67,7 +67,7 @@
     rdn_ldap_attribute                       => 'uid',
     search_scope                             => '1',
     use_kerberos_for_password_authentication => 'false',
-    use_truststore_spi                       => 'ldapsOnly',
+    use_truststore_spi                       => 'always',
     user_object_classes                      => ['inetOrgPerson', ' organizationalPerson'],
     username_ldap_attribute                  => 'uid',
     users_dn                                 => $users_dn,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -222,15 +222,15 @@
 #   Only necessary to set if the URL path to Keycloak is modified
 class keycloak (
   Boolean $manage_install       = true,
-  String $version               = '21.0.1',
+  String $version               = '22.0.0',
   Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $package_url= undef,
   Optional[Stdlib::Absolutepath] $install_dir = undef,
   Array[String[1]] $java_package_dependencies = [],
   Enum['include','class'] $java_declare_method = 'class',
-  String[1] $java_package = 'java-11-openjdk-devel',
-  Stdlib::Absolutepath $java_home = '/usr/lib/jvm/java-11-openjdk',
-  Stdlib::Absolutepath $java_alternative_path = '/usr/lib/jvm/java-11-openjdk/bin/java',
-  String[1] $java_alternative = '/usr/lib/jvm/java-11-openjdk/bin/java',
+  String[1] $java_package = 'java-17-openjdk-devel',
+  Stdlib::Absolutepath $java_home = '/usr/lib/jvm/java-17-openjdk',
+  Stdlib::Absolutepath $java_alternative_path = '/usr/lib/jvm/java-17-openjdk/bin/java',
+  String[1] $java_alternative = '/usr/lib/jvm/java-17-openjdk/bin/java',
   String $service_name          = 'keycloak',
   String $service_ensure        = 'running',
   Boolean $service_enable       = true,

diff --git a/metadata.json b/metadata.json
@@ -41,17 +41,10 @@
     {
       "operatingsystem": "RedHat",
       "operatingsystemrelease": [
-        "7",
         "8",
         "9"
       ]
     },
-    {
-      "operatingsystem": "CentOS",
-      "operatingsystemrelease": [
-        "7"
-      ]
-    },
     {
       "operatingsystem": "Rocky",
       "operatingsystemrelease": [
@@ -69,7 +62,6 @@
     {
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
-        "10",
         "11"
       ]
     },

diff --git a/spec/acceptance/1_class_spec.rb b/spec/acceptance/1_class_spec.rb
@@ -70,7 +70,7 @@ class { 'keycloak':
       pp = <<-PUPPET_PP
       class { 'keycloak':
         http_relative_path => '/auth',
-        java_opts          => '-Xmx512m -Xms64m',
+        java_opts          => '-Xmx512m -Xms64m -Djava.net.preferIPv4Stack=true',
         configs            => {
           'metrics-enabled' => true,
         },

diff --git a/spec/acceptance/nodesets/debian-10.yml b/spec/acceptance/nodesets/debian-10.yml
diff --git a/spec/acceptance/nodesets/el7.yml b/spec/acceptance/nodesets/el7.yml
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -8,7 +8,7 @@
       let(:facts) do
         facts.merge(concat_basedir: '/dne')
       end
-      let(:version) { '21.0.1' }
+      let(:version) { '22.0.0' }
 
       case facts[:osfamily]
       when %r{RedHat}

diff --git a/spec/defines/freeipa_user_provider_spec.rb b/spec/defines/freeipa_user_provider_spec.rb
@@ -31,7 +31,7 @@
           rdn_ldap_attribute: 'uid',
           search_scope: '1',
           use_kerberos_for_password_authentication: 'false',
-          use_truststore_spi: 'ldapsOnly',
+          use_truststore_spi: 'always',
           user_object_classes: ['inetOrgPerson', ' organizationalPerson'],
           username_ldap_attribute: 'uid',
           users_dn: 'cn=users,cn=accounts,dc=example,dc=org',

diff --git a/spec/defines/partial_import_spec.rb b/spec/defines/partial_import_spec.rb
@@ -8,7 +8,7 @@
       let(:facts) do
         facts.merge(concat_basedir: '/dne')
       end
-      let(:version) { '21.0.1' }
+      let(:version) { '22.0.0' }
       let(:title) { 'test' }
       let(:params) do
         {

diff --git a/spec/defines/spi_deployment_spec.rb b/spec/defines/spi_deployment_spec.rb
@@ -8,7 +8,7 @@
       let(:facts) do
         facts.merge(concat_basedir: '/dne')
       end
-      let(:version) { '21.0.1' }
+      let(:version) { '22.0.0' }
       let(:title) { 'duo-spi' }
       let(:params) { { deployed_name: 'keycloak-duo-spi-jar-with-dependencies.jar', source: 'https://example.com/files/keycloak-duo-spi-jar-with-dependencies.jar' } }
 

diff --git a/spec/fixtures/DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar b/spec/fixtures/DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar
diff --git a/spec/spec_helper_acceptance_setup.rb b/spec/spec_helper_acceptance_setup.rb
@@ -3,7 +3,7 @@
 RSpec.configure do |c|
   c.add_setting :keycloak_version
   keycloak_version = if ENV['BEAKER_keycloak_version'].nil? || ENV['BEAKER_keycloak_version'].empty?
-                       '21.0.1'
+                       '22.0.0'
                      else
                        ENV['BEAKER_keycloak_version']
                      end
@@ -28,26 +28,17 @@
   - name: "Common"
     path: "common.yaml"
 HIERA_YAML
-centos7_yaml = <<-EL7_YAML
-postgresql::server::service_reload: 'systemctl reload postgresql 2>/dev/null 1>/dev/null'
-EL7_YAML
-ubuntu1804_yaml = <<-UBUNTU18_YAML
-keycloak::db: mysql
-UBUNTU18_YAML
 common_yaml = <<-COMMON_YAML
 ---
 keycloak::version: '#{RSpec.configuration.keycloak_version}'
 keycloak::http_host: '127.0.0.1'
 keycloak::db: mariadb
 keycloak::proxy: edge
+# Force only listen on IPv4 for testing
+keycloak::java_opts: '-Djava.net.preferIPv4Stack=true'
 postgresql::server::service_status: 'service postgresql status 2>/dev/null 1>/dev/null'
 COMMON_YAML
 
 create_remote_file(hosts, '/etc/puppetlabs/puppet/hiera.yaml', hiera_yaml)
 on hosts, 'mkdir -p /etc/puppetlabs/puppet/data'
 create_remote_file(hosts, '/etc/puppetlabs/puppet/data/common.yaml', common_yaml)
-on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/CentOS'
-create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/CentOS/7.yaml', centos7_yaml)
-on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/Ubuntu'
-create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/Ubuntu/18.04.yaml', ubuntu1804_yaml)
-on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/Debian'
diff --git a/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb b/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb
@@ -79,8 +79,8 @@
     }.to raise_error(%r{foo})
   end
 
-  it 'defaults to use_truststore_spi=ldapsOnly' do
-    expect(resource[:use_truststore_spi]).to eq('ldapsOnly')
+  it 'defaults to use_truststore_spi=always' do
+    expect(resource[:use_truststore_spi]).to eq('always')
   end
 
   it 'does not allow invalid use_truststore_spi' do