Skip to content

Commit

Permalink
make keycloak-26.1 a version stream package
Browse files Browse the repository at this point in the history 
Signed-off-by: hectorj2f <[email protected]>
  • Loading branch information
@hectorj2f
hectorj2f committed Feb 14, 2025
1 parent 39a708f commit 803ef27
Show file tree
Hide file tree
Showing 3 changed files with 294 additions and 0 deletions.
266 changes: 266 additions & 0 deletions keycloak-26.1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,266 @@
package:
name: keycloak-26.1
version: "26.1.1"
epoch: 0
description: Open Source Identity and Access Management For Modern Applications and Services
copyright:
- license: Apache-2.0
dependencies:
runtime:
- bash # Keycloak helper scripts require bash, aren't compatible with busybox.
- openjdk-21-default-jdk # TODO: Change to JRE

# Create a new major-version variable that contains only the major version
# to use in the bitnami/compat pipeline to find out the correct folder for the image.
# e.g. 25.0.2 will create a new var major-version=25
var-transforms:
- from: ${{package.version}}
match: ^(\d+).*
replace: $1
to: major-version

environment:
contents:
packages:
- bash
- build-base
- busybox
- ca-certificates-bundle
- gcc-13-default
- openjdk-21-default-jdk
- wolfi-base
- wolfi-baselayout
environment:
LANG: en_US.UTF-8
JAVA_HOME: /usr/lib/jvm/java-21-openjdk

pipeline:
- uses: git-checkout
with:
repository: https://github.com/keycloak/keycloak
tag: ${{package.version}}
expected-commit: 217a341f3789368d1379185b80b1dd11d7f1e884

# patch instead of pombump because the type/scope fields added by pombump
# break the build
- uses: patch
with:
patches: pom.patch

- runs: |
gcc napi-static-assert.c -o /tmp/preload.so -fPIC -shared -ldl
- runs: |
# Keycloak installation. Note we use the maven wrapper as configured in
# the source repo to build - ensures the correct maven version for
# building the project, preventing issues such as CI hangs.
# Build keycloak-server. Depends on `keycloak-js-adapter-jar`.
# Gross hack to work around broken NAPI ast-grep module that has
# undefined symbol: static_assert
export LD_PRELOAD=/tmp/preload.so
./mvnw clean install -DskipTests=true -Pdistribution -q
unset LD_PRELOAD
mkdir -p ${{targets.destdir}}/usr/share/java
unzip -d ${{targets.destdir}}/usr/share/java quarkus/dist/target/keycloak-*.zip
cp -avR ${{targets.destdir}}/usr/share/java/keycloak-* ${{targets.destdir}}/usr/share/java/keycloak
# Create an empty data directory for keycloak. Required by the UI to store some data.
mkdir -p ${{targets.destdir}}/usr/share/java/keycloak/data
mkdir -p ${{targets.destdir}}/usr/bin
for i in kc.sh kcadm.sh kcreg.sh; do
ln -sf /usr/share/java/keycloak/bin/$i ${{targets.destdir}}/usr/bin/$i
done
# images like keycloak-operator may need it as they expect it to find keycloak in /opt/keycloak
# For ref: https://github.com/keycloak/keycloak/blob/4b194d00bed51458acb3d125eba9a0ba654c930a/operator/Dockerfile#L11
subpackages:
- name: keycloak-compat
pipeline:
- runs: |
mkdir -p "${{targets.subpkgdir}}"/opt
ln -s /usr/share/java/keycloak "${{targets.subpkgdir}}"/opt/
# https://github.com/bitnami/containers/tree/main/bitnami/keycloak/24/debian-12
- name: ${{package.name}}-bitnami-compat
description: "compat package with bitnami/keycloak image"
dependencies:
runtime:
- coreutils # Keycloak Helm Chart scripts require coreutils, aren't compatible with busybox. (i.e., `cp` with `--preserve` option)
- krb5
- libaio
- procps
- zlib
- wait-for-port
- net-tools
- posix-libc-utils
- su-exec
pipeline:
- uses: bitnami/compat
with:
image: keycloak
version-path: ${{vars.major-version}}/debian-12
- runs: |
mkdir -p ${{targets.contextdir}}/bitnami/keycloak
mkdir -p ${{targets.contextdir}}/opt/bitnami/keycloak
mkdir -p ${{targets.contextdir}}/docker-entrypoint-initdb.d
for dir in bin conf conf.default lib providers themes; do
mkdir -p ${{targets.contextdir}}/opt/bitnami/keycloak/$dir
done
chmod g+rwX ${{targets.contextdir}}/opt/bitnami
# Copy keycloak files to /opt/bitnami/keycloak for compatibility with
# their Helm Chart, which copies the directories into an emptyDir in
# an initContainer
cp -r ${{targets.destdir}}/usr/share/java/keycloak/* ${{targets.contextdir}}/opt/bitnami/keycloak
# Replace the incorrect Java paths in the Bitnami scripts
sed -i 's/JAVA_HOME="\/opt\/bitnami\/java"/JAVA_HOME="\/usr\/lib\/jvm\/java-21-openjdk"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak-env.sh
sed -i 's/\/opt\/bitnami\/java\/lib\/security/\/usr\/lib\/jvm\/java-21-openjdk\/conf\/security/g' ${{targets.contextdir}}/opt/bitnami/scripts/java/postunpack.sh
# Disable some commands used in Bitnami scripts. These commands more likely fail in this since this image take non root approach
sed -i 's/chown -R "$KEYCLOAK_DAEMON_USER" "$dir"/# chown -R "$KEYCLOAK_DAEMON_USER" "$dir"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh
sed -i 's/ensure_user_exists/# ensure_user_exists/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh
sed -i 's/am_i_root/# am_i_root/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/setup.sh
sed -i 's/hostname --fqdn/hostname -f/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak-env.sh
# The `--userspec`` flag belongs to GNU's chroot, whereas we are use BusyBox's. As a workaround, use `su-exec` instead.
sed -i 's|exec chroot --userspec="$userspec" /|exec chroot / su-exec "$userspec"|' ${{targets.contextdir}}/opt/bitnami/scripts/libos.sh
sed -i 's|chroot --userspec="$userspec" /|chroot / su-exec "$userspec"|' ${{targets.contextdir}}/opt/bitnami/scripts/libos.sh
# Use package path while unpacking
find . -iname "*.sh" -exec sed 's#/opt/bitnami#${{targets.contextdir}}/opt/bitnami#g' -i {} \;
${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh || true
# Restore path
find ${{targets.contextdir}}/opt/bitnami -type f -exec sed 's#${{targets.contextdir}}##g' -i {} \;
# Link binaries used by Bitnami config
ln -sf /opt/bitnami/scripts/keycloak/entrypoint.sh ${{targets.contextdir}}/entrypoint.sh
ln -sf /opt/bitnami/scripts/keycloak/run.sh ${{targets.contextdir}}/run.sh
scriptlets:
post-install: |
#!/bin/sh
# Copy required provider files.
cp -avR /usr/share/java/keycloak/providers/* ${{targets.contextdir}}/opt/bitnami/keycloak/providers/
test:
environment:
contents:
packages:
- curl
- postgresql
- postgresql-client
- shadow
- sudo-rs
- jq
- keycloak
- keycloak-compat
- keycloak-bitnami-compat
accounts:
groups:
- groupname: nonroot
gid: 65532
users:
- username: nonroot
gid: 65532
uid: 65532
run-as: 0
environment:
PGDATA: /tmp/test_db
PGUSER: bn_keycloak
PGDB: bitnami_keycloak
ALLOW_EMPTY_PASSWORD: yes
JAVA_HOME: /usr/lib/jvm/default-jvm
pipeline:
- name: "version and help tests"
runs: |
/opt/bitnami/keycloak/bin/kc.sh --version
/opt/bitnami/keycloak/bin/kc.sh --help
/opt/bitnami/keycloak/bin/kcadm.sh --help
/opt/bitnami/keycloak/bin/kcreg.sh --help
- working-directory: /tmp
pipeline:
- name: "Test database creation"
with:
setup: echo "127.0.0.1 postgresql" >> /etc/hosts
runs: |
useradd $PGUSER
sudo -u $PGUSER initdb -D $PGDATA
sudo -u $PGUSER pg_ctl -D $PGDATA -l /tmp/logfile start
sudo -u $PGUSER createdb $PGDB
sudo -u $PGUSER psql -lqt | cut -d \| -f 1 | grep -qw $PGDB
- name: "start daemon on localhost"
uses: test/daemon-check-output
with:
setup: |
#!/bin/sh -e
echo "127.0.0.1 postgresql" >> /etc/hosts
echo "$(hostname) postgresql" >> /etc/hosts
start: |
env "BITNAMI_APP_NAME=keycloak" \
"APP_VERSION=${{package.version}}" \
"PATH=/opt/bitnami/keycloak/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
"KEYCLOAK_ENABLE_HEALTH_ENDPOINTS=true" \
/opt/bitnami/scripts/keycloak/entrypoint.sh \
/opt/bitnami/scripts/keycloak/run.sh
timeout: 60
expected_output: |
Welcome to the Bitnami keycloak container
keycloak setup finished!
server listening on
Keycloak ${{package.version}}
Profile dev activated.
post: |
#!/bin/sh -e
url=http://localhost:9000/health/ready
response=$(curl -fsS --connect-timeout 5 --max-time 10 --retry 5 --retry-delay 0 --retry-max-time 40 "$url") || {
echo "curl ${url} failed $?"
exit 1
}
echo "$response" | jq .status | grep -q UP || {
echo "response from $url did not contain \"UP\""
echo "response: $response"
exit 1
}
echo "$url had expected output: $response"
test:
pipeline:
- name: "start daemon on localhost"
uses: test/daemon-check-output
with:
start: "kc.sh start --hostname=localhost --https-key-store-password=MYPASSWORD"
timeout: 60
expected_output: |
Listening on
Keycloak ${{package.version}}
Profile prod activated
setup: |
#!/bin/sh -ex
echo "127.0.0.1 $(hostname)" >> /etc/hosts
kspath=/usr/share/java/keycloak/conf/server.keystore
keytool -v \
-keystore $kspath \
-alias localhost \
-genkeypair -sigalg SHA512withRSA -keyalg RSA -dname CN=localhost \
-storepass MYPASSWORD || {
echo "failed [$?] to create keystore with keytool at $kspath"
exit 1
}
- name: "version and help tests"
runs: |
kc.sh --version
kc.sh --help
kcadm.sh --help
kcreg.sh --help
update:
# The upstream repos releases contains a 'nightly' release. Which we want to
# exclude from discovery.
ignore-regex-patterns:
- ".*nightly.*"
enabled: true
github:
identifier: keycloak/keycloak
3 changes: 3 additions & 0 deletions keycloak-26.1/napi-static-assert.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
int static_assert(void *f()) {
return 0;
}
25 changes: 25 additions & 0 deletions keycloak-26.1/pom.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
diff --git a/pom.xml b/pom.xml
index 3404e1d..b324888 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1288,6 +1288,20 @@
<version>${infinispan.version}</version>
</dependency>

+ <dependency>
+ <groupId>io.quarkus.http</groupId>
+ <artifactId>quarkus-http-core</artifactId>
+ <version>5.3.4</version>
+ <type>jar</type>
+ <scope>import</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-common</artifactId>
+ <version>4.1.115.Final</version>
+ </dependency>
+
</dependencies>
</dependencyManagement>

0 comments on commit 803ef27

Please sign in to comment.