Merge pull request #3860 from uselagoon/keycloak-26

chore: update keycloak to version 26
uselagoon · Feb 6, 2025 · d593e38 · d593e38
2 parents 42f9e0d + aaedcbe
commit d593e38
Show file tree

Hide file tree

Showing 9 changed files with 185 additions and 50 deletions.
diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,7 @@ local-dev/kubectl
 local-dev/jq
 local-dev/stern
 local-dev/go
+local-dev/certificates
 **/v8-*
 node_modules/
 build/*

diff --git a/Makefile b/Makefile
diff --git a/docs/contributing-to-lagoon/developing-lagoon.md b/docs/contributing-to-lagoon/developing-lagoon.md
@@ -87,6 +87,24 @@ At the end of the process, the command will provide some useful information that
 !!! warning
     This can take some time to complete as it will install a lot of components necessary to make Lagoon work. This includes things like ingress-nginx, harbor, and all the additional services to make exploring Lagoon easy.
 
+### Local development certificates
+
+The local stack deploys with a locally generated CA certificate. This certificate is used by the local stack to provision certificates for services deployed in the local stack.
+
+The certificate `local-dev/certificates/rootCA.pem` is generated automatically when starting the local stack, along with the key. These are stored locally, and ignored by git. Don't share them!
+
+When accessing components of the stack (ui, api, keycloak, anything deployed), you may be presented with certificate warnings. If you have `mkcert` installed, you can use the following target to install the generated certificate into your computers trust store.
+
+```
+make install-ca
+
+# uninstall if required
+make uninstall-ca
+```
+
+For information on `mkcert`, see https://github.com/FiloSottile/mkcert#installation.
+
+Alternatively, you can manually add the generated certificate into your browsers website trusts. You can use your favorite search engine for how to do this, each browser is a little bit different.
 
 ### Local stack setup options
 

diff --git a/services/api/package.json b/services/api/package.json
@@ -22,7 +22,7 @@
   "license": "MIT",
   "dependencies": {
     "@lagoon/commons": "4.0.0",
-    "@s3pweb/keycloak-admin-client-cjs": "^25.0.2",
+    "@s3pweb/keycloak-admin-client-cjs": "^26.0.0",
     "@supercharge/request-ip": "^1.1.2",
     "apollo-server-express": "^2.14.2",
     "aws-sdk": "^2.378.0",

diff --git a/services/keycloak/Dockerfile b/services/keycloak/Dockerfile
@@ -1,4 +1,4 @@
-FROM maven:3.8.2-jdk-11 as builder
+FROM maven:3.9.9-eclipse-temurin-21-alpine as builder
 # build the custom token mapper in builder
 COPY custom-mapper/. .
 RUN mvn clean compile package
@@ -17,7 +17,7 @@ COPY javascript /tmp/lagoon-scripts
 
 RUN cd /tmp/lagoon-scripts && zip -r ../lagoon-scripts.jar *
 
-FROM quay.io/keycloak/keycloak:24.0.5
+FROM quay.io/keycloak/keycloak:26.0.7
 COPY --from=ubi-micro-build /mnt/rootfs /
 
 ARG LAGOON_VERSION
@@ -89,7 +89,7 @@ COPY entrypoints/default-keycloak-entrypoint.sh /lagoon/entrypoints/99-default-k
 COPY startup-scripts /opt/keycloak/startup-scripts
 COPY themes/lagoon /opt/keycloak/themes/lagoon
 COPY --from=commons /tmp/lagoon-scripts.jar /opt/keycloak/providers/lagoon-scripts.jar
-COPY --from=builder /target/custom-protocol-mapper-1.0.0.jar /opt/keycloak/providers/custom-protocol-mapper-1.0.0.jar
+COPY --from=builder /target/custom-protocol-mapper-1.1.0.jar /opt/keycloak/providers/custom-protocol-mapper-1.1.0.jar
 
 COPY lagoon-realm-base-import.json /lagoon/seed/lagoon-realm-base-import.json
 

diff --git a/services/keycloak/custom-mapper/pom.xml b/services/keycloak/custom-mapper/pom.xml
@@ -6,11 +6,11 @@
 
     <groupId>net.cake.keycloak.custom</groupId>
     <artifactId>custom-protocol-mapper</artifactId>
-    <version>1.0.0</version>
+    <version>1.1.0</version>
     <packaging>jar</packaging>
 
     <properties>
-        <keycloak.version>17.0.1</keycloak.version>
+        <keycloak.version>26.0.7</keycloak.version>
     </properties>
 
     <dependencies>
@@ -52,7 +52,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.7.0</version>
+                <version>3.13.0</version>
                 <configuration>
                     <forceJavacCompilerUse>true</forceJavacCompilerUse>
                     <source>1.8</source>
@@ -62,7 +62,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-shade-plugin</artifactId>
-                <version>3.1.0</version>
+                <version>3.6.0</version>
                 <executions>
                     <!-- Run shade goal on package phase -->
                     <execution>

diff --git a/services/keycloak/entrypoints/default-keycloak-entrypoint.sh b/services/keycloak/entrypoints/default-keycloak-entrypoint.sh
@@ -4,15 +4,4 @@ export KC_DB_USERNAME=$DB_USER
 export KC_DB_PASSWORD=$DB_PASSWORD
 export KC_DB_URL=jdbc:$DB_VENDOR://$DB_ADDR:3306/$DB_DATABASE
 
-export KC_PROXY=${KC_PROXY:-edge}
-export KC_HOSTNAME_STRICT=${KC_HOSTNAME_STRICT:-false}
-export KC_HOSTNAME_STRICT_HTTPS=${KC_HOSTNAME_STRICT_HTTPS:-false}
-export KC_HTTP_RELATIVE_PATH=${KC_HTTP_RELATIVE_PATH:-/auth}
-export KC_HOSTNAME_URL=${KEYCLOAK_FRONTEND_URL}
-
-export KC_HOSTNAME_ADMIN_URL=${KEYCLOAK_FRONTEND_URL}
-
-export KC_DB_POOL_MAX_SIZE=${KEYCLOAK_DS_MAX_POOL_SIZE:-20}
-export KC_DB_POOL_MIN_SIZE=${KEYCLOAK_DS_MIN_POOL_SIZE:-0}
-
 KEYCLOAK_USER=$KEYCLOAK_ADMIN_USER KEYCLOAK_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD KEYCLOAK_ADMIN=$KEYCLOAK_ADMIN_USER /lagoon/kc-startup.sh "$@"
diff --git a/services/keycloak/entrypoints/kc-startup.sh b/services/keycloak/entrypoints/kc-startup.sh
@@ -6,4 +6,23 @@ shopt -s failglob
 
 /opt/keycloak/startup-scripts/00-configure-lagoon.sh & disown
 
-/opt/keycloak/bin/kc.sh "$@" --features="scripts,token-exchange,admin-fine-grained-authz"
+# https://www.keycloak.org/docs/latest/upgrading/#new-hostname-options
+# https://www.keycloak.org/server/hostname
+# "--hostname-backchannel-dynamic"
+# Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.
+# Set to true if your application accesses Keycloak via a private network. If set to true, hostname option needs to be specified as a full URL.
+
+# https://www.keycloak.org/server/hostname#_using_edge_tls_termination replaces `KC_PROXY=edge`
+# --proxy-headers xforwarded
+# --http-enabled
+
+# it is also possible to expose the admin console on a different hostname using the `--hostname-admin` flag, which could support in the future with a different
+# variable than `KEYCLOAK_FRONTEND_URL` perhaps `KEYCLOAK_ADMIN_URL`
+/opt/keycloak/bin/kc.sh "$@" --features="scripts,token-exchange,admin-fine-grained-authz" \
+    --proxy-headers xforwarded \
+    --http-enabled true \
+    --http-relative-path ${KC_HTTP_RELATIVE_PATH:-/auth} \
+    --hostname-backchannel-dynamic true \
+    --hostname-strict ${KC_HOSTNAME_STRICT:-false} \
+    --hostname ${KEYCLOAK_FRONTEND_URL} \
+    --hostname-admin ${KEYCLOAK_FRONTEND_URL}
diff --git a/yarn.lock b/yarn.lock
@@ -703,10 +703,10 @@
   resolved "https://registry.yarnpkg.com/@js-sdsl/ordered-map/-/ordered-map-4.4.2.tgz#9299f82874bab9e4c7f9c48d865becbfe8d6907c"
   integrity sha512-iUKgm52T8HOE/makSxjqoWhe95ZJA1/G1sYsGev2JDKUSS14KAgg1LHb+Ba+IPow0xflbnSkOsZcO08C7w1gYw==
 
-"@keycloak/keycloak-admin-client@25.0.4":
-  version "25.0.4"
-  resolved "https://registry.yarnpkg.com/@keycloak/keycloak-admin-client/-/keycloak-admin-client-25.0.4.tgz#2ec46bab133cc807df78ffd7ca7bba47ec8ed000"
-  integrity sha512-mZVFwly7cHZq1XpvJrrOutU0qrUbGo8NUdpb7PS4309x8yG2a4/WyZfh2lgiopBRQ6R/b24RsuHa4GetQPqT+g==
+"@keycloak/keycloak-admin-client@26.0.6":
+  version "26.0.6"
+  resolved "https://registry.yarnpkg.com/@keycloak/keycloak-admin-client/-/keycloak-admin-client-26.0.6.tgz#b2ac56de7f4251c8a6a938745843e98000498646"
+  integrity sha512-pZmaSAyg+LwQ3qnZF+01ZkURpcoEdLAloUK5KOZjE9jyNd86EHdx98/XmTYaJIuQ6ydMXxTWWc5Grq18H+PvJQ==
   dependencies:
     camelize-ts "^3.0.0"
     url-join "^5.0.0"
@@ -926,12 +926,12 @@
   resolved "https://registry.yarnpkg.com/@rtsao/scc/-/scc-1.1.0.tgz#927dd2fae9bc3361403ac2c7a00c32ddce9ad7e8"
   integrity sha512-zt6OdqaDoOnJ1ZYsCYGt9YmWzDXl4vQdKTyJev62gFhRGKdx7mcT54V9KIjg+d2wi9EXsPvAPKe7i7WjfVWB8g==
 
-"@s3pweb/keycloak-admin-client-cjs@^25.0.2":
-  version "25.0.4"
-  resolved "https://registry.yarnpkg.com/@s3pweb/keycloak-admin-client-cjs/-/keycloak-admin-client-cjs-25.0.4.tgz#925aa0f780233992e44d09a1efbfcbf4718f924a"
-  integrity sha512-0qQYvmftr4rZKO1JuDq077odNwQ8rS/FGlvBOSOoncvM2i7HljEHvMcsAHR3gNrOkawVlPoYwA+zZdtHICIU4A==
+"@s3pweb/keycloak-admin-client-cjs@^26.0.0":
+  version "26.0.6"
+  resolved "https://registry.yarnpkg.com/@s3pweb/keycloak-admin-client-cjs/-/keycloak-admin-client-cjs-26.0.6.tgz#49b81da9980d2d3d058a616c8677d64d08a43a34"
+  integrity sha512-cF4SZcxj/CUK0hZ1dHmyPjVI1BcLvz7u6S8e9YUfqy7wweZScIl1/VpxPgfA9aaLCAcE6kAv++BjcQcvxzkmSg==
   dependencies:
-    "@keycloak/keycloak-admin-client" "25.0.4"
+    "@keycloak/keycloak-admin-client" "26.0.6"
 
 "@sinclair/typebox@^0.27.8":
   version "0.27.8"