diff --git a/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc b/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc index e147b0b83..b267d7768 100644 --- a/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc +++ b/doc/kubernetes/modules/ROOT/pages/openshift/cross-site-rosa.adoc @@ -92,3 +92,10 @@ Note: SSH repositories may not work in Github Actions as SSH keys may not be con |=== +=== Using AWS JDBC driver + +AWS provides a https://github.com/awslabs/aws-advanced-jdbc-wrapper[JDBC driver wrapper] that is compatible with Aurora PostgreSQL we are using in our setup. This driver provides some additional features when using compatible databases. This wrapper is enabled by default in the Cross-site deployment. + +To disable the AWS JDBC driver, set the `KC_USE_AWS_JDBC_WRAPPER` variable to `false`. + +To specify the version of the AWS JDBC driver, set the `KC_AWS_JDBC_WRAPPER_URL` variable to the URL of corresponding jar file. diff --git a/provision/keycloak-tasks/Taskfile.yaml b/provision/keycloak-tasks/Taskfile.yaml index 8079bca2b..364b79989 100644 --- a/provision/keycloak-tasks/Taskfile.yaml +++ b/provision/keycloak-tasks/Taskfile.yaml @@ -57,3 +57,6 @@ tasks: default: cmds: - task: utils:install-keycloak + uninstall: + cmds: + - task: utils:uninstall-keycloak diff --git a/provision/keycloak-tasks/Utils.yaml b/provision/keycloak-tasks/Utils.yaml index bbf74c406..611721212 100644 --- a/provision/keycloak-tasks/Utils.yaml +++ b/provision/keycloak-tasks/Utils.yaml 
@@ -43,6 +43,26 @@ tasks: - quarkus/dist/target/keycloak-*.tar.gz - operator/target/keycloak-*.jar + install-keycloak-build-configs: + desc: "Install the Keycloak build configs" + internal: true + requires: + vars: + - NAMESPACE + - KUBECONFIG + cmds: + - KUBECONFIG="{{.KUBECONFIG}}" oc create namespace "{{.NAMESPACE}}" || true + - > + KUBECONFIG="{{.KUBECONFIG}}" helm upgrade --install keycloak-build-config --namespace "{{.NAMESPACE}}" ./keycloak-image-helm + --set namespace={{.NAMESPACE}} + --set customImage={{if .KC_REPOSITORY}}true{{else}}false{{end}} + {{ if eq .KC_USE_AWS_JDBC_WRAPPER "false"}}--set useAWSJDBCWrapper={{.KC_USE_AWS_JDBC_WRAPPER}}{{end}} + {{ if .KC_AWS_JDBC_WRAPPER_URL}}--set jdbcWrapperURL={{.KC_AWS_JDBC_WRAPPER_URL}}{{end}} + status: + - test -n "$(KUBECONFIG="{{.KUBECONFIG}}" helm list --namespace {{.NAMESPACE}} --filter keycloak-build-config -q)" + preconditions: + - test -f {{.KUBECONFIG}} + prepare-keycloak-images-openshift: desc: "Create images for the current build of Keycloak distribution" label: "{{.TASK}}-{{.ROSA_CLUSTER_NAME}}" 
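Review bot: The `status:` check on `install-keycloak-build-configs` reports the task as up to date as soon as a `keycloak-build-config` release exists, so after the first run the `helm upgrade --install` command is skipped and later changes to `KC_USE_AWS_JDBC_WRAPPER` or `KC_AWS_JDBC_WRAPPER_URL` never reach the cluster; the `helm uninstall` that used to force a refresh is removed in the next hunk. Since `helm upgrade --install` is idempotent, I would drop the two `status:` lines (or fold both values into the check) so the release is reconciled on every run. The `{{ if eq .KC_USE_AWS_JDBC_WRAPPER "false"}}` guard also honours only the exact lowercase string, so `False` or `no` silently keeps the wrapper enabled; either normalise with `lower` or state it in a comment, `# only the literal string "false" disables the wrapper`. `--set jdbcWrapperURL={{.KC_AWS_JDBC_WRAPPER_URL}}` is passed unquoted and `--set` splits on commas, so a URL containing one breaks the release; `--set-string` with a quoted value is the safer form.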
@@ -58,17 +78,8 @@ tasks: ARCHIVE_NAME: sh: ls .task/keycloak/quarkus/dist/target/keycloak-*.tar.gz | xargs -n 1 basename cmds: - - KUBECONFIG="{{.KUBECONFIG}}" oc create namespace "{{.NAMESPACE}}" || true - - KUBECONFIG={{.KUBECONFIG}} helm uninstall --namespace {{.NAMESPACE}} keycloak-build-config || true - # Create custom Keycloak resources for both Keycloak and Keycloak operator - - > - KUBECONFIG="{{.KUBECONFIG}}" helm upgrade --install keycloak-build-config --namespace "{{.NAMESPACE}}" - --set "namespace={{.NAMESPACE}}" - --set "archiveName={{.ARCHIVE_NAME}}" - ./keycloak-image-helm - # Start Keycloak image build - - cp "$(ls .task/keycloak/quarkus/dist/target/keycloak-*.tar.gz)" ".task/keycloak/quarkus/container/" + - cp "$(ls .task/keycloak/quarkus/dist/target/keycloak-*.tar.gz)" ".task/keycloak/quarkus/container/keycloak.tar.gz" - KUBECONFIG="{{.KUBECONFIG}}" oc start-build -n {{.NAMESPACE}} keycloak --from-dir ".task/keycloak/quarkus/container" --follow - echo "image-registry.openshift-image-registry.svc:5000/{{.NAMESPACE}}/keycloak:latest" > .task/var-CUSTOM_CONTAINER_IMAGE_FILE @@ -78,11 +89,23 @@ tasks: sources: - quarkus/dist/target/keycloak-*.tar.gz - operator/target/keycloak-*.jar - status: - - test -n "$(KUBECONFIG="{{.KUBECONFIG}}" helm list --namespace {{.NAMESPACE}} --filter keycloak-build-config -q)" preconditions: - test -f {{.KUBECONFIG}} + prepare-keycloak-image-with-aws-jdbc-wrapper-openshift: + desc: "Create images for the current build of Keycloak distribution" + label: "{{.TASK}}-{{.ROSA_CLUSTER_NAME}}" + internal: true + requires: + vars: + - NAMESPACE + - KUBECONFIG + - ROSA_CLUSTER_NAME + cmds: + # Creates .task if it does not exist + - if [ ! -d .task ]; then mkdir .task; fi + - echo "image-registry.openshift-image-registry.svc:5000/{{.NAMESPACE}}/keycloak-with-aws-jdbc-wrapper:latest" > .task/var-CUSTOM_CONTAINER_IMAGE_FILE + install-keycloak-operator: desc: "Install the Keycloak operator" internal: true 
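Review bot: `prepare-keycloak-image-with-aws-jdbc-wrapper-openshift` writes `keycloak-with-aws-jdbc-wrapper:latest` into `.task/var-CUSTOM_CONTAINER_IMAGE_FILE` without waiting for that image to exist; the BuildConfig in `keycloak-with-AWS-JDBC-wrapper.yaml` relies on an ImageChange trigger, so the operator install that follows may reference a tag that has not been built yet, whereas the existing `prepare-keycloak-images-openshift` task blocks on `oc start-build ... --follow`. I would add, before the `echo`, `- KUBECONFIG="{{.KUBECONFIG}}" oc start-build -n {{.NAMESPACE}} keycloak-with-aws-jdbc-wrapper --follow` so the reference is only published once the build has succeeded. The `desc` is copied from the image build task and no longer describes this task; something like `desc: "Point the deployment at the Keycloak image that bundles the AWS JDBC wrapper"` would be clearer. `ROSA_CLUSTER_NAME` is required but only used in `label`; if that is intended, a short comment would save the next reader a search.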
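Review bot: `KC_USE_AWS_JDBC_WRAPPER` is defaulted to `"true"` in this task's `vars:`, but the call to `install-keycloak-build-configs` forwards only `NAMESPACE` and `KUBECONFIG`, so whether the called task sees the same value depends on Taskfile variable scoping rather than on anything in this hunk; forwarding it explicitly, `KC_USE_AWS_JDBC_WRAPPER: "{{.KC_USE_AWS_JDBC_WRAPPER}}"` under that `vars:`, removes the doubt, and the same applies to `KC_AWS_JDBC_WRAPPER_URL`, which is neither defaulted nor forwarded. The `eq .KC_USE_AWS_JDBC_WRAPPER "true"` dispatch is string-exact, so a value such as `True` falls through to `no-op` here while `install-keycloak-build-configs` (which only reacts to the literal `"false"`) still renders the wrapper BuildConfig, leaving the two halves of the feature out of step. Normalising once, `KC_USE_AWS_JDBC_WRAPPER: '{{ .KC_USE_AWS_JDBC_WRAPPER | default "true" | lower }}'`, and forwarding that value keeps both decisions on the same input. A one-line comment above the variable stating that only `true`/`false` are accepted would also help.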
@@ -0,0 +1,20 @@
+{{- if and (.Values.useAWSJDBCWrapper) (not .Values.customImage) }}
+kind: ImageStream
+apiVersion: image.openshift.io/v1
+metadata:
+ name: keycloak
+ namespace: {{ .Values.namespace }}
+spec:
+ lookupPolicy:
+ local: false
+ tags:
+ - name: latest
+ from:
+ kind: DockerImage
+ name: quay.io/keycloak/keycloak:nightly
+ generation: 2
+ importPolicy:
+ importMode: Legacy
+ referencePolicy:
+ type: Source
+{{ end }}
diff --git a/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml
index d27539621..c7f7b6431 100644
--- a/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml
+++ b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-operator-build-config.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.customImage }}
 kind: ImageStream
 apiVersion: image.openshift.io/v1
 metadata:
@@ -31,3 +32,4 @@ spec:
 kind: ImageStreamTag
 name: ubi9:latest
 type: Docker
+ {{ end }}
diff --git a/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-with-AWS-JDBC-wrapper.yaml b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-with-AWS-JDBC-wrapper.yaml
new file mode 100644
index 000000000..a07507b4d
--- /dev/null
+++ b/provision/keycloak-tasks/keycloak-image-helm/templates/keycloak-with-AWS-JDBC-wrapper.yaml
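Review bot: The `keycloak:latest` tag in `keycloak-nightly-imagestream.yaml` is imported from the mutable `quay.io/keycloak/keycloak:nightly` reference once, when the ImageStream is created; without `scheduled: true` under `importPolicy`, re-running `helm upgrade` with unchanged values does not re-import, so the wrapper build keeps whatever nightly was current at first install. If the intent is to always exercise the current nightly, add `scheduled: true` next to `importMode: Legacy` or re-import before the build; if the intent is reproducibility, reference the image by digest instead of a floating tag, and say which in a comment above the `tags:` entry. `generation: 2` appears to be a server-managed counter and does not belong in a template. In the `keycloak-operator-build-config.yaml` hunk on this line the closing `{{ end }}` is indented by one space unlike the other templates; it renders as a line holding a single space, harmless but worth aligning.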
@@ -0,0 +1,43 @@
+{{- if .Values.useAWSJDBCWrapper }}
+kind: ImageStream
+apiVersion: image.openshift.io/v1
+metadata:
+ name: keycloak-with-aws-jdbc-wrapper
+ namespace: {{ .Values.namespace }}
+ labels:
+ build: keycloak
+spec:
+ lookupPolicy:
+ local: false
+---
+apiVersion: build.openshift.io/v1
+kind: BuildConfig
+metadata:
+ labels:
+ build: keycloak
+ name: keycloak-with-aws-jdbc-wrapper
+ namespace: {{ .Values.namespace }}
+spec:
+ output:
+ to:
+ kind: ImageStreamTag
+ name: keycloak-with-aws-jdbc-wrapper:latest
+ runPolicy: Serial
+ triggers:
+ - type: "ImageChange"
+ imageChange:
+ from:
+ kind: "ImageStreamTag"
+ name: "keycloak:latest"
+ strategy:
+ dockerStrategy:
+ from:
+ kind: "ImageStreamTag"
+ name: "keycloak:latest"
+ forcePull: true
+ source:
+ dockerfile: |
+ FROM keycloak:latest
+ ADD --chmod=0666 {{ .Values.jdbcWrapperURL }} /opt/keycloak/providers/
+ ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+{{ end }}
diff --git a/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml b/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml
index d88bf7675..cab665d49 100644
--- a/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml
+++ b/provision/keycloak-tasks/keycloak-image-helm/templates/ubi9-imagestream.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.customImage }}
 kind: ImageStream
 apiVersion: image.openshift.io/v1
 metadata:
@@ -16,3 +17,4 @@ spec:
 importMode: Legacy
 referencePolicy:
 type: Source
+{{ end }}
diff --git a/provision/keycloak-tasks/keycloak-image-helm/values.yaml b/provision/keycloak-tasks/keycloak-image-helm/values.yaml
index ddf7f53f9..8886816ae 100644
--- a/provision/keycloak-tasks/keycloak-image-helm/values.yaml
+++ b/provision/keycloak-tasks/keycloak-image-helm/values.yaml
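Review bot: The generated Dockerfile fetches the driver with `ADD --chmod=0666 {{ .Values.jdbcWrapperURL }} /opt/keycloak/providers/` and nothing verifies what was downloaded; the jar is loaded into the Keycloak JVM as a provider, so a tampered download or a silently replaced release asset runs with the server's privileges. I would keep the expected digest next to the URL (a `jdbcWrapperSha256` value beside `jdbcWrapperURL` in `values.yaml`) and check it during the build, either with `ADD --checksum=sha256:{{ .Values.jdbcWrapperSha256 }} ...` if the cluster's builder supports that Dockerfile flag, or with a `RUN` step that downloads the jar and runs `sha256sum -c` before it lands in `providers/`. Independently of that, `0666` makes the jar world-writable inside the image, which nothing here needs; `--chmod=0644` is enough for the JVM to read it. The `ENTRYPOINT` line probably repeats what the base image already defines and can be dropped, and a comment above `dockerfile: |` saying the wrapper is layered onto whichever image `keycloak:latest` currently resolves to (nightly or the custom build) would make the intent clear.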
@@ -3,3 +3,6 @@ # Declare variables to be passed into your templates. namespace: keycloak +customImage: false +useAWSJDBCWrapper: true +jdbcWrapperURL: https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/2.3.3/aws-advanced-jdbc-wrapper-2.3.3.jar diff --git a/provision/minikube/keycloak/templates/aurora/aurora-service.yaml b/provision/minikube/keycloak/templates/aurora/aurora-service.yaml index d4d4f3a74..368afec9e 100644 --- a/provision/minikube/keycloak/templates/aurora/aurora-service.yaml +++ b/provision/minikube/keycloak/templates/aurora/aurora-service.yaml @@ -1,4 +1,4 @@ -{{ if eq .Values.database "aurora-postgres" }} +{{ if and (eq .Values.database "aurora-postgres") (not .Values.useAWSJDBCWrapper) }} kind: Service apiVersion: v1 metadata: diff --git a/provision/minikube/keycloak/templates/keycloak.yaml b/provision/minikube/keycloak/templates/keycloak.yaml index 58c1b1581..fc714002c 100644 --- a/provision/minikube/keycloak/templates/keycloak.yaml +++ b/provision/minikube/keycloak/templates/keycloak.yaml @@ -26,7 +26,11 @@ spec: db: {{ if or (eq .Values.database "aurora-postgres") (eq .Values.database "postgres") (eq .Values.database "postgres+infinispan") }} vendor: postgres +{{- if .Values.useAWSJDBCWrapper}} + url: jdbc:aws-wrapper:postgresql://{{ .Values.dbUrl }}:5432/keycloak +{{- else }} url: jdbc:postgresql://postgres:5432/keycloak +{{ end }} {{ end }} poolMinSize: {{ .Values.dbPoolMinSize }} # <1> poolInitialSize: {{ .Values.dbPoolInitialSize }} @@ -61,6 +65,10 @@ spec: key: {{ base .Values.infinispan.configFile }} # <1> # end::keycloak-ispn[] {{- end }} +{{ if .Values.useAWSJDBCWrapper }} + transaction: + xaEnabled: false +{{ end }} # tag::keycloak-ispn[] additionalOptions: # end::keycloak-ispn[] 
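Review bot: In the `keycloak.yaml` hunk, `url: jdbc:aws-wrapper:postgresql://{{ .Values.dbUrl }}:5432/keycloak` renders an empty host when `dbUrl` is left at its default `''`, and the minikube `values.yaml` in this diff turns `useAWSJDBCWrapper` on by default, so a plain `database: postgres` deployment that previously resolved `postgres:5432` now gets `jdbc:aws-wrapper:postgresql://:5432/keycloak`. Either require both inputs, `{{- if and .Values.useAWSJDBCWrapper .Values.dbUrl }}`, so the existing URL is kept when no external host is configured, or default the chart value to `false` and enable it from the cross-site tasks. `xaEnabled: false` is introduced without a reason; a one-line comment above it explaining why XA is disabled when the wrapper is in use belongs there. Minor: `{{- if .Values.useAWSJDBCWrapper}}` is missing the space before `}}` that every other action in the file has, and `{{ end }}` without a trim leaves a blank line between the two `db` branches.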
@@ -130,6 +138,10 @@ spec: name: keycloak-jgroups-pkcs12-password key: password {{- end }} +{{ if .Values.useAWSJDBCWrapper }} + - name: db-driver + value: software.amazon.jdbc.Driver +{{ end }} http: tlsSecret: keycloak-tls-secret instances: {{ .Values.instances }} @@ -243,9 +255,13 @@ spec: # command: # - 'true' volumeMounts: + {{- range $path, $size := .Files.Glob "providers/**" }} + {{- $name := base $path }} - name: keycloak-providers - mountPath: /opt/keycloak/providers + mountPath: /opt/keycloak/providers/{{ $name }} + subPath: {{ $name }} readOnly: true + {{- end -}} {{ if .Values.infinispan.jgroupsTls }} - name: cache-embedded-mtls-volume mountPath: /etc/cache-embedded-mtls diff --git a/provision/minikube/keycloak/values.yaml b/provision/minikube/keycloak/values.yaml index 7563dff12..fa0dbc9d8 100644 --- a/provision/minikube/keycloak/values.yaml +++ b/provision/minikube/keycloak/values.yaml @@ -18,6 +18,7 @@ dbPoolInitialSize: 15 dbPoolMaxSize: 15 dbPoolMinSize: 15 dbUrl: '' +useAWSJDBCWrapper: true storage: '' database: postgres disableCaches: false diff --git a/provision/rosa-cross-dc/Taskfile.yaml b/provision/rosa-cross-dc/Taskfile.yaml index 0e9cc92fc..ee0cad45d 100644 --- a/provision/rosa-cross-dc/Taskfile.yaml +++ b/provision/rosa-cross-dc/Taskfile.yaml @@ -601,6 +601,17 @@ tasks: - > echo 'WARNING: use the information above to configure your Keycloak deployment!' + route53-test-primary-used: + desc: "Checks if the primary cluster is active and prints it to the console" + dir: "{{.ROUTE53_DIR}}" + deps: + - common:split + - common:env + requires: + vars: + - KC_CLIENT_URL + cmd: (./route53_test_primary_used.sh {{substr 7 999999 .KC_CLIENT_URL}} && echo "Primary cluster is active") || echo "Primary cluster is NOT active" + dataset-import: internal: true requires:
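Review bot: Mounting each provider file with `subPath: {{ $name }}` changes update behaviour: Kubernetes does not propagate ConfigMap or Secret changes into subPath mounts, so if `keycloak-providers` is backed by one of those (its definition is outside this diff) a changed jar now needs a pod restart instead of being refreshed in place as the whole-directory mount was. If the per-file mount is there so the image's own `/opt/keycloak/providers` content (the wrapper jar) stays visible, a comment on the `range` saying so, e.g. `# mount provider files individually so the jars shipped in the image are not shadowed; subPath mounts are not updated in place`, would stop the next reader from reverting it. The loop variable `$size` actually holds the file contents, since `.Files.Glob` yields path → bytes, so `$_` or `$contents` would describe it correctly. `{{- end -}}` trims whitespace on both sides, including before the `{{ if .Values.infinispan.jgroupsTls }}` that follows; the rendered output is worth checking once with `helm template`. The `db-driver: software.amazon.jdbc.Driver` option in the earlier hunk on this line assumes the wrapper jar is present under `/opt/keycloak/providers`, which this diff shows only for the OpenShift image build.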
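Review bot: `{{substr 7 999999 .KC_CLIENT_URL}}` in `route53-test-primary-used` drops a fixed seven characters, which matches `http://` but leaves a leading `/` for an `https://` URL, and the result is passed to the script unquoted. Stripping the scheme by name is both clearer and scheme-independent: `cmd: (./route53_test_primary_used.sh "{{ trimPrefix "https://" (trimPrefix "http://" .KC_CLIENT_URL) }}" && echo "Primary cluster is active") || echo "Primary cluster is NOT active"`. The `|| echo` also turns any failure of the script itself (missing file, resolver error) into the message "Primary cluster is NOT active", so an operator cannot tell a real failover from a broken check; letting the task fail on script errors and reserving the "NOT active" message for the script's own negative result would be more honest. A comment above `cmd:` stating what `route53_test_primary_used.sh` expects as its argument (host only, no scheme) would document the contract.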