Merge pull request #401 from openshift-cherrypick-robot/cherry-pick-3…

…87-to-release-1.0 [release-1.0] Remove dependency on sigstore-ocp
securesign · May 30, 2024 · ac6ec58 · ac6ec58
2 parents 0641747 + 95afaf3
commit ac6ec58
Show file tree

Hide file tree

Showing 19 changed files with 235 additions and 15 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -161,14 +161,14 @@ jobs:
           sleep 1
           kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml
 
-          kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/operator/overlay/kind
+          kubectl create --kustomize ci/keycloak/operator/overlay/kind
           until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
           do
             echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
             kubectl get pods -n keycloak-system
             sleep 10
           done
-          kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/resources/overlay/kind
+          kubectl create --kustomize ci/keycloak/resources/overlay/kind
           until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
           do
             printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)

diff --git a/.github/workflows/upgrade.yml b/.github/workflows/upgrade.yml
@@ -173,14 +173,14 @@ jobs:
           sleep 1
           kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml
 
-          kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/operator/overlay/kind
+          kubectl create --kustomize ci/keycloak/operator/overlay/kind
           until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
           do
             echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
             kubectl get pods -n keycloak-system
             sleep 10
           done
-          kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/resources/overlay/kind
+          kubectl create --kustomize ci/keycloak/resources/overlay/kind
           until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
           do
             printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)

diff --git a/ci/keycloak/operator/base/kustomization.yaml b/ci/keycloak/operator/base/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- namespace.yaml
+- subscription.yaml
+
+namespace: keycloak-system
diff --git a/ci/keycloak/operator/base/namespace.yaml b/ci/keycloak/operator/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak-system
diff --git a/ci/keycloak/operator/base/subscription.yaml b/ci/keycloak/operator/base/subscription.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: rhsso-operator
+spec:
+  channel: stable
+  installPlanApproval: Automatic
+  name: rhsso-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: keycloak-system-trusted-artifact-signer
+spec:
+  targetNamespaces:
+  - keycloak-system
+  upgradeStrategy: Default
diff --git a/ci/keycloak/operator/overlay/kind/kustomization.yaml b/ci/keycloak/operator/overlay/kind/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+patches:
+- path: patch.yaml
+
+
diff --git a/ci/keycloak/operator/overlay/kind/patch.yaml b/ci/keycloak/operator/overlay/kind/patch.yaml
@@ -0,0 +1,9 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: rhsso-operator
+spec:
+  channel: alpha
+  name: keycloak-operator
+  source: operatorhubio-catalog
+  sourceNamespace: olm
diff --git a/ci/keycloak/resources/base/keycloak.yaml b/ci/keycloak/resources/base/keycloak.yaml
@@ -0,0 +1,14 @@
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+  labels:
+    app: sso
+  name: keycloak
+spec:
+  externalAccess:
+    enabled: true
+  instances: 1
+  keycloakDeploymentSpec:
+    imagePullPolicy: Always
+  postgresDeploymentSpec:
+    imagePullPolicy: Always
diff --git a/ci/keycloak/resources/base/kustomization.yaml b/ci/keycloak/resources/base/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: keycloak-system
+
+resources:
+- keycloak.yaml
+- realm.yaml
+- tas-client.yaml
+- user.yaml
diff --git a/ci/keycloak/resources/base/realm.yaml b/ci/keycloak/resources/base/realm.yaml
@@ -0,0 +1,16 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakRealm
+metadata:
+  labels:
+    app: sso
+  name: trusted-artifact-signer
+spec:
+  instanceSelector:
+    matchLabels:
+      app: sso
+  realm:
+    displayName: Red-Hat-Trusted-Artifact-Signer
+    enabled: true
+    id: trusted-artifact-signer
+    realm: trusted-artifact-signer
+    sslRequired: none
diff --git a/ci/keycloak/resources/base/tas-client.yaml b/ci/keycloak/resources/base/tas-client.yaml
@@ -0,0 +1,55 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakClient
+metadata:
+  labels:
+    app: sso
+  name: trusted-artifact-signer
+spec:
+  client:
+    attributes:
+      request.object.signature.alg: RS256
+      user.info.response.signature.alg: RS256
+    clientAuthenticatorType: client-secret
+    clientId: trusted-artifact-signer
+    defaultClientScopes:
+    - profile
+    - email
+    description: Client for Red Hat Trusted Artifact Signer authentication
+    directAccessGrantsEnabled: true
+    implicitFlowEnabled: false
+    name: trusted-artifact-signer
+    protocol: openid-connect
+    protocolMappers:
+    - config:
+        claim.name: email
+        id.token.claim: "true"
+        jsonType.label: String
+        user.attribute: email
+        userinfo.token.claim: "true"
+      name: email
+      protocol: openid-connect
+      protocolMapper: oidc-usermodel-property-mapper
+    - config:
+        claim.name: email-verified
+        id.token.claim: "true"
+        user.attribute: emailVerified
+        userinfo.token.claim: "true"
+      name: email-verified
+      protocol: openid-connect
+      protocolMapper: oidc-usermodel-property-mapper
+    - config:
+        claim.name: aud
+        claim.value: trusted-artifact-signer
+        id.token.claim: "true"
+        access.token.claim: "true"
+        userinfo.token.claim: "true"
+      name: audience
+      protocol: openid-connect
+      protocolMapper: oidc-hardcoded-claim-mapper
+    publicClient: true
+    standardFlowEnabled: true
+    redirectUris:
+    - "*"
+  realmSelector:
+    matchLabels:
+      app: sso
diff --git a/ci/keycloak/resources/base/user.yaml b/ci/keycloak/resources/base/user.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakUser
+metadata:
+  labels:
+    app: sso
+  name: jdoe
+spec:
+  realmSelector:
+    matchLabels:
+      app: sso
+  user:
+    email: jdoe@redhat.com
+    enabled: true
+    emailVerified: true
+    credentials:
+      - type: "password"
+        value: "secure"
+    firstName: Jane
+    lastName: Doe
+    username: jdoe
diff --git a/ci/keycloak/resources/example-user.yaml b/ci/keycloak/resources/example-user.yaml
@@ -0,0 +1,21 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakUser
+metadata:
+  labels:
+    app: sso
+  name: UPDATE
+  namespace: keycloak-system
+spec:
+  realmSelector:
+    matchLabels:
+      app: sso
+  user:
+    credentials:
+    - type: password
+      value: UPDATE
+    email: user@email.com
+    emailVerified: true
+    enabled: true
+    firstName: UPDATE
+    lastName: UPDATE
+    username: UPDATE
diff --git a/ci/keycloak/resources/overlay/kind/keycloak-svc.yaml b/ci/keycloak/resources/overlay/kind/keycloak-svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-internal
+spec:
+  selector:
+    app: keycloak
+    component: keycloak
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
diff --git a/ci/keycloak/resources/overlay/kind/keycloak_patch.yaml b/ci/keycloak/resources/overlay/kind/keycloak_patch.yaml
@@ -0,0 +1,8 @@
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+  name: keycloak
+spec:
+  externalAccess:
+    enabled: false
+
diff --git a/ci/keycloak/resources/overlay/kind/kustomization.yaml b/ci/keycloak/resources/overlay/kind/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: keycloak-system
+
+resources:
+  - ../../base
+  - keycloak-svc.yaml
+
+patches:
+- path: keycloak_patch.yaml
+- path: realm_patch.yaml
diff --git a/ci/keycloak/resources/overlay/kind/realm_patch.yaml b/ci/keycloak/resources/overlay/kind/realm_patch.yaml
@@ -0,0 +1,7 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakRealm
+metadata:
+  name: trusted-artifact-signer
+spec:
+  realm:
+    sslRequired: none
diff --git a/ci/openshift/tas-keycloak-install.sh b/ci/openshift/tas-keycloak-install.sh
@@ -34,27 +34,20 @@ check_pod_status() {
 
 # Install SSO Operator and Keycloak service
 install_sso_keycloak() {
-    pushd /tmp
-    git clone https://github.com/securesign/sigstore-ocp
-    git fetch -a -v
-    cd sigstore-ocp
-    git checkout main
-    oc apply --kustomize keycloak/operator/base
+    oc apply --kustomize ci/keycloak/operator/base
     check_pod_status "keycloak-system" "rhsso-operator"
     # Check the return value from the function
     if [ $? -ne 0 ]; then
         echo "Pod status check failed. Exiting the script."
         exit 1
     fi
-    oc apply --kustomize keycloak/resources/base
+    oc apply --kustomize ci/keycloak/resources/base
     check_pod_status "keycloak-system" "keycloak-postgresql"
     # Check the return value from the function
     if [ $? -ne 0 ]; then
         echo "Pod status check failed. Exiting the script."
         exit 1
     fi
-    cd ../ && rm -rf sigstore-ocp
-    popd
 }
 
 # Install Red Hat SSO Operator and setup Keycloak service

diff --git a/hack/up.sh b/hack/up.sh
@@ -35,14 +35,14 @@ sleep 1
 kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml
 
 #install keycloak from Kind overlay
-kubectl create --kustomize ${HOME}/git/sigstore-ocp/keycloak/operator/overlay/kind
+kubectl create --kustomize ci/keycloak/operator/overlay/kind
 until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
 do
   echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
   kubectl get pods -n keycloak-system
   sleep 10
 done
-kubectl create --kustomize ${HOME}/git/sigstore-ocp/keycloak/resources/overlay/kind
+kubectl create --kustomize ci/keycloak/resources/overlay/kind
 until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
 do
   printf "Waiting for keycloak deployment. \n Keycloak ready: %s \n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)