From 9dc66ea61de907149ae77a2a6f2ba56a36afbadb Mon Sep 17 00:00:00 2001 
From: Jan Bouska Date: Thu, 23 May 2024 11:39:12 +0200 Subject: [PATCH] Remove dependency on sigstore-ocp --- .github/workflows/main.yml | 4 +- .github/workflows/upgrade.yml | 4 +- ci/keycloak/operator/base/kustomization.yaml | 8 +++ ci/keycloak/operator/base/namespace.yaml | 4 ++ ci/keycloak/operator/base/subscription.yaml | 20 +++++++ .../operator/overlay/kind/kustomization.yaml | 10 ++++ ci/keycloak/operator/overlay/kind/patch.yaml | 9 +++ ci/keycloak/resources/base/keycloak.yaml | 14 +++++ ci/keycloak/resources/base/kustomization.yaml | 10 ++++ ci/keycloak/resources/base/realm.yaml | 16 ++++++ ci/keycloak/resources/base/tas-client.yaml | 55 +++++++++++++++++++ ci/keycloak/resources/base/user.yaml | 21 +++++++ ci/keycloak/resources/example-user.yaml | 21 +++++++ .../resources/overlay/kind/keycloak-svc.yaml | 12 ++++ .../overlay/kind/keycloak_patch.yaml | 8 +++ .../resources/overlay/kind/kustomization.yaml | 12 ++++ .../resources/overlay/kind/realm_patch.yaml | 7 +++ ci/openshift/tas-keycloak-install.sh | 11 +--- hack/up.sh | 4 +- 19 files changed, 235 insertions(+), 15 deletions(-) create mode 100644 ci/keycloak/operator/base/kustomization.yaml create mode 100644 ci/keycloak/operator/base/namespace.yaml create mode 100644 ci/keycloak/operator/base/subscription.yaml create mode 100644 ci/keycloak/operator/overlay/kind/kustomization.yaml create mode 100644 ci/keycloak/operator/overlay/kind/patch.yaml create mode 100644 ci/keycloak/resources/base/keycloak.yaml create mode 100644 ci/keycloak/resources/base/kustomization.yaml create mode 100644 ci/keycloak/resources/base/realm.yaml create mode 100644 ci/keycloak/resources/base/tas-client.yaml create mode 100644 ci/keycloak/resources/base/user.yaml create mode 100644 ci/keycloak/resources/example-user.yaml create mode 100644 ci/keycloak/resources/overlay/kind/keycloak-svc.yaml create mode 100644 ci/keycloak/resources/overlay/kind/keycloak_patch.yaml create mode 100644 
ci/keycloak/resources/overlay/kind/kustomization.yaml create mode 100644 ci/keycloak/resources/overlay/kind/realm_patch.yaml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 83ab3e34e..1f86b4c4d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -161,14 +161,14 @@ jobs: sleep 1 kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml - kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/operator/overlay/kind + kubectl create --kustomize ci/keycloak/operator/overlay/kind until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ] do echo "Waiting for keycloak operator. Pods in keycloak-system namespace:" kubectl get pods -n keycloak-system sleep 10 done - kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/resources/overlay/kind + kubectl create --kustomize ci/keycloak/resources/overlay/kind until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] do printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) diff --git a/.github/workflows/upgrade.yml b/.github/workflows/upgrade.yml index eed4178ce..8940a6cee 100644 --- a/.github/workflows/upgrade.yml +++ b/.github/workflows/upgrade.yml 
@@ -173,14 +173,14 @@ jobs: sleep 1 kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml - kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/operator/overlay/kind + kubectl create --kustomize ci/keycloak/operator/overlay/kind until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ] do echo "Waiting for keycloak operator. Pods in keycloak-system namespace:" kubectl get pods -n keycloak-system sleep 10 done - kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/resources/overlay/kind + kubectl create --kustomize ci/keycloak/resources/overlay/kind until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] do printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) diff --git a/ci/keycloak/operator/base/kustomization.yaml b/ci/keycloak/operator/base/kustomization.yaml new file mode 100644 index 000000000..e51e997c3 --- /dev/null +++ b/ci/keycloak/operator/base/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- namespace.yaml +- subscription.yaml + +namespace: keycloak-system diff --git a/ci/keycloak/operator/base/namespace.yaml b/ci/keycloak/operator/base/namespace.yaml new file mode 100644 index 000000000..3705b5c16 --- /dev/null +++ b/ci/keycloak/operator/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: keycloak-system diff --git a/ci/keycloak/operator/base/subscription.yaml b/ci/keycloak/operator/base/subscription.yaml new file mode 100644 index 000000000..acd8325f3 --- /dev/null +++ b/ci/keycloak/operator/base/subscription.yaml 
@@ -0,0 +1,20 @@
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: rhsso-operator
+spec:
+ channel: stable
+ installPlanApproval: Automatic
+ name: rhsso-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: keycloak-system-trusted-artifact-signer
+spec:
+ targetNamespaces:
+ - keycloak-system
+ upgradeStrategy: Default
diff --git a/ci/keycloak/operator/overlay/kind/kustomization.yaml b/ci/keycloak/operator/overlay/kind/kustomization.yaml
new file mode 100644
index 000000000..9d3946a6b
--- /dev/null
+++ b/ci/keycloak/operator/overlay/kind/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+- path: patch.yaml
+
+
diff --git a/ci/keycloak/operator/overlay/kind/patch.yaml b/ci/keycloak/operator/overlay/kind/patch.yaml
new file mode 100644
index 000000000..3e1ed4376
--- /dev/null
+++ b/ci/keycloak/operator/overlay/kind/patch.yaml
@@ -0,0 +1,9 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: rhsso-operator
+spec:
+ channel: alpha
+ name: keycloak-operator
+ source: operatorhubio-catalog
+ sourceNamespace: olm
diff --git a/ci/keycloak/resources/base/keycloak.yaml b/ci/keycloak/resources/base/keycloak.yaml
new file mode 100644
index 000000000..954730127
--- /dev/null
+++ b/ci/keycloak/resources/base/keycloak.yaml
@@ -0,0 +1,14 @@
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+ labels:
+ app: sso
+ name: keycloak
+spec:
+ externalAccess:
+ enabled: true
+ instances: 1
+ keycloakDeploymentSpec:
+ imagePullPolicy: Always
+ postgresDeploymentSpec:
+ imagePullPolicy: Always
diff --git a/ci/keycloak/resources/base/kustomization.yaml b/ci/keycloak/resources/base/kustomization.yaml
new file mode 100644
index 000000000..b5dffdcdb
--- /dev/null
+++ b/ci/keycloak/resources/base/kustomization.yaml
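Review bot: The kind overlay's Subscription in patch.yaml tracks the `alpha` channel of `operatorhubio-catalog` with no version pin and inherits `installPlanApproval: Automatic` from the base, so each CI run installs whatever the newest alpha keycloak-operator happens to be, and an upstream breaking release surfaces as a failure in this repository rather than as a deliberate bump. If reproducibility matters more than tracking upstream, fix the starting version with `startingCSV: <keycloak-operator CSV to pin>` in patch.yaml and update it on purpose; automatic approval can still move past it within a run, though that is unlikely in the lifetime of a CI cluster. The base subscription (`channel: stable` on `redhat-operators`) has the same unpinned shape, which is the usual choice on OpenShift and is less of a concern.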
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: keycloak-system
+
+resources:
+- keycloak.yaml
+- realm.yaml
+- tas-client.yaml
+- user.yaml
diff --git a/ci/keycloak/resources/base/realm.yaml b/ci/keycloak/resources/base/realm.yaml
new file mode 100644
index 000000000..fd50275fa
--- /dev/null
+++ b/ci/keycloak/resources/base/realm.yaml
@@ -0,0 +1,16 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakRealm
+metadata:
+ labels:
+ app: sso
+ name: trusted-artifact-signer
+spec:
+ instanceSelector:
+ matchLabels:
+ app: sso
+ realm:
+ displayName: Red-Hat-Trusted-Artifact-Signer
+ enabled: true
+ id: trusted-artifact-signer
+ realm: trusted-artifact-signer
+ sslRequired: none
diff --git a/ci/keycloak/resources/base/tas-client.yaml b/ci/keycloak/resources/base/tas-client.yaml
new file mode 100644
index 000000000..36d8dd280
--- /dev/null
+++ b/ci/keycloak/resources/base/tas-client.yaml
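Review bot: `sslRequired: none` in the base realm turns off Keycloak's TLS requirement for every environment the base is applied to, including the OpenShift path (`oc apply --kustomize ci/keycloak/resources/base` in ci/openshift/tas-keycloak-install.sh), and it makes the kind overlay's realm_patch.yaml, which sets the very same value, a no-op. Consider keeping the base at Keycloak's default `sslRequired: external` and leaving the relaxation to the kind overlay, which is also where the plain-HTTP `keycloak-internal` Service lives; that needs confirming against how the OpenShift tests reach Keycloak (through a TLS-terminating Route, `external` should be fine). If `none` is intentional for both, a comment on the line, `# CI only: tests reach Keycloak over plain HTTP`, would stop the next reader from "fixing" it.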
@@ -0,0 +1,55 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakClient
+metadata:
+ labels:
+ app: sso
+ name: trusted-artifact-signer
+spec:
+ client:
+ attributes:
+ request.object.signature.alg: RS256
+ user.info.response.signature.alg: RS256
+ clientAuthenticatorType: client-secret
+ clientId: trusted-artifact-signer
+ defaultClientScopes:
+ - profile
+ - email
+ description: Client for Red Hat Trusted Artifact Signer authentication
+ directAccessGrantsEnabled: true
+ implicitFlowEnabled: false
+ name: trusted-artifact-signer
+ protocol: openid-connect
+ protocolMappers:
+ - config:
+ claim.name: email
+ id.token.claim: "true"
+ jsonType.label: String
+ user.attribute: email
+ userinfo.token.claim: "true"
+ name: email
+ protocol: openid-connect
+ protocolMapper: oidc-usermodel-property-mapper
+ - config:
+ claim.name: email-verified
+ id.token.claim: "true"
+ user.attribute: emailVerified
+ userinfo.token.claim: "true"
+ name: email-verified
+ protocol: openid-connect
+ protocolMapper: oidc-usermodel-property-mapper
+ - config:
+ claim.name: aud
+ claim.value: trusted-artifact-signer
+ id.token.claim: "true"
+ access.token.claim: "true"
+ userinfo.token.claim: "true"
+ name: audience
+ protocol: openid-connect
+ protocolMapper: oidc-hardcoded-claim-mapper
+ publicClient: true
+ standardFlowEnabled: true
+ redirectUris:
+ - "*"
+ realmSelector:
+ matchLabels:
+ app: sso
diff --git a/ci/keycloak/resources/base/user.yaml b/ci/keycloak/resources/base/user.yaml
new file mode 100644
index 000000000..f9006a82a
--- /dev/null
+++ b/ci/keycloak/resources/base/user.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakUser
+metadata:
+ labels:
+ app: sso
+ name: jdoe
+spec:
+ realmSelector:
+ matchLabels:
+ app: sso
+ user:
+ email: jdoe@redhat.com
+ enabled: true
+ emailVerified: true
+ credentials:
+ - type: "password"
+ value: "secure"
+ firstName: Jane
+ lastName: Doe
+ username: jdoe
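Review bot: `redirectUris: - "*"` lets this client send authorization codes to any redirect target, and with `publicClient: true` and `standardFlowEnabled: true` there is no client secret or PKCE enforcement visible here to compensate; for a throwaway kind cluster that is tolerable, but the base is also applied to the OpenShift test cluster by ci/openshift/tas-keycloak-install.sh. Narrow the list to the exact redirect URIs the CI login actually uses, `- "<redirect URI used by the CI client>"`, which depends on the tool that performs the login and is not visible in this patch. Separately, the custom mapper emits a claim named `email-verified` (hyphen) while the standard OIDC claim is `email_verified`, and the `email` default client scope already supplies the standard one; that looks redundant rather than harmful, but is worth confirming against whichever verifier consumes these tokens.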
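Review bot: user.yaml creates a realm user with a fixed, committed password (`value: "secure"`, `emailVerified: true`) and lists it in resources/base, so the account exists on every cluster the base is applied to, including the OpenShift path in ci/openshift/tas-keycloak-install.sh, not only kind. Combined with `sslRequired: none` in realm.yaml this is a well-known credential on a plain-HTTP login endpoint; moving `user.yaml` into the kind overlay, or sourcing the password from a per-run Secret if the operator's KeycloakUser supports that, would confine it to throwaway clusters. At minimum a header comment should travel with the file, `# CI test identity with a well-known password; never apply to a shared cluster`.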
diff --git a/ci/keycloak/resources/example-user.yaml b/ci/keycloak/resources/example-user.yaml
new file mode 100644
index 000000000..dad28b651
--- /dev/null
+++ b/ci/keycloak/resources/example-user.yaml
@@ -0,0 +1,21 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakUser
+metadata:
+ labels:
+ app: sso
+ name: UPDATE
+ namespace: keycloak-system
+spec:
+ realmSelector:
+ matchLabels:
+ app: sso
+ user:
+ credentials:
+ - type: password
+ value: UPDATE
+ email: user@email.com
+ emailVerified: true
+ enabled: true
+ firstName: UPDATE
+ lastName: UPDATE
+ username: UPDATE
diff --git a/ci/keycloak/resources/overlay/kind/keycloak-svc.yaml b/ci/keycloak/resources/overlay/kind/keycloak-svc.yaml
new file mode 100644
index 000000000..56a61b803
--- /dev/null
+++ b/ci/keycloak/resources/overlay/kind/keycloak-svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak-internal
+spec:
+ selector:
+ app: keycloak
+ component: keycloak
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8080
diff --git a/ci/keycloak/resources/overlay/kind/keycloak_patch.yaml b/ci/keycloak/resources/overlay/kind/keycloak_patch.yaml
new file mode 100644
index 000000000..7aa62fd26
--- /dev/null
+++ b/ci/keycloak/resources/overlay/kind/keycloak_patch.yaml
@@ -0,0 +1,8 @@
+apiVersion: keycloak.org/v1alpha1
+kind: Keycloak
+metadata:
+ name: keycloak
+spec:
+ externalAccess:
+ enabled: false
+
diff --git a/ci/keycloak/resources/overlay/kind/kustomization.yaml b/ci/keycloak/resources/overlay/kind/kustomization.yaml
new file mode 100644
index 000000000..731942a78
--- /dev/null
+++ b/ci/keycloak/resources/overlay/kind/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: keycloak-system
+
+resources:
+ - ../../base
+ - keycloak-svc.yaml
+
+patches:
+- path: keycloak_patch.yaml
+- path: realm_patch.yaml
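Review bot: example-user.yaml is a fill-in template (`name: UPDATE`, `value: UPDATE`, `username: UPDATE`) that neither resources/base/kustomization.yaml nor the kind overlay kustomization references, so it is only ever applied by hand, yet nothing in the file says so or tells the reader which placeholders must change. A short header would make that explicit: `# Template only: replace every UPDATE (and the email) before applying; not part of any kustomization.` The `namespace: keycloak-system` hard-coded here is also the one thing that differs from the kustomized user.yaml and deserves a one-line note that it must match the namespace Keycloak was installed into.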
diff --git a/ci/keycloak/resources/overlay/kind/realm_patch.yaml b/ci/keycloak/resources/overlay/kind/realm_patch.yaml
new file mode 100644
index 000000000..43aa66f30
--- /dev/null
+++ b/ci/keycloak/resources/overlay/kind/realm_patch.yaml
@@ -0,0 +1,7 @@
+apiVersion: keycloak.org/v1alpha1
+kind: KeycloakRealm
+metadata:
+ name: trusted-artifact-signer
+spec:
+ realm:
+ sslRequired: none
diff --git a/ci/openshift/tas-keycloak-install.sh b/ci/openshift/tas-keycloak-install.sh
index 3c2c69f1c..69ca2d7ce 100755
--- a/ci/openshift/tas-keycloak-install.sh
+++ b/ci/openshift/tas-keycloak-install.sh
@@ -34,27 +34,20 @@ check_pod_status() { # Install SSO Operator and Keycloak service install_sso_keycloak() { - pushd /tmp - git clone https://github.com/securesign/sigstore-ocp - git fetch -a -v - cd sigstore-ocp - git checkout main - oc apply --kustomize keycloak/operator/base + oc apply --kustomize ci/keycloak/operator/base check_pod_status "keycloak-system" "rhsso-operator" # Check the return value from the function if [ $? -ne 0 ]; then echo "Pod status check failed. Exiting the script." exit 1 fi - oc apply --kustomize keycloak/resources/base + oc apply --kustomize ci/keycloak/resources/base check_pod_status "keycloak-system" "keycloak-postgresql" # Check the return value from the function if [ $? -ne 0 ]; then echo "Pod status check failed. Exiting the script." exit 1 fi - cd ../ && rm -rf sigstore-ocp - popd }
diff --git a/hack/up.sh b/hack/up.sh
index 1d24a1d0a..50df2e2b8 100644
--- a/hack/up.sh
+++ b/hack/up.sh
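Review bot: The two new `oc apply --kustomize ci/keycloak/...` lines in install_sso_keycloak use paths relative to the caller's working directory, whereas the removed `pushd /tmp` + clone sequence worked from anywhere, so the script now silently applies nothing (or fails) unless it is invoked from the repository root. Anchor the paths on the script's own location instead: `repo_root=$(cd "$(dirname "$0")/../.." && pwd) || exit 1` before the first apply, then `oc apply --kustomize "${repo_root}/ci/keycloak/operator/base"` and `oc apply --kustomize "${repo_root}/ci/keycloak/resources/base"`; this relies on the script being executed rather than sourced, which its 100755 mode suggests. The hack/up.sh hunk has the same problem, having replaced the absolute `${HOME}/git/sigstore-ocp/...` paths with `ci/keycloak/...`; there the root is `$(dirname "$0")/..`. The unguarded `$?` checks around check_pod_status are pre-existing and unchanged.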
@@ -35,14 +35,14 @@ sleep 1 kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml #install keycloak from Kind overlay -kubectl create --kustomize ${HOME}/git/sigstore-ocp/keycloak/operator/overlay/kind +kubectl create --kustomize ci/keycloak/operator/overlay/kind until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ] do echo "Waiting for keycloak operator. Pods in keycloak-system namespace:" kubectl get pods -n keycloak-system sleep 10 done -kubectl create --kustomize ${HOME}/git/sigstore-ocp/keycloak/resources/overlay/kind +kubectl create --kustomize ci/keycloak/resources/overlay/kind until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] do printf "Waiting for keycloak deployment. \n Keycloak ready: %s \n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)