Update keycloak-operator to 26.2.0 (#640)

* Update keycloak-operator to 26.2.0

* Fix deployment process for Keycloak 26.x (#789)

* Remove deprecated options from keycloak config

Docs [1] imply that hostname-strict-https option
is now deprecated.

[1] https://www.keycloak.org/docs/latest/upgrading/#new-hostname-options

* Set keycloak hostname to full URL

Without the protocol part, Keycloak cannot determine whether to
enforce strict https or not [1].

[1] https://www.keycloak.org/docs/latest/upgrading/#new-hostname-options

* Test temp-admin username for bootstrap admin user

* Update process for setting Keycloak admin password

Keycloak 26.0.0 introduced a new approach for bootstrapping
admin accounts in the master realm [1], involving a temporary
admin account that should be used for bootstrapping the
master realm.

Refactor the Keycloak admin account bootstrapping process
to create a new "admin" account with the "admin" realm-role
rather than reusing the existing admin account. Also
delete the temporary admin-bootstrapping account.

[1] https://www.keycloak.org/docs/latest/release_notes/index.html#admin-bootstrapping-and-recovery

* Fix apt locking failures in CI

* Get an admin token from the new admin user

* Move deleting the bootstrap admin to the end

* Fix conditional syntax

---------

Co-authored-by: mkjpryor <[email protected]>
Co-authored-by: Matt Anson <[email protected]>

Author: 3 people

roles/community_images/tasks/main.yml

@@ -1,13 +1,20 @@
 ---
 
 - block:
+    - name: Update apt cache
+      apt:
+        update_cache: true
+      register: cache_updated
+      changed_when: false
+      until:
+        - cache_updated is success
+
     - name: Ensure required packages are available
       apt:
         name:
           - python3-pip
           - qemu-utils
         state: present
-        update_cache: yes
 
     - name: Ensure OpenStack CLI (and SDK) are available
       pip:

roles/keycloak/defaults/main.yml

@@ -45,7 +45,7 @@ keycloak_spec_defaults:
   http:
     httpEnabled: true
   hostname:
-    hostname: "{{ keycloak_ingress_host }}"
+    hostname: "{{ keycloak_base_url }}"
     strict: false
     strictBackchannel: false
   db: >-
@@ -98,12 +98,9 @@ keycloak_spec_defaults:
       if keycloak_trust_bundle
       else {}
     }}
-  # Use the additional options to disable strict HTTPS if TLS is disabled
   additionalOptions:
     - name: metrics-enabled
       value: "true"
-    - name: hostname-strict-https
-      value: "{{ 'true' if keycloak_ingress_tls_enabled else 'false' }}"
 keycloak_spec_overrides: {}
 keycloak_spec: "{{ keycloak_spec_defaults | combine(keycloak_spec_overrides, recursive = True) }}"
 
@@ -195,7 +192,7 @@ keycloak_ingress_spec: >-
   }}
 
 # The version of the Keycloak operator to install
-keycloak_operator_version: 25.0.6
+keycloak_operator_version: 26.2.0
 # The base URL for the Keycloak operator manifests
 keycloak_operator_base_url: https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources
 
@@ -244,6 +241,8 @@ keycloak_admin_password: "{{ undef(hint = 'keycloak_admin_password is not define
 keycloak_admin_creds_secret_name: "{{ keycloak_name }}-admin-creds"
 # The name of the secret containing the initial admin password
 keycloak_initial_admin_secret_name: "{{ keycloak_name }}-initial-admin"
+# The bootstrap admin username
+keycloak_bootstrap_admin_username: "temp-admin"
 
 # The base URL of Keycloak
 keycloak_base_url: >-

roles/keycloak/tasks/main.yml

@@ -219,24 +219,24 @@
 
 # If the token request fails with an auth error, try using the initial password to
 # update the password to the one from config
-- name: Update Keycloak admin password
+- name: Update Keycloak admin password and remove bootstrap admin user
   block:
-    - name: Get initial admin password
+    - name: Get bootstrap admin password
       command: >-
         kubectl get secret {{ keycloak_initial_admin_secret_name }}
           --namespace {{ keycloak_namespace }}
           --output go-template='{% raw %}{{ .data.password | base64decode }}{% endraw %}'
       register: keycloak_initial_admin_password_cmd
 
-    - name: Get Keycloak admin token using initial admin password
+    - name: Get Keycloak admin token using bootstrap admin password
       uri:
         url: "{{ keycloak_base_url }}/realms/master/protocol/openid-connect/token"
         method: POST
         body_format: form-urlencoded
         body:
           grant_type: password
           client_id: admin-cli
-          username: "{{ keycloak_admin_username }}"
+          username: "{{ keycloak_bootstrap_admin_username }}"
           password: "{{ keycloak_initial_admin_password_cmd.stdout }}"
         ca_path: "{{ keycloak_ca_path }}"
         validate_certs: "{{ keycloak_validate_certs }}"
@@ -246,6 +246,24 @@
       set_fact:
         keycloak_admin_token: "{{ keycloak_admin_token_initial_req.json.access_token }}"
 
+    - name: Create Keycloak admin user
+      uri:
+        url: "{{ keycloak_base_url }}/admin/realms/master/users"
+        method: POST
+        headers:
+          authorization: "Bearer {{ keycloak_admin_token }}"
+        body_format: json
+        body:
+          username: "{{ keycloak_admin_username }}"
+          enabled: true
+          credentials:
+            - type: "password"
+              temporary: false
+              value: "{{ keycloak_admin_password }}"
+        ca_path: "{{ keycloak_ca_path }}"
+        validate_certs: "{{ keycloak_validate_certs }}"
+        status_code: [201]
+
     - name: Get Keycloak master realm users
       uri:
         url: "{{ keycloak_base_url }}/admin/realms/master/users"
@@ -256,17 +274,26 @@
         validate_certs: "{{ keycloak_validate_certs }}"
       register: keycloak_realm_users_req
 
-    - name: Set Keycloak admin password
+    - name: Get Keycloak master realm roles
       uri:
-        url: "{{ keycloak_base_url }}/admin/realms/master/users/{{ keycloak_admin_user_id }}/reset-password"
-        method: PUT
+        url: "{{ keycloak_base_url }}/admin/realms/master/roles"
+        method: GET
+        headers:
+          authorization: "Bearer {{ keycloak_admin_token }}"
+        ca_path: "{{ keycloak_ca_path }}"
+        validate_certs: "{{ keycloak_validate_certs }}"
+      register: keycloak_realm_roles_req
+
+    - name: Add the Keycloak admin realm role to the admin user
+      uri:
+        url: "{{ keycloak_base_url }}/admin/realms/master/users/{{ keycloak_admin_user_id }}/role-mappings/realm"
+        method: POST
         headers:
           authorization: "Bearer {{ keycloak_admin_token }}"
         body_format: json
         body:
-          type: password
-          temporary: false
-          value: "{{ keycloak_admin_password }}"
+          - id: "{{ keycloak_admin_role_id }}"
+            name: "admin"
         ca_path: "{{ keycloak_ca_path }}"
         validate_certs: "{{ keycloak_validate_certs }}"
         status_code: [204]
@@ -278,6 +305,14 @@
               first |
               json_query("id")
           }}
+        keycloak_admin_role_id: >-
+          {{-
+            keycloak_realm_roles_req.json |
+              selectattr("name", "eq", "admin") |
+              first |
+              json_query("id")
+          }}
+
   when: keycloak_admin_token_req.status != 200
 
 - name: Configure SSL requirement for master realm
@@ -292,3 +327,24 @@
     ca_path: "{{ keycloak_ca_path }}"
     validate_certs: "{{ keycloak_validate_certs }}"
     status_code: [204]
+
+- name: Delete the Keycloak bootstrap admin user
+  uri:
+    url: "{{ keycloak_base_url }}/admin/realms/master/users/{{ keycloak_bootstrap_admin_user_id }}"
+    method: DELETE
+    headers:
+      authorization: "Bearer {{ keycloak_admin_token }}"
+    ca_path: "{{ keycloak_ca_path }}"
+    validate_certs: "{{ keycloak_validate_certs }}"
+    status_code: [204]
+  when:
+    - keycloak_realm_users_req is defined
+    - keycloak_bootstrap_admin_username in (keycloak_realm_users_req.json | map(attribute="username"))
+  vars:
+    keycloak_bootstrap_admin_user_id: >-
+      {{-
+        keycloak_realm_users_req.json |
+          selectattr("username", "eq", keycloak_bootstrap_admin_username) |
+          first |
+          json_query("id")
+      }}