feat(keycloak): v24 (#53)

closes #51

Author: leiicamundi

.github/renovate.json5

@@ -4,7 +4,7 @@
     ":dependencyDashboard",
     ":semanticCommits",
     ":enablePreCommit",
-    ":docker"
+    ":docker",
   ],
   "automerge": false,
   "packageRules": [
@@ -16,7 +16,7 @@
       "matchFileNames": [".watch-latest/Dockerfile"],
       "matchUpdateTypes": ["major"],
       "enabled": true,
-      "addLabels": ["dependencies", "docker"]
+      "addLabels": ["dependencies", "docker", "hold"],
     },
     {
       "matchManagers": ["dockerfile"],
@@ -26,14 +26,14 @@
       "matchFileNames": ["keycloak-*/Dockerfile"],
       "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(:?-(?<compatibility>.+)(?<build>\\d+)-r(?<revision>\\d+))?$",
       "enabled": true,
-      "addLabels": ["dependencies", "docker"]
+      "addLabels": ["dependencies", "docker"],
     },
     {
       "matchManagers": ["dockerfile"],
       "matchDatasources": ["docker"],
       "matchFileNames": ["keycloak-*/Dockerfile"],
       "matchUpdateTypes": ["major"],
-      "enabled": false
-    }
+      "enabled": false,
+    },
   ]
 }

.github/workflows/build-images.yml

@@ -272,6 +272,23 @@ jobs:
             secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_PASSWORD | postgres_superuser_password;
             secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_USERNAME | postgres_superuser;
 
+            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
+            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;
+
+      - name: Login to the dockerhub registry # prevents pull limit rate
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
+        with:
+          registry: "${{ vars.CONTAINER_REGISTRY }}"
+          username: "${{ steps.secrets.outputs.DOCKERHUB_USER }}"
+          password: "${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}"
+
+      - name: Login to the registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
+        with:
+          registry: ${{ vars.CONTAINER_REGISTRY_CI }}
+          username: ${{ steps.secrets.outputs.MACHINE_USR }}
+          password: ${{ steps.secrets.outputs.MACHINE_PWD }}
+
       - name: Compute AWS variables
         if: startsWith(matrix.runner_desc.runner, 'aws')
         run: |
@@ -329,13 +346,6 @@ jobs:
           echo "postgres_host=${postgres_host}" >> "$GITHUB_ENV"
           echo "postgres_host=${postgres_host}"
 
-      - name: Login to the registry
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
-        with:
-          registry: ${{ vars.CONTAINER_REGISTRY_CI }}
-          username: ${{ steps.secrets.outputs.MACHINE_USR }}
-          password: ${{ steps.secrets.outputs.MACHINE_PWD }}
-
       # The self-hosted runner doesn't provide a postgres client and the prerequisites for make,
       # so we need to install them manually
       - name: Install required packages
@@ -402,9 +412,9 @@ jobs:
           KEYCLOAK_JDBC_PARAMS: "${{ matrix.runner_desc.keycloak_db_jdbc_query }}"
           KC_DB_DRIVER: "${{ matrix.runner_desc.keycloak_db_driver }}"
 
-          KEYCLOAK_LOG_LEVEL: "INFO,software.amazon.jdbc:FINEST"
+          KEYCLOAK_LOG_LEVEL: "INFO,software.amazon.jdbc:INFO"
 
-          COMPOSE_POSTGRES_IMAGE: "public.ecr.aws/docker/library/postgres:${{ env.postgres_version }}"
+          COMPOSE_POSTGRES_IMAGE: "docker.io/postgres:${{ env.postgres_version }}"
           COMPOSE_POSTGRES_DEPLOY_REPLICAS: "${{ matrix.runner_desc.postgres_replicas }}"
           COMPOSE_KEYCLOAK_DEPENDS_ON: "${{ env.compose_keycloak_depends_on }}"
           COMPOSE_KEYCLOAK_VOLUME_1: "${{ env.compose_keycloak_volume_1 || '/dev/null:/dummynull1' }}"

.watch-latest/Dockerfile

@@ -2,4 +2,4 @@
 # It is its only purpose.
 
 # Note: When renovate alerts about a new version of keycloak, please follow the `DEVELOPER.md` new release procedure.
-FROM docker.io/bitnami/keycloak:23
+FROM docker.io/bitnami/keycloak:24

README.md

@@ -24,7 +24,7 @@ To start the image, run:
 ```bash
 docker run --name mykeycloak -p 8443:8443 \
         -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
-        docker.io/camunda/keycloak:23
+        docker.io/camunda/keycloak:24
 ```
 
 Keycloak will start in production mode, using secured HTTPS communication and will be available at [https://localhost:8443](https://localhost:8443).
@@ -81,7 +81,7 @@ Don't forget to set the `serviceAccountName` of the deployment/statefulset to po
 To use this image in the Helm chart [bitnami/keycloak](https://artifacthub.io/packages/helm/bitnami/keycloak), update the image used and add the necessary extra environment variables:
 
 ```yaml
-image: docker.io/camunda/keycloak:23
+image: docker.io/camunda/keycloak:24
 extraEnvVars:
   - name: KEYCLOAK_EXTRA_ARGS
     value: "--db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO"

docker-compose.yml

@@ -6,7 +6,7 @@ volumes:
 
 services:
   postgres:
-      image: ${COMPOSE_POSTGRES_IMAGE:-public.ecr.aws/docker/library/postgres:latest}
+      image: ${COMPOSE_POSTGRES_IMAGE:-docker.io/postgres:latest}
       volumes:
         - postgres_data:/var/lib/postgresql/data
       environment:

keycloak-24/Dockerfile

@@ -0,0 +1,75 @@
+ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:24.0.2-debian-12-r0"
+# List of all available images with associated sha: https://hub.docker.com/r/bitnami/keycloak/tags
+# Note: use the global image digest to make this image platform agnostic (see: https://github.com/camunda/zeebe/pull/14186)
+ARG BASE_IMAGE_DIGEST="sha256:c597a98f26fc4e7ab9a2e2a555113c8b91b8018f66946cc77a4224f1e595c95e"
+
+# Building builder image
+# hadolint ignore=DL3006
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
+
+USER 0
+
+# install maven (silence alert about version pinning of maven)
+# hadolint ignore=DL3008
+RUN mkdir /home/keycloak && chown keycloak /home/keycloak && \
+    apt-get update && apt-get install maven -y --no-install-recommends
+
+USER 1001
+
+WORKDIR /home/keycloak
+
+# download the wrapper from github, then fetch the dependencies from maven
+ADD --chown=1001 "https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar"
+ADD --chown=1001 "https://repo1.maven.org/maven2/software/amazon/jdbc/aws-advanced-jdbc-wrapper/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.pom" /home/keycloak/pom.xml
+
+RUN cat /home/keycloak/pom.xml && mvn install && \
+    cp /home/keycloak/.m2/repository/software/amazon/awssdk/*/*/*.jar /opt/bitnami/keycloak/providers/
+
+RUN /opt/bitnami/keycloak/bin/kc.sh build
+
+##### FINAL Keycloak IMAGE #####
+
+# hadolint ignore=DL3006
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
+# leave the values below unset to use the default value at the top of the file
+ARG BASE_IMAGE_NAME
+ARG BASE_IMAGE_DIGEST
+
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
+
+# Copy the previously built aws jdbc drivers
+COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
+
+# common, k8s, openshift and OCI labels:
+# OCI: https://github.com/opencontainers/image-spec/blob/main/annotations.md
+# OCP: https://docs.openshift.com/container-platform/4.10/openshift_images/create-images.html#defining-image-metadata
+LABEL maintainer="Camunda" \
+      name="camunda/keycloak" \
+      summary="Keycloak bitnami with AWS wrapper" \
+      io.k8s.description="Keycloak bitnami with AWS wrapper." \
+      io.k8s.display-name="keycloak" \
+      description="Keycloak bitnami with AWS JDBC wrapper." \
+      jdbc.aws-jdbc-wrapper.version="${AWS_JDBC_WRAPPER_VERSION}" \
+      org.opencontainers.image.authors="Camunda" \
+      org.opencontainers.image.vendor="Camunda" \
+      org.opencontainers.image.documentation="https://hub.docker.com/camunda/keycloak/" \
+      org.opencontainers.image.licenses="Apache License 2.0" \
+      org.opencontainers.image.base.name="docker.io/library/${BASE_IMAGE_NAME}" \
+      org.opencontainers.image.base.digest="${BASE_IMAGE_DIGEST}" \
+      io.openshift.tags="bpmn,identity,keycloak,camunda,bitnami" \
+      io.openshift.min-memory="1Gi" \
+      io.openshift.min-cpu="1"
+
+      # cpu and ram allocation reference: https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing
+
+      # the following labels are generated at buildtime - see https://github.com/docker/metadata-action
+      # org.opencontainers.image.title
+      # org.opencontainers.image.description
+      # org.opencontainers.image.url
+      # org.opencontainers.image.created
+      # org.opencontainers.image.revision
+      # org.opencontainers.image.source
+      # org.opencontainers.image.version