ACS-9047 Use Keycloak 26 #320
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Alfresco Identity Service CI | |
on: | |
push: | |
branches: | |
- master | |
- AUTH-** | |
- OPSEXP-** | |
- feature/** | |
- fix/** | |
- release/** | |
workflow_dispatch: | |
schedule: | |
- cron: "0 5 * * 3" | |
env: | |
S3_ARTIFACTS_BUCKET: ${{ secrets.S3_ARTIFACTS_BUCKET }} | |
AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }} | |
AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }} | |
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }} | |
MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} | |
HELM_DOCS_VERSION: 1.11.0 | |
AWS_REGION: eu-west-1 | |
jobs: | |
pre-commit: | |
name: "Pre-commit" | |
runs-on: ubuntu-latest | |
steps: | |
- name: "Install helm-docs" | |
run: | | |
curl -fsSL https://github.com/norwoodj/helm-docs/releases/download/v$HELM_DOCS_VERSION/helm-docs_${HELM_DOCS_VERSION}_$(uname)_x86_64.tar.gz | sudo tar xz -C /usr/local/bin/ helm-docs | |
helm-docs --version | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
build: | |
name: "Build" | |
runs-on: ubuntu-latest | |
needs: pre-commit | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Build" | |
id: build | |
run: | | |
source distribution/build.properties | |
export KEYCLOAK_VERSION=${KEYCLOAK_VERSION} | |
echo "KEYCLOAK_VERSION=${KEYCLOAK_VERSION}" | |
# build and package | |
cd distribution | |
make || { echo "Command failed with error code $?"; sleep 1; exit 1; } | |
# upload ZIP file to S3 bucket | |
aws s3 cp alfresco-keycloak-${KEYCLOAK_VERSION}.md5 s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/ | |
aws s3 cp alfresco-keycloak-${KEYCLOAK_VERSION}.zip s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/ | |
test_linux: | |
name: "Test on Linux" | |
runs-on: ubuntu-latest | |
needs: build | |
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Test" | |
run: | | |
source distribution/build.properties | |
export KEYCLOAK_VERSION=${KEYCLOAK_VERSION} | |
echo "KEYCLOAK_VERSION=${KEYCLOAK_VERSION}" | |
aws s3 cp s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/alfresco-keycloak-${KEYCLOAK_VERSION}.zip . | |
./distribution/tests/endpoints.sh | |
test_windows: | |
name: "Test on Windows" | |
runs-on: windows-latest | |
needs: build | |
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Get BUILD_NUMBER" | |
run: | | |
echo "BUILD_NUMBER=$env:GITHUB_RUN_NUMBER" | Out-File -FilePath $env:GITHUB_ENV -Append | |
echo $env:GITHUB_RUN_NUMBER | |
- name: "Test" | |
run: | | |
$Props = convertfrom-stringdata (get-content ./distribution/build.properties -raw) | |
$env:KEYCLOAK_VERSION = $Props.'KEYCLOAK_VERSION' | |
echo "KEYCLOAK_VERSION=$env:KEYCLOAK_VERSION" | |
aws s3 ls s3://$env:S3_ARTIFACTS_BUCKET/ci-$env:BUILD_NUMBER/ | |
aws s3 cp s3://$env:S3_ARTIFACTS_BUCKET/ci-$env:BUILD_NUMBER/alfresco-keycloak-$env:KEYCLOAK_VERSION.zip . | |
unzip alfresco-keycloak-$env:KEYCLOAK_VERSION.zip | |
cd alfresco-keycloak-$env:KEYCLOAK_VERSION/bin | |
powershell -Command Get-ExecutionPolicy | |
powershell -Command 'Set-ExecutionPolicy unrestricted' | |
powershell -Command $env:GITHUB_WORKSPACE/distribution/tests/endpoints_ps.ps1 | |
powershell -Command $env:GITHUB_WORKSPACE/distribution/tests/endpoints_bat.ps1 | |
test_helm: | |
name: "Test Helm Chart" | |
runs-on: ubuntu-latest | |
needs: build | |
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Login to Quay.io | |
uses: docker/login-action@v3 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Setup cluster | |
uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- name: Create registries auth secret | |
run: | | |
kubectl create secret generic regcred \ | |
--from-file=.dockerconfigjson=$HOME/.docker/config.json \ | |
--type=kubernetes.io/dockerconfigjson | |
- name: "Prepare test environment" | |
run: | | |
openssl aes-256-cbc -K ${{ secrets.ENCRYPTED_E69BEC42AE64_KEY }} -iv ${{ secrets.ENCRYPTED_E69BEC42AE64_IV }} -in test/scripts/config-files/realmRsaKeys.json.enc -out test/scripts/config-files/realmRsaKeys.json -d | |
- name: "Set KC_BUILD_NAME" | |
run: | | |
KC_BUILD_NAME=$(echo ${BRANCH_NAME} | cut -c1-28 | tr /_ - | tr -d [:punct:] | awk '{print tolower($0)}')-${BUILD_NUMBER} | |
echo "KC_BUILD_NAME=$KC_BUILD_NAME" >> "$GITHUB_ENV" | |
echo $KC_BUILD_NAME | |
- name: "Test" | |
run: | | |
set +e | |
export HOST=localhost | |
export release_name_kc=kc | |
export openldap_release=openldap | |
# install openldap | |
helm upgrade --install $openldap_release --repo https://geek-cookbook.github.io/helm-openldap openldap --version 1.2.9 \ | |
-f test/scripts/ldap-config.yaml \ | |
--wait | |
# install Keycloak | |
helm dep up helm/alfresco-keycloak | |
helm upgrade --install $release_name_kc helm/alfresco-keycloak \ | |
--values helm/alfresco-keycloak/ci/ci-values.yaml \ | |
--set ingress.hostName=$HOST \ | |
--set realm.alfresco.client.redirectUris[0]="https://${HOST}\*" \ | |
--set realm.alfresco.client.webOrigins[0]="https://${HOST}\*" \ | |
--set keycloakx.command[0]="/opt/keycloak/bin/kc.sh" \ | |
--set keycloakx.command[1]="start" \ | |
--set keycloakx.command[2]="--import-realm" \ | |
--set keycloakx.command[3]="--http-relative-path=/auth" \ | |
--set keycloakx.command[4]="--hostname=https://${HOST}/auth" \ | |
--set keycloakx.imagePullSecrets[0].name="regcred" \ | |
--wait | |
# Set IDP Config | |
./test/scripts/set_idp_config.sh | |
postman_image=postman/newman_alpine33:3.9.2 | |
# run Keycloak checks | |
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "keycloak-test-collection.json" --insecure --global-var "keycloak_host=$HOST" | |
TEST_RESULT=$? | |
echo "TEST_RESULT=${TEST_RESULT}" | |
if [[ "${TEST_RESULT}" == "0" ]]; then | |
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "change-keycloak-access-token-lifespan-collection.json" --insecure --global-var "keycloak_host=$HOST" | |
./test/helm/delete_keycloak_pods.sh | |
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "check-keycloak-access-token-lifespan-change-persisted.json" --insecure --global-var "keycloak_host=$HOST" | |
TEST_RESULT=$? | |
echo "TEST_RESULT=${TEST_RESULT}" | |
fi | |
if [[ "${TEST_RESULT}" == "0" ]]; then | |
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "ldap-user-provider-tests.postman_collection.json" -d "ldap-test-data.json" --insecure --global-var "keycloak_host=$HOST" | |
TEST_RESULT=$? | |
echo "TEST_RESULT=${TEST_RESULT}" | |
fi | |
if [[ "${TEST_RESULT}" == "0" ]]; then | |
cd test/scripts | |
./auth0-api.sh create $KC_BUILD_NAME https://$HOST | |
./configure-saml-kc.sh app_name=$KC_BUILD_NAME kc_base_url=https://$HOST | |
cd ../saml | |
export KEYCLOAK_HOSTNAME=$HOST | |
export KEYCLOAK_ISSUER=https://$HOST/auth/realms/alfresco | |
mvn -B -ntp clean test | |
TEST_RESULT=$? | |
echo "TEST_RESULT=${TEST_RESULT}" | |
cd ../.. | |
fi | |
if [[ "${{ github.event.head_commit.message }}" != *"[keep env]"* ]]; then | |
cd test/scripts | |
./auth0-api.sh delete $KC_BUILD_NAME | |
fi | |
if [[ "${TEST_RESULT}" == "1" ]]; then | |
echo "Tests failed, exiting" | |
exit 1 | |
fi | |
- name: "Show cluster status after install" | |
if: always() | |
run: | | |
helm ls --all-namespaces | |
kubectl get all --all-namespaces | |
kubectl describe pod | |
test_upgrade: | |
name: "Test Upgrade" | |
runs-on: ubuntu-latest | |
needs: build | |
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Prepare test environment" | |
run: | | |
openssl aes-256-cbc -K ${{ secrets.ENCRYPTED_E69BEC42AE64_KEY }} -iv ${{ secrets.ENCRYPTED_E69BEC42AE64_IV }} -in test/scripts/config-files/realmRsaKeys.json.enc -out test/scripts/config-files/realmRsaKeys.json -d | |
- name: "Set KC_BUILD_NAME" | |
run: | | |
KC_BUILD_NAME=$(echo ${BRANCH_NAME} | cut -c1-28 | tr /_ - | tr -d [:punct:] | awk '{print tolower($0)}')-${BUILD_NUMBER} | |
echo "KC_BUILD_NAME=$KC_BUILD_NAME" >> "$GITHUB_ENV" | |
echo $KC_BUILD_NAME | |
- name: "Test" | |
run: | | |
cd test/saml | |
mvn -B -ntp clean package -DskipTests | |
./upgrade/test-upgrade.sh | |
cleanup: | |
name: "Cleanup" | |
runs-on: ubuntu-latest | |
needs: [test_linux, test_windows, test_helm, test_upgrade] | |
if: always() | |
steps: | |
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected] | |
- uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: "Clean up S3" | |
run: aws s3 rm s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/ --recursive |