Skip to content

ACS-7744 Bump Keycloak to 24.0.3 (#167) #205

ACS-7744 Bump Keycloak to 24.0.3 (#167)

ACS-7744 Bump Keycloak to 24.0.3 (#167) #205

Workflow file for this run

name: Alfresco Identity Service CI
on:
push:
branches:
- master
- AUTH-**
- OPSEXP-**
- feature/**
- fix/**
- release/**
workflow_dispatch:
schedule:
- cron: "0 5 * * 3"
env:
S3_ARTIFACTS_BUCKET: ${{ secrets.S3_ARTIFACTS_BUCKET }}
AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }}
AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}
MAVEN_USERNAME: ${{ secrets.NEXUS_USERNAME }}
MAVEN_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
HELM_DOCS_VERSION: 1.11.0
AWS_REGION: eu-west-1
jobs:
pre-commit:
name: "Pre-commit"
runs-on: ubuntu-latest
steps:
- name: "Install helm-docs"
run: |
curl -fsSL https://github.com/norwoodj/helm-docs/releases/download/v$HELM_DOCS_VERSION/helm-docs_${HELM_DOCS_VERSION}_$(uname)_x86_64.tar.gz | sudo tar xz -C /usr/local/bin/ helm-docs
helm-docs --version
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
build:
name: "Build"
runs-on: ubuntu-latest
needs: pre-commit
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: "Build"
id: build
run: |
source distribution/build.properties
export KEYCLOAK_VERSION=${KEYCLOAK_VERSION}
echo "KEYCLOAK_VERSION=${KEYCLOAK_VERSION}"
# build and package
cd distribution
make || { echo "Command failed with error code $?"; sleep 1; exit 1; }
# upload ZIP file to S3 bucket
aws s3 cp alfresco-keycloak-${KEYCLOAK_VERSION}.md5 s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/
aws s3 cp alfresco-keycloak-${KEYCLOAK_VERSION}.zip s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/
test_linux:
name: "Test on Linux"
runs-on: ubuntu-latest
needs: build
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }}
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: "Test"
run: |
source distribution/build.properties
export KEYCLOAK_VERSION=${KEYCLOAK_VERSION}
echo "KEYCLOAK_VERSION=${KEYCLOAK_VERSION}"
aws s3 cp s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/alfresco-keycloak-${KEYCLOAK_VERSION}.zip .
./distribution/tests/endpoints.sh
test_windows:
name: "Test on Windows"
runs-on: windows-latest
needs: build
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }}
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: "Get BUILD_NUMBER"
run: |
echo "BUILD_NUMBER=$env:GITHUB_RUN_NUMBER" | Out-File -FilePath $env:GITHUB_ENV -Append
echo $env:GITHUB_RUN_NUMBER
- name: "Test"
run: |
$Props = convertfrom-stringdata (get-content ./distribution/build.properties -raw)
$env:KEYCLOAK_VERSION = $Props.'KEYCLOAK_VERSION'
echo "KEYCLOAK_VERSION=$env:KEYCLOAK_VERSION"
aws s3 ls s3://$env:S3_ARTIFACTS_BUCKET/ci-$env:BUILD_NUMBER/
aws s3 cp s3://$env:S3_ARTIFACTS_BUCKET/ci-$env:BUILD_NUMBER/alfresco-keycloak-$env:KEYCLOAK_VERSION.zip .
unzip alfresco-keycloak-$env:KEYCLOAK_VERSION.zip
cd alfresco-keycloak-$env:KEYCLOAK_VERSION/bin
powershell -Command Get-ExecutionPolicy
powershell -Command 'Set-ExecutionPolicy unrestricted'
powershell -Command $env:GITHUB_WORKSPACE/distribution/tests/endpoints_ps.ps1
powershell -Command $env:GITHUB_WORKSPACE/distribution/tests/endpoints_bat.ps1
test_helm:
name: "Test Helm Chart"
runs-on: ubuntu-latest
needs: build
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }}
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Setup cluster
uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- name: Create registries auth secret
run: |
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
- name: "Prepare test environment"
run: |
openssl aes-256-cbc -K ${{ secrets.ENCRYPTED_E69BEC42AE64_KEY }} -iv ${{ secrets.ENCRYPTED_E69BEC42AE64_IV }} -in test/scripts/config-files/realmRsaKeys.json.enc -out test/scripts/config-files/realmRsaKeys.json -d
- name: "Set KC_BUILD_NAME"
run: |
KC_BUILD_NAME=$(echo ${BRANCH_NAME} | cut -c1-28 | tr /_ - | tr -d [:punct:] | awk '{print tolower($0)}')-${BUILD_NUMBER}
echo "KC_BUILD_NAME=$KC_BUILD_NAME" >> "$GITHUB_ENV"
echo $KC_BUILD_NAME
- name: "Test"
run: |
set +e
export HOST=localhost
export release_name_kc=kc
export openldap_release=openldap
# install openldap
helm upgrade --install $openldap_release --repo https://geek-cookbook.github.io/helm-openldap openldap --version 1.2.9 \
-f test/scripts/ldap-config.yaml \
--wait
# install Keycloak
helm dep up helm/alfresco-keycloak
helm upgrade --install $release_name_kc helm/alfresco-keycloak \
--values helm/alfresco-keycloak/ci/ci-values.yaml \
--set ingress.hostName=$HOST \
--set realm.alfresco.client.redirectUris[0]="https://${HOST}\*" \
--set realm.alfresco.client.webOrigins[0]="https://${HOST}\*" \
--set keycloakx.command[0]="/opt/keycloak/bin/kc.sh" \
--set keycloakx.command[1]="start" \
--set keycloakx.command[2]="--import-realm" \
--set keycloakx.command[3]="--http-relative-path=/auth" \
--set keycloakx.command[4]="--hostname=${HOST}" \
--set keycloakx.imagePullSecrets[0].name="regcred" \
--wait
# Set IDP Config
./test/scripts/set_idp_config.sh
postman_image=postman/newman_alpine33:3.9.2
# run Keycloak checks
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "keycloak-test-collection.json" --insecure --global-var "keycloak_host=$HOST"
TEST_RESULT=$?
echo "TEST_RESULT=${TEST_RESULT}"
if [[ "${TEST_RESULT}" == "0" ]]; then
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "change-keycloak-access-token-lifespan-collection.json" --insecure --global-var "keycloak_host=$HOST"
./test/helm/delete_keycloak_pods.sh
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "check-keycloak-access-token-lifespan-change-persisted.json" --insecure --global-var "keycloak_host=$HOST"
TEST_RESULT=$?
echo "TEST_RESULT=${TEST_RESULT}"
fi
if [[ "${TEST_RESULT}" == "0" ]]; then
docker run -a STDOUT --volume $PWD/test/postman:/etc/newman --network host $postman_image run "ldap-user-provider-tests.postman_collection.json" -d "ldap-test-data.json" --insecure --global-var "keycloak_host=$HOST"
TEST_RESULT=$?
echo "TEST_RESULT=${TEST_RESULT}"
fi
if [[ "${TEST_RESULT}" == "0" ]]; then
cd test/scripts
./auth0-api.sh create $KC_BUILD_NAME https://$HOST
./configure-saml-kc.sh app_name=$KC_BUILD_NAME kc_base_url=https://$HOST
cd ../saml
export KEYCLOAK_HOSTNAME=$HOST
export KEYCLOAK_ISSUER=https://$HOST/auth/realms/alfresco
mvn -B -ntp clean test
TEST_RESULT=$?
echo "TEST_RESULT=${TEST_RESULT}"
cd ../..
fi
if [[ "${{ github.event.head_commit.message }}" != *"[keep env]"* ]]; then
cd test/scripts
./auth0-api.sh delete $KC_BUILD_NAME
fi
if [[ "${TEST_RESULT}" == "1" ]]; then
echo "Tests failed, exiting"
exit 1
fi
- name: "Show cluster status after install"
if: always()
run: |
helm ls --all-namespaces
kubectl get all --all-namespaces
kubectl describe pod
test_upgrade:
name: "Test Upgrade"
runs-on: ubuntu-latest
needs: build
if: ${{ !contains(github.event.head_commit.message, '[skip tests]') }}
steps:
- uses: actions/checkout@v4
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: "Prepare test environment"
run: |
openssl aes-256-cbc -K ${{ secrets.ENCRYPTED_E69BEC42AE64_KEY }} -iv ${{ secrets.ENCRYPTED_E69BEC42AE64_IV }} -in test/scripts/config-files/realmRsaKeys.json.enc -out test/scripts/config-files/realmRsaKeys.json -d
- name: "Set KC_BUILD_NAME"
run: |
KC_BUILD_NAME=$(echo ${BRANCH_NAME} | cut -c1-28 | tr /_ - | tr -d [:punct:] | awk '{print tolower($0)}')-${BUILD_NUMBER}
echo "KC_BUILD_NAME=$KC_BUILD_NAME" >> "$GITHUB_ENV"
echo $KC_BUILD_NAME
- name: "Test"
run: |
cd test/saml
mvn -B -ntp clean package -DskipTests
./upgrade/test-upgrade.sh
cleanup:
name: "Cleanup"
runs-on: ubuntu-latest
needs: [test_linux, test_windows, test_helm, test_upgrade]
if: always()
steps:
- uses: Alfresco/alfresco-build-tools/.github/actions/[email protected]
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_S3_PIPELINE_AMPS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_S3_PIPELINE_AMPS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: "Clean up S3"
run: aws s3 rm s3://${S3_ARTIFACTS_BUCKET}/ci-${BUILD_NUMBER}/ --recursive