Enhance Keycloak 26 truststore file and sa certs import (#2338)

YCShen1010 · web-flow · commit 4a24ead8e040 · 2025-03-19T09:33:41.000+08:00
* remove truststore startup configmap for keycloak 24 and 26

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* create convert keycloak certs job

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* updates rules

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* add spec.truststores for keycloak 24+

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* generate secrets conversion script

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* create cpfs-utils image as env value

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* add untils image to non olm

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

---------

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;
diff --git a/api/v3/commonservice_types.go b/api/v3/commonservice_types.go
@@ -47,6 +47,7 @@ type CSData struct {
 	ExcludedCatalog         string
 	StatusMonitoredServices string
 	ServiceNames            map[string][]string
+	UtilsImage              string
 }
 
 // +kubebuilder:pruning:PreserveUnknownFields
diff --git a/bundle/manifests/ibm-common-service-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-common-service-operator.clusterserviceversion.yaml
@@ -23,7 +23,7 @@ metadata:
     capabilities: Seamless Upgrades
     cloudPakThemesVersion: styles4100.css
     containerImage: icr.io/cpopen/common-service-operator:4.12.0
-    createdAt: "2025-02-20T00:28:09Z"
+    createdAt: "2025-03-18T21:27:31Z"
     description: The IBM Cloud Pak foundational services operator is used to deploy IBM foundational services.
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"
@@ -383,6 +383,8 @@ spec:
                             fieldPath: metadata.annotations['olm.targetNamespaces']
                       - name: OPERATOR_NAME
                         value: ibm-common-service-operator
+                      - name: UTILS_IMAGE
+                        value: icr.io/cpopen/cpfs/cpfs-utils:latest
                     image: icr.io/cpopen/common-service-operator:4.12.0
                     imagePullPolicy: IfNotPresent
                     livenessProbe:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -74,6 +74,8 @@ spec:
               fieldPath: metadata.annotations['olm.targetNamespaces']
         - name: OPERATOR_NAME
           value: "ibm-common-service-operator"
+        - name: UTILS_IMAGE
+          value: icr.io/cpopen/cpfs/cpfs-utils:latest
         resources:
           limits:
             cpu: 500m
diff --git a/internal/controller/bootstrap/init.go b/internal/controller/bootstrap/init.go
@@ -117,6 +117,7 @@ func NewNonOLMBootstrap(mgr manager.Manager) (bs *Bootstrap, err error) {
 		ExcludedCatalog:         constant.ExcludedCatalog,
 		StatusMonitoredServices: constant.StatusMonitoredServices,
 		ServiceNames:            constant.ServiceNames,
+		UtilsImage:              util.GetUtilsImage(),
 	}
 
 	bs = &Bootstrap{
@@ -162,6 +163,7 @@ func NewBootstrap(mgr manager.Manager) (bs *Bootstrap, err error) {
 		ExcludedCatalog:         constant.ExcludedCatalog,
 		StatusMonitoredServices: constant.StatusMonitoredServices,
 		ServiceNames:            constant.ServiceNames,
+		UtilsImage:              util.GetUtilsImage(),
 	}
 
 	bs = &Bootstrap{
diff --git a/internal/controller/common/util.go b/internal/controller/common/util.go
@@ -279,6 +279,14 @@ func GetWatchNamespace() string {
 	return ns
 }
 
+func GetUtilsImage() string {
+	image, found := os.LookupEnv("UTILS_IMAGE")
+	if !found {
+		return ""
+	}
+	return image
+}
+
 // GetNSSCMSynchronization returns whether NSS ConfigMap shchronization with OperatorGroup is enabled
 func GetNSSCMSynchronization() bool {
 	isEnable, found := os.LookupEnv("NSSCM_SYNC_MODE")
diff --git a/internal/controller/constant/odlm.go b/internal/controller/constant/odlm.go
@@ -784,9 +784,7 @@ spec:
                     privileged: false
                     readOnlyRootFilesystem: false
                 containers:
-                - command:
-                  - bash
-                  - '-c'
+                - command: ["bash", "-c"]
                   args:
                   - |
                     kubectl delete pods -l app.kubernetes.io/name=cloud-native-postgresql
@@ -831,19 +829,9 @@ spec:
         namespace: "{{ $.OperatorNs }}"
         data:
           rules:
-          - apiGroups:
-            - ""
-            resources:
-            - pods
-            - secrets
-            verbs:
-            - create
-            - update
-            - patch
-            - get
-            - list
-            - delete
-            - watch
+          - apiGroups: [""]
+            resources: ["pods", "secrets"]
+            verbs: ["create", "update", "patch", "get", "list", "delete", "watch"]
       - apiVersion: rbac.authorization.k8s.io/v1
         kind: RoleBinding
         name: edb-license-rolebinding
@@ -1041,6 +1029,94 @@ spec:
         force: true
         kind: ConfigMap
         name: cs-keycloak-user-profile
+      - apiVersion: v1
+        kind: ServiceAccount
+        name: convert-secret-sa
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: Role
+        name: convert-secret-role
+        data:
+          rules:
+          - apiGroups: [""]
+            resources: ["configmaps", "secrets"]
+            verbs: ["create", "update", "patch", "get", "list", "delete", "watch"]
+      - apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        name: convert-secret-rolebinding
+        data:
+          subjects:
+          - kind: ServiceAccount
+            name: convert-secret-sa
+          roleRef:
+            kind: Role
+            name: convert-secret-role
+            apiGroup: rbac.authorization.k8s.io
+      - apiVersion: v1
+        kind: ConfigMap
+        name: convert-secrets
+        data:
+          data:
+            convert-secrets.sh: |
+              #!/usr/bin/env bash
+              # Check if the secret already exists
+              if oc get secret cs-keycloak-ca-certs >/dev/null 2>&1; then
+                echo "Secret cs-keycloak-ca-certs already exists. Skipping conversion."
+                exit 0
+              fi
+              
+              # Check if ConfigMap exists
+              if ! oc get configmap cs-keycloak-ca-certs >/dev/null 2>&1; then
+                echo "ConfigMap cs-keycloak-ca-certs not found. Nothing to conversion."
+                exit 0
+              fi
+              
+              # Extract certificate file names from ConfigMap
+              CERT_FILES=$(oc get configmap cs-keycloak-ca-certs -o yaml | yq e '.data | keys | .[]' -)              
+              
+              # Create a temporary directory
+              mkdir -p /tmp/certs
+              # Extract certificates from ConfigMap and save them as files
+              for CERT in $CERT_FILES; do
+                oc get configmap cs-keycloak-ca-certs -o yaml | yq e ".data[\"$CERT\"]"> /tmp/certs/$CERT
+              done
+              
+              # Create Secret from extracted certificates
+              oc create secret generic cs-keycloak-ca-certs \
+                $(for CERT in $CERT_FILES; do echo --from-file=/tmp/certs/$CERT; done)
+              
+              echo "Conversion complete. Secret created: cs-keycloak-ca-certs"
+      - apiVersion: batch/v1
+        kind: Job
+        force: true
+        name: convert-secret-job
+        data:
+          spec:
+            template:
+              spec:
+                affinity:
+                  nodeAffinity:
+                    requiredDuringSchedulingIgnoredDuringExecution:
+                      nodeSelectorTerms:
+                      - matchExpressions:
+                        - key: kubernetes.io/arch
+                          operator: In
+                          values:
+                          - amd64
+                          - ppc64le
+                          - s390x
+                restartPolicy: OnFailure
+                serviceAccountName: convert-secret-sa
+                containers:
+                  - name: convert-secret-job
+                    image: {{ .UtilsImage }}
+                    command: ["/bin/sh", "/mnt/scripts/convert-secrets.sh"]
+                    volumeMounts:
+                      - name: script-volume
+                        mountPath: /mnt/scripts
+                volumes:
+                  - name: script-volume
+                    configMap:
+                      name: convert-secrets
       - apiVersion: v1
         annotations:
           service.beta.openshift.io/serving-cert-secret-name: cpfs-opcon-cs-keycloak-tls-secret
@@ -1151,6 +1227,11 @@ spec:
                         - amd64
                         - ppc64le
                         - s390x
+            truststores:
+              my-truststore:
+                secret:
+                  name: cs-keycloak-ca-certs
+                  optional: true
             proxy:
               headers: xforwarded
             features:
@@ -1230,9 +1311,7 @@ spec:
                         required: true
                 spec:
                   containers:
-                    - command:
-                        - /bin/sh
-                        - /mnt/startup/cs-keycloak-entrypoint.sh
+                    - command: ["/bin/sh", "/mnt/startup/cs-keycloak-entrypoint.sh"]
                       volumeMounts:
                         - mountPath: /mnt/truststore
                           name: truststore-volume
@@ -1315,6 +1394,24 @@ spec:
                   kind: CustomResourceDefinition
                 key: .spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.scheduling
                 operator: DoesNotExist
+          - path: .spec.unsupported.podTemplate.spec.containers[0].command
+            operation: remove
+            matchExpressions:
+              - objectRef:
+                  name: keycloaks.k8s.keycloak.org
+                  apiVersion: apiextensions.k8s.io/v1
+                  kind: CustomResourceDefinition
+                key: .spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.truststores
+                operator: Exists
+          - path: .spec.truststores
+            operation: remove
+            matchExpressions:
+              - objectRef:
+                  name: keycloaks.k8s.keycloak.org
+                  apiVersion: apiextensions.k8s.io/v1
+                  kind: CustomResourceDefinition
+                key: .spec.versions[0].schema.openAPIV3Schema.properties.spec.properties.truststores
+                operator: DoesNotExist
       - apiVersion: v1
         kind: ConfigMap
         force: true
@@ -1482,9 +1579,7 @@ spec:
                     privileged: false
                     readOnlyRootFilesystem: false
                 containers:
-                - command:
-                  - bash
-                  - '-c'
+                - command: ["bash", "-c"]
                   args:
                   - |
                     kubectl delete pods -l app.kubernetes.io/name=cloud-native-postgresql
@@ -1529,19 +1624,9 @@ spec:
         namespace: "{{ .OperatorNs }}"
         data:
           rules:
-          - apiGroups:
-            - ""
-            resources:
-            - pods
-            - secrets
-            verbs:
-            - create
-            - update
-            - patch
-            - get
-            - list
-            - delete
-            - watch
+          - apiGroups: [""]
+            resources: ["pods", "secrets"]
+            verbs: ["create", "update", "patch", "get", "list", "delete", "watch"] 
       - apiVersion: rbac.authorization.k8s.io/v1
         kind: RoleBinding
         name: edb-license-rolebinding

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ type CSData struct {`
`47`	`47`	`ExcludedCatalog string`
`48`	`48`	`StatusMonitoredServices string`
`49`	`49`	`ServiceNames map[string][]string`
	`50`	`+ UtilsImage string`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`// +kubebuilder:pruning:PreserveUnknownFields`
Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,7 @@ func NewNonOLMBootstrap(mgr manager.Manager) (bs *Bootstrap, err error) {`
`117`	`117`	`ExcludedCatalog: constant.ExcludedCatalog,`
`118`	`118`	`StatusMonitoredServices: constant.StatusMonitoredServices,`
`119`	`119`	`ServiceNames: constant.ServiceNames,`
	`120`	`+ UtilsImage: util.GetUtilsImage(),`
`120`	`121`	`}`
`121`	`122`
`122`	`123`	`bs = &Bootstrap{`
`@@ -162,6 +163,7 @@ func NewBootstrap(mgr manager.Manager) (bs *Bootstrap, err error) {`
`162`	`163`	`ExcludedCatalog: constant.ExcludedCatalog,`
`163`	`164`	`StatusMonitoredServices: constant.StatusMonitoredServices,`
`164`	`165`	`ServiceNames: constant.ServiceNames,`
	`166`	`+ UtilsImage: util.GetUtilsImage(),`
`165`	`167`	`}`
`166`	`168`
`167`	`169`	`bs = &Bootstrap{`