Merge pull request #205 from RS-PYTHON/cicd-improvements

RSPY-816 - CI/CD improvements

Author: vprivat-ads

.github/common/resources/configure-cluster.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+# Copyright 2025 CS Group
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# --- Usage ---
+# ./configure-cluster.sh "<labels>" "<subdomains>"
+# Example :
+# ./configure-cluster.sh "node-role.kubernetes.io/infra= node-role.kubernetes.io/rs_env=" "iam kube oauth2-proxy"
+
+LABELS_INPUT="${1:-}"
+SUBDOMAINS_INPUT="${2:-}"
+
+if [[ -z "$LABELS_INPUT" || -z "$SUBDOMAINS_INPUT" ]]; then
+  echo "❌ Usage: $0 \"<labels>\" \"<subdomains>\""
+  echo "Example: $0 \"node-role.kubernetes.io/infra= node-role.kubernetes.io/rs_env=\" \"iam kube oauth2-proxy\""
+  exit 1
+fi
+
+# --- Convert inputs to arrays ---
+read -r -a SUBDOMAINS <<< "$SUBDOMAINS_INPUT"
+
+# --- Label the minikube node ---
+echo "🏷️  Applying labels to node 'minikube': $LABELS_INPUT"
+kubectl label node minikube "$LABELS_INPUT"
+
+# --- Extract domain and IP
+DOMAIN=$(yq e '.platform_domain_name' ./inventory/sample/host_vars/setup/main.yaml)
+MINIKUBE_IP=$(minikube ip)
+FIXED_IP="192.168.49.240"
+
+echo "🌐 Using domain: $DOMAIN"
+echo "💡 Minikube IP: $MINIKUBE_IP"
+
+# --- Ensure runner (GitHub host) can resolve app domains
+echo "🧩 Updating /etc/hosts..."
+for sd in "${SUBDOMAINS[@]}" ; do
+  echo "$FIXED_IP $sd.$DOMAIN" | sudo tee -a /etc/hosts
+done
+
+# --- Validate /etc/hosts resolution on the runner
+echo "🔍 Verifying host DNS resolution..."
+for sd in "${SUBDOMAINS[@]}" ; do
+  if dig +short "$sd.$DOMAIN" > /dev/null; then
+    echo "✅ $sd.$DOMAIN resolves on host"
+  else
+    echo "❌ Host DNS failed for $sd.$DOMAIN"
+    exit 2
+  fi
+done
+echo "✅ Host DNS resolution works"
+
+# --- Create MetalLB configmap to define fixed IP address range
+echo "⚙️ Applying MetalLB config..."
+kubectl apply -f .github/common/resources/test/metallb-configmap.yaml
+
+# --- Fetch current CoreDNS config
+echo "🧠 Patching CoreDNS..."
+kubectl -n kube-system get configmap coredns -o yaml > coredns-configmap.yaml
+# --- Build hosts entries from SUBDOMAINS
+HOSTS_BLOCK=""
+for sd in "${SUBDOMAINS[@]}"; do
+    HOSTS_BLOCK+="           $FIXED_IP ${sd}.${DOMAIN}\n"
+done
+# --- Inject hosts into coredns config map
+awk -v block="$HOSTS_BLOCK" '/192\.168\.49\.1/{printf "%s", block; ok=1} {print} END{exit ok?0:1}' \
+  coredns-configmap.yaml > coredns-configmap.yaml.patched.yaml || {
+  echo "❌ awk did not replace anything";
+  exit 3;
+}
+# --- Patch CoreDNS and restart
+kubectl -n kube-system patch configmap coredns --type merge -p "$(cat coredns-configmap.yaml.patched.yaml)"
+kubectl -n kube-system rollout restart deployment coredns
+
+# --- Wait for CoreDNS to be ready
+kubectl -n kube-system rollout status deployment coredns --timeout=60s
+# --- Create a temporary debug pod to verify DNS from inside cluster
+kubectl run dns-test --image=busybox:latest --restart=Never -- sleep 30 &
+sleep 1
+kubectl wait --for=condition=Ready pod/dns-test --timeout=30s || (echo "❌ dns-test pod not ready" && exit 4)
+
+# --- Verify DNS resolution inside the cluster
+echo "🔬 Testing DNS resolution inside the cluster..."
+for sd in "${SUBDOMAINS[@]}"; do
+  echo "🔍 Checking DNS for $sd.$DOMAIN..."
+  RESOLVED_IP=$(kubectl exec dns-test -- nslookup "$sd.$DOMAIN" 2>/dev/null | awk '/^Address: /{print $2; exit}')
+  if [[ "$RESOLVED_IP" == "$FIXED_IP" ]]; then
+    echo "✅ $sd.$DOMAIN resolves correctly to $RESOLVED_IP"
+  else
+    echo "❌ DNS resolution failed for $sd.$DOMAIN (expected $FIXED_IP, got ${RESOLVED_IP:-none})"
+    exit 5
+  fi
+done
+echo "✅ DNS resolution works correctly inside the cluster"
+# Clean up debug pod
+kubectl delete pod dns-test --ignore-not-found=true --grace-period=0 --force

.github/common/resources/configure-local-ca.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# --- Usage check
+if [ "$#" -lt 1 ]; then
+  echo "Usage: $0 <sd1:ns1> [<sd2:ns2> ...]"
+  exit 1
+fi
+
+# --- Directories
+RESOURCES_DIR=".github/common/resources/test"
+APP_CLUSTER_ISSUER="apps/02-cluster-issuer"
+APP_OAUTH2_PROXY="apps/oauth2-proxy"
+
+# --- Generate a local CA
+echo "Generating local CA..."
+openssl req -x509 -newkey rsa:4096 -days 1 -nodes \
+  -keyout local-ca.key -out local-ca.crt \
+  -subj "/CN=local CA/O=rspy/OU=dev" 2> /dev/null
+
+# --- Create local-ca-configmap.yaml
+echo "Creating ConfigMap..."
+while IFS= read -r line || [ -n "$line" ]; do
+  printf '    %s\n' "$line" >> "$RESOURCES_DIR/local-ca-configmap.yaml"
+done < local-ca.crt
+
+# --- Create local-ca-secret.yaml with inlined base64 data
+echo "Creating Secret..."
+sed -i \
+  -e "s!<crt>!$(base64 -w0 local-ca.crt)!g" \
+  -e "s!<key>!$(base64 -w0 local-ca.key)!g" \
+  "$RESOURCES_DIR/local-ca-secret.yaml"
+
+# --- Cleanup
+rm -f local-ca.crt local-ca.key
+
+# --- Copy CA issuer files
+echo "Copying issuer files..."
+cp "$RESOURCES_DIR/local-ca-secret.yaml" \
+   "$RESOURCES_DIR/local-ca-issuer.yaml" \
+   "$APP_CLUSTER_ISSUER/"
+
+# --- Handle all <sd>:<ns> pairs
+CERT_FILES=""
+for arg in "$@"; do
+  sd="${arg%%:*}"
+  ns="${arg##*:}"
+
+  echo "Processing subdomain: $sd (namespace: $ns)"
+  sed \
+    -e "s!<sd>!$sd!g" \
+    -e "s!<ns>!$ns!g" \
+    "$RESOURCES_DIR/certificate.yaml" \
+    > "$APP_CLUSTER_ISSUER/certificate-$sd.yaml"
+  CERT_FILES="${CERT_FILES}\\n- certificate-${sd}.yaml"
+done
+
+# --- Update kustomization.yaml
+echo "Updating kustomization.yaml..."
+sed -i "/- clusterIssuer.yaml/a\- local-ca-secret.yaml\\n- local-ca-issuer.yaml$CERT_FILES" "$APP_CLUSTER_ISSUER/kustomization.yaml"
+
+# --- Trust local CA in oauth2-proxy
+echo "Adding local CA trust to oauth2-proxy..."
+sed 's!<ns>!iam!g' \
+  "$RESOURCES_DIR/local-ca-configmap.yaml" \
+  > "$APP_OAUTH2_PROXY/local-ca-configmap.yaml"
+echo -e "resources:\n- local-ca-configmap.yaml\n" | tee -a $APP_OAUTH2_PROXY/kustomization.yaml > /dev/null
+cat <<'EOF' | tee -a $APP_OAUTH2_PROXY/values.yaml > /dev/null
+extraVolumes:
+  - name: local-ca
+    configMap:
+      name: local-ca-configmap
+extraVolumeMounts:
+  - name: local-ca
+    mountPath: /etc/ssl/certs/local-ca
+    readOnly: true
+EOF
+
+echo "✅ Done!"

.github/common/resources/convert-export-realm.py

@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+import sys
+import json
+import re
+from urllib.parse import urlparse
+from ruamel.yaml import YAML
+
+def remove_ids_and_containerids(obj):
+    if isinstance(obj, dict):
+        return {k: remove_ids_and_containerids(v) for k, v in obj.items() if k not in ("id", "containerId")}
+    elif isinstance(obj, list):
+        return [remove_ids_and_containerids(el) for el in obj]
+    else:
+        return obj
+
+def sort_lists(obj):
+    if isinstance(obj, dict):
+        return {k: sort_lists(v) for k, v in obj.items()}
+    elif isinstance(obj, list):
+        if all(not isinstance(el, (dict, list)) for el in obj):
+            return sorted(obj, key=lambda x: str(x))
+        if all(isinstance(el, dict) for el in obj) and obj:
+            recursed = [sort_lists(el) for el in obj]
+            def sort_key(el):
+                clientId = str(el.get("clientId", ""))
+                priority = el.get("priority")
+                if isinstance(priority, str) and priority.isdigit():
+                    priority = int(priority)
+                elif not isinstance(priority, int):
+                    priority = float("inf")
+                name = str(el.get("name", ""))
+                return (clientId, priority, name)
+            return sorted(recursed, key=sort_key)
+        return [sort_lists(el) for el in obj]
+    else:
+        return obj
+
+def extract_realm_name(obj):
+    # Try data['realm']['realm'] or data['realm'] as string
+    if isinstance(obj.get("realm"), dict):
+        return obj["realm"].get("realm")
+    elif isinstance(obj.get("realm"), str):
+        return obj["realm"]
+    return None
+
+def extract_platform_domain(obj):
+    # Scan all rootUrl/adminUrl values and pick domain
+    domains = set()
+    def scan(o):
+        if isinstance(o, dict):
+            for k, v in o.items():
+                if k in ("rootUrl", "adminUrl") and isinstance(v, str) and v.startswith("https://"):
+                    parsed = urlparse(v)
+                    host = parsed.hostname
+                    if host and "." in host:
+                        # remove subdomain (keep domain)
+                        parts = host.split(".")
+                        domains.add(".".join(parts[1:]))
+                else:
+                    scan(v)
+        elif isinstance(o, list):
+            for el in o:
+                scan(el)
+    scan(obj)
+    return list(domains)[0]
+
+def inject_realm_variables(obj, original_realm, variable="{{ keycloak.realm.name }}"):
+    if isinstance(obj, dict):
+        return {k: inject_realm_variables(v, original_realm, variable) for k, v in obj.items()}
+    elif isinstance(obj, list):
+        return [inject_realm_variables(el, original_realm, variable) for el in obj]
+    elif isinstance(obj, str):
+        s = obj
+        s = s.replace(f"/realms/{original_realm}/", f"/realms/{variable}/")
+        s = s.replace(f"/admin/{original_realm}/console/", f"/admin/{variable}/console/")
+        return s
+    else:
+        return obj
+
+def inject_platform_variables(obj, original_domain, variable="{{ platform_domain_name }}"):
+    if isinstance(obj, dict):
+        return {k: inject_platform_variables(v, original_domain, variable) for k, v in obj.items()}
+    elif isinstance(obj, list):
+        return [inject_platform_variables(el, original_domain, variable) for el in obj]
+    elif isinstance(obj, str):
+        s = re.sub(
+            r"https://([a-zA-Z0-9_-]+)\." + re.escape(original_domain),
+            r"https://\1." + variable,
+            obj
+        )
+        return s
+    else:
+        return obj
+
+def inject_client_secrets(obj):
+    if isinstance(obj, dict):
+        new_obj = {}
+        client_id = obj.get("clientId")
+        for k, v in obj.items():
+            if k == "secret" and isinstance(v, str) and v == "**********" and client_id:
+                new_obj[k] = f"{{{{ {client_id}_oidc_client_secret }}}}"
+            else:
+                new_obj[k] = inject_client_secrets(v)
+        return new_obj
+    elif isinstance(obj, list):
+        return [inject_client_secrets(el) for el in obj]
+    else:
+        return obj
+
+def inject_smtp_variables(realm_map):
+    """
+    Replace specific SMTP keys with variables in spec.realm.smtpServer.
+    Only handles the case where smtpServer is a dict under spec.realm.
+    Other keys are left unchanged.
+    """
+    smtp_server = realm_map.get("smtpServer")
+    smtp_map = {
+        "from": "{{ keycloak.smtp.from }}",
+        "host": "{{ keycloak.smtp.host }}",
+        "password": "{{ keycloak.smtp.password }}",
+        "port": "{{ keycloak.smtp.port }}",
+        "ssl": "{{ keycloak.smtp.ssl }}",
+        "starttls": "{{ keycloak.smtp.starttls }}",
+        "user": "{{ keycloak.smtp.user }}"
+    }
+    # Replace only the keys specified in smtp_map
+    for key, var in smtp_map.items():
+        if key in smtp_server:
+            smtp_server[key] = var
+    # Sort keys alphabetically
+    realm_map["smtpServer"] = dict(sorted(smtp_server.items()))
+    return realm_map
+
+def main(inpath, outpath):
+    with open(inpath, "r", encoding="utf-8") as f:
+        data = json.load(f)
+
+    cleaned = remove_ids_and_containerids(data)
+    sorted_cleaned = sort_lists(cleaned)
+
+    realm_map = sorted_cleaned if isinstance(sorted_cleaned, dict) else {"data": sorted_cleaned}
+
+    original_realm = extract_realm_name(realm_map)
+    original_domain = extract_platform_domain(realm_map)
+
+    realm_map = inject_realm_variables(realm_map, original_realm)
+    realm_map = inject_platform_variables(realm_map, original_domain)
+    realm_map = inject_client_secrets(realm_map)
+    realm_map = inject_smtp_variables(realm_map)
+
+    final = {
+        "apiVersion": "k8s.keycloak.org/v2alpha1",
+        "kind": "KeycloakRealmImport",
+        "metadata": {"name": "rspy", "namespace": "iam", "labels": {"wait-for-deployment": "Done"}},
+        "spec": {"keycloakCRName": "keycloak", "realm": realm_map},
+    }
+
+    yaml = YAML()
+    yaml.indent(mapping=2, sequence=4, offset=2)
+    yaml.width = 130
+    yaml.preserve_quotes = False
+
+    license_header = """# Copyright 2024 CS Group
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+
+    with open(outpath, "w", encoding="utf-8") as f:
+        f.write(license_header + "\n")
+        yaml.dump(final, f)
+
+    print(f"Transformation completed: {outpath}")
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print(f"Usage: {sys.argv[0]} <input.json> <output.yaml>", file=sys.stderr)
+        sys.exit(1)
+    main(sys.argv[1], sys.argv[2])