ga

Author: Shashankpgit

.github/workflows/blank.yml

@@ -0,0 +1,71 @@
+name: Build and Push Docker Images
+
+on:
+  push:
+    branches:
+      - '**'
+    paths:
+      - '.github/workflows/docker-build.yml'
+  workflow_dispatch:
+    inputs:
+      services:
+        description: 'Services to build (comma-separated or "all")'
+        required: true
+        default: 'all'
+        type: choice
+        options:
+          - all
+          - keycloak
+          - keycloak-21.1.2
+          - keycloak-postgres-query
+          - kong-api-scripts
+          - postgresql-backup
+          - redis-backup
+          - sunbird-yugabyte-migrations
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        service: 
+          - name: keycloak
+            path: scripts/keycloak
+          - name: keycloak-21.1.2
+            path: scripts/keycloak-21.1.2
+          - name: keycloak-postgres-query
+            path: scripts/keycloak-postgres-query
+          - name: kong-api-scripts
+            path: scripts/kong-api-scripts
+          - name: postgresql-backup
+            path: scripts/postgresql-backup
+          - name: redis-backup
+            path: scripts/redis-backup
+          - name: sunbird-yugabyte-migrations
+            path: scripts/sunbird-yugabyte-migrations
+    
+    steps:
+      - name: Checkout
+        if: ${{ github.event_name == 'push' || github.event.inputs.services == 'all' || contains(github.event.inputs.services, matrix.service.name) }}
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        if: ${{ github.event_name == 'push' || github.event.inputs.services == 'all' || contains(github.event.inputs.services, matrix.service.name) }}
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        if: ${{ github.event_name == 'push' || github.event.inputs.services == 'all' || contains(github.event.inputs.services, matrix.service.name) }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push
+        if: ${{ github.event_name == 'push' || github.event.inputs.services == 'all' || contains(github.event.inputs.services, matrix.service.name) }}
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.service.path }}
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.service.name }}:latest

.github/workflows/docker-build.yml

@@ -0,0 +1,7 @@
+
+sunbird_admin_api_token: {{api_admin_jwt}}
+sunbird_anonymous_register_token: {{portal_anonymous_register_jwt}}
+sunbird_loggedin_register_token: {{portal_loggedin_register_jwt}}
+sunbird_anonymous_default_token: {{portal_anonymous_fallback_token_jwt}}
+sunbird_logged_default_token: {{portal_loggedin_fallback_token_jwt}}
+adminutil_learner_api_auth_key: {{adminutil_learner_api_token_jwt}}

scripts/global-values-jwt-tokens.yaml.tpl

@@ -0,0 +1,66 @@
+import os
+import jwt
+import sys
+
+# Predefined map of keys and secrets
+consumer_list = ["api_admin", "mobile_admin", "mobile_device", "mobile_devicev2", "portal_anonymous_register", "portal_loggedin_register", "portal_anonymous", "portal_loggedin", "portal_anonymous_fallback_token", "portal_loggedin_fallback_token", "adminutil_learner_api_token"]
+
+def generate_jwt_token(key, secret, random_string):
+    # Concatenate the random string to the secret
+    secret_with_random = secret + random_string
+
+    # Create the token payload
+    payload = {
+        "iss": key
+    }
+
+    # Generate the JWT token
+    jwt_token = jwt.encode(payload, secret_with_random, algorithm="HS256")
+
+    return jwt_token
+
+def replace_placeholders(template_content, token_dict):
+    for key, token in token_dict.items():
+        placeholder = f"{{{{{key}}}}}"
+        template_content = template_content.replace(placeholder, token)
+
+    return template_content
+
+if __name__ == "__main__":
+    # Check if the random string is provided as a command-line argument
+    if len(sys.argv) != 2:
+        print("Usage: python script.py <random_string>")
+        sys.exit(1)
+
+    random_string = sys.argv[1]
+
+    # Validate the length of the random string
+    if not (12 <= len(random_string) <= 24):
+        print("Error: The random string must be between 12 and 24 characters in length.")
+        sys.exit(1)
+
+    # Get the script directory
+    script_directory = os.path.dirname(os.path.realpath(__file__))
+
+    # Construct the template file path relative to the script location
+    template_file_name = os.path.join(script_directory, "global-values-jwt-tokens.yaml.tpl")
+
+    # Generate JWT tokens for each key in the map
+    token_dict = {}
+    for consumer in consumer_list:
+        token = generate_jwt_token(consumer, consumer, random_string)
+        token_dict[f"{consumer}_jwt"] = token
+
+    # Read the template file
+    with open(template_file_name, "r") as template_file:
+        template_content = template_file.read()
+
+    # Replace placeholders with JWT tokens
+    modified_content = replace_placeholders(template_content, token_dict)
+
+    # Write the modified content to a new file
+    output_file_name = os.path.join(script_directory,"global-values-jwt-tokens.yaml")
+    with open(output_file_name, "w") as output_file:
+        output_file.write(modified_content)
+
+    print(f"Modified content written to {output_file_name}")

scripts/jwt-keys.py

@@ -0,0 +1,37 @@
+ 
+FROM quay.io/keycloak/keycloak:21.1.2 AS builder
+
+ENV KC_FEATURES=token-exchange
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+
+ 
+FROM quay.io/keycloak/keycloak:21.1.2
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+
+COPY ./conf/ /opt/keycloak/conf/
+COPY ./providers/ /opt/keycloak/providers/
+COPY ./themes/ /opt/keycloak/themes/
+COPY ./imports/ /opt/keycloak/imports/
+
+ 
+USER root
+RUN chown -R keycloak:keycloak /opt/keycloak
+USER keycloak
+
+ 
+ENV KC_PROXY=edge
+ENV KC_HOSTNAME_STRICT=false
+ENV KC_HOSTNAME_STRICT_HTTPS=false
+ENV KC_HTTP_RELATIVE_PATH=/auth
+ENV KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
+
+RUN /opt/keycloak/bin/kc.sh build
+
+EXPOSE 8080
+
+WORKDIR /opt/keycloak
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start", "--optimized", "--import-realm", "--spi-connections-jpa-legacy-migration-strategy=update", "--spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true"]

scripts/keycloak-21.1.2/Dockerfile

@@ -0,0 +1,19 @@
+# Sunbird Keycloak Setup
+
+
+## Configuration Values
+Here are the configuration values pulled from `keycloak.conf`:
+- **Database Type**: `db=postgres`
+- **Database Username**: `db-username=postgres`
+- **Database Password**: `db-password=postgres`
+- **Database URL**: `db-url=jdbc:postgresql://localhost:5432/keycloak?sslmode=require`
+- **HTTP Relative Path**: `http-relative-path=/auth`
+
+## Configuration Values with Placeholders
+
+Any placeholders in the pattern `{{ .Values.<key> }}` in `imports/sunbird-realm.json` need to be filled with appropriate values during local setup.
+
+## Docker Build Command
+To build the Docker image, use the following command:
+```bash
+docker build -t my-keycloak-image .

scripts/keycloak-21.1.2/README.md

@@ -0,0 +1,4 @@
+Configure the server
+====================
+
+Files in this directory are used to configure the server. Please consult the [configuration guides](https://www.keycloak.org/guides#server) for more information.

scripts/keycloak-21.1.2/conf/README.md

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<infinispan
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
+        xmlns="urn:infinispan:config:14.0">
+
+    <cache-container name="keycloak">
+        <transport lock-timeout="60000"/>
+        <local-cache name="realms">
+            <encoding>
+                <key media-type="application/x-java-object"/>
+                <value media-type="application/x-java-object"/>
+            </encoding>
+            <memory max-count="10000"/>
+        </local-cache>
+        <local-cache name="users">
+            <encoding>
+                <key media-type="application/x-java-object"/>
+                <value media-type="application/x-java-object"/>
+            </encoding>
+            <memory max-count="10000"/>
+        </local-cache>
+        <distributed-cache name="sessions" owners="2">
+            <expiration lifespan="-1"/>
+        </distributed-cache>
+        <distributed-cache name="authenticationSessions" owners="2">
+            <expiration lifespan="-1"/>
+        </distributed-cache>
+        <distributed-cache name="offlineSessions" owners="2">
+            <expiration lifespan="-1"/>
+        </distributed-cache>
+        <distributed-cache name="clientSessions" owners="2">
+            <expiration lifespan="-1"/>
+        </distributed-cache>
+        <distributed-cache name="offlineClientSessions" owners="2">
+            <expiration lifespan="-1"/>
+        </distributed-cache>
+        <distributed-cache name="loginFailures" owners="2">
+            <expiration lifespan="-1"/>
+        </distributed-cache>
+        <local-cache name="authorization">
+            <encoding>
+                <key media-type="application/x-java-object"/>
+                <value media-type="application/x-java-object"/>
+            </encoding>
+            <memory max-count="10000"/>
+        </local-cache>
+        <replicated-cache name="work">
+            <expiration lifespan="-1"/>
+        </replicated-cache>
+        <local-cache name="keys">
+            <encoding>
+                <key media-type="application/x-java-object"/>
+                <value media-type="application/x-java-object"/>
+            </encoding>
+            <expiration max-idle="3600000"/>
+            <memory max-count="1000"/>
+        </local-cache>
+        <distributed-cache name="actionTokens" owners="2">
+            <encoding>
+                <key media-type="application/x-java-object"/>
+                <value media-type="application/x-java-object"/>
+            </encoding>
+            <expiration max-idle="-1" lifespan="-1" interval="300000"/>
+            <memory max-count="-1"/>
+        </distributed-cache>
+    </cache-container>
+</infinispan>

scripts/keycloak-21.1.2/conf/cache-ispn.xml

@@ -0,0 +1,16 @@
+db=postgres
+db-username=postgres
+db-password=postgres
+db-url=jdbc:postgresql://localhost:5432/keycloak?sslmode=require
+http-relative-path=/auth
+log=console,file
+log-level=INFO,com.arjuna:WARN,io.jaegertracing.Configuration:WARN,org.jboss.as.config:DEBUG,sun.rmi:WARN,org.keycloak:INFO
+log-console-color=true
+log-console-output=default
+log-file-output=default
+log-console-format='%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+log-file-format='%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+
+DEBUG='true'
+DEBUG_PORT='*:8787'
+spi-login-logout-skip-confirmation=true