Fix CI failures with OpenID jobs (#659)

* Fix waiting for upterm session to close

* Upgrade k9s version used for ci debugging

* Migrate to use https://artifacthub.io/packages/helm/codecentric/keycloakx for Keycloak in ci

Author: lhotari

.ci/auth/keycloak/values.yaml

@@ -17,30 +17,34 @@
 # under the License.
 #
 
-tls:
-  enabled: false
+# Uses quay.io/keycloak/keycloak (official image, default for codecentric/keycloakx chart)
+# Run Keycloak in development mode with realm import for CI testing
+# https://www.keycloak.org/server/containers
+command:
+  - "/opt/keycloak/bin/kc.sh"
+  - "start-dev"
+  - "--import-realm"
+
+# Bootstrap admin credentials
+# https://www.keycloak.org/server/containers#_bootstrap_admin_and_creating_initial_admin_user
+extraEnv: |
+  - name: KC_BOOTSTRAP_ADMIN_USERNAME
+    value: admin
+  - name: KC_BOOTSTRAP_ADMIN_PASSWORD
+    value: admin
+
 # This block sets up an example Pulsar Realm
 # https://www.keycloak.org/server/importExport#_importing_a_realm_from_a_directory
-extraEnvVars:
-  - name: KEYCLOAK_EXTRA_ARGS
-    value: "--import-realm"
-extraVolumes:
+extraVolumes: |
   - name: realm-config
     secret:
       secretName: keycloak-ci-realm-config
-extraVolumeMounts:
+
+extraVolumeMounts: |
   - name: realm-config
-    mountPath: "/opt/bitnami/keycloak/data/import"
+    mountPath: "/opt/keycloak/data/import"
     readOnly: true
 
-# Fix for https://github.com/bitnami/charts/issues/35164
-global:
-  security:
-    allowInsecureImages: true
-image:
-  repository: bitnamilegacy/keycloak
-  tag: 26.2.3-debian-12-r0
-postgresql:
-  image:
-    repository: bitnamilegacy/postgresql
-    tag: 17.4.0-debian-12-r17
+resources:
+  limits:
+    memory: 768Mi

.ci/clusters/values-openid.yaml

@@ -22,7 +22,7 @@ proxy:
   configData:
     # Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
     brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
-    brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+    brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-keycloakx-http/auth/realms/pulsar"}'
   extraVolumes:
     - name: pulsar-proxy-credentials
       secret:
@@ -36,7 +36,7 @@ broker:
   configData:
     # Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
     brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
-    brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+    brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-keycloakx-http/auth/realms/pulsar"}'
   extraVolumes:
     - name: pulsar-broker-credentials
       secret:
@@ -49,7 +49,7 @@ broker:
 toolset:
   configData:
     authPlugin: "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
-    authParams: '{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+    authParams: '{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-keycloakx-http/auth/realms/pulsar"}'
   extraVolumes:
     - name: pulsar-admin-credentials
       secret:
@@ -67,7 +67,7 @@ auth:
       enabled: true
       # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
       openIDAllowedTokenIssuers:
-        - http://keycloak-ci-headless:8080/realms/pulsar
+        - http://keycloak-ci-keycloakx-http/auth/realms/pulsar
       openIDAllowedAudiences:
         - account
       #openIDTokenIssuerTrustCertsFilePath:

.ci/configure_ci_runner_for_debugging.sh

@@ -27,7 +27,7 @@ function k9s() {
     # install k9s on the fly
     if [ ! -x /usr/local/bin/k9s ]; then
         echo "Installing k9s..."
-        curl -L -s https://github.com/derailed/k9s/releases/download/v0.40.5/k9s_Linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin k9s
+        curl -L -s https://github.com/derailed/k9s/releases/download/v0.50.18/k9s_Linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin k9s
     fi
     command k9s "$@"
 }

.ci/helm.sh

@@ -85,6 +85,7 @@ function ci::helm_repo_add() {
     echo "Adding the helm repo ..."
     ${HELM} repo add prometheus-community https://prometheus-community.github.io/helm-charts
     ${HELM} repo add vm https://victoriametrics.github.io/helm-charts/
+    ${HELM} repo add codecentric https://codecentric.github.io/helm-charts
     ${HELM} repo update
     echo "Successfully added the helm repo."
 }
@@ -535,10 +536,10 @@ function ci::create_openid_resources() {
   ${KUBECTL} create secret generic keycloak-ci-realm-config --from-file=realm-pulsar.json=/tmp/realm-pulsar.json -n ${NAMESPACE}
 
   echo "Installing keycloak helm chart"
-  ${HELM} install keycloak-ci oci://registry-1.docker.io/bitnamicharts/keycloak --version 24.6.4 --values ${PULSAR_HOME}/.ci/auth/keycloak/values.yaml -n ${NAMESPACE}
+  ${HELM} install keycloak-ci codecentric/keycloakx --version 7.1.8 --values ${PULSAR_HOME}/.ci/auth/keycloak/values.yaml -n ${NAMESPACE}
 
   echo "Wait until keycloak is running"
-  WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
+  WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-keycloakx-0 | wc -l)
   counter=1
   while [[ ${WC} -lt 1 ]]; do
     ((counter++))
@@ -553,15 +554,11 @@ function ci::create_openid_resources() {
         exit 1
       fi
     fi
-    WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
+    WC=$(${KUBECTL} get pods -n ${NAMESPACE} --field-selector=status.phase=Running | grep keycloak-ci-keycloakx-0 | wc -l)
   done
 
   echo "Wait until keycloak is ready"
-  ${KUBECTL} wait --for=condition=Ready pod/keycloak-ci-0 -n ${NAMESPACE} --timeout 180s
-
-  echo "Check keycloack realm pulsar issuer url"
-  ${KUBECTL} exec -n ${NAMESPACE} keycloak-ci-0 -c keycloak -- bash -c 'curl -sSL http://keycloak-ci-headless:8080/realms/pulsar'
-
+  ${KUBECTL} wait --for=condition=Ready pod/keycloak-ci-keycloakx-0 -n ${NAMESPACE} --timeout 180s
 }
 
 # lists all available functions in this tool

.github/actions/ssh-access/action.yml

@@ -138,15 +138,16 @@ runs:
             if command -v upterm &>/dev/null; then
                 shopt -s nullglob
                 echo "SSH connection information"
-                upterm session current --admin-socket ~/.upterm/*.sock || {
+                export UPTERM_ADMIN_SOCKET=$(find $HOME/.upterm $XDG_RUNTIME_DIR/upterm /run/user/$(id -u)/upterm -name "*.sock" | head -n 1)
+                upterm session current || {
                     echo "upterm isn't running. Not waiting any longer."
                     exit 0
                 }
                 timeout=${{ inputs.timeout }}
                 echo "Waiting $timeout seconds..."
                 sleep $timeout
                 echo "Keep waiting as long as there's a connected session"
-                while upterm session current --admin-socket ~/.upterm/*.sock|grep Connected &>/dev/null; do
+                while upterm session current|grep Connected &>/dev/null; do
                     sleep 30
                 done
                 echo "No session is connected. Not waiting any longer."