[CIAM-535] [KEYCLOAK-18574] Refactor the Red Hat Single Sign-On for OpenShift

images to start using Wildfly / JBoss EAP Galleon based Maven repository
instead of a formerly used server Zip archive. Update to RH-SSO 7.5.0

Signed-off-by: Jan Lieskovsky <[email protected]>

Author: Jan Lieskovsky

README.adoc

@@ -1,6 +1,4 @@
-# Red Hat Single Sign-On Continuous Delivery 7.5 OpenShift container image
-
-NOTE: Extends link:https://github.com/jboss-container-images/redhat-sso-7-image[Red Hat Single Sign-On container image]
+# Red Hat Single Sign-On 7.5 for OpenJDK / OpenJ9 on OpenShift container images
 
 # License
 

README.adoc.in

@@ -1,4 +1,4 @@
-= Application Templates for Red Hat Single Sign-On 7.5 OpenShift container image
+= Application Templates for Red Hat Single Sign-On 7.5 on OpenShift container images
 
 This project contains OpenShift v3 / v4 application templates which support applications based on JBoss Middleware products.
 Source can be found https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-cpaas-dev[here].

image.yaml

@@ -2,7 +2,7 @@ schema_version: 1
 
 ## Both name and description are overridden, see overrides/*
 name: "rh-sso-7/sso75-openshift-rhel8"
-description: "Red Hat Single Sign-On 7.5 OpenShift container image, based on the Red Hat Universal Base Image 8 Minimal container image"
+description: "Red Hat Single Sign-On 7.5 for OpenShift container image, based on the Red Hat Universal Base Image 8 Minimal container image"
 
 version: "7.5"
 from: "registry.redhat.io/ubi8/ubi-minimal"
@@ -25,6 +25,7 @@ labels:
       value: "sso,sso75,keycloak"
     - name: "io.openshift.s2i.scripts-url"
       value: "image:///usr/local/s2i"
+
 envs:
     - name: "JBOSS_PRODUCT"
       value: *product
@@ -66,45 +67,51 @@ envs:
     - name: "SCRIPT_DEBUG"
       description: "If set to true, ensurses that the bash scripts are executed with the -x option, printing the commands and their arguments as they are executed."
       example: "true"
+
 ports:
     - value: 8443
+
 modules:
       repositories:
+          - name: cct_module
+            git:
+                  url: https://github.com/jboss-openshift/cct_module.git
+                  ref: 0.45.2
+
           - name: jboss-eap-modules
             git:
                   url: https://github.com/jboss-container-images/jboss-eap-modules.git
-                  ref: EAP_740_CR1
+                  ref: EAP_740_CR3
 
           - name: jboss-eap-image
             git:
                   url: https://github.com/jboss-container-images/jboss-eap-7-image.git
-                  ref: EAP_740_CR1
+                  ref: EAP_740_CR3
 
-          - name: cct_module
+          - name: wildfly-cekit-modules
             git:
-                  url: https://github.com/jboss-openshift/cct_module.git
-                  ref: 0.41.4
+                  url: https://github.com/wildfly/wildfly-cekit-modules.git
+                  ref: 0.24.0
 
           - name: sso-modules
             path: modules
 
       install:
-          - name: bz-1769831
-            version: '1.0'
+          # Install JDK runtime
           - name: sso-jdk
             version: &jdk_version '11'
+           # Perform all actions required by Wildfly / JBoss EAP Galleon Maven build
+           # See 'used-eap-modules-list.txt' for overview of used JBoss EAP modules,
+           # and the order they need to be called in
           - name: eap
             version: '1.0'
 
-          # RH-SSO product specific modules from modules/ path in this repository
-          - name: sso
+          ## RH-SSO product specific modules from modules/ path in this repository
           - name: keycloak.openshift.clients
             version: '1.0'
           - name: sso.config.launch.setup.75
           - name: sso.db.drivers
             version: '1.0'
-          - name: sso.python
-            version: '3'
 
           # Other common modules from the main CE cct_module repository
           - name: openshift-layer
@@ -114,19 +121,17 @@ modules:
           - name: sso-pre-launch-checks
 
           # This needs to be the very last, after all updates to standalone-openshift.xml have been done. See eg. https://access.redhat.com/solutions/3402171 for use
-          - name: os-eap-extensions
           - name: sso-cli-extensions
 
+          # Actions performed by the 'sso-rm-openjdk' module shouldn't be needed for RHEL-8 UBI Minimal
+          # derived images already. But it's kept & called here for any case, so RPMs belonging to
+          # counterpart JVM aren't left in the image by an accident
           - name: sso-rm-openjdk
             version: *jdk_version
+
 packages:
       manager: microdnf
       content_sets_file: content_sets.yaml
-      install:
-      # "find" executable is required by various CCT & SSO modules
-      - findutils
-      # "which" tool is handy for debugging issues / troubleshooting
-      - which
 
 run:
       cmd:

modules/eap/module.yaml

@@ -5,46 +5,26 @@ version: '1.0'
 
 modules:
       install:
-          ### Image :: Standalone ####
-          - name: eap-73-latest
-
-          ### Image :: OpenShift ####
-          # Order of the modules installation below matters!!! DO NOT CHANGE it unless
-          # you first verified the image with changed order still works correctly
-          # Common modules from the main CE cct_module repository
-          - name: dynamic-resources
-          - name: jboss.container.eap.s2i.bash
-          - name: jboss.container.java.jvm.bash
-          - name: jboss.container.jolokia.bash
-          - name: jboss.container.wildfly.standalone-conf.java
-          - name: jboss.container.wildfly.standalone-conf.jolokia
-          - name: os-eap7-ping
-          - name: jboss.container.java.jvm.bash
-          - name: os-eap-launch
-          - name: os-eap7-launch
-          - name: os-eap-datasource
-            version: '1.0'
-          - name: jboss.eap.cd.logging
-          - name: jboss.eap.config.jgroups
-          - name: jboss.eap.config.elytron
-          - name: os-eap-probes
-            version: '3.0'
-          - name: jboss.container.maven.35.bash
-            version: '3.5'
-          - name: os-eap-hawkular
-          - name: os-eap-deployment-scanner
+          - name: setup.eap.modules
+            version: "1.0"
 
 execute:
     - script: install-eap-one-offs.sh
 
+# Important:
+# ----------
+#
 # All EAP one-offs artifacts must be prefixed with "eap-one-off-" prefix and suffixed with in ".zip".
 # Ensure that only one-offs for the INSTALLED version of EAP are present, and comment all of them
 # that are obsoleted.
+#
+# For an example of proper / intended usage, see the "jbeap-18807.zip" example below.
+#
 # artifacts:
 #
 #      KEYCLOAK-13487 "jbeap-18807.zip" is obsolete in EAP-7.3.1 / RH-SSO 7.5.1, deprecate it
 #
 #      - md5: 1b6036cfcde2cf1dc05c2eb6eca228ff
 #        name: jbeap-18807.zip
 #        target: eap-one-off-jbeap-18807.zip
-#        url: http://$DOWNLOAD_SERVER/devel/candidates/JBSSO/JBSSO-7.5.0.CR2/jbeap-18807.zip
+#        url: http://$DOWNLOAD_SERVER/devel/candidates/JBSSO/JBSSO-7.5.0.CR2/jbeap-18807.zip

modules/eap/setup/eap/modules/added/configure_extensions.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+function preConfigure() {
+  preconfigure_extensions
+}
+
+# if a delayedpostconfigure.sh file exists call postconfigure.sh
+# The delayedpostconfigure.sh will be called after CLI execution.
+function postConfigure() {
+   if [ -f "${JBOSS_HOME}/extensions/delayedpostconfigure.sh" ]; then
+     postconfigure_extensions
+   fi
+}
+
+# if a delayedpostconfigure.sh file exists call it, otherwise fallback on postconfigure.sh
+function delayedPostConfigure() {
+  if [ -f "${JBOSS_HOME}/extensions/delayedpostconfigure.sh" ]; then
+    ${JBOSS_HOME}/extensions/delayedpostconfigure.sh
+  else
+    postconfigure_extensions
+  fi
+}
+
+function preconfigure_extensions(){
+  if [ -f "${JBOSS_HOME}/extensions/preconfigure.sh" ]; then
+    ${JBOSS_HOME}/extensions/preconfigure.sh
+  fi
+}
+
+function postconfigure_extensions(){
+  if [ -f "${JBOSS_HOME}/extensions/postconfigure.sh" ]; then
+    ${JBOSS_HOME}/extensions/postconfigure.sh
+  fi
+}

modules/eap/setup/eap/modules/added/https.sh

@@ -0,0 +1,137 @@
+#!/bin/sh
+# only processes a single environment as the placeholder is not preserved
+
+source $JBOSS_HOME/bin/launch/logging.sh
+
+function prepareEnv() {
+  unset HTTPS_NAME
+  unset HTTPS_PASSWORD
+  unset HTTPS_KEYSTORE_DIR
+  unset HTTPS_KEYSTORE
+  unset HTTPS_KEYSTORE_TYPE
+}
+
+function configure() {
+  configure_https
+}
+
+function configureEnv() {
+  configure
+}
+
+function configure_https() {
+  if [ "${CONFIGURE_ELYTRON_SSL}" = "true" ]; then
+    log_info "Using Elytron for SSL configuration."
+    return
+  fi
+
+  local sslConfMode
+  getConfigurationMode "<!-- ##SSL## -->" "sslConfMode"
+
+  local httpsConfMode
+  getConfigurationMode "<!-- ##HTTPS_CONNECTOR## -->" "httpsConfMode"
+
+
+  if [ -n "${HTTPS_PASSWORD}" -a -n "${HTTPS_KEYSTORE_DIR}" -a -n "${HTTPS_KEYSTORE}" ]; then
+
+    if [ "${sslConfMode}" = "xml" ]; then
+      configureSslXml
+    elif [ "${sslConfMode}" = "cli" ]; then
+      configureSslCli
+    fi
+
+    if [ "${httpsConfMode}" = "xml" ]; then
+      configureHttpsXml
+    elif [ "${httpsConfMode}" = "cli" ]; then
+      configureHttpsCli
+    fi
+
+  elif [ -n "${HTTPS_PASSWORD}" -o -n "${HTTPS_KEYSTORE_DIR}" -o -n "${HTTPS_KEYSTORE}" ]; then
+    log_warning "Partial HTTPS configuration, the https connector WILL NOT be configured."
+
+    if [ "${sslConfMode}" = xml ]; then
+      sed -i "s|<!-- ##SSL## -->|<!-- No SSL configuration discovered -->|" $CONFIG_FILE
+    fi
+
+    if [ "${httpsConfMode}" = xml ]; then
+      sed -i "s|<!-- ##HTTPS_CONNECTOR## -->|<!-- No HTTPS configuration discovered -->|" $CONFIG_FILE
+    fi
+  fi
+}
+
+function configureSslXml() {
+  if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
+    keystore_provider="provider=\"${HTTPS_KEYSTORE_TYPE}\""
+  fi
+  ssl="<server-identities>\n\
+            <ssl>\n\
+                <keystore ${keystore_provider} path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\" keystore-password=\"${HTTPS_PASSWORD}\"/>\n\
+            </ssl>\n\
+        </server-identities>"
+
+  sed -i "s|<!-- ##SSL## -->|${ssl}|" $CONFIG_FILE
+}
+
+function configureSslCli() {
+  local app_realm_resource="/core-service=management/security-realm=ApplicationRealm"
+  local ssl_resource="${app_realm_resource}/server-identity=ssl"
+  local ssl_add="$ssl_resource:add(keystore-path=\"${HTTPS_KEYSTORE_DIR}/${HTTPS_KEYSTORE}\", keystore-password=\"${HTTPS_PASSWORD}\""
+  if [ -n "$HTTPS_KEYSTORE_TYPE" ]; then
+    ssl_add="${ssl_add}, keystore-provider=\"${HTTPS_KEYSTORE_TYPE}\""
+  fi
+  ssl_add="${ssl_add})"
+
+  cat << EOF >> ${CLI_SCRIPT_FILE}
+  if (outcome != success) of ${app_realm_resource}:read-resource
+    echo You have set the HTTPS_PASSWORD, HTTPS_KEYSTORE_DIR and HTTPS_KEYSTORE to add the ssl server-identity. Fix your configuration to contain the ${app_realm_resource} resource for this to happen. >> \${error_file}
+    exit
+  end-if
+  if (outcome == success) of ${ssl_resource}:read-resource
+    echo You have set the HTTPS_PASSWORD, HTTPS_KEYSTORE_DIR and HTTPS_KEYSTORE to add the ssl server-identity. But this already exists in the base configuration. Fix your configuration. >> \${error_file}
+    exit
+  end-if
+  ${ssl_add}
+EOF
+}
+
+function configureHttpsXml() {
+  https_connector="<https-listener name=\"https\" socket-binding=\"https\" security-realm=\"ApplicationRealm\" proxy-address-forwarding=\"true\"/>"
+  sed -i "s|<!-- ##HTTPS_CONNECTOR## -->|${https_connector}|" $CONFIG_FILE
+}
+
+function configureHttpsCli() {
+    # No subsystem is an error
+    local xpath="\"//*[local-name()='subsystem' and starts-with(namespace-uri(), 'urn:jboss:domain:undertow:')]\""
+    local ssRet
+    testXpathExpression "${xpath}" "ssRet"
+    if [ "${ssRet}" -ne 0 ]; then
+      echo "You have set HTTPS_PASSWORD, HTTPS_KEYSTORE_DIR and HTTPS_KEYSTORE to add an undertow https-listener. Fix your configuration to contain the undertow subsystem for this to happen." >> "${CONFIG_ERROR_FILE}"
+      return
+    fi
+
+    # Not having any servers is an error
+    local serverNamesRet
+    # We grab the <server name="..."> attributes, and will use them later
+    local xpath="\"//*[local-name()='subsystem' and starts-with(namespace-uri(), 'urn:jboss:domain:undertow:')]/*[local-name()='server']/@name\""
+    testXpathExpression "${xpath}" "serverNamesRet"
+    if [ "${serverNamesRet}" -ne 0 ]; then
+      echo "You have set HTTPS_PASSWORD, HTTPS_KEYSTORE_DIR and HTTPS_KEYSTORE to add an undertow https-listener. Fix your configuration to contain at least one server in the undertow subsystem for this to happen." >> ${CONFIG_ERROR_FILE}
+      return
+    fi
+
+    # Existing https-listener(s) is an error
+    local httpsListenersRet
+    local xpath="\"//*[local-name()='subsystem' and starts-with(namespace-uri(), 'urn:jboss:domain:undertow:')]/*[local-name()='server']/*[local-name()='https-listener']/@name\""
+    testXpathExpression "${xpath}" "httpsListenersRet"
+    if [ "${httpsListenersRet}" -eq 0 ]; then
+      echo "You have set HTTPS_PASSWORD, HTTPS_KEYSTORE_DIR and HTTPS_KEYSTORE to add https-listeners to your undertow servers, however at least one of these already contains an https-listener. Fix your configuration." >> "${CONFIG_ERROR_FILE}"
+      return
+    fi
+
+    cat << EOF >> ${CLI_SCRIPT_FILE}
+    for serverName in /subsystem=undertow:read-children-names(child-type=server)
+      /subsystem=undertow/server=\$serverName/https-listener=https:add(security-realm=ApplicationRealm, socket-binding=https, proxy-address-forwarding=true)
+    done
+EOF
+
+}

modules/eap/setup/eap/modules/added/keycloak-deployment-subsystem

@@ -0,0 +1 @@
+<secure-deployment name="##KEYCLOAK_DEPLOYMENT##"><realm>##KEYCLOAK_REALM##</realm><resource>##KEYCLOAK_CLIENT##</resource><auth-server-url>##KEYCLOAK_URL##</auth-server-url><enable-basic-auth>true</enable-basic-auth><credential name="secret">##KEYCLOAK_SECRET##</credential><enable-cors>##KEYCLOAK_ENABLE_CORS##</enable-cors><bearer-only>##KEYCLOAK_BEARER_ONLY##</bearer-only>##KEYCLOAK_PRINCIPAL_ATTRIBUTE##</secure-deployment>

modules/eap/setup/eap/modules/added/keycloak-realm-subsystem

@@ -0,0 +1 @@
+<subsystem xmlns="urn:jboss:domain:keycloak:1.1"><realm name="##KEYCLOAK_REALM##"><!-- ##KEYCLOAK_PUBLIC_KEY## --><auth-server-url>##KEYCLOAK_URL##</auth-server-url><register-node-at-startup>true</register-node-at-startup><register-node-period>600</register-node-period><ssl-required>external</ssl-required><disable-trust-manager>##KEYCLOAK_DISABLE_TRUST_MANAGER##</disable-trust-manager><!-- ##KEYCLOAK_TRUSTSTORE## --><allow-any-hostname>false</allow-any-hostname></realm>##KEYCLOAK_DEPLOYMENT_SUBSYSTEM##</subsystem>

modules/eap/setup/eap/modules/added/keycloak-saml-deployment-subsystem

@@ -0,0 +1 @@
+<secure-deployment name="##KEYCLOAK_DEPLOYMENT##">##KEYCLOAK_SAML_SP##</secure-deployment>

modules/eap/setup/eap/modules/added/keycloak-saml-realm-subsystem

@@ -0,0 +1 @@
+<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">##KEYCLOAK_DEPLOYMENT_SUBSYSTEM##</subsystem>