Add option to customize keycloak themes (#2469)

Co-authored-by: Marcelo Villa <mvilla@quansight.com>

Author: viniciusdc

src/_nebari/stages/kubernetes_keycloak/__init__.py

@@ -8,7 +8,7 @@
 import time
 from typing import Any, Dict, List, Optional, Type, Union
 
-from pydantic import Field, ValidationInfo, field_validator
+from pydantic import Field, ValidationInfo, field_validator, model_validator
 
 from _nebari.stages.base import NebariTerraformStage
 from _nebari.stages.tf_objects import (
@@ -31,6 +31,7 @@ class InputVars(schema.Base):
     initial_root_password: str
     overrides: List[str]
     node_group: Dict[str, str]
+    themes: Dict[str, Union[bool, str]]
 
 
 @contextlib.contextmanager
@@ -141,10 +142,28 @@ def random_secure_string(
     return "".join(secrets.choice(chars) for i in range(length))
 
 
+class KeycloakThemes(schema.Base):
+    enabled: bool = False
+    repository: Optional[str] = ""
+    branch: Optional[str] = "main"
+
+    @model_validator(mode="before")
+    @classmethod
+    def validate_fields_dependencies(cls, data: Any) -> Any:
+        # Raise and error if themes are enabled but repository or branch are not set
+        if isinstance(data, dict) and data.get("enabled"):
+            if not data.get("repository") or not data.get("branch"):
+                raise ValueError(
+                    "Repository and branch are both required when themes is enabled."
+                )
+        return data
+
+
 class Keycloak(schema.Base):
     initial_root_password: str = Field(default_factory=random_secure_string)
     overrides: Dict = {}
     realm_display_name: str = "Nebari"
+    themes: KeycloakThemes = Field(default_factory=lambda: KeycloakThemes())
 
 
 auth_enum_to_model = {
@@ -233,6 +252,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             node_group=stage_outputs["stages/02-infrastructure"]["node_selectors"][
                 "general"
             ],
+            themes=self.config.security.keycloak.themes.model_dump(),
         ).model_dump()
 
     def check(

src/_nebari/stages/kubernetes_keycloak/template/main.tf

@@ -17,4 +17,6 @@ module "kubernetes-keycloak-helm" {
   overrides = var.overrides
 
   node_group = var.node_group
+
+  themes = var.themes
 }

src/_nebari/stages/kubernetes_keycloak/template/modules/kubernetes/keycloak-helm/main.tf

@@ -20,6 +20,7 @@ resource "helm_release" "keycloak" {
           }
         }
       }
+      customThemes = var.themes
     })
   ], var.overrides)
 
@@ -32,6 +33,7 @@ resource "helm_release" "keycloak" {
     name  = "initial_root_password"
     value = var.initial_root_password
   }
+
 }
 
 

src/_nebari/stages/kubernetes_keycloak/template/modules/kubernetes/keycloak-helm/values.yaml

@@ -22,6 +22,21 @@ startupScripts:
     /opt/jboss/keycloak/bin/add-user-keycloak.sh -r master -u root -p "{{ .Values.initial_root_password }}"
     /opt/jboss/keycloak/bin/add-user-keycloak.sh -r master -u nebari-bot -p "{{ .Values.nebari_bot_password }}"
 
+  mv-custom-themes.sh: |
+    #!/bin/sh
+    printf '=%.0s' {1..73}
+    echo "Start moving custom themes to /opt/jboss/keycloak/themes"
+
+    if [ -d /opt/data/custom-themes/themes ]; then
+      echo 'Copying custom themes from /opt/data/custom-themes/themes to /opt/jboss/keycloak/themes'
+      cp -r /opt/data/custom-themes/themes/* /opt/jboss/keycloak/themes/
+    else
+      echo 'No custom themes found in /opt/data/custom-themes'
+    fi
+
+    echo "Finished moving custom themes"
+    printf '=%.0s' {1..73}
+
 extraInitContainers: |
   - command:
     - sh
@@ -47,11 +62,44 @@ extraInitContainers: |
     volumeMounts:
       - name: metrics-plugin
         mountPath: /data
+  {{- if .Values.customThemes.enabled }}
+  - env:
+    - name: GIT_SYNC_REPO
+      value: {{ .Values.customThemes.repository }}
+    - name: GIT_SYNC_BRANCH
+      value: {{ .Values.customThemes.branch }}
+    - name: GIT_SYNC_ONE_TIME
+      value: "true"
+    - name: GIT_SYNC_GROUP_WRITE
+      value: "true"
+    - name: GIT_SYNC_ROOT
+      value: /opt/data/custom-themes
+    - name: GIT_SYNC_DEST
+      value: themes
+    - name: GIT_SYNC_SSH
+      value: "false"
+    image: k8s.gcr.io/git-sync:v3.1.5
+    imagePullPolicy: IfNotPresent
+    name: keycloak-git-sync
+    resources: {}
+    securityContext:
+      runAsGroup: 1000
+      runAsUser: 0
+    terminationMessagePath: /dev/termination-log
+    terminationMessagePolicy: File
+    volumeMounts:
+    - mountPath: /opt/data/custom-themes
+      name: custom-themes
+  {{- end }}
 
 extraVolumeMounts: |
   - name: metrics-plugin
     mountPath: /opt/jboss/keycloak/providers/
+  - mountPath: /opt/data/custom-themes
+    name: custom-themes
 
 extraVolumes: |
   - name: metrics-plugin
     emptyDir: {}
+  - name: custom-themes
+    emptyDir: {}

src/_nebari/stages/kubernetes_keycloak/template/modules/kubernetes/keycloak-helm/variables.tf

@@ -31,3 +31,17 @@ variable "node_group" {
     value = string
   })
 }
+
+variable "themes" {
+  description = "Custom themes configuration for keycloak"
+  type = object({
+    enabled    = bool
+    repository = string
+    branch     = string
+  })
+  default = {
+    enabled    = false
+    repository = ""
+    branch     = ""
+  }
+}

src/_nebari/stages/kubernetes_keycloak/template/variables.tf

@@ -31,3 +31,12 @@ variable "node_group" {
     value = string
   })
 }
+
+variable "themes" {
+  description = "Custom themes configuration for keycloak"
+  type = object({
+    enabled    = bool
+    repository = string
+    branch     = string
+  })
+}