Merge pull request #79 from noi-techpark/development

Upgrade v20

.github/workflows/main.yml

@@ -9,7 +9,7 @@ env:
   DOCKER_IMAGE: ghcr.io/${{ github.repository }}/${{ github.event.repository.name }}-app
   DOCKER_TAG: ${{ github.sha }}
   JAVA_VERSION: '11'
-  NODE_VERSION: '16.x'
+  NODE_VERSION: '16'
 
 jobs:
   # Test
@@ -23,6 +23,12 @@ jobs:
         with:
           working-directory: themes/noiV2/common/resources
           node-version: ${{ env.NODE_VERSION }}
+      - name: Build native S3 ping plugin
+        uses: noi-techpark/github-actions/maven-build@v2
+        with:
+          working-directory: native-s3-ping
+          java-version: ${{ env.JAVA_VERSION }}
+          build-command: mvn -B -U clean install
       - name: Build Keycloak registration event listener
         uses: noi-techpark/github-actions/maven-build@v2
         with:
@@ -32,6 +38,66 @@ jobs:
       - name: Build images
         uses: noi-techpark/github-actions/docker-build@v2
 
+  # Deploy upgrade
+  deploy-upgrade:
+    runs-on: ubuntu-20.04
+    if: github.ref == 'refs/heads/upgrade-v20'
+    needs: test
+    concurrency: deploy-upgrade
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v2
+      - name: Create .env file
+        uses: noi-techpark/github-actions/env-file@v2
+        env:
+          X_COMPOSE_PROJECT_NAME: ${{ env.PROJECT_NAME }}
+          X_DOCKER_IMAGE: ${{ env.DOCKER_IMAGE }}
+          X_DOCKER_TAG: ${{ env.DOCKER_TAG }}
+          X_DB_ADDR: "test-pg-bdp.co90ybcr8iim.eu-west-1.rds.amazonaws.com"
+          X_DB_PORT: "5432"
+          X_DB_DATABASE: "authentication_server_upgrade"
+          X_DB_USER: "authentication_server"
+          X_DB_PASSWORD: ${{ secrets.TEST_DB_PASSWORD }}
+          X_FRONTEND_URL: "https://authupgrade.opendatahub.testingmachine.eu/auth/"
+          X_ADMIN_NAME: "admin"
+          X_ADMIN_PASSWORD: ${{ secrets.TEST_ADMIN_PASSWORD }}
+          X_CLUSTER_S3_REGION_NAME: "eu-west-1"
+          X_CLUSTER_S3_BUCKET_NAME: "authentication-server-cluster-upgrade"
+      - name: Build frontend assets
+        uses: noi-techpark/github-actions/npm-build@v2
+        with:
+          working-directory: themes/noiV2/common/resources
+          node-version: ${{ env.NODE_VERSION }}
+      - name: Build native S3 ping plugin
+        uses: noi-techpark/github-actions/maven-build@v2
+        with:
+          working-directory: native-s3-ping
+          java-version: ${{ env.JAVA_VERSION }}
+          build-command: mvn -B -U clean install
+      - name: Build Keycloak registration event listener
+        uses: noi-techpark/github-actions/maven-build@v2
+        with:
+          working-directory: registration-event-listener
+          java-version: ${{ env.JAVA_VERSION }}
+          build-command: mvn -B -U clean install
+      - name: Build and push images
+        uses: noi-techpark/github-actions/docker-build-and-push@v2
+        with:
+          docker-username: ${{ github.actor }}
+          docker-password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Deploy high availability application
+        uses: noi-techpark/github-actions/docker-ha-deploy@v2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_TERRAFORM_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_TERRAFORM_SECRET_ACCESS_KEY }}
+        with:
+          terraform-working-directory: 'infrastructure/terraform/upgrade'
+          ansible-hosts: 'upgrade'
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+          docker-username: 'noi-techpark-bot'
+          docker-password: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          project-name: ${{ env.PROJECT_NAME }}
+
   # Deploy test
   deploy-test:
     runs-on: ubuntu-20.04
@@ -55,11 +121,19 @@ jobs:
           X_FRONTEND_URL: "https://auth.opendatahub.testingmachine.eu/auth/"
           X_ADMIN_NAME: "admin"
           X_ADMIN_PASSWORD: ${{ secrets.TEST_ADMIN_PASSWORD }}
+          X_CLUSTER_S3_REGION_NAME: "eu-west-1"
+          X_CLUSTER_S3_BUCKET_NAME: "authentication-server-cluster-test"
       - name: Build frontend assets
         uses: noi-techpark/github-actions/npm-build@v2
         with:
           working-directory: themes/noiV2/common/resources
           node-version: ${{ env.NODE_VERSION }}
+      - name: Build native S3 ping plugin
+        uses: noi-techpark/github-actions/maven-build@v2
+        with:
+          working-directory: native-s3-ping
+          java-version: ${{ env.JAVA_VERSION }}
+          build-command: mvn -B -U clean install
       - name: Build Keycloak registration event listener
         uses: noi-techpark/github-actions/maven-build@v2
         with:
@@ -107,6 +181,8 @@ jobs:
           X_FRONTEND_URL: "https://auth.opendatahub.bz.it/auth/"
           X_ADMIN_NAME: "admin"
           X_ADMIN_PASSWORD: ${{ secrets.PROD_ADMIN_PASSWORD }}
+          X_CLUSTER_S3_REGION_NAME: "eu-west-1"
+          X_CLUSTER_S3_BUCKET_NAME: "authentication-server-cluster-prod"
       - name: Build frontend assets
         uses: noi-techpark/github-actions/npm-build@v2
         with:

docker-compose.aboutbits.yml

@@ -1,43 +1,85 @@
 version: "3.4"
 
 services:
-  keycloak:
+  keycloak01:
+    image: authentication-server-keycloak
     build:
       context: ./
       dockerfile: infrastructure/docker/keycloak/Dockerfile
-      target: dev
-    volumes:
-      - ./themes/noi:/opt/jboss/keycloak/themes/noi
-    ports:
-      - 8080:8080
+      target: prod
+    environment:
+      KC_LOG_LEVEL: info
+      KC_CACHE_STACK: udp
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: password
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HTTP_ENABLED: 'true'
+      KC_PROXY: 'passthrough'
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: password
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/auth/health"]
+      interval: 20s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+    depends_on:
+      - postgres
+    networks:
+      - internal
+      - proxy
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.auth1.entrypoints=http,https
+      - traefik.http.routers.auth1.rule=Host(`auth.proxy.test`)
+      - traefik.http.routers.auth1.tls=true
+      - traefik.http.routers.auth1.service=auth
+      - traefik.http.services.auth.loadbalancer.server.port=8080
+      # - traefik.http.services.auth.loadbalancer.sticky.cookie=true
+
+  keycloak02:
+    image: authentication-server-keycloak
     environment:
-      DB_VENDOR: POSTGRES
-      DB_ADDR: postgres
-      DB_DATABASE: keycloak
-      DB_SCHEMA: public
-      DB_USER: keycloak
-      DB_PASSWORD: password
-      PROXY_ADDRESS_FORWARDING: 'true'
-      KEYCLOAK_FRONTEND_URL: https://auth.aboutbits.local/auth
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: password
+      KC_LOG_LEVEL: info
+      KC_CACHE_STACK: udp
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: password
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HTTP_ENABLED: 'true'
+      KC_PROXY: 'passthrough'
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/auth/health"]
+      interval: 20s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
     depends_on:
       - postgres
+      - keycloak01
     networks:
       - internal
       - proxy
     labels:
-      - traefik.api.frontend.rule=Host:auth.aboutbits.local
-      - traefik.docker.network=proxy
-      - traefik.port=8080
-      - traefik.backend=auth
+      - traefik.enable=true
+      - traefik.http.routers.auth2.entrypoints=http,https
+      - traefik.http.routers.auth2.rule=Host(`auth.proxy.test`)
+      - traefik.http.routers.auth2.tls=true
+      - traefik.http.routers.auth2.service=auth
+      - traefik.http.services.auth.loadbalancer.server.port=8080
+      # - traefik.http.services.auth.loadbalancer.sticky.cookie=true
 
   postgres:
     image: postgres:12
     environment:
       POSTGRES_DB: keycloak
       POSTGRES_USER: keycloak
       POSTGRES_PASSWORD: password
+    ports:
+      - 5432:5432
     networks:
       - internal
     labels:

docker-compose.yml

@@ -6,20 +6,29 @@ services:
       context: ./
       dockerfile: infrastructure/docker/keycloak/Dockerfile
       target: dev
-    volumes:
-      - ./themes/noi:/opt/jboss/keycloak/themes/noi
-      - ./themes/sankt-virtual:/opt/jboss/keycloak/themes/sankt-virtual
-      - ./themes/noiV2:/opt/jboss/keycloak/themes/noiV2
-      - ./registration-event-listener/target/registration-event-listener-0.0.1-SNAPSHOT.jar://opt/jboss/keycloak/standalone/deployments/registration-event-listener-0.0.1-SNAPSHOT.jar
     environment:
-      DB_VENDOR: POSTGRES
-      DB_ADDR: postgres
-      DB_DATABASE: keycloak
-      DB_SCHEMA: public
-      DB_USER: keycloak
-      DB_PASSWORD: password
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: password
+      KC_LOG_LEVEL: info
+      KC_CACHE_STACK: udp
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: password
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HTTP_ENABLED: 'true'
+      KC_PROXY: 'passthrough'
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: password
+    volumes:
+      - ./themes/sankt-virtual:/opt/keycloak/themes/sankt-virtual
+      - ./themes/noiV2:/opt/keycloak/themes/noiV2
+      - ./native-s3-ping/target/native-s3-ping-jar-with-dependencies.jar:/opt/keycloak/providers/native-s3-ping-jar-with-dependencies.jar
+      - ./registration-event-listener/target/registration-event-listener.jar:/opt/keycloak/providers/registration-event-listener.jar
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/auth/health"]
+      interval: 20s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
     depends_on:
       - postgres
     ports:

infrastructure/ansible/hosts

@@ -1,3 +1,7 @@
+[upgrade]
+authupgrade01.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+authupgrade02.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
 [test]
 auth01.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 auth02.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
@@ -7,9 +11,11 @@ auth01.opendatahub.bz.it ansible_user='noi-techpark-bot' ansible_ssh_common_args
 auth02.opendatahub.bz.it ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 
 [groupone]
+authupgrade01.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 auth01.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 auth01.opendatahub.bz.it ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 
 [grouptwo]
+authupgrade02.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 auth02.testingmachine.eu ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 auth02.opendatahub.bz.it ansible_user='noi-techpark-bot' ansible_ssh_common_args='-o StrictHostKeyChecking=no'

infrastructure/docker-compose.build.yml

@@ -6,6 +6,6 @@ services:
     build:
       context: ../
       dockerfile: infrastructure/docker/keycloak/Dockerfile
-      target: build
-    volumes:
-      - ./registration-event-listener/target/registration-event-listener-0.0.1-SNAPSHOT.jar://opt/jboss/keycloak/standalone/deployments/registration-event-listener-0.0.1-SNAPSHOT.jar
+      target: prod
+    environment:
+      KC_CACHE_STACK: ec2

infrastructure/docker-compose.run.yml

@@ -5,27 +5,24 @@ services:
     image: ${DOCKER_IMAGE}:${DOCKER_TAG}
     restart: unless-stopped
     environment:
-      DB_VENDOR: POSTGRES
-      DB_ADDR: ${DB_ADDR}
-      DB_PORT: ${DB_PORT}
-      DB_DATABASE: ${DB_DATABASE}
-      DB_SCHEMA: public
-      DB_USER: ${DB_USER}
-      DB_PASSWORD: ${DB_PASSWORD}
-      JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING
-      JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
-      PROXY_ADDRESS_FORWARDING: 'true'
-      HOSTNAME: ${HOSTNAME}
-      KEYCLOAK_FRONTEND_URL: ${FRONTEND_URL}
-      #KEYCLOAK_USER: ${ADMIN_NAME}
-      #KEYCLOAK_PASSWORD: ${ADMIN_PASSWORD}
+      KC_LOG_LEVEL: info
+      KC_CACHE_STACK: ec2
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://${DB_ADDR}:${DB_PORT}/${DB_DATABASE}
+      KC_DB_USERNAME: ${DB_USER}
+      KC_DB_PASSWORD: ${DB_PASSWORD}
+      KC_HOSTNAME_STRICT: 'false'
+      KC_HTTP_ENABLED: 'true'
+      KC_PROXY: 'passthrough'
+      KEYCLOAK_ADMIN: ${ADMIN_NAME}
+      KEYCLOAK_ADMIN_PASSWORD: ${ADMIN_PASSWORD}
+      JAVA_OPTS_APPEND: "-Djgroups.external_addr=${HOSTNAME} -Djgroups.s3.region_name=${CLUSTER_S3_REGION_NAME} -Djgroups.s3.bucket_name=${CLUSTER_S3_BUCKET_NAME}"
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/auth"]
+      test: ["CMD", "curl", "-f", "http://localhost:8080/auth/health"]
       interval: 20s
       timeout: 10s
       retries: 5
       start_period: 30s
     ports:
       - 8080:8080
-      - 7600:7600
-      - 57600:57600
+      - 7800:7800

infrastructure/docker/keycloak/Dockerfile

@@ -1,16 +1,28 @@
-FROM jboss/keycloak:15.0.2 as base
+FROM quay.io/keycloak/keycloak:20.0.1 as base
+
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+ENV KC_DB=postgres
+ENV KC_HTTP_RELATIVE_PATH=/auth
 
 # Dev
 FROM base as dev
-
-RUN sed -i -e "s%<staticMaxAge>2592000</staticMaxAge>%<staticMaxAge>-1</staticMaxAge>%" /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml && \
-    sed -i -e "s%<cacheThemes>true</cacheThemes>%<cacheThemes>false</cacheThemes>%" /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml && \
-    sed -i -e "s%<cacheTemplates>true</cacheTemplates>%<cacheTemplates>false</cacheTemplates>%" /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start-dev"]
 
 # Build
 FROM base as build
 
-COPY infrastructure/docker/keycloak/JDBC_PING.cli /opt/jboss/tools/cli/jgroups/discovery/JDBC_PING.cli
-COPY themes/sankt-virtual /opt/jboss/keycloak/themes/sankt-virtual
-COPY themes/noiV2 /opt/jboss/keycloak/themes/noiV2
-COPY registration-event-listener/target/registration-event-listener-0.0.1-SNAPSHOT.jar /opt/jboss/keycloak/standalone/deployments/registration-event-listener-0.0.1-SNAPSHOT.jar
+COPY themes/sankt-virtual /opt/keycloak/themes/sankt-virtual
+COPY themes/noiV2 /opt/keycloak/themes/noiV2
+COPY native-s3-ping/target/native-s3-ping-jar-with-dependencies.jar /opt/keycloak/providers/native-s3-ping-jar-with-dependencies.jar
+COPY registration-event-listener/target/registration-event-listener.jar /opt/keycloak/providers/registration-event-listener.jar
+
+RUN /opt/keycloak/bin/kc.sh build
+
+# Prod
+FROM base as prod
+COPY --from=build /opt/keycloak/ /opt/keycloak/
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start", "--optimized"]

infrastructure/terraform/upgrade/all.tfvars

@@ -0,0 +1,7 @@
+target_group_one_ids = {
+  "authupgrade01.testingmachine.eu": "i-0cfe916ad83269e65"
+}
+
+target_group_two_ids = {
+  "authupgrade02.testingmachine.eu": "i-0659d3747c525b8f7"
+}