Merge branch 'development' into 'master'

Merge Development into Master See merge request !40

Merge branch 'development' into 'master'
Merge Development into Master See merge request !40
1161e963 · thomas.shepherd · 5a110d39 · 960c053b · 1161e963 · 1161e963
Commit 1161e963 authored Jun 01, 2021 by thomas.shepherd
8 changed files
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dsop.io
 ARG BASE_IMAGE=ironbank/redhat/openjdk/openjdk11
 ARG BASE_TAG=1.11

-FROM jboss/keycloak:13.0.0 AS builder
+FROM jboss/keycloak:13.0.1 AS builder

 COPY --chown=jboss:root scripts/ /opt/jboss/tools

@@ -14,7 +14,7 @@ RUN ${JBOSS_HOME}/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/remove-datasource
 # This is the base image
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}

-ENV KEYCLOAK_VERSION="13.0.0" \
+ENV KEYCLOAK_VERSION="13.0.1" \
    JDBC_POSTGRES_VERSION="42.2.5" \
    JDBC_MARIADB_VERSION="2.5.4" \
    JDBC_MSSQL_VERSION="8.2.2.jre11" \

--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "opensource/keycloak/keycloak"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
- "13.0.0"
+- "13.0.1"
 - "latest"

 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
  org.opencontainers.image.url: "https://www.keycloak.org"
  ## Name of the distributing entity, organization or individual
  org.opencontainers.image.vendor: "Red Hat"
-  org.opencontainers.image.version: "13.0.0"
+  org.opencontainers.image.version: "13.0.1"
  ## Keywords to help with search (ex. "cicd,gitops,golang")
  mil.dso.ironbank.image.keywords: "auth,idam,sso"
  ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:

 # List of resources to make available to the offline build context
 resources:
- tag: jboss/keycloak:13.0.0
-  url: docker://docker.io/jboss/keycloak@sha256:73080b0af9a91f3ca3a397ee31dc958b7cbd92173c589efa834f5f33e30e4f71
+- tag: jboss/keycloak:13.0.1
+  url: docker://docker.io/jboss/keycloak@sha256:e2a216ff6dc3f9ba88d77132c930f8e15dd50ebca1ead6e21696f61b22f0ee10

 # List of project maintainers
 maintainers:

--- a/renovate.json
+++ b/renovate.json
@@ -18,17 +18,9 @@
      }
    }
  ],
+  "automerge": true,
+  "gitLabAutomerge": true,
  "regexManagers": [
-    {
-      "fileMatch": [
-        "^Dockerfile$"
-      ],
-      "matchStrings": [
-        "version=\"(?<currentValue>.*?)\""
-      ],
-      "depNameTemplate": "jboss/keycloak",
-      "datasourceTemplate": "docker"
-    },
    {
      "fileMatch": [
        "^Dockerfile$"

--- a/scripts/cli/databases/mssql/change-database.cli
+++ b/scripts/cli/databases/mssql/change-database.cli
 /subsystem=datasources/data-source=KeycloakDS: remove()
-/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url="jdbc:sqlserver://${env.DB_ADDR:mssql}:${env.DB_PORT:1433};databaseName=${env.DB_DATABASE:keycloak};sendStringParametersAsUnicode=false;integratedSecurity=false;user=${env.DB_USER:keycloak};password=${env.DB_PASSWORD:password};${env.JDBC_PARAMS:}", driver-name=sqlserver)
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url="jdbc:sqlserver://${env.DB_ADDR:mssql}:${env.DB_PORT:1433};databaseName=${env.DB_DATABASE:keycloak};sendStringParametersAsUnicode=false;${env.JDBC_PARAMS:}", driver-name=sqlserver)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
@@ -7,3 +7,5 @@
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
 /subsystem=datasources/jdbc-driver=sqlserver:add(driver-name=sqlserver,driver-module-name=com.microsoft.sqlserver.jdbc,driver-xa-datasource-class-name=com.microsoft.sqlserver.jdbc.SQLServerXADataSource)
+
+/subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:dbo})
\ No newline at end of file
--- a/scripts/cli/files-plaintext-vault.cli
+++ b/scripts/cli/files-plaintext-vault.cli
@@ -2,5 +2,6 @@ embed-server --server-config=$configuration_file --std-out=discard
 echo ** Adding vault spi **
 /subsystem=keycloak-server/spi=vault/:add
 /subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true,properties={dir => $plaintext_vault_provider_dir})
+/subsystem=keycloak-server/spi=vault:write-attribute(name=default-provider,value=files-plaintext)
 stop-embedded-server

--- a/scripts/cli/jgroups/discovery/JDBC_PING.cli
+++ b/scripts/cli/jgroups/discovery/JDBC_PING.cli
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=jgroups/stack=udp/protocol=PING:remove()
+/subsystem=jgroups/stack=udp/protocol=JDBC_PING:add(add-index=0, data-source=KeycloakDS, properties=$keycloak_jgroups_discovery_protocol_properties)
+
+/subsystem=jgroups/stack=tcp/protocol=MPING:remove()
+/subsystem=jgroups/stack=tcp/protocol=JDBC_PING:add(add-index=0, data-source=KeycloakDS, properties=$keycloak_jgroups_discovery_protocol_properties)
+
+/subsystem=jgroups/channel=ee:write-attribute(name="stack", value=$keycloak_jgroups_transport_stack)
+run-batch
+stop-embedded-server
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -104,6 +104,9 @@ if echo "$@" | grep -E -v -- '-c |-c=|--server-config |--server-config='; then
    SYS_PROPS+=" -c=standalone-ha.xml"
 fi

+# Adding support for JAVA_OPTS_APPEND
+sed -i '$a\\n# Append to JAVA_OPTS. Necessary to prevent some values being omitted if JAVA_OPTS is defined directly\nJAVA_OPTS=\"\$JAVA_OPTS \$JAVA_OPTS_APPEND\"' /opt/jboss/keycloak/bin/standalone.conf
+
 ############
 # DB setup #
 ############
@@ -127,6 +130,9 @@ if [[ -z ${DB_VENDOR:-} ]]; then
        export DB_VENDOR="oracle"
    elif (getent hosts mssql &>/dev/null); then
        export DB_VENDOR="mssql"
+    elif (getent hosts h2 &>/dev/null); then
+        export DB_VENDOR="h2"
+        export DB_ADDR="h2"
    fi
 fi

@@ -142,10 +148,13 @@ if [[ -z ${DB_VENDOR:-} ]]; then
        export DB_VENDOR="oracle"
    elif (printenv | grep '^MSSQL_ADDR=' &>/dev/null); then
        export DB_VENDOR="mssql"
+    elif (printenv | grep '^H2_ADDR=' &>/dev/null); then
+        export DB_VENDOR="h2"
+        export DB_ADDR="h2"
    fi
 fi

-# Default to H2 if DB type not detected
+# Default to Postgres if DB type not detected
 if [[ -z ${DB_VENDOR:-} ]]; then
    export DB_VENDOR="postgres"
 fi
@@ -178,19 +187,28 @@ case "$DB_VENDOR" in
        DB_NAME="MySQL";;
    mariadb)
        DB_NAME="MariaDB";;
+    mssql)
+        DB_NAME="Microsoft SQL Server";;
    oracle)
        DB_NAME="Oracle";;
    h2)
-        DB_NAME="Embedded H2";;
-    mssql)
-        DB_NAME="Microsoft SQL Server";;
+        if [[ -z ${DB_ADDR:-} ]] ; then
+          DB_NAME="Embedded H2"
+        else
+          DB_NAME="H2"
+        fi;;
    *)
        echo "Unknown DB vendor $DB_VENDOR"
        exit 1
 esac

-# Append '?' in the beggining of the string if JDBC_PARAMS value isn't empty
-JDBC_PARAMS=$(echo "${JDBC_PARAMS:-}" | sed '/^$/! s/^/?/')
+if [ "$DB_VENDOR" != "mssql" ] && [ "$DB_VENDOR" != "h2" ]; then
+    # Append '?' in the beginning of the string if JDBC_PARAMS value isn't empty
+    JDBC_PARAMS=$(echo "${JDBC_PARAMS:-}" | sed '/^$/! s/^/?/')
+else
+    JDBC_PARAMS=${JDBC_PARAMS:-}
+fi
+
 export JDBC_PARAMS

 # Convert deprecated DB specific variables
@@ -215,16 +233,21 @@ echo ""
 echo "========================================================================="
 echo ""

-if [ "$DB_VENDOR" != "h2" ]; then
+configured_file="/opt/jboss/configured"
+if [ ! -e "$configured_file" ]; then
+    touch "$configured_file"
+
+    if [ "$DB_NAME" != "Embedded H2" ]; then
      /bin/sh /opt/jboss/tools/databases/change-database.sh $DB_VENDOR
-fi
+    fi
 	
-/opt/jboss/tools/x509.sh
-/opt/jboss/tools/jgroups.sh
-/opt/jboss/tools/infinispan.sh
-/opt/jboss/tools/statistics.sh
-/opt/jboss/tools/autorun.sh
-/opt/jboss/tools/vault.sh
+    /opt/jboss/tools/x509.sh
+    /opt/jboss/tools/jgroups.sh
+    /opt/jboss/tools/infinispan.sh
+    /opt/jboss/tools/statistics.sh
+    /opt/jboss/tools/vault.sh
+    /opt/jboss/tools/autorun.sh
+fi

 ##################
 # Start Keycloak #

--- a/scripts/x509.sh
+++ b/scripts/x509.sh
@@ -41,6 +41,8 @@ function autogenerate_keystores() {

      if [ -f "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" ]; then
        echo "${KEYSTORES[$KEYSTORE_TYPE]} keystore successfully created at: ${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}"
+      else
+        echo "${KEYSTORES[$KEYSTORE_TYPE]} keystore not created at: ${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE} (check permissions?)"
      fi

      echo "set keycloak_tls_keystore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc"
@@ -77,6 +79,8 @@ function autogenerate_keystores() {

    if [ -f "${JKS_TRUSTSTORE_PATH}" ]; then
      echo "Keycloak truststore successfully created at: ${JKS_TRUSTSTORE_PATH}"
+    else
+      echo "Keycloak truststore not created at: ${JKS_TRUSTSTORE_PATH}"
    fi

    # Import existing system CA certificates into the newly generated truststore