How to update the Keycloak Package chart💣
Big Bang makes modifications to the upstream Codecentric helm chart. The upstream Keycloak image from IronBank is used in conjuction with a custom Keycloak plugin. The custom P1 plugin contains custom authz and authn code, custom self-registration theme, and automatic joining of groups based on certian registration information like the use of a DoD CAC. The plugin code is hosted at https://repo1.dso.mil/platform-one/big-bang/apps/product-tools/keycloak-p1-auth-plugin. Eventually the Platform One custom plugin artifact will be hosted in Iron Bank registry1.dso.mil.
- Read release notes from upstream Keycloak documentation. Be aware of changes that are included in the upgrade. Take note of any manual upgrade steps that customers might need to perform, if any.
- Be aware that there are currently two versions of Keycloak. One is the legacy version that uses Wildfly for the application server. The other version is the new one using Quarkus. Big Bang has migrated to the new Quarkus version. The images in Iron Bank have tag without the “legacy”
X.X.X
. - Do diff of upstream chart between old and new release tags to become aware of any significant chart changes.
- Create a development branch and merge request from the Keycloak issue.
- Merge/Sync the new helm chart with the existing Keycloak package code. A graphical diff application like Meld is useful. Reference the “Modifications made to upstream chart” section below. Be careful not to overwrite Big Bang Package changes that need to be kept.
- Run a helm dependency command to update the chart/charts/*.tgz archives and create a new requirements.lock file. You will commit the tar archives along with the requirements.lock that was generated.
export HELM_EXPERIMENTAL_OCI=1 helm dependency update ./chart
- Update /CHANGELOG.md with an entry for “upgrade Keycloak to app version X.X.X-legacy chart version X.X.X-bb.X”. Or, whatever description is appropriate.
- Update /chart/Chart.yaml to the appropriate versions.
version: XX.X.X-bb.X appVersion: XX.X.X-legacy dependencies: - name: gluon version: "X.X.X" annotations: bigbang.dev/applicationVersions: | - Keycloak: XX.X.X-legacy - PlatformOne Plugin: X.X.X
- Update the /README.md following the gluon library script. You should update the README again at the end to pick up any additional chart changes you make during development testing.
- A custom Keycloak image is no longer used. Instead a plugin image is created and volume mounted into k8s. This Keycloak package chart uses the IronBank image.
- If you are upgrading the Keycloak version follow instructions in the P1 plugin repo to upgrade the custom plugin.
- Test the plugin changes locally using the docker-compose local dev environment.
- Test the admin console
- Test the custom user forms
- https://keycloak.bigbang.dev:8443/auth/realms/baby-yoda/account/
- https://keycloak.bigbang.dev:8443/auth/realms/baby-yoda/account/password
- https://keycloak.bigbang.dev:8443/auth/realms/baby-yoda/account/totp
- https://keycloak.bigbang.dev:8443/register
- Test registring a user with CAC. Verify that the user is automatically added to IL2 group. Test login from the account page.
- Test registring a regular user with username and password. Test login at the account page with OTP.
- Build and publish a plugin image to the Big Bang Keycloak container registry using the instructions in the P1 plugin repo. The image label should have “test” in the name like this
test-X.X.X
. - Use a full k8s deployment to test Keycloak, the custom plugin, and end-to-end SSO. See next section.
- After all testing search all the documentation and update any old Keycloak and plugin version numbers.
- Make an official semver release tag in the p1 plugin repo and monitor the mirrored Party Bus IL2 pipeline to make sure it passes.
- After all testing locally and k8s testing with a BigBang deployment has been completed publish an official plugin image in IronBank. The order that things should happen with BigBang MRs, BigBang release, and publishing plugin image in IronBank is still unclear. Brief instructions for IronBank pipeline maintenance:
- The PartyBus IL2 MDO pipeline publishes the p1-keycloak-plugin-X.X.X.jar artifact back to the P1 Keycloak Package Registry. If PartyBus IL2 MDO pipeline is failing for reasons outside of our control, worst case, we can manualy publish to the plugin package registry. The BigBang MR will need the
tests/test-values.yaml
updated to use the new plugin init-container tag. The test values can use the image that was created in Big Bang Keycloak container registry](https://repo1.dso.mil/platform-one/big-bang/apps/product-tools/keycloak-p1-auth-plugin/container_registry/). There is no need to use the IronBank plugin image for the test values. - At the IronBank repo create a new issue with template “application update”
- Create a branch and MR from the issue.
- update hardening_manifest.yaml
- the tag version
- the label org.opencontainers.image.version
- resources.url
- resources.validation.value (use sha256sum to get the hash value)
- commit and push code changes
- Verify that pipline passes
- Complete checkbox items in the issue. You will need to request VAT “Vendor Contributor” access if there are any new findings that need justification.
- Monitor the issue to make sure it keeps moving.
Testing new Keycloak version with custom P1 plugin.💣
- Create a k8s dev environment. One option is to use the Big Bang k3d-dev.sh with the
-m
for metalLB so that k3d can support multiple ingress gateways. The following steps assume you are using the script. - Follow all of the instructions at the end of the script to connect to and use the remote k3d cluster.
- Deploy Big Bang with only istio-operator, istio, gitlab, sonarqube, and Mattermost enabled. Need to test both OIDC and SAML end-to-end SSO. Gitlab uses OIDC and Sonarqube uses SAML. Mattermost is included in the end-to-end testing because it has some unique SSO configuration that should be tested. Deploy BigBang using the following example helm command and the provided example big bang values override. Change the plugin image label to use your test plugin image. Hint: search for “X.X.X” in the example values file.
helm upgrade -i bigbang ./chart -n bigbang --create-namespace -f ../overrides/keycloak-bigbang-values.yaml -f ../overrides/registry-values.yaml -f ./chart/ingress-certs.yaml
- For end-to-end SSO testing there needs to be DNS for Keycloak. In a k3d dev environment there is no DNS so you must do a dev hack and edit the configmap “coredns-xxxxxxxx”. Under NodeHosts add a host for keycloak.bigbang.dev.
kubectl get cm -n kube-system
kubectl edit cm coredns -n kube-system
The IP for the passthrough ingress gateway in a k3d environment created by the dev script will be 172.20.1.240. Like this
yaml
NodeHosts:|
<nil> host.k3d.internal
172.20.0.2 k3d-k3s-default-agent-0
172.20.0.5 k3d-k3s-default-agent-1
172.20.0.4 k3d-k3s-default-agent-2
172.20.0.3 k3d-k3s-default-server-0
172.20.0.6 k3d-k3s-default-serverlb
172.20.1.240 keycloak.bigbang.dev
- Restart the coredns pod so that it picks up the new configmap.
kubectl get pods -A
kubectl delete pod <coredns pod> -n kube-system
- Sonarqube needs an extra configuration step for SSO to work because it uses SAML. The values override
addons.sonarqube.sso.certificate
needs to be updated with the Keycloak realm certificate. When Keycloak finishes installing login to the admin console Keycloak with default credentialsadmin/password
. Navigate to Realm Settings >> Keys. On the RS256 row click on theCertificate
button and copy the certificate text as a single line string and paste it into youraddons.sonarqube.sso.certificate
value. Run anotherhelm upgrade
command and watch for Sonarqube to update. - In a browser load
https://keycloak.bigbang.dev
and register a test user. You should register yourself with CAC and also a non-CAC test.user with just user and password with OTP. Both flows need to be tested. - Then go back to
https://keycloak.bigbang.dev/auth/admin
and login to the admin console with the default credentialsadmin/password
- Navigate to users, click “View all users” button and edit the test users that you created. Set “Email Verified” ON. Remove the verify email “Required User Actions”. Click “Save” button.
- Test end-to-end SSO with Gitlab and Sonarqube with your CAC user and the other test user.
- Test the custom user forms to make sure all the fields are working
- https://keycloak.bigbang.dev/auth/realms/baby-yoda/account/
- https://keycloak.bigbang.dev/auth/realms/baby-yoda/account/password
- https://keycloak.bigbang.dev/auth/realms/baby-yoda/account/totp
- https://keycloak.bigbang.dev/register
- Occasionally the DoD certificate authorities will need to be updated. Follow the instructions at
/scripts/certs/README.md
and copy the newtruststore.jks
to ./chart/resources/dev and to https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/tree/18.3.0-bb.1/development/certs](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/tree/18.3.0-bb.1/development/certs) . You might have to edit the/scripts/certs/dod_cas_to_pem.sh
to update to the most recent published certs but it usually points to the latest archive.
Modifications made to upstream chart💣
This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.
chart/values.yaml💣
- disable all internal services other than postgres
- add BigBang additional values at bottom of values.yaml
- add IronBank hardened image
- add default argument of “-b 0.0.0.0” to bind to localhost
- Add IronBank postgresql12 image for dev/CI development/testing
- and other miscellaneous change. Diff with previous version to find all changes
- modify pgchecker image to ironbank postgres image
chart/charts/*.tgz💣
- run
helm dependency update
and commit the downloaded archives - also commit the requirements.lock file so that air-gap deployments don’t try to check for updates
chart/Chart.lock💣
- Chart.lock is updated during
helm dependency update
with the gluon library & postgresql dependency
chart/templates/secrets.yaml💣
- Modified to support templating of the data key so that the keycloak chart can be used to create secret for the truststore.jks binary.
chart/templates/service-http.yaml💣
- Quarkus migration: remove http-management port 9990 yaml block. Removed 7 lines near line 50
chart/templates/servicemonitor.yaml💣
- added support for Istio mTLS in the endpoints lines 37-43
chart/templates/StatefulSet.yaml💣
- add extraVolumesBigBang (lines 196-189)
- add extraVolumeMountsBigBang (lines 146-148)
- modify pgchecker initContainer (lines 54-64)
- Quarkus migration: change database environment variable names (lines 89-99)
- Quarkus migration: remove http-management port 9990 yaml block. Removed 3 lines near line 118
chart/templates/bigbang/*💣
- add istio virtual service
- add NetworkPolicies to restrict traffic
chart/resources/💣
- add /dev directory to hold the the baby-yoda configuration files
- add the DoD certificate bundle pem file
chart/tests💣
- add directory with cypress test files
chart/templates/tests (this is separate from the upstream templates/test directory)💣
- add helm template to add support for the helm test library
chart/Chart.yaml💣
- update the chart version with the bigbang
-bb.#
- update app version when not the same as the original chart
- add gluon library dependency
- Update postgresql dependency for local source
- add annotations for release automation
chart/Kptfile💣
- file created when kpt was used to download the upstream chart
chart/scripts/keycloak.cli💣
- Quarkus migration: Delete this Wildfly startup config.
chart/deps/postgresql💣
- Upstream bitnami postgresql chart - modified for Iron Bank Postgresql 12.9 runtime.
- Update security context for user:group 26:26
chart/deps/postgresql/templates/statefulset.yaml💣
- commented out existing
-if -else
securityContext and replaced with {{- toYaml $.Values.postgesql.containerSecurityContext | nindent 12 }}