integrate direct download of the aws jdbc wrapper

.github/scripts/utils/get_aws_jdbc_wrapper_version.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Script: get_aws_jdbc_wrapper_version.sh
+# Description: Finds the aws jdbc wrapper version of the Keycloak version from the pom.xml
+# Usage: get_aws_jdbc_wrapper_version.sh <keycloak-version>
+
+# Function to extract the first number from a version string
+get_first_number() {
+    echo "$1" | cut -d '.' -f1
+}
+
+# Function to compare version numbers considering only the first number
+version_lt() {
+    [ "$(get_first_number "$1")" -lt "$(get_first_number "$2")" ]
+}
+
+# Keycloak only started to reference the aws_jdbc_wrapper version starting with v24, defaulting to 24 if version is before that
+if version_lt "$1" "24"; then
+    VERSION="24.0.1"
+else
+    VERSION="$1"
+fi
+
+# Fetch the AWS JDBC wrapper version from the pom.xml file
+AWS_JDBC_VERSION="$(curl -s "https://raw.githubusercontent.com/keycloak/keycloak/$VERSION/pom.xml" | awk -F'[><]' '/<aws-jdbc-wrapper.version>/{print $3}')"
+
+echo "$AWS_JDBC_VERSION"

.github/workflows/build-images.yml

@@ -82,6 +82,16 @@ jobs:
           username: "${{ steps.secrets.outputs.DOCKERHUB_USER }}"
           password: "${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}"
 
+      - name: Compute build image variables
+        id: compute-build-image-name-step
+        run: |
+          keycloak_full_version=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1)
+          echo "keycloak_full_version=${keycloak_full_version}"
+
+          aws_jdbc_wrapper="$(.github/scripts/utils/get_aws_jdbc_wrapper_version.sh "$keycloak_full_version" || echo "Error: Cannot get aws jdbc wrapper version for keycloak $keycloak_full_version" && exit 1)"
+          echo "aws_jdbc_wrapper=${aws_jdbc_wrapper}" >> "$GITHUB_ENV"
+          echo "aws_jdbc_wrapper=${aws_jdbc_wrapper}"
+
       - name: Build image using Camunda docker build
         id: build-image-step
         uses: camunda/infra-global-github-actions/build-docker-image@2e3f3018839b8eb99b0dca9a65a9df32dbad2a08 # main
@@ -93,6 +103,7 @@ jobs:
           image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }}
           build_context: "./keycloak-${{ matrix.keycloak_version }}/"
           build_platforms: linux/amd64,linux/arm64
+          build_args: "AWS_JDBC_WRAPPER_VERSION=${{ env.aws_jdbc_wrapper }}"
           extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary"
             type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short
 
@@ -496,7 +507,7 @@ jobs:
         shell: bash
         run: |
           : # extract the base image tag to use it as base tag
-          base_image_tag=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1) && echo "$base_image_tag"
+          base_image_tag=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1)
           echo "base_image_tag=${base_image_tag}"
 
           : # remove keycloak- prefix

DEVELOPER.md

@@ -7,10 +7,17 @@ Welcome to the development reference for Keycloak by Camunda! This document prov
 Building a local image is for development purposes only.
 In production, the pipeline will handle this and build a multi-architecture image using Docker Buildx.
 
-Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute the following command:
+Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute the following commands:
 
 ```bash
-docker build . -t docker.io/camunda/keycloak:24
+# retrieve the aws jdbc wrapper version from the referenced keycloak version
+keycloak_full_version="$(grep "ARG BASE_IMAGE_NAME=.*$1" ./Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}')"
+echo "keycloak_full_version=$keycloak_full_version"
+
+aws_jdbc_wrapper="$(../.github/scripts/utils/get_aws_jdbc_wrapper_version.sh $keycloak_full_version)"
+echo "aws_jdbc_wrapper=$aws_jdbc_wrapper"
+
+docker build . -t "docker.io/camunda/keycloak:$keycloak_full_version" --build-arg "AWS_JDBC_WRAPPER_VERSION=$aws_jdbc_wrapper"
 ```
 
 This Dockerfile includes the necessary dependencies and configurations for AWS Advanced JDBC Wrapper.

keycloak-23/Dockerfile

@@ -3,31 +3,31 @@ ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:23.0.7-debian-12-r3"
 # Note: use the global image digest to make this image platform agnostic (see: https://github.com/camunda/zeebe/pull/14186)
 ARG BASE_IMAGE_DIGEST="sha256:eabfbdd679042f40612388aed560e3e7f809c3d4a04e5755a7cac22c9270e5a5"
 
-FROM docker.io/gradle:jdk17-focal@sha256:17e0c6bec6cb2c7f4240315d7a957c6b9058a5c137c2f8b37760ac327111ce87 as lib
-
-WORKDIR /home/gradle
-
-COPY build.gradle /home/gradle
-
-RUN gradle copyDependencies
+##### FINAL Keycloak IMAGE #####
 
-# Building builder image
 # hadolint ignore=DL3006
-FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
+# leave the values below unset to use the default value at the top of the file
+ARG BASE_IMAGE_NAME
+ARG BASE_IMAGE_DIGEST
 
-COPY --from=lib /home/gradle/lib /opt/bitnami/keycloak/providers
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
 
-WORKDIR /opt/bitnami/keycloak
+# switch back to root to modify scripts
+USER 0
 
-RUN /opt/bitnami/keycloak/bin/kc.sh build
+# download aws-jdbc-wrapper from the official keycloak release
+RUN curl -L "https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" -o "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" && \
+    chown 0666 "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar"
 
+# Patch the image scripts to support custom JDBC driver until https://github.com/bitnami/charts/issues/18808#issuecomment-1866638783 is resolved
+# hadolint ignore=SC2016
+RUN sed -i '/KEYCLOAK_JDBC_PARAMS$/a\    KEYCLOAK_JDBC_DRIVER' /opt/bitnami/scripts/keycloak-env.sh && \
+    sed -i '/^export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"/a \
+KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"\nexport KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-}"' /opt/bitnami/scripts/keycloak-env.sh && \
+    sed -i 's/"jdbc:postgresql:/\"jdbc:${KEYCLOAK_JDBC_DRIVER}:/g' /opt/bitnami/scripts/libkeycloak.sh
 
-##### FINAL Keycloak IMAGE #####
-# hadolint ignore=DL3006
-FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
-# leave the values below unset to use the default value at the top of the file
-ARG BASE_IMAGE_NAME
-ARG BASE_IMAGE_DIGEST
 
 # common, k8s, openshift and OCI labels:
 # OCI: https://github.com/opencontainers/image-spec/blob/main/annotations.md
@@ -37,7 +37,8 @@ LABEL maintainer="Camunda" \
       summary="Keycloak bitnami with AWS wrapper" \
       io.k8s.description="Keycloak bitnami with AWS wrapper." \
       io.k8s.display-name="keycloak" \
-      description="Keycloak bitnami with AWS wrapper." \
+      description="Keycloak bitnami with AWS JDBC wrapper." \
+      jdbc.aws-jdbc-wrapper.version="${AWS_JDBC_WRAPPER_VERSION}" \
       org.opencontainers.image.authors="Camunda" \
       org.opencontainers.image.vendor="Camunda" \
       org.opencontainers.image.documentation="https://hub.docker.com/camunda/keycloak/" \
@@ -59,18 +60,5 @@ LABEL maintainer="Camunda" \
       # org.opencontainers.image.source
       # org.opencontainers.image.version
 
-# Copy the previously built aws jdbc drivers
-COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
-
-# switch back to root to modify scripts
-USER 0
-
-# Patch the image scripts to support custom JDBC driver until https://github.com/bitnami/charts/issues/18808#issuecomment-1866638783 is resolved
-# hadolint ignore=SC2016
-RUN sed -i '/KEYCLOAK_JDBC_PARAMS$/a\    KEYCLOAK_JDBC_DRIVER' /opt/bitnami/scripts/keycloak-env.sh && \
-    sed -i '/^export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"/a \
-KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"\nexport KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-}"' /opt/bitnami/scripts/keycloak-env.sh && \
-    sed -i 's/"jdbc:postgresql:/\"jdbc:${KEYCLOAK_JDBC_DRIVER}:/g' /opt/bitnami/scripts/libkeycloak.sh
-
 # Switch back to unprivileged user
 USER 1001