From 0c5c7ae445374d7f9e16bef9651dd39f9a4f5cdb Mon Sep 17 00:00:00 2001
From: leiicamundi <153937047+leiicamundi@users.noreply.github.com>
Date: Thu, 21 Mar 2024 16:55:36 +0100
Subject: [PATCH] integrate direct download of the aws jdbc wrapper
---
.../utils/get_aws_jdbc_wrapper_version.sh | 27 ++++++++++
.github/workflows/build-images.yml | 13 ++++-
DEVELOPER.md | 11 +++-
keycloak-23/Dockerfile | 52 +++++++------------
keycloak-23/build.gradle | 36 -------------
5 files changed, 68 insertions(+), 71 deletions(-)
create mode 100755 .github/scripts/utils/get_aws_jdbc_wrapper_version.sh
delete mode 100644 keycloak-23/build.gradle
diff --git a/.github/scripts/utils/get_aws_jdbc_wrapper_version.sh b/.github/scripts/utils/get_aws_jdbc_wrapper_version.sh
new file mode 100755
index 00000000..4bbf4145
--- /dev/null
+++ b/.github/scripts/utils/get_aws_jdbc_wrapper_version.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Script: get_aws_jdbc_wrapper_version.sh
+# Description: Finds the aws jdbc wrapper version of the Keycloak version from the pom.xml
+# Usage: get_aws_jdbc_wrapper_version.sh
+
+# Function to extract the first number from a version string
+get_first_number() {
+ echo "$1" | cut -d '.' -f1
+}
+
+# Function to compare version numbers considering only the first number
+version_lt() {
+ [ "$(get_first_number "$1")" -lt "$(get_first_number "$2")" ]
+}
+
+# Keycloak only started to reference the aws_jdbc_wrapper version starting with v24, defaulting to 24 if version is before that
+if version_lt "$1" "24"; then
+ VERSION="24.0.1"
+else
+ VERSION="$1"
+fi
+
+# Fetch the AWS JDBC wrapper version from the pom.xml file
+AWS_JDBC_VERSION="$(curl -s "https://raw.githubusercontent.com/keycloak/keycloak/$VERSION/pom.xml" | awk -F'[><]' '//{print $3}')"
+
+echo "$AWS_JDBC_VERSION"
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
index 7dd094d6..0e747dcd 100644
--- a/.github/workflows/build-images.yml
+++ b/.github/workflows/build-images.yml
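Review bot: Nothing in get_aws_jdbc_wrapper_version.sh checks that the lookup succeeded, although its output becomes a build argument and part of a download URL: `curl -s` without `-f` returns 0 on an HTTP 404 and the script always exits 0, so an empty or unexpected string is passed on silently. The awk program as shown on this page has an empty pattern (`//`), which matches every line of the pom; the property name may have been lost in rendering, so confirm it selects exactly one element. A missing or non-numeric `$1` makes the `-lt` test in `version_lt` error out and fall through to the else branch with that value. I would make the script fail closed with strict mode, `curl -fsSL`, and a format check on the result before it is printed.

```shell
set -euo pipefail

# … unchanged: get_first_number, version_lt, VERSION selection …

# -f turns an HTTP error into a non-zero exit instead of an error page on stdout
pom="$(curl -fsSL "https://raw.githubusercontent.com/keycloak/keycloak/$VERSION/pom.xml")"
# … unchanged: awk extraction into AWS_JDBC_VERSION, now reading from "$pom" …

# refuse to print anything that is not a plain dotted version number
if ! [[ "$AWS_JDBC_VERSION" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then
    echo "Error: could not determine aws jdbc wrapper version for keycloak $VERSION" >&2
    exit 1
fi
```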
@@ -82,6 +82,16 @@ jobs: username: "${{ steps.secrets.outputs.DOCKERHUB_USER }}" password: "${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}" + - name: Compute build image variables + id: compute-build-image-name-step + run: | + keycloak_full_version=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1) + echo "keycloak_full_version=${keycloak_full_version}" + + aws_jdbc_wrapper="$(.github/scripts/utils/get_aws_jdbc_wrapper_version.sh "$keycloak_full_version" || echo "Error: Cannot get aws jdbc wrapper version for keycloak $keycloak_full_version" && exit 1)" + echo "aws_jdbc_wrapper=${aws_jdbc_wrapper}" >> "$GITHUB_ENV" + echo "aws_jdbc_wrapper=${aws_jdbc_wrapper}" + - name: Build image using Camunda docker build id: build-image-step uses: camunda/infra-global-github-actions/build-docker-image@2e3f3018839b8eb99b0dca9a65a9df32dbad2a08 # main @@ -93,6 +103,7 @@ jobs: image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }} build_context: "./keycloak-${{ matrix.keycloak_version }}/" build_platforms: linux/amd64,linux/arm64 + build_args: "AWS_JDBC_WRAPPER_VERSION=${{ env.aws_jdbc_wrapper }}" extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary" type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short 
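Review bot: In the new "Compute build image variables" step, both command substitutions end in `|| echo "Error: …" && exit 1`, which bash groups as `(pipeline || echo) && exit 1`, so `exit 1` runs inside the substitution whether or not the lookup worked, and the error text is written to stdout and therefore captured into the variable. The pipeline's status is that of the trailing `awk`, so a Dockerfile line that `grep` does not match is never reported either, and `$1` is not set in a workflow `run:` block. The same construct is in the `base_image_tag=` line of the @@ -496 hunk, where this commit removes the trailing `&& echo` from the assignment; if the step runs with errexit, the bare assignment's non-zero status would now abort it. I would capture first and test afterwards, e.g. `[ -n "$keycloak_full_version" ] || { echo "Error: image tag not found in Dockerfile" >&2; exit 1; }`. The same check belongs on `aws_jdbc_wrapper` before it is written to `$GITHUB_ENV` and handed to the build as `AWS_JDBC_WRAPPER_VERSION` in the @@ -93 hunk.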
@@ -496,7 +507,7 @@ jobs: shell: bash run: | : # extract the base image tag to use it as base tag - base_image_tag=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1) && echo "$base_image_tag" + base_image_tag=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1) echo "base_image_tag=${base_image_tag}" : # remove keycloak- prefix diff --git a/DEVELOPER.md b/DEVELOPER.md index 10711410..7956784e 100644 --- a/DEVELOPER.md +++ b/DEVELOPER.md @@ -7,10 +7,17 @@ Welcome to the development reference for Keycloak by Camunda! This document prov Building a local image is for development purposes only. In production, the pipeline will handle this and build a multi-architecture image using Docker Buildx. -Navigate to the `keycloak-` (e.g. `keycloak-24`) directory and execute the following command: +Navigate to the `keycloak-` (e.g. `keycloak-24`) directory and execute the following commands: ```bash -docker build . -t docker.io/camunda/keycloak:24 +# retrieve the aws jdbc wrapper version from the referenced keycloak version +keycloak_full_version="$(grep "ARG BASE_IMAGE_NAME=.*$1" ./Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}')" +echo "keycloak_full_version=$keycloak_full_version" + +aws_jdbc_wrapper="$(../.github/scripts/utils/get_aws_jdbc_wrapper_version.sh $keycloak_full_version)" +echo "aws_jdbc_wrapper=$aws_jdbc_wrapper" + +docker build . -t "docker.io/camunda/keycloak:$keycloak_full_version" --build-arg "AWS_JDBC_WRAPPER_VERSION=$aws_jdbc_wrapper" ``` This Dockerfile includes the necessary dependencies and configurations for AWS Advanced JDBC Wrapper. diff --git a/keycloak-23/Dockerfile b/keycloak-23/Dockerfile index 786be562..511c02bf 100644 
--- a/keycloak-23/Dockerfile
+++ b/keycloak-23/Dockerfile
@@ -3,31 +3,31 @@ ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:23.0.7-debian-12-r3" # Note: use the global image digest to make this image platform agnostic (see: https://github.com/camunda/zeebe/pull/14186) ARG BASE_IMAGE_DIGEST="sha256:eabfbdd679042f40612388aed560e3e7f809c3d4a04e5755a7cac22c9270e5a5" -FROM docker.io/gradle:jdk17-focal@sha256:17e0c6bec6cb2c7f4240315d7a957c6b9058a5c137c2f8b37760ac327111ce87 as lib - -WORKDIR /home/gradle - -COPY build.gradle /home/gradle - -RUN gradle copyDependencies +##### FINAL Keycloak IMAGE ##### -# Building builder image # hadolint ignore=DL3006 -FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder +FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} +# leave the values below unset to use the default value at the top of the file +ARG BASE_IMAGE_NAME +ARG BASE_IMAGE_DIGEST -COPY --from=lib /home/gradle/lib /opt/bitnami/keycloak/providers +# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time +ARG AWS_JDBC_WRAPPER_VERSION -WORKDIR /opt/bitnami/keycloak +# switch back to root to modify scripts +USER 0 -RUN /opt/bitnami/keycloak/bin/kc.sh build +# download aws-jdbc-wrapper from the official keycloak release +RUN curl -L "https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" -o "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" && \ + chown 0666 "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" +# Patch the image scripts to support custom JDBC driver until https://github.com/bitnami/charts/issues/18808#issuecomment-1866638783 is resolved +# hadolint ignore=SC2016 +RUN sed -i '/KEYCLOAK_JDBC_PARAMS$/a\ KEYCLOAK_JDBC_DRIVER' /opt/bitnami/scripts/keycloak-env.sh && \ + sed -i '/^export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"/a \ 
+KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"\nexport KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-}"' /opt/bitnami/scripts/keycloak-env.sh && \ + sed -i 's/"jdbc:postgresql:/\"jdbc:${KEYCLOAK_JDBC_DRIVER}:/g' /opt/bitnami/scripts/libkeycloak.sh -##### FINAL Keycloak IMAGE ##### -# hadolint ignore=DL3006 -FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} -# leave the values below unset to use the default value at the top of the file -ARG BASE_IMAGE_NAME -ARG BASE_IMAGE_DIGEST # common, k8s, openshift and OCI labels: # OCI: https://github.com/opencontainers/image-spec/blob/main/annotations.md @@ -37,7 +37,8 @@ LABEL maintainer="Camunda" \ summary="Keycloak bitnami with AWS wrapper" \ io.k8s.description="Keycloak bitnami with AWS wrapper." \ io.k8s.display-name="keycloak" \ - description="Keycloak bitnami with AWS wrapper." \ + description="Keycloak bitnami with AWS JDBC wrapper." \ + jdbc.aws-jdbc-wrapper.version="${AWS_JDBC_WRAPPER_VERSION}" \ org.opencontainers.image.authors="Camunda" \ org.opencontainers.image.vendor="Camunda" \ org.opencontainers.image.documentation="https://hub.docker.com/camunda/keycloak/" \ 
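Review bot: The added `RUN curl -L …` in the @@ -3,31 hunk places a JAR into `/opt/bitnami/keycloak/providers` with no integrity check, and without `-f` an HTTP error page would be saved under the `.jar` name while the build still succeeds. The follow-up `chown 0666` changes the file's owner to UID 666 rather than its mode; `chmod 0644` looks like what was intended, and a world-writable provider JAR would not be wanted in any case. `AWS_JDBC_WRAPPER_VERSION` has no default, so a build without the argument requests a malformed URL, and failing early on an empty value is cheap. The comment above the ARG names `get_aws_wrapper_version.sh`, while the script added by this commit is `get_aws_jdbc_wrapper_version.sh`. A sketch with a pinned digest follows; `AWS_JDBC_WRAPPER_SHA256` is a placeholder name for a value the pipeline would have to supply alongside the version.

```dockerfile
ARG AWS_JDBC_WRAPPER_VERSION
# expected SHA-256 of the release jar (placeholder name, to be passed at build time)
ARG AWS_JDBC_WRAPPER_SHA256

# … unchanged: USER 0 …

# download aws-jdbc-wrapper from the awslabs release and verify it before it becomes a provider
RUN : "${AWS_JDBC_WRAPPER_VERSION:?AWS_JDBC_WRAPPER_VERSION build arg is required}" && \
    jar="/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" && \
    curl -fsSL "https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" -o "$jar" && \
    echo "${AWS_JDBC_WRAPPER_SHA256}  ${jar}" | sha256sum -c - && \
    chmod 0644 "$jar"

# … unchanged: sed patches of keycloak-env.sh and libkeycloak.sh …
```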
@@ -59,18 +60,5 @@ LABEL maintainer="Camunda" \ # org.opencontainers.image.source # org.opencontainers.image.version -# Copy the previously built aws jdbc drivers -COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/ - -# switch back to root to modify scripts -USER 0 - -# Patch the image scripts to support custom JDBC driver until https://github.com/bitnami/charts/issues/18808#issuecomment-1866638783 is resolved -# hadolint ignore=SC2016 -RUN sed -i '/KEYCLOAK_JDBC_PARAMS$/a\ KEYCLOAK_JDBC_DRIVER' /opt/bitnami/scripts/keycloak-env.sh && \ - sed -i '/^export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"/a \ -KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"\nexport KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-}"' /opt/bitnami/scripts/keycloak-env.sh && \ - sed -i 's/"jdbc:postgresql:/\"jdbc:${KEYCLOAK_JDBC_DRIVER}:/g' /opt/bitnami/scripts/libkeycloak.sh - # Switch back to unprivileged user USER 1001 diff --git a/keycloak-23/build.gradle b/keycloak-23/build.gradle deleted file mode 100644 index 385b2aed..00000000 --- a/keycloak-23/build.gradle +++ /dev/null 
@@ -1,36 +0,0 @@ -apply plugin: 'groovy' - -repositories { - mavenCentral() -} - -// renovate: datasource=github-tags depName=awslabs/aws-advanced-jdbc-wrapper -def jdbcversion = '2.3.5' // set to latest version of aws-advanced-jdbc-wrapper package -// renovate: datasource=github-tags depName=aws/aws-sdk-java-v2 -def awsSdkVersion = '2.25.14' // set to latest version of software.amazon.awssdk - -dependencies { - implementation group: 'software.amazon.jdbc', name: 'aws-advanced-jdbc-wrapper', version: jdbcversion - implementation group: 'software.amazon.awssdk', name: 'apache-client', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'auth', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'aws-core', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'aws-json-protocol', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'endpoints-spi', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'http-client-spi', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'json-utils', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'metrics-spi', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'profiles', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'rds', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'regions', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'sdk-core', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'sts', version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'third-party-jackson-core', 
version: awsSdkVersion - implementation group: 'software.amazon.awssdk', name: 'utils', version: awsSdkVersion -} - -task copyDependencies(type: Copy) { - from configurations.runtimeClasspath - into "lib" -}