Feature/no gradle (#44)

Previously, we maintained a gradle.build file with dependency versions.
These dependencies could be updated regularly.
Since version 24 of Keycloak, the Keycloak team has been testing the
integration of Aurora DB with a version of the AWS wrapper referenced
here:
keycloak/keycloak@eadd1c4

To align with what is tested by Keycloak and thus avoid compatibility
issues, this PR makes a modification to the dependency construction.

It retrieves the pom.xml of the Keycloak version, extracts the
referenced version of the AWS wrapper, and then downloads the pom.xml of
the latter and installs all transitive dependencies with Maven (this is
done in the builder step).

A utility script retrieves the version of the wrapper to download from
the version of keycloak.

This PR also includes the removal of the launcher workaround since
bitnami/containers#63945 has been merged.


fixes #43

.github/renovate.json5

@@ -23,7 +23,7 @@
       "groupSlug": "all-non-major-keycloak",
       "matchDatasources": ["docker"],
       "matchFileNames": ["keycloak-*/Dockerfile"],
-      "matchUpdateTypes": ["minor", "patch", "digest", "pin", "pinDigest"],
+      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(:?-(?<compatibility>.+)(?<build>\\d+)-r(?<revision>\\d+))?$",
       "enabled": true,
       "addLabels": ["dependencies", "docker"]
     },
@@ -34,15 +34,5 @@
       "matchUpdateTypes": ["major"],
       "enabled": false
     }
-  ],
-  "customManagers": [
-    {
-      "customType": "regex",
-      "fileMatch": ["build.gradle$"],
-      "matchStrings": [
-        "renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.* (?<currentValue>.*)\\s"
-      ],
-      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
-    }
   ]
 }

.github/scripts/utils/find_latest_keycloak.sh

@@ -5,4 +5,6 @@
 # Description: Finds the latest version of Keycloak from folders prefixed with "keycloak-" in the current directory.
 # Usage: find_latest_keycloak.sh
 
+set -Eeuo pipefail
+
 ls -1d --color=never "$(pwd)"/keycloak-* | tail -n 1 | awk -F'[-/]' '{print $(NF-0)}'

.github/scripts/utils/get_aws_jdbc_wrapper_version.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Script: get_aws_jdbc_wrapper_version.sh
+# Description: Finds the AWS JDBC wrapper version of the Keycloak version from the pom.xml, <keycloak-version> must be formatted as major.minor.patch
+# Usage: get_aws_jdbc_wrapper_version.sh <keycloak-version>
+
+set -Eeuo pipefail
+
+display_help() {
+    echo "Script: get_aws_jdbc_wrapper_version.sh"
+    echo "Description: Finds the AWS JDBC wrapper version of the Keycloak version from the pom.xml"
+    echo "Usage: get_aws_jdbc_wrapper_version.sh <keycloak-version>"
+}
+
+# Check if there is exactly one argument provided
+if [[ $# -ne 1 ]]; then
+    echo "Error: Incorrect number of arguments."
+    display_help
+    exit 1
+fi
+
+keycloak_version="$1"
+
+# Validate keycloak version format (major.minor.patch)
+if ! [[ "$keycloak_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    echo "Error: Invalid keycloak version format. It must be in the format of major.minor.patch."
+    display_help
+    exit 1
+fi
+
+# Function to extract the first number from a version string
+get_major_version() {
+    echo "$keycloak_version" | cut -d '.' -f1
+}
+
+# Keycloak only started to reference the aws_jdbc_wrapper version starting with v24, defaulting a fixed version of the jdbc driver,
+# this check also allow bumping minimal aws_jdbc_wrapper version for critical fixes
+if [[ "$(get_major_version "$keycloak_version")" -lt "25" ]] ; then
+    echo "2.3.5" # fix https://github.com/keycloak/keycloak/issues/27290
+    exit 0
+fi
+
+# Fetch the AWS JDBC wrapper version from the pom.xml file
+AWS_JDBC_VERSION="$(curl -s "https://raw.githubusercontent.com/keycloak/keycloak/$keycloak_version/pom.xml" | awk -F'[><]' '/<aws-jdbc-wrapper.version>/{print $3}')"
+
+if [[ -z "$AWS_JDBC_VERSION" ]]; then
+    echo "Error: Failed to retrieve AWS JDBC version." >&2
+    exit 1
+fi
+
+echo "$AWS_JDBC_VERSION"

.github/workflows/build-images.yml

@@ -82,6 +82,16 @@ jobs:
           username: "${{ steps.secrets.outputs.DOCKERHUB_USER }}"
           password: "${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}"
 
+      - name: Compute build image variables
+        id: compute-build-image-name-step
+        run: |
+          keycloak_full_version=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1) && echo "$keycloak_full_version"
+          echo "keycloak_full_version=${keycloak_full_version}"
+
+          aws_jdbc_wrapper_version="$(.github/scripts/utils/get_aws_jdbc_wrapper_version.sh "$keycloak_full_version" || echo "Error: Cannot get aws jdbc wrapper version for keycloak $keycloak_full_version" && exit 1)" && echo "$aws_jdbc_wrapper_version"
+          echo "aws_jdbc_wrapper_version=${aws_jdbc_wrapper_version}" >> "$GITHUB_ENV"
+          echo "aws_jdbc_wrapper_version=${aws_jdbc_wrapper_version}"
+
       - name: Build image using Camunda docker build
         id: build-image-step
         uses: camunda/infra-global-github-actions/build-docker-image@36867af1a61c2e3cc064cbb6e4615e446b815511 # main
@@ -93,6 +103,8 @@ jobs:
           image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }}
           build_context: "./keycloak-${{ matrix.keycloak_version }}/"
           build_platforms: linux/amd64,linux/arm64
+          build_args: |
+            AWS_JDBC_WRAPPER_VERSION=${{ env.aws_jdbc_wrapper_version }}
           extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary"
             type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short
 
@@ -390,7 +402,7 @@ jobs:
           KEYCLOAK_JDBC_PARAMS: "${{ matrix.runner_desc.keycloak_db_jdbc_query }}"
           KC_DB_DRIVER: "${{ matrix.runner_desc.keycloak_db_driver }}"
 
-          KEYCLOAK_LOG_LEVEL: "DEBUG,software.amazon.jdbc:FINEST"
+          KEYCLOAK_LOG_LEVEL: "INFO,software.amazon.jdbc:FINEST"
 
           COMPOSE_POSTGRES_IMAGE: "public.ecr.aws/docker/library/postgres:${{ env.postgres_version }}"
           COMPOSE_POSTGRES_DEPLOY_REPLICAS: "${{ matrix.runner_desc.postgres_replicas }}"

DEVELOPER.md

@@ -7,10 +7,17 @@ Welcome to the development reference for Keycloak by Camunda! This document prov
 Building a local image is for development purposes only.
 In production, the pipeline will handle this and build a multi-architecture image using Docker Buildx.
 
-Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute the following command:
+Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute the following commands:
 
 ```bash
-docker build . -t docker.io/camunda/keycloak:24
+# retrieve the aws jdbc wrapper version from the referenced keycloak version
+keycloak_full_version="$(grep "ARG BASE_IMAGE_NAME=.*$1" ./Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}')"
+echo "keycloak_full_version=$keycloak_full_version"
+
+aws_jdbc_wrapper_version="$(../.github/scripts/utils/get_aws_jdbc_wrapper_version.sh $keycloak_full_version)"
+echo "aws_jdbc_wrapper_version=$aws_jdbc_wrapper_version"
+
+docker build . -t "docker.io/camunda/keycloak:$keycloak_full_version" --build-arg "AWS_JDBC_WRAPPER_VERSION=$aws_jdbc_wrapper_version"
 ```
 
 This Dockerfile includes the necessary dependencies and configurations for AWS Advanced JDBC Wrapper.
@@ -40,7 +47,7 @@ When adding a new version of Keycloak, follow these steps:
 4. **Final Image Tags:**
    - The final image will have the following tags:
      - `camunda/keycloak:24` (mutable - triggered by any change in the base image of Keycloak)
-     - `camunda/keycloak:24.0.1-1` (mutable - triggered by any change not part of the base image of Keycloak, e.g., gradle dependencies)
+     - `camunda/keycloak:24.0.1-1` (mutable - triggered by any change not part of the base image of Keycloak)
      - `camunda/keycloak:24.0.1-1-${date in yyyy-mm-dd-xxx format}` (immutable, recommended for production usage)
 
 Following these steps ensures a smooth integration of new Keycloak versions, consistent testing across the development environment, and easy access to the latest version. Happy coding!

keycloak-23/Dockerfile

@@ -1,34 +1,48 @@
-ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:23.0.7-debian-12-r3"
+ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:23.0.7-debian-12-r4"
 # List of all available images with associated sha: https://hub.docker.com/r/bitnami/keycloak/tags
 # Note: use the global image digest to make this image platform agnostic (see: https://github.com/camunda/zeebe/pull/14186)
-ARG BASE_IMAGE_DIGEST="sha256:eabfbdd679042f40612388aed560e3e7f809c3d4a04e5755a7cac22c9270e5a5"
+ARG BASE_IMAGE_DIGEST="sha256:c4a2bf092d1afeac972d5f66db58e431d3fb53beedde18b7f54e45c37f5d1be5"
 
-FROM docker.io/gradle:jdk17-focal@sha256:17e0c6bec6cb2c7f4240315d7a957c6b9058a5c137c2f8b37760ac327111ce87 as lib
+# Building builder image
+# hadolint ignore=DL3006
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
 
-WORKDIR /home/gradle
+USER 0
 
-COPY build.gradle /home/gradle
+# install maven (silence alert about version pinning of maven)
+# hadolint ignore=DL3008
+RUN mkdir /home/keycloak && chown keycloak /home/keycloak && \
+    apt-get update && apt-get install maven -y --no-install-recommends
 
-RUN gradle copyDependencies
+USER 1001
 
-# Building builder image
-# hadolint ignore=DL3006
-FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder
+WORKDIR /home/keycloak
 
-COPY --from=lib /home/gradle/lib /opt/bitnami/keycloak/providers
+# download the wrapper from github, then fetch the dependencies from maven
+ADD --chown=1001 "https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar"
+ADD --chown=1001 "https://repo1.maven.org/maven2/software/amazon/jdbc/aws-advanced-jdbc-wrapper/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.pom" /home/keycloak/pom.xml
 
-WORKDIR /opt/bitnami/keycloak
+RUN cat /home/keycloak/pom.xml && mvn install && \
+    cp /home/keycloak/.m2/repository/software/amazon/awssdk/*/*/*.jar /opt/bitnami/keycloak/providers/
 
 RUN /opt/bitnami/keycloak/bin/kc.sh build
 
-
 ##### FINAL Keycloak IMAGE #####
+
 # hadolint ignore=DL3006
 FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
 # leave the values below unset to use the default value at the top of the file
 ARG BASE_IMAGE_NAME
 ARG BASE_IMAGE_DIGEST
 
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
+
+# Copy the previously built aws jdbc drivers
+COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
+
 # common, k8s, openshift and OCI labels:
 # OCI: https://github.com/opencontainers/image-spec/blob/main/annotations.md
 # OCP: https://docs.openshift.com/container-platform/4.10/openshift_images/create-images.html#defining-image-metadata
@@ -37,7 +51,8 @@ LABEL maintainer="Camunda" \
       summary="Keycloak bitnami with AWS wrapper" \
       io.k8s.description="Keycloak bitnami with AWS wrapper." \
       io.k8s.display-name="keycloak" \
-      description="Keycloak bitnami with AWS wrapper." \
+      description="Keycloak bitnami with AWS JDBC wrapper." \
+      jdbc.aws-jdbc-wrapper.version="${AWS_JDBC_WRAPPER_VERSION}" \
       org.opencontainers.image.authors="Camunda" \
       org.opencontainers.image.vendor="Camunda" \
       org.opencontainers.image.documentation="https://hub.docker.com/camunda/keycloak/" \
@@ -58,19 +73,3 @@ LABEL maintainer="Camunda" \
       # org.opencontainers.image.revision
       # org.opencontainers.image.source
       # org.opencontainers.image.version
-
-# Copy the previously built aws jdbc drivers
-COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
-
-# switch back to root to modify scripts
-USER 0
-
-# Patch the image scripts to support custom JDBC driver until https://github.com/bitnami/charts/issues/18808#issuecomment-1866638783 is resolved
-# hadolint ignore=SC2016
-RUN sed -i '/KEYCLOAK_JDBC_PARAMS$/a\    KEYCLOAK_JDBC_DRIVER' /opt/bitnami/scripts/keycloak-env.sh && \
-    sed -i '/^export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"/a \
-KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"\nexport KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-}"' /opt/bitnami/scripts/keycloak-env.sh && \
-    sed -i 's/"jdbc:postgresql:/\"jdbc:${KEYCLOAK_JDBC_DRIVER}:/g' /opt/bitnami/scripts/libkeycloak.sh
-
-# Switch back to unprivileged user
-USER 1001