Feature/no gradle

.github/renovate.json5

@@ -23,7 +23,7 @@
       "groupSlug": "all-non-major-keycloak",
       "matchDatasources": ["docker"],
       "matchFileNames": ["keycloak-*/Dockerfile"],
-      "matchUpdateTypes": ["minor", "patch", "digest", "pin", "pinDigest"],
+      "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(:?-(?<compatibility>.+)(?<build>\\d+)-r(?<revision>\\d+))?$",
       "enabled": true,
       "addLabels": ["dependencies", "docker"]
     },
@@ -34,15 +34,5 @@
       "matchUpdateTypes": ["major"],
       "enabled": false
     }
-  ],
-  "customManagers": [
-    {
-      "customType": "regex",
-      "fileMatch": ["build.gradle$"],
-      "matchStrings": [
-        "renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.* (?<currentValue>.*)\\s"
-      ],
-      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
-    }
   ]
 }

.github/scripts/utils/find_latest_keycloak.sh

@@ -5,4 +5,6 @@
 # Description: Finds the latest version of Keycloak from folders prefixed with "keycloak-" in the current directory.
 # Usage: find_latest_keycloak.sh
 
+set -Eeuo pipefail
+
 ls -1d --color=never "$(pwd)"/keycloak-* | tail -n 1 | awk -F'[-/]' '{print $(NF-0)}'

.github/scripts/utils/get_aws_jdbc_wrapper_version.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Script: get_aws_jdbc_wrapper_version.sh
+# Description: Finds the AWS JDBC wrapper version of the Keycloak version from the pom.xml, <keycloak-version> must be formatted as major.minor.patch
+# Usage: get_aws_jdbc_wrapper_version.sh <keycloak-version>
+
+set -Eeuo pipefail
+
+display_help() {
+    echo "Script: get_aws_jdbc_wrapper_version.sh"
+    echo "Description: Finds the AWS JDBC wrapper version of the Keycloak version from the pom.xml"
+    echo "Usage: get_aws_jdbc_wrapper_version.sh <keycloak-version>"
+}
+
+# Check if there is exactly one argument provided
+if [[ $# -ne 1 ]]; then
+    echo "Error: Incorrect number of arguments."
+    display_help
+    exit 1
+fi
+
+keycloak_version="$1"
+
+# Validate keycloak version format (major.minor.patch)
+if ! [[ "$keycloak_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    echo "Error: Invalid keycloak version format. It must be in the format of major.minor.patch."
+    display_help
+    exit 1
+fi
+
+# Function to extract the first number from a version string
+get_major_version() {
+    echo "$keycloak_version" | cut -d '.' -f1
+}
+
+# Keycloak only started to reference the aws_jdbc_wrapper version starting with v24, defaulting a fixed version of the jdbc driver,
+# this check also allow bumping minimal aws_jdbc_wrapper version for critical fixes
+if [[ "$(get_major_version "$keycloak_version")" -lt "25" ]] ; then
+    echo "2.3.5" # fix https://github.com/keycloak/keycloak/issues/27290
+    exit 0
+fi
+
+# Fetch the AWS JDBC wrapper version from the pom.xml file
+AWS_JDBC_VERSION="$(curl -s "https://raw.githubusercontent.com/keycloak/keycloak/$keycloak_version/pom.xml" | awk -F'[><]' '/<aws-jdbc-wrapper.version>/{print $3}')"
+
+if [[ -z "$AWS_JDBC_VERSION" ]]; then
+    echo "Error: Failed to retrieve AWS JDBC version." >&2
+    exit 1
+fi
+
+echo "$AWS_JDBC_VERSION"

.github/workflows/build-images.yml

@@ -82,6 +82,16 @@ jobs:
           username: "${{ steps.secrets.outputs.DOCKERHUB_USER }}"
           password: "${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}"
 
+      - name: Compute build image variables
+        id: compute-build-image-name-step
+        run: |
+          keycloak_full_version=$(grep "ARG BASE_IMAGE_NAME=.*$1" keycloak-${{ matrix.keycloak_version }}/Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}' || echo "Error: Image tag $1 not found in Dockerfile" && exit 1) && echo "$keycloak_full_version"
+          echo "keycloak_full_version=${keycloak_full_version}"
+
+          aws_jdbc_wrapper_version="$(.github/scripts/utils/get_aws_jdbc_wrapper_version.sh "$keycloak_full_version" || echo "Error: Cannot get aws jdbc wrapper version for keycloak $keycloak_full_version" && exit 1)" && echo "$aws_jdbc_wrapper_version"
+          echo "aws_jdbc_wrapper_version=${aws_jdbc_wrapper_version}" >> "$GITHUB_ENV"
+          echo "aws_jdbc_wrapper_version=${aws_jdbc_wrapper_version}"
+
       - name: Build image using Camunda docker build
         id: build-image-step
         uses: camunda/infra-global-github-actions/build-docker-image@2e3f3018839b8eb99b0dca9a65a9df32dbad2a08 # main
@@ -93,6 +103,8 @@ jobs:
           image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }}
           build_context: "./keycloak-${{ matrix.keycloak_version }}/"
           build_platforms: linux/amd64,linux/arm64
+          build_args: |
+            AWS_JDBC_WRAPPER_VERSION=${{ env.aws_jdbc_wrapper_version }}
           extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary"
             type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short
 
@@ -390,7 +402,7 @@ jobs:
           KEYCLOAK_JDBC_PARAMS: "${{ matrix.runner_desc.keycloak_db_jdbc_query }}"
           KC_DB_DRIVER: "${{ matrix.runner_desc.keycloak_db_driver }}"
 
-          KEYCLOAK_LOG_LEVEL: "DEBUG,software.amazon.jdbc:FINEST"
+          KEYCLOAK_LOG_LEVEL: "INFO,software.amazon.jdbc:FINEST"
 
           COMPOSE_POSTGRES_IMAGE: "public.ecr.aws/docker/library/postgres:${{ env.postgres_version }}"
           COMPOSE_POSTGRES_DEPLOY_REPLICAS: "${{ matrix.runner_desc.postgres_replicas }}"

DEVELOPER.md

@@ -7,10 +7,17 @@ Welcome to the development reference for Keycloak by Camunda! This document prov
 Building a local image is for development purposes only.
 In production, the pipeline will handle this and build a multi-architecture image using Docker Buildx.
 
-Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute the following command:
+Navigate to the `keycloak-<version>` (e.g. `keycloak-24`) directory and execute the following commands:
 
 ```bash
-docker build . -t docker.io/camunda/keycloak:24
+# retrieve the aws jdbc wrapper version from the referenced keycloak version
+keycloak_full_version="$(grep "ARG BASE_IMAGE_NAME=.*$1" ./Dockerfile | awk -F'[:=]' '{print $NF}' | tr -d '"' | awk -F'[:/-]' '{print $1}')"
+echo "keycloak_full_version=$keycloak_full_version"
+
+aws_jdbc_wrapper_version="$(../.github/scripts/utils/get_aws_jdbc_wrapper_version.sh $keycloak_full_version)"
+echo "aws_jdbc_wrapper_version=$aws_jdbc_wrapper_version"
+
+docker build . -t "docker.io/camunda/keycloak:$keycloak_full_version" --build-arg "AWS_JDBC_WRAPPER_VERSION=$aws_jdbc_wrapper_version"
 ```
 
 This Dockerfile includes the necessary dependencies and configurations for AWS Advanced JDBC Wrapper.
@@ -40,7 +47,7 @@ When adding a new version of Keycloak, follow these steps:
 4. **Final Image Tags:**
    - The final image will have the following tags:
      - `camunda/keycloak:24` (mutable - triggered by any change in the base image of Keycloak)
-     - `camunda/keycloak:24.0.1-1` (mutable - triggered by any change not part of the base image of Keycloak, e.g., gradle dependencies)
+     - `camunda/keycloak:24.0.1-1` (mutable - triggered by any change not part of the base image of Keycloak)
      - `camunda/keycloak:24.0.1-1-${date in yyyy-mm-dd-xxx format}` (immutable, recommended for production usage)
 
 Following these steps ensures a smooth integration of new Keycloak versions, consistent testing across the development environment, and easy access to the latest version. Happy coding!

keycloak-23/Dockerfile

@@ -1,34 +1,48 @@
-ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:23.0.7-debian-12-r3"
+ARG BASE_IMAGE_NAME="docker.io/bitnami/keycloak:23.0.7-debian-12-r4"
 # List of all available images with associated sha: https://hub.docker.com/r/bitnami/keycloak/tags
 # Note: use the global image digest to make this image platform agnostic (see: https://github.com/camunda/zeebe/pull/14186)
-ARG BASE_IMAGE_DIGEST="sha256:eabfbdd679042f40612388aed560e3e7f809c3d4a04e5755a7cac22c9270e5a5"
+ARG BASE_IMAGE_DIGEST="sha256:c4a2bf092d1afeac972d5f66db58e431d3fb53beedde18b7f54e45c37f5d1be5"
 
-FROM docker.io/gradle:jdk17-focal@sha256:17e0c6bec6cb2c7f4240315d7a957c6b9058a5c137c2f8b37760ac327111ce87 as lib
+# Building builder image
+# hadolint ignore=DL3006
+FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
 
-WORKDIR /home/gradle
+USER 0
 
-COPY build.gradle /home/gradle
+# install maven (silence alert about version pinning of maven)
+# hadolint ignore=DL3008
+RUN mkdir /home/keycloak && chown keycloak /home/keycloak && \
+    apt-get update && apt-get install maven -y --no-install-recommends
 
-RUN gradle copyDependencies
+USER 1001
 
-# Building builder image
-# hadolint ignore=DL3006
-FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST} as builder
+WORKDIR /home/keycloak
 
-COPY --from=lib /home/gradle/lib /opt/bitnami/keycloak/providers
+# download the wrapper from github, then fetch the dependencies from maven
+ADD --chown=1001 "https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar" "/opt/bitnami/keycloak/providers/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.jar"
+ADD --chown=1001 "https://repo1.maven.org/maven2/software/amazon/jdbc/aws-advanced-jdbc-wrapper/${AWS_JDBC_WRAPPER_VERSION}/aws-advanced-jdbc-wrapper-${AWS_JDBC_WRAPPER_VERSION}.pom" /home/keycloak/pom.xml
 
-WORKDIR /opt/bitnami/keycloak
+RUN cat /home/keycloak/pom.xml && mvn install && \
+    cp /home/keycloak/.m2/repository/software/amazon/awssdk/*/*/*.jar /opt/bitnami/keycloak/providers/
 
 RUN /opt/bitnami/keycloak/bin/kc.sh build
 
-
 ##### FINAL Keycloak IMAGE #####
+
 # hadolint ignore=DL3006
 FROM ${BASE_IMAGE_NAME}@${BASE_IMAGE_DIGEST}
 # leave the values below unset to use the default value at the top of the file
 ARG BASE_IMAGE_NAME
 ARG BASE_IMAGE_DIGEST
 
+# use the .github/scripts/utils/get_aws_wrapper_version.sh keycloak-version script to get the value and pass it at build time
+ARG AWS_JDBC_WRAPPER_VERSION
+
+# Copy the previously built aws jdbc drivers
+COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
+
 # common, k8s, openshift and OCI labels:
 # OCI: https://github.com/opencontainers/image-spec/blob/main/annotations.md
 # OCP: https://docs.openshift.com/container-platform/4.10/openshift_images/create-images.html#defining-image-metadata
@@ -37,7 +51,8 @@ LABEL maintainer="Camunda" \
       summary="Keycloak bitnami with AWS wrapper" \
       io.k8s.description="Keycloak bitnami with AWS wrapper." \
       io.k8s.display-name="keycloak" \
-      description="Keycloak bitnami with AWS wrapper." \
+      description="Keycloak bitnami with AWS JDBC wrapper." \
+      jdbc.aws-jdbc-wrapper.version="${AWS_JDBC_WRAPPER_VERSION}" \
       org.opencontainers.image.authors="Camunda" \
       org.opencontainers.image.vendor="Camunda" \
       org.opencontainers.image.documentation="https://hub.docker.com/camunda/keycloak/" \
@@ -58,19 +73,3 @@ LABEL maintainer="Camunda" \
       # org.opencontainers.image.revision
       # org.opencontainers.image.source
       # org.opencontainers.image.version
-
-# Copy the previously built aws jdbc drivers
-COPY --from=builder /opt/bitnami/keycloak/ /opt/bitnami/keycloak/
-
-# switch back to root to modify scripts
-USER 0
-
-# Patch the image scripts to support custom JDBC driver until https://github.com/bitnami/charts/issues/18808#issuecomment-1866638783 is resolved
-# hadolint ignore=SC2016
-RUN sed -i '/KEYCLOAK_JDBC_PARAMS$/a\    KEYCLOAK_JDBC_DRIVER' /opt/bitnami/scripts/keycloak-env.sh && \
-    sed -i '/^export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"/a \
-KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"\nexport KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-}"' /opt/bitnami/scripts/keycloak-env.sh && \
-    sed -i 's/"jdbc:postgresql:/\"jdbc:${KEYCLOAK_JDBC_DRIVER}:/g' /opt/bitnami/scripts/libkeycloak.sh
-
-# Switch back to unprivileged user
-USER 1001