610e3044ad
Even though we use `ubi8-minimal` as the parent of our container, it still has many RPMs installed that aren't necessary to run the Keycloak server. Also, since the JDK RPM (that we install on top of `ubi8-minimal`) is designed for general use, it pulls in more dependency RPMs than it strictly needs to, like cups and avahi. Keycloak will never need to access a printer itself! Trimming down these excess RPMs will improve our CVE statistics with automated scanners, and therefore let us perform fewer CVE rebuilds. `ubi8-null.sh` uses the low-level `rpm` command to identify and forcibly remove dependencies and operating system files that are not required to boot our Quarkus-based server. This includes `microdnf` and `rpm` itself! I have preserved bash, however, so it's still possible to debug the container from a shell. I've created an initial set of allow/disallow lists that seems to pass a smoke test (server boots, admin console works). This leaves 37 packages installed, with 96 removed relative to `ubi8-minimal`. We could go more minimal than this, or less minimal if required. Trial and error is required. Closes #16902
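The allowlist-driven trimming the commit message describes, as an added example written for this page (it is not the project's `ubi8-null.sh`, which is not shown here): compute which installed RPMs fall outside an allowlist, refuse to continue if the shell's own packages are not allowlisted, and erase the rest with the low-level rpm command. The package names, the allowlist contents and the `check_allowlist` helper are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's ubi8-null.sh. Run only inside a throwaway
# image build stage, never on a host.
set -eu
export LC_ALL=C   # comm(1) needs both inputs sorted in the same collation

# Constructed allowlist (hypothetical contents), one package name per line.
ALLOWLIST="bash
glibc
java-17-openjdk-headless
filesystem"

# Constructed stand-in for the output of `rpm -qa --qf '%{NAME}\n'`.
INSTALLED="avahi-libs
bash
cups-libs
filesystem
glibc
java-17-openjdk-headless
microdnf
rpm"

# Print the packages in $1 (installed) that are absent from $2 (allowlist),
# one per line, sorted. comm -23 keeps lines unique to the first input.
packages_to_remove() {
  local installed="$1" allow="$2" tmp
  tmp="$(mktemp)"
  printf '%s\n' "$allow" | sort -u > "$tmp"
  printf '%s\n' "$installed" | sort -u | comm -23 - "$tmp"
  rm -f "$tmp"
}

# Guard: the packages that keep a debugging shell usable must stay allowlisted.
check_allowlist() {
  local allow="$1" must
  for must in bash glibc filesystem; do
    printf '%s\n' "$allow" | grep -qx "$must" \
      || { echo "allowlist is missing $must" >&2; return 1; }
  done
}

# Erase everything outside the allowlist file $1. --nodeps lets rpm remove
# packages whose reverse dependencies go in the same pass, including rpm itself.
remove_packages() {
  local removals
  check_allowlist "$(cat "$1")"
  removals="$(packages_to_remove "$(rpm -qa --qf '%{NAME}\n')" "$(cat "$1")")"
  [ -n "$removals" ] || return 0
  # shellcheck disable=SC2086
  rpm -e --nodeps $removals
}

# Dry run over the constructed data: prints avahi-libs, cups-libs, microdnf, rpm.
packages_to_remove "$INSTALLED" "$ALLOWLIST"
```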
Keycloak on Quarkus
This module holds the codebase to build the Keycloak Operator on top of Quarkus, using the Quarkus Operator SDK.
Also see Operator guides
Activating the Module
When built from the project root directory, this module is only enabled if the installed JDK is 11 or newer.
Building
Ensure you have JDK 11 (or newer) installed.
Build the Docker image with:
mvn clean package -Doperator -Dquarkus.container-image.build=true
Configuration
The Keycloak image can be configured, when starting the operator, using the Java property:
operator.keycloak.image
And the imagePullPolicy with:
operator.keycloak.image-pull-policy
Contributing
Quick start on Minikube
Enable the Minikube Docker daemon:
eval $(minikube -p minikube docker-env)
Compile the project and generate the Docker image with JIB:
mvn clean package -Doperator -Dquarkus.container-image.build=true -Dquarkus.kubernetes.deployment-target=minikube
Install the CRD definition and the operator in the cluster in the keycloak namespace:
kubectl apply -k target
To install in the default namespace:
kubectl apply -k overlays/default-namespace
Remove the created resources with:
kubectl delete -k <previously-used-folder>
Testing
Testing allows 2 methods, specified in the property test.operator.deployment: local & remote.
local: resources will be deployed to the local cluster and the operator will run out of the cluster
remote: same as the local test, but an image for the operator will be generated and deployed to run inside the cluster
mvn clean verify \
-Dquarkus.container-image.build=true \
-Dquarkus.container-image.tag=test \
-Dquarkus.kubernetes.image-pull-policy=IfNotPresent \
-Dtest.operator.deployment=remote
To run tests on Mac with minikube and the docker driver you should run minikube tunnel in a separate shell and configure the Java properties as follows:
-Dtest.operator.kubernetes.ip=localhost
On Linux or on Mac using minikube on a VM, instead you should pass this additional property:
-Dtest.operator.kubernetes.ip=$(minikube ip)
To avoid skipping tests that depend on custom Keycloak images, you need to build those first:
./build-testing-docker-images.sh [SOURCE KEYCLOAK IMAGE TAG] [SOURCE KEYCLOAK IMAGE]
And run the tests passing an extra Java property:
-Dtest.operator.custom.image=custom-keycloak:latest
Testing using a pre-built operator image from a remote registry
You can run the testsuite using an already built operator image from a remote image registry.
To do this, you need to set quarkus.container-image.build=false and specify the desired image you want to use by setting quarkus.container-image.image=<your-image>:<your-tag>
Example:
mvn clean verify \
-Dquarkus.container-image.build=false \
-Dquarkus.container-image.image=quay.io/keycloak/keycloak-operator:nightly \
-Dtest.operator.deployment=remote