From 2cd3e8cf13a4da16dd65fce057253157d288337a Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 16 Nov 2024 10:04:26 -0500
Subject: [PATCH 1/4] Reuse session when running kcadm commands
Fixes #327
---
 templates/kcadm-wrapper.sh.erb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/templates/kcadm-wrapper.sh.erb b/templates/kcadm-wrapper.sh.erb
index d627f8ce..c0809320 100644
--- a/templates/kcadm-wrapper.sh.erb
+++ b/templates/kcadm-wrapper.sh.erb
@@ -1,5 +1,14 @@
 #!/bin/bash
 KCADM="<%= scope['keycloak::install_base'] %>/bin/kcadm.sh"
+CONFIG="/root/.keycloak/kcadm.config"
+EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' ~/.keycloak/kcadm.config)
+NOW=$(/usr/bin/date +%s%3N)
-${KCADM} "$@" --no-config --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
+if [ ! -f "$CONFIG" ]; then
+ ${KCADM} config credentials --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
+elif [ "$EXPIRES" -gt "$NOW" ]; then
+ ${KCADM} config credentials --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
+fi
+
+${KCADM} "$@" --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
From e7e2a3b50bf5558f9044bc921079d236c7323465 Mon Sep 17 00:00:00 2001
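Review bot: `CONFIG` is hard-coded to `/root/.keycloak/kcadm.config` while the `EXPIRES` line reads `~/.keycloak/kcadm.config`, so the existence check and the expiry check look at different files whenever the wrapper is not run as root (it is installed owned by `$keycloak::user`, mode 0750, so that is plausible), and kcadm itself is never told which file to use. Use one path for all three, `EXPIRES=$(... "$CONFIG")` and `--config "$CONFIG"` on every kcadm call, so the session file location is explicit rather than depending on `$HOME`. Separately, the final `${KCADM} "$@"` still passes `--user` and `--password` on every invocation even though a session now exists, so the admin password keeps appearing in the process list on each command; once `config credentials` has succeeded those flags can be dropped from the pass-through call.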
From: Trey Dockendorf
Date: Sun, 17 Nov 2024 10:22:17 -0500
Subject: [PATCH 2/4] Move to using kcadm-wrapper config file so that script is just a script and not a template
---
 files/kcadm-wrapper.sh | 13 +++++++++++++
 manifests/config.pp | 25 ++++++++++++++++++++-----
 manifests/init.pp | 3 ++-
 spec/classes/init_spec.rb | 3 ++-
 templates/kcadm-wrapper.sh.erb | 14 --------------
 templates/shell_vars.epp | 8 ++++++++
 6 files changed, 45 insertions(+), 21 deletions(-)
 create mode 100644 files/kcadm-wrapper.sh
 delete mode 100644 templates/kcadm-wrapper.sh.erb
 create mode 100644 templates/shell_vars.epp
diff --git a/files/kcadm-wrapper.sh b/files/kcadm-wrapper.sh
new file mode 100644
index 00000000..24c219f0
--- /dev/null
+++ b/files/kcadm-wrapper.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# shellcheck source=/dev/null
+. /opt/keycloak/conf/kcadm-wrapper.conf
+
+EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" || echo "0")
+NOW=$(/usr/bin/date +%s%3N)
+
+if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -gt "$NOW" ]; then
+ ${KCADM} config credentials --config "$CONFIG" --server "$SERVER" --realm "$REALM" --user "$ADMIN_USER" --password "$PASSWORD"
+fi
+
+${KCADM} "$@" --config "$CONFIG"
diff --git a/manifests/config.pp b/manifests/config.pp
index 4a3d66d1..32e697f5 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
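Review bot: The script sources `/opt/keycloak/conf/kcadm-wrapper.conf` by a fixed path, but the manifest installs that file at `$keycloak::wrapper_conf`, which is derived from `$conf_dir`; on an installation with a non-default `install_base` the `.` fails, bash prints an error and carries on (there is no `set -e`), `$KCADM` is empty and the password-carrying line runs as a bare `config credentials ...` command that just fails. Either derive the path from the script's own location, e.g. `. "$(dirname "$0")/../conf/kcadm-wrapper.conf"` guarded by a `[ -r ... ] || exit 1` (assuming `conf_dir` sits under `install_base`, which this hunk does not show), or have Puppet substitute it. Consider also a `umask 077` at the top of the script: `config credentials` writes the admin access and refresh tokens into `$CONFIG`, which now lives in `conf_dir` (default mode 0755 per init.pp), and unless kcadm itself restricts the mode of the file it creates, which I have not verified, those tokens would be readable by other local users.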
@@ -9,18 +9,33 @@
 }
 }
- # Template uses:
- # - $keycloak::install_base
- # - $keycloak::admin_user
- # - $keycloak::admin_user_password
+ $wrapper_conf = {
+ 'KCADM' => "${keycloak::install_base}/bin/kcadm.sh",
+ 'CONFIG' => "${keycloak::conf_dir}/kcadm.config",
+ 'SERVER' => $keycloak::wrapper_server,
+ 'REALM' => 'master',
+ 'ADMIN_USER' => $keycloak::admin_user,
+ 'PASSWORD' => $keycloak::admin_user_password,
+ }
+ file { 'kcadm-wrapper.conf':
+ ensure => 'file',
+ path => $keycloak::wrapper_conf,
+ owner => $keycloak::user,
+ group => $keycloak::group,
+ mode => '0640',
+ content => epp('keycloak/shell_vars.epp', { 'vars' => $wrapper_conf }),
+ show_diff => false,
+ }
+
 file { 'kcadm-wrapper.sh':
 ensure => 'file',
 path => $keycloak::wrapper_path,
 owner => $keycloak::user,
 group => $keycloak::group,
 mode => '0750',
- content => template('keycloak/kcadm-wrapper.sh.erb'),
+ source => 'puppet:///modules/keycloak/kcadm-wrapper.sh',
 show_diff => false,
+ require => File['kcadm-wrapper.conf'],
 }
 file { $keycloak::conf_dir:
diff --git a/manifests/init.pp b/manifests/init.pp
index 39be3920..beb3481e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -240,7 +240,7 @@
 Optional[Stdlib::Absolutepath] $service_environment_file = undef,
 Stdlib::Filemode $conf_dir_mode = '0755',
 Boolean $conf_dir_purge = true,
- Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks'],
+ Array $conf_dir_purge_ignore = ['cache-ispn.xml', 'README.md', 'truststore.jks', 'kcadm.config'],
 Keycloak::Configs $configs = {},
 Hash[String, Variant[String[1],Boolean,Array]] $extra_configs = {},
 Variant[Stdlib::Host, Stdlib::HTTPUrl, Stdlib::HTTPSUrl, Enum['unset','UNSET']] $hostname = $facts['networking']['fqdn'],
@@ -330,6 +330,7 @@
 $tmp_dir = "${install_base}/tmp"
 $providers_dir = "${install_base}/providers"
 $wrapper_path = "${keycloak::install_base}/bin/kcadm-wrapper.sh"
+ $wrapper_conf = "${conf_dir}/kcadm-wrapper.conf"
 $default_config = {
 'hostname' => $hostname,
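Review bot: `kcadm-wrapper.conf` now holds the admin password in clear text next to values that are not secret, readable by `$keycloak::user` and every member of `$keycloak::group` (mode 0640). That is the same exposure the templated script had, but since this is a new file it is worth deciding deliberately who needs it: if the wrapper is only ever invoked by Puppet's providers as root, which looks likely but is not visible in this hunk, `owner => 'root', mode => '0600'` would keep the password away from the server JVM and anything else running as the service user, and the 0750 wrapper script itself could then stop carrying anything sensitive. A one-line comment above `$wrapper_conf` saying that this file is sourced verbatim by bash and therefore must only contain shell-safe, single-line values would also help the next person who adds a key.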
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index ede1c65e..1f1605e9 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -121,8 +121,9 @@
 owner: 'keycloak',
 group: 'keycloak',
 mode: '0750',
- content: %r{.*},
+ source: 'puppet:///modules/keycloak/kcadm-wrapper.sh',
 show_diff: 'false',
+ require: 'File[kcadm-wrapper.conf]',
 )
 end
diff --git a/templates/kcadm-wrapper.sh.erb b/templates/kcadm-wrapper.sh.erb
deleted file mode 100644
index c0809320..00000000
--- a/templates/kcadm-wrapper.sh.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-KCADM="<%= scope['keycloak::install_base'] %>/bin/kcadm.sh"
-CONFIG="/root/.keycloak/kcadm.config"
-EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' ~/.keycloak/kcadm.config)
-NOW=$(/usr/bin/date +%s%3N)
-
-if [ ! -f "$CONFIG" ]; then
- ${KCADM} config credentials --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
-elif [ "$EXPIRES" -gt "$NOW" ]; then
- ${KCADM} config credentials --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
-fi
-
-${KCADM} "$@" --server '<%= scope['keycloak::wrapper_server'] %>' --realm master --user '<%= scope['keycloak::admin_user'] %>' --password '<%= scope['keycloak::admin_user_password'] %>'
diff --git a/templates/shell_vars.epp b/templates/shell_vars.epp
new file mode 100644
index 00000000..662c896a
--- /dev/null
+++ b/templates/shell_vars.epp
@@ -0,0 +1,8 @@
+<%- |
+ Hash[String, String] $vars
+| -%>
+# This file is managed by Puppet, DO NOT EDIT
+
+<% $vars.each |$key, $value| { -%>
+<%= $key %>='<%= $value %>'
+<% } -%>
From f29130054a41d6d8f87bf962c9e6a7abfde9fb6b Mon Sep 17 00:00:00 2001
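Review bot: The `shell_vars.epp` template emits each entry as `KEY='value'` with no escaping, and the file it produces is sourced by bash, so a value containing a single quote (an admin password such as `it's`) closes the literal and the rest of the value is executed as shell, and a value containing a newline does the same; with the password among the inputs this is both a correctness and an injection concern, even if the operator is trusted. Escape at the point of emission, `<%= $key %>=<%= stdlib::shell_escape($value) %>` (plain `shell_escape` on older stdlib, which the module already depends on via its `Stdlib::` types), or if you prefer to stay with literal quoting, `'<%= $value.regsubst("'", "'\\''", 'G') %>'`. Rejecting values that contain a newline, e.g. with a `fail()` in the loop, would close the remaining gap.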
From: Trey Dockendorf
Date: Mon, 18 Nov 2024 08:19:14 -0500
Subject: [PATCH 3/4] Fix conditional
---
 files/kcadm-wrapper.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/kcadm-wrapper.sh b/files/kcadm-wrapper.sh
index 24c219f0..055502a5 100644
--- a/files/kcadm-wrapper.sh
+++ b/files/kcadm-wrapper.sh
@@ -6,7 +6,7 @@
 EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" || echo "0")
 NOW=$(/usr/bin/date +%s%3N)
-if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -gt "$NOW" ]; then
+if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -lt "$NOW" ]; then
 ${KCADM} config credentials --config "$CONFIG" --server "$SERVER" --realm "$REALM" --user "$ADMIN_USER" --password "$PASSWORD"
 fi
From ac65098c0251040fb80574b71812e548b7d85169 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Mon, 18 Nov 2024 09:18:43 -0500
Subject: [PATCH 4/4] Remove kcmadm login session when Keycloak service restarts unless using persistent sessions
---
 files/kcadm-wrapper.sh | 2 +-
 manifests/config.pp | 2 +-
 manifests/init.pp | 1 +
 templates/keycloak.service.erb | 4 ++++
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/files/kcadm-wrapper.sh b/files/kcadm-wrapper.sh
index 055502a5..d8d8acbf 100644
--- a/files/kcadm-wrapper.sh
+++ b/files/kcadm-wrapper.sh
@@ -3,7 +3,7 @@
 # shellcheck source=/dev/null
 . /opt/keycloak/conf/kcadm-wrapper.conf
-EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" || echo "0")
+EXPIRES=$(/usr/bin/sed -n -r 's|.*"refreshExpiresAt" : ([0-9]*).*|\1|p' "$CONFIG" 2>/dev/null || echo "0")
 NOW=$(/usr/bin/date +%s%3N)
 if [ ! -f "$CONFIG" ] || [ "$EXPIRES" -lt "$NOW" ]; then
diff --git a/manifests/config.pp b/manifests/config.pp
index 32e697f5..de09dc95 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
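Review bot: The corrected comparison still misbehaves when `$CONFIG` exists but contains no `refreshExpiresAt` match: the `|| echo "0"` fallback on the line above only fires when sed exits non-zero, and sed exits 0 after printing nothing, so `EXPIRES` is empty, `[ "" -lt "$NOW" ]` fails with "integer expression expected", the whole condition is false and the script runs the command without logging in. Default the variable after the substitution, `EXPIRES=${EXPIRES:-0}`, or test `[ "${EXPIRES:-0}" -lt "$NOW" ]`. A small margin, such as comparing against `$((NOW + 5000))`, would also avoid handing kcadm a refresh token that expires between this check and the actual call.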
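Review bot: The exit status of the `config credentials` call inside the `if` is never checked, so when the login fails (bad password, or the server not yet accepting requests right after the restart this series is handling) the script continues to `${KCADM} "$@"` with a missing or stale session file and the caller gets an unrelated error; append `|| exit $?` to that line so the failure is reported where it happens. The added `2>/dev/null` only silences sed's own diagnostics (the missing-file case) and does not address the empty-output case, where sed exits 0 and `EXPIRES` ends up empty. The if-block's closing `fi` and the final kcadm call lie outside this hunk.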
@@ -11,7 +11,7 @@
 $wrapper_conf = {
 'KCADM' => "${keycloak::install_base}/bin/kcadm.sh",
- 'CONFIG' => "${keycloak::conf_dir}/kcadm.config",
+ 'CONFIG' => $keycloak::login_config,
 'SERVER' => $keycloak::wrapper_server,
 'REALM' => 'master',
 'ADMIN_USER' => $keycloak::admin_user,
diff --git a/manifests/init.pp b/manifests/init.pp
index beb3481e..429ceb39 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -331,6 +331,7 @@
 $providers_dir = "${install_base}/providers"
 $wrapper_path = "${keycloak::install_base}/bin/kcadm-wrapper.sh"
 $wrapper_conf = "${conf_dir}/kcadm-wrapper.conf"
+ $login_config = "${conf_dir}/kcadm.config"
 $default_config = {
 'hostname' => $hostname,
diff --git a/templates/keycloak.service.erb b/templates/keycloak.service.erb
index 88d8a0c5..393a76ac 100644
--- a/templates/keycloak.service.erb
+++ b/templates/keycloak.service.erb
@@ -21,6 +21,10 @@ Environment='JAVA_HOME=<%= scope['keycloak::java_home'] %>'
 User=<%= scope['keycloak::user'] %>
 Group=<%= scope['keycloak::group'] %>
 ExecStart=<%= scope['keycloak::service_start_cmd'] %>
+# TODO: remove once upgraded from Keycloak 25 to 26
+<% unless (scope['keycloak::features'] || []).include?('persistent-user-sessions') -%>
+ExecStartPost=-/usr/bin/rm -f <%= scope['keycloak::login_config'] %>
+<% end -%>
 TimeoutStartSec=600
 TimeoutStopSec=600
 SuccessExitStatus=0 143
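Review bot: Deleting the session file from the unit is fragile: `ExecStartPost` runs as `User=<%= scope['keycloak::user'] %>` and the leading `-` tells systemd to ignore the result, so if the `rm` ever fails (directory ownership changed, path moved) the stale tokens survive the restart silently and every wrapper call fails until `refreshExpiresAt` passes, with nothing in the journal pointing at the cause. The wrapper already knows when its token is bad, so handling it there is more robust: if `${KCADM} "$@"` exits non-zero, re-run `config credentials` once and retry the command; that covers restarts without persistent sessions and any other way the server-side session can vanish, and decouples the unit file from the login cache. If the unit approach stays, the TODO should say why (Keycloak 26 enables persistent user sessions by default, as I understand it), and the `include?` check should also accept the versioned spelling `persistent-user-sessions:v1`, which Keycloak accepts in its feature list, otherwise the `rm` keeps running on installs that do have persistent sessions.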