Setup keycloak to run on ovirt engine's wildfly instance

.automation/build-srpm.sh

@@ -2,7 +2,20 @@
 
 # Directory, where build artifacts will be stored, should be passed as the 1st parameter
 ARTIFACTS_DIR=${1:-exported-artifacts}
+export ARTIFACTS_DIR
 
 # Prepare source archive
 [[ -d rpmbuild/SOURCES ]] || mkdir -p rpmbuild/SOURCES
 
+# Clean leftovers from previous builds
+rm -rf rpmbuild/SOURCES/*
+make clean
+
+# Get the tarball
+make dist
+
+
+# Build SRPMs
+rpmbuild \
+    -D "_topdir rpmbuild" \
+    -ts ./*.tar.gz

.copr/Makefile

@@ -0,0 +1,10 @@
+# outdir: passed by copr telling where to save the src.rpm
+# spec: passed by copr telling which spec file should be used;
+#       using for selecting the right src.rpm to be copied.
+
+installdeps:
+	dnf -y install coreutils curl dnf-utils findutils git rpmdevtools sed
+
+srpm: installdeps
+	.automation/build-srpm.sh
+	cp rpmbuild/SRPMS/$(shell sh -c "basename '$(spec)'|cut -f1 -d.")*.src.rpm $(outdir)

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# https://help.github.com/en/articles/about-code-owners
+# Default reviewers for everything
+* @arso @mwperina

.github/workflows/build.yml

@@ -50,11 +50,11 @@ jobs:
       run: |
         dnf install -y \
           createrepo_c \
-          curl \
           dnf-utils \
           findutils \
           git \
           make \
+          python3-devel \
           rpm-build \
           sed
 

.gitignore

@@ -0,0 +1,11 @@
+output
+*.zip
+*.tar.gz
+exported-artifacts
+rpmbuild
+.idea
+
+# template generated resources
+ovirt-engine-keycloak.spec
+packaging/setup/ovirt_engine_setup/keycloak/config.py
+build/python-check.sh

Makefile

@@ -0,0 +1,144 @@
+# ====================================================================
+# Copyright oVirt Authors
+# SPDX-License-Identifier: Apache-2.0
+# ====================================================================
+
+#
+# CUSTOMIZATION-BEGIN
+#
+# Keycloak version specification
+KEYCLOAK_VERSION="15.0.2"
+
+# RPM version specification
+RPM_VERSION="${KEYCLOAK_VERSION}"
+RPM_RELEASE="1"
+
+EXTRA_BUILD_FLAGS=
+BUILD_VALIDATION=1
+
+PACKAGE_NAME=ovirt-engine-keycloak
+
+PYTHON=$(shell which python3 2> /dev/null)
+PREFIX=/usr/local
+DATAROOT_DIR=$(PREFIX)/share
+PKG_DATA_DIR=$(DATAROOT_DIR)/ovirt-engine-keycloak
+KEYCLOAK_OVERLAY_ZIP="keycloak-overlay-$(KEYCLOAK_VERSION).zip"
+KEYCLOAK_OVERLAY_URL="https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/${KEYCLOAK_OVERLAY_ZIP}"
+#
+# CUSTOMIZATION-END
+#
+BUILD_FLAGS:=$(BUILD_FLAGS) $(EXTRA_BUILD_FLAGS)
+
+TARBALL=$(PACKAGE_NAME)-$(RPM_VERSION).tar.gz
+BUILD_FILE=tmp.built
+
+
+.SUFFIXES:
+.SUFFIXES: .in
+
+.in:
+	sed \
+	-e "s|@KEYCLOAK_VERSION@|$(KEYCLOAK_VERSION)|g" \
+	-e "s|@KEYCLOAK_OVERLAY_ZIP@|$(KEYCLOAK_OVERLAY_ZIP)|g" \
+	-e "s|@DATAROOT_DIR@|$(DATAROOT_DIR)|g" \
+	-e "s|@PKG_DATA_DIR@|$(PKG_DATA_DIR)|g" \
+	-e "s|@RPM_VERSION@|$(RPM_VERSION)|g" \
+	-e "s|@RPM_RELEASE@|$(RPM_RELEASE)|g" \
+	-e "s|@PACKAGE_NAME@|$(PACKAGE_NAME)|g" \
+	$< > $@
+
+
+GENERATED = \
+	build/python-check.sh \
+	ovirt-engine-keycloak.spec \
+	packaging/setup/ovirt_engine_setup/keycloak/config.py \
+	$(NULL)
+
+
+all:	\
+	generated-files \
+	validations \
+	$(BUILD_FILE) \
+	$(NULL)
+
+generated-files:	$(GENERATED)
+	chmod a+x build/python-check.sh
+
+$(BUILD_FILE):
+	touch $(BUILD_FILE)
+
+clean:
+	rm -rf $(BUILD_FILE)
+	rm -rf tmp.dev.flist
+	rm -rf $(GENERATED)
+	rm -f "$(PACKAGE_NAME)-*.tar.gz"
+
+install: \
+	all \
+	install-packaging-files \
+	$(NULL)
+
+.PHONY: ovirt-engine-keycloak.spec.in
+
+dist:	ovirt-engine-keycloak.spec \
+	download-keycloak \
+	$(NULL)
+
+	git ls-files | tar --files-from /proc/self/fd/0 -czf \
+		"$(TARBALL)" \
+		ovirt-engine-keycloak.spec \
+		$(KEYCLOAK_OVERLAY_ZIP)
+	@echo
+	@echo For distro specific packaging refer to https://www.ovirt.org/develop/dev-process/build-binary-package.html
+	@echo
+
+download-keycloak:
+	if [ ! -f "$(KEYCLOAK_OVERLAY_ZIP)" ]; then \
+		curl -L -o "$(KEYCLOAK_OVERLAY_ZIP)" "$(KEYCLOAK_OVERLAY_URL)"; \
+	fi
+
+# copy SOURCEDIR to TARGETDIR
+# exclude EXCLUDEGEN a list of files to exclude with .in
+# exclude EXCLUDE a list of files.
+copy-recursive:
+	( cd "$(SOURCEDIR)" && find . -type d -printf '%P\n' ) | while read d; do \
+		install -d -m 755 "$(TARGETDIR)/$${d}"; \
+	done
+	( \
+		cd "$(SOURCEDIR)" && find . -type f -printf '%P\n' | \
+		while read f; do \
+			exclude=false; \
+			for x in $(EXCLUDE_GEN); do \
+				if [ "$(SOURCEDIR)/$${f}" = "$${x}.in" ]; then \
+					exclude=true; \
+					break; \
+				fi; \
+			done; \
+			for x in $(EXCLUDE); do \
+				if [ "$(SOURCEDIR)/$${f}" = "$${x}" ]; then \
+					exclude=true; \
+					break; \
+				fi; \
+			done; \
+			$${exclude} || echo "$${f}"; \
+		done \
+	) | while read f; do \
+		src="$(SOURCEDIR)/$${f}"; \
+		dst="$(TARGETDIR)/$${f}"; \
+		[ -x "$${src}" ] && MASK=0755 || MASK=0644; \
+		[ -n "$(DEV_FLIST)" ] && echo "$${dst}" | sed 's#^$(PREFIX)/##' >> "$(DEV_FLIST)"; \
+		install -T -m "$${MASK}" "$${src}" "$${dst}"; \
+	done
+
+
+validations:	generated-files
+	if [ "$(BUILD_VALIDATION)" != 0 ]; then \
+		build/python-check.sh; \
+	fi
+
+install-packaging-files: \
+		$(GENERATED) \
+		$(NULL)
+	$(MAKE) copy-recursive SOURCEDIR=packaging/setup TARGETDIR="$(DESTDIR)$(PKG_DATA_DIR)/../ovirt-engine/setup" EXCLUDE_GEN="$(GENERATED)"
+	$(MAKE) copy-recursive SOURCEDIR=packaging/conf TARGETDIR="$(DESTDIR)$(PKG_DATA_DIR)/conf" EXCLUDE_GEN="$(GENERATED)"
+

build/python-check.sh.in

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+PEP8="@PEP8@"
+PYFLAKES="@PYFLAKES@"
+SRCDIR="$(dirname "$0")/.."
+
+cd "${SRCDIR}"
+
+ret=0
+FILES="$(
+	find build packaging -name '*.py' | while read f; do
+		[ -e "${f}.in" ] || echo "${f}"
+	done
+)"
+
+for exe in "${PYFLAKES}" "${PEP8}"; do
+	if ! which "${exe}" > /dev/null 2>&1; then
+		echo "WARNING: tool '${exe}' is missing" >&2
+	else
+		"${exe}" ${FILES} || ret=1
+	fi
+done
+exit ${ret}

ovirt-engine-keycloak.spec.in

@@ -0,0 +1,111 @@
+%global __jar_repack 0
+
+%global product_name Keycloak SSO for oVirt Engine
+
+%global ovirt_engine_wildfly_data %{_datadir}/ovirt-engine-wildfly
+%global ovirt_engine_data %{_datadir}/ovirt-engine
+
+%global make_common_opts \\\
+	-j1 \\\
+	BUILD_VALIDATION=0 \\\
+	PACKAGE_NAME=%{name} \\\
+	RPM_VERSION=%{version} \\\
+	RPM_RELEASE=%{release} \\\
+	PREFIX=%{_prefix} \\\
+	DATAROOT_DIR=%{_datadir} \\\
+	%{?EXTRA_BUILD_FLAGS:EXTRA_BUILD_FLAGS="%{EXTRA_BUILD_FLAGS}"}
+
+
+
+########################################################
+#  Keycloak overlay package
+########################################################
+Name:		ovirt-engine-keycloak
+Version:	@RPM_VERSION@
+Release:	@RPM_RELEASE@%{?dist}
+Summary:	%{product_name}
+Group:		Virtualization/Management
+License:	ASL 2.0
+URL:		http://keycloak.org
+BuildArch:	noarch
+Source:		%{name}-@[email protected]
+
+BuildRequires:	unzip
+
+Requires:	%{name}-setup >= %{version}
+
+%description
+Keycloak SSO for oVirt Engine.
+
+########################################################
+#  Keycloak overlay setup package
+########################################################
+%package setup
+Summary:	%{product_name} setup
+Group:		Virtualization/Management
+
+BuildRequires:	python3
+BuildRequires:	python3-devel
+
+Requires:	ovirt-engine-setup-plugin-ovirt-engine-common >= 4.5.0
+Requires:	python%{python3_pkgversion}-ovirt-setup-lib
+
+%description setup
+Keycloak SSO for oVirt Engine installation setup package.
+
+
+########################################################
+#  Package customizations
+########################################################
+%prep
+%setup -cq
+
+%build
+make %{make_common_opts}
+
+%install
+rm -fr "%{buildroot}"
+make %{make_common_opts} install DESTDIR=%{buildroot}
+
+# Unzip downloaded keycloak overlay package
+mkdir -p %{buildroot}%{_datadir}
+unzip -d %{buildroot}%{_datadir}/%{name} @KEYCLOAK_OVERLAY_ZIP@
+
+# install Readme
+install -d -m 0755 "%{buildroot}%{_docdir}/%{name}"
+install -m 0644 "%{_builddir}/%{name}-%{version}/README.md" "%{buildroot}%{_docdir}/%{name}/README.md"
+
+# prepare sym links from ovirt-engine-wildfly to relevant ovirt-engine-keycloak artifacts
+# that is required because keycloak overlay is supposed to be extracted inside Wildfly/EAP location
+# and for ease of future management we do not want to mix them, symlinks here is an acceptable trade off
+mkdir -p %{buildroot}%{ovirt_engine_wildfly_data }/modules/system/layers
+ln -sf %{_datadir}/%{name}/themes %{buildroot}%{ovirt_engine_wildfly_data}/themes
+ln -sf %{_datadir}/%{name}/modules/layers.conf %{buildroot}%{ovirt_engine_wildfly_data}/modules/layers.conf
+ln -sf %{_datadir}/%{name}/modules/system/layers/keycloak %{buildroot}%{ovirt_engine_wildfly_data}/modules/system/layers/keycloak
+
+mkdir -p %{buildroot}%{_datadir}/ovirt-engine-wildfly/bin/client
+ln -sf %{_datadir}/%{name}/bin/add-user-keycloak.sh %{buildroot}%{ovirt_engine_wildfly_data}/bin/add-user-keycloak.sh
+ln -sf %{_datadir}/%{name}/bin/client/keycloak-admin-cli-@[email protected] %{buildroot}%{ovirt_engine_wildfly_data}/bin/client/keycloak-admin-cli-@[email protected]
+ln -sf %{_datadir}/%{name}/bin/client/keycloak-client-registration-cli-@[email protected] %{buildroot}%{ovirt_engine_wildfly_data}/bin/client/keycloak-client-registration-cli-@[email protected]
+
+
+%files
+%{_datadir}/%{name}/
+%{ovirt_engine_wildfly_data}/modules/layers.conf
+%{ovirt_engine_wildfly_data}/modules/system/layers/keycloak
+%{ovirt_engine_wildfly_data}/themes
+%{ovirt_engine_wildfly_data}/bin/client/keycloak-admin-cli-@[email protected]
+%{ovirt_engine_wildfly_data}/bin/client/keycloak-client-registration-cli-@[email protected]
+%{ovirt_engine_wildfly_data}/bin/add-user-keycloak.sh
+%{_docdir}/%{name}/
+
+%files setup
+%{ovirt_engine_data}/setup/ovirt_engine_setup/keycloak/
+%{ovirt_engine_data}/setup/plugins/*/ovirt-engine-keycloak/apache
+%{ovirt_engine_data}/setup/plugins/*/ovirt-engine-keycloak/ovirt-engine
+
+
+%changelog
+* Wed Nov 10 2021 Artur Socha <[email protected]> 15.0.2-1
+- Initial release
+

packaging/conf/z-ovirt-engine-keycloak-proxy.conf.in

@@ -0,0 +1,44 @@
+#
+# The name of this file name is very important, the "z-" prefix is used
+# to force the web server to load this file after all the other
+# configurations, in particular after the configuration of the required
+# proxy modules, otherwise the "IfModule" directives fail.
+#
+
+<IfModule !proxy_ajp_module>
+    # If you get an error in this block, it means that proxy_ajp_module is not:
+    # 1. loaded by other configuration of httpd
+    # 2. found in the path below (which is relative to ServerRoot)
+    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+</IfModule>
+
+<IfModule proxy_ajp_module>
+
+    #
+    # Remove the Expect headers from API requests (this is needed to fix a
+    # problem with some API clients):
+    #
+    # This is required because otherwise Expect header, which is hop-by-hop
+    # will be caught by the Apache and will NOT be forwared to the proxy.
+    #
+    # It currenly is used here, which means GLOBALLY for the server. It is done
+    # this way because RequestHeader 'early' doesn't allow using in either
+    # 'Directory' or 'Location' nested clauses.
+    #
+    # TODO: find a way to filter Expect headers for /api name space only.
+    <IfModule headers_module>
+        RequestHeader unset Expect early
+    </IfModule>
+
+
+    # pass calls to keycloak endpoint
+    <LocationMatch ^/ovirt-engine-auth($|/)>
+        ProxyPassMatch ajp://127.0.0.1:@JBOSS_AJP_PORT@ timeout=3600 retry=5
+
+        <IfModule deflate_module>
+            AddOutputFilterByType DEFLATE text/javascript text/css text/html text/xml text/json application/xml application/json application/x-yaml
+        </IfModule>
+    </LocationMatch>
+
+</IfModule>
+