Support Keycloak 22, Drop EL7 and Debian 10

EL7 and Debian 10 don't have new enough OpenJDK The use_truststore_spi propery for keycloak_ldap_user_provider has default switched to 'always' and 'ldapsOnly' option removed Force IPv4 during tests
treydock · Jul 16, 2023 · b6ed04b · b6ed04b
1 parent b99c30d
commit b6ed04b
Show file tree

Hide file tree

Showing 20 changed files with 35 additions and 120 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -24,7 +24,7 @@ jobs:
  puppet: 8
  fixtures: .fixtures.yml
  allow_failure: false
- - ruby: 2.7.6
+ - ruby: 2.7.7
  puppet: 7
  fixtures: .fixtures-latest.yml
  allow_failure: true
@@ -56,28 +56,26 @@ jobs:
  fail-fast: false
  matrix:
  set:
- - "el7"
  - "el8"
  - "el9"
- - "debian-10"
  - "debian-11"
  - "ubuntu-2004"
  - "ubuntu-2204"
  puppet:
  - "puppet7"
  - "puppet8"
  keycloak_version:
- - "21.0.1"
+ - "22.0.0"
  keycloak_full:
  - "no"
  include:
  - set: "el8"
  puppet: "puppet7"
- keycloak_version: "21.0.1"
+ keycloak_version: "22.0.0"
  keycloak_full: "yes"
  - set: "el8"
  puppet: "puppet8"
- keycloak_version: "21.0.1"
+ keycloak_version: "22.0.0"
  keycloak_full: "yes"
  env:
  BUNDLE_WITHOUT: development:release

diff --git a/.sync.yml b/.sync.yml
@@ -15,27 +15,26 @@ Rakefile:
  acceptance_name: '${{ matrix.puppet }} ${{ matrix.set }} (keycloak=${{ matrix.keycloak_version }} full=${{ matrix.keycloak_full }})'
  acceptance_matrix:
  set:
- - el7
+ - ---el7
  - el8
  - el9
- - debian-10
  - debian-11
  - ubuntu-2004
  - ubuntu-2204
  puppet:
  - puppet7
  - puppet8
  keycloak_version:
- - '21.0.1'
+ - '22.0.0'
  keycloak_full: ['no']
  acceptance_includes:
  - set: el8
  puppet: puppet7
- keycloak_version: 21.0.1
+ keycloak_version: 22.0.0
  keycloak_full: 'yes'
  - set: el8
  puppet: puppet8
- keycloak_version: 21.0.1
+ keycloak_version: 22.0.0
  keycloak_full: 'yes'
 .gitignore:
  paths:
@@ -51,11 +50,10 @@ Rakefile:
  Enabled: false
 appveyor.yml:
  delete: true
-spec/acceptance/nodesets/debian-9.yml:
+spec/acceptance/nodesets/el7.yml:
  delete: true
 spec/acceptance/nodesets/debian-10.yml:
- packages:
- - iproute2
+ delete: true
 spec/acceptance/nodesets/debian-11.yml:
  packages:
  - iproute2

diff --git a/README.md b/README.md
@@ -175,6 +175,7 @@ This module may work on earlier versions but this is the only version tested.
 | 18.x | 8.x |
 | 19.x - 21.x | 9.x |
 | 21.x | 10.x |
+| 22.x | 11.x |
 
 ## Usage
 
@@ -190,18 +191,18 @@ Install a specific version of Keycloak.
 
 ```puppet
 class { 'keycloak':
- version => '18.0.0',
+ version => '22.0.0',
  db => 'mariadb',
 }
 ```
 
 Upgrading Keycloak version works by changing `version` parameter as long as the `db` parameter is not the default of `dev-file`. An upgrade involves installing the new version without touching the old version, updating the symlink which defaults to `/opt/keycloak`, applying all changes to new version and then restarting the `keycloak` service.
 
-If the previous `version` was `18.0.0` using the following will upgrade to `19.0.0`:
+If the previous `version` was `22.0.0` using the following will upgrade to `23.0.0`:
 
 ```puppet
 class { 'keycloak':
- version => '19.0.0',
+ version => '23.0.0',
  db => 'mariadb',
 }
 ```
@@ -283,7 +284,7 @@ A simple example of deploying a custom SPI from a URL:
 keycloak::spi_deployment { 'duo-spi':
  ensure => 'present',
  deployed_name => 'DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar',
- source => 'https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/download/1.0.4/DuoUniversalKeycloakAuthenticator-jar-with-dependencies-1.0.4.jar',
+ source => 'https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/download/1.0.5/DuoUniversalKeycloakAuthenticator-jar-with-dependencies-1.0.5.jar',
 }
 ```
 
@@ -615,12 +616,9 @@ keycloak_required_action { 'webauthn-register on master':
 
 This module has been tested on:
 
-* RedHat/CentOS 7 x86_64
 * RedHat/Rocky/AlmaLinux 8 x86_64
 * RedHat/Rocky/AlmaLinux 9 x86_64
-* Debian 10 x86_64
 * Debian 11 x86_64
-* Ubuntu 18.04 x86_64
 * Ubuntu 20.04 x86_64
 * Ubuntu 22.04 x86_64
 

diff --git a/data/os/Debian/10.yaml b/data/os/Debian/10.yaml
diff --git a/data/os/RedHat/7.yaml b/data/os/RedHat/7.yaml
diff --git a/lib/puppet/type/keycloak_ldap_user_provider.rb b/lib/puppet/type/keycloak_ldap_user_provider.rb
@@ -73,8 +73,8 @@
 
  newproperty(:use_truststore_spi) do
  desc 'useTruststoreSpi'
- defaultto 'ldapsOnly'
- newvalues('always', 'ldapsOnly', 'never')
+ defaultto 'always'
+ newvalues('always', 'never')
  munge { |v| v }
  end
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -27,11 +27,11 @@
  ensure => 'directory',
  owner => $keycloak::user,
  group => $keycloak::group,
- mode => '0755',
+ mode => $keycloak::conf_dir_mode,
  purge => $keycloak::conf_dir_purge,
  force => $keycloak::conf_dir_purge,
  recurse => $keycloak::conf_dir_purge,
- ignore => ['cache-ispn.xml', 'README.md'],
+ ignore => $keycloak::conf_dir_purge_ignore,
  notify => Class['keycloak::service'],
  }
 

diff --git a/manifests/freeipa_user_provider.pp b/manifests/freeipa_user_provider.pp
@@ -67,7 +67,7 @@
  rdn_ldap_attribute => 'uid',
  search_scope => '1',
  use_kerberos_for_password_authentication => 'false',
- use_truststore_spi => 'ldapsOnly',
+ use_truststore_spi => 'always',
  user_object_classes => ['inetOrgPerson', ' organizationalPerson'],
  username_ldap_attribute => 'uid',
  users_dn => $users_dn,

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -222,15 +222,15 @@
 # Only necessary to set if the URL path to Keycloak is modified
 class keycloak (
  Boolean $manage_install = true,
- String $version = '21.0.1',
+ String $version = '22.0.0',
  Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $package_url= undef,
  Optional[Stdlib::Absolutepath] $install_dir = undef,
  Array[String[1]] $java_package_dependencies = [],
  Enum['include','class'] $java_declare_method = 'class',
- String[1] $java_package = 'java-11-openjdk-devel',
- Stdlib::Absolutepath $java_home = '/usr/lib/jvm/java-11-openjdk',
- Stdlib::Absolutepath $java_alternative_path = '/usr/lib/jvm/java-11-openjdk/bin/java',
- String[1] $java_alternative = '/usr/lib/jvm/java-11-openjdk/bin/java',
+ String[1] $java_package = 'java-17-openjdk-devel',
+ Stdlib::Absolutepath $java_home = '/usr/lib/jvm/java-17-openjdk',
+ Stdlib::Absolutepath $java_alternative_path = '/usr/lib/jvm/java-17-openjdk/bin/java',
+ String[1] $java_alternative = '/usr/lib/jvm/java-17-openjdk/bin/java',
  String $service_name = 'keycloak',
  String $service_ensure = 'running',
  Boolean $service_enable = true,

diff --git a/metadata.json b/metadata.json
@@ -41,17 +41,10 @@
  {
  "operatingsystem": "RedHat",
  "operatingsystemrelease": [
- "7",
  "8",
  "9"
  ]
  },
- {
- "operatingsystem": "CentOS",
- "operatingsystemrelease": [
- "7"
- ]
- },
  {
  "operatingsystem": "Rocky",
  "operatingsystemrelease": [
@@ -69,7 +62,6 @@
  {
  "operatingsystem": "Debian",
  "operatingsystemrelease": [
- "10",
  "11"
  ]
  },

diff --git a/spec/acceptance/1_class_spec.rb b/spec/acceptance/1_class_spec.rb
@@ -70,7 +70,7 @@ class { 'keycloak':
  pp = <<-PUPPET_PP
  class { 'keycloak':
  http_relative_path => '/auth',
- java_opts => '-Xmx512m -Xms64m',
+ java_opts => '-Xmx512m -Xms64m -Djava.net.preferIPv4Stack=true',
  configs => {
  'metrics-enabled' => true,
  },

diff --git a/spec/acceptance/nodesets/debian-10.yml b/spec/acceptance/nodesets/debian-10.yml
diff --git a/spec/acceptance/nodesets/el7.yml b/spec/acceptance/nodesets/el7.yml
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -8,7 +8,7 @@
  let(:facts) do
  facts.merge(concat_basedir: '/dne')
  end
- let(:version) { '21.0.1' }
+ let(:version) { '22.0.0' }
 
  case facts[:osfamily]
  when %r{RedHat}

diff --git a/spec/defines/freeipa_user_provider_spec.rb b/spec/defines/freeipa_user_provider_spec.rb
@@ -31,7 +31,7 @@
  rdn_ldap_attribute: 'uid',
  search_scope: '1',
  use_kerberos_for_password_authentication: 'false',
- use_truststore_spi: 'ldapsOnly',
+ use_truststore_spi: 'always',
  user_object_classes: ['inetOrgPerson', ' organizationalPerson'],
  username_ldap_attribute: 'uid',
  users_dn: 'cn=users,cn=accounts,dc=example,dc=org',

diff --git a/spec/defines/partial_import_spec.rb b/spec/defines/partial_import_spec.rb
@@ -8,7 +8,7 @@
  let(:facts) do
  facts.merge(concat_basedir: '/dne')
  end
- let(:version) { '21.0.1' }
+ let(:version) { '22.0.0' }
  let(:title) { 'test' }
  let(:params) do
  {

diff --git a/spec/defines/spi_deployment_spec.rb b/spec/defines/spi_deployment_spec.rb
@@ -8,7 +8,7 @@
  let(:facts) do
  facts.merge(concat_basedir: '/dne')
  end
- let(:version) { '21.0.1' }
+ let(:version) { '22.0.0' }
  let(:title) { 'duo-spi' }
  let(:params) { { deployed_name: 'keycloak-duo-spi-jar-with-dependencies.jar', source: 'https://example.com/files/keycloak-duo-spi-jar-with-dependencies.jar' } }
 

diff --git a/spec/fixtures/DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar b/spec/fixtures/DuoUniversalKeycloakAuthenticator-jar-with-dependencies.jar
diff --git a/spec/spec_helper_acceptance_setup.rb b/spec/spec_helper_acceptance_setup.rb
@@ -3,7 +3,7 @@
 RSpec.configure do |c|
  c.add_setting :keycloak_version
  keycloak_version = if ENV['BEAKER_keycloak_version'].nil? || ENV['BEAKER_keycloak_version'].empty?
- '21.0.1'
+ '22.0.0'
  else
  ENV['BEAKER_keycloak_version']
  end
@@ -28,26 +28,17 @@
  - name: "Common"
  path: "common.yaml"
 HIERA_YAML
-centos7_yaml = <<-EL7_YAML
-postgresql::server::service_reload: 'systemctl reload postgresql 2>/dev/null 1>/dev/null'
-EL7_YAML
-ubuntu1804_yaml = <<-UBUNTU18_YAML
-keycloak::db: mysql
-UBUNTU18_YAML
 common_yaml = <<-COMMON_YAML
 ---
 keycloak::version: '#{RSpec.configuration.keycloak_version}'
 keycloak::http_host: '127.0.0.1'
 keycloak::db: mariadb
 keycloak::proxy: edge
+# Force only listen on IPv4 for testing
+keycloak::java_opts: '-Djava.net.preferIPv4Stack=true'
 postgresql::server::service_status: 'service postgresql status 2>/dev/null 1>/dev/null'
 COMMON_YAML
 
 create_remote_file(hosts, '/etc/puppetlabs/puppet/hiera.yaml', hiera_yaml)
 on hosts, 'mkdir -p /etc/puppetlabs/puppet/data'
 create_remote_file(hosts, '/etc/puppetlabs/puppet/data/common.yaml', common_yaml)
-on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/CentOS'
-create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/CentOS/7.yaml', centos7_yaml)
-on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/Ubuntu'
-create_remote_file(hosts, '/etc/puppetlabs/puppet/data/os/Ubuntu/18.04.yaml', ubuntu1804_yaml)
-on hosts, 'mkdir -p /etc/puppetlabs/puppet/data/os/Debian'
diff --git a/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb b/spec/unit/puppet/type/keycloak_ldap_user_provider_spec.rb
@@ -79,8 +79,8 @@
  }.to raise_error(%r{foo})
  end
 
- it 'defaults to use_truststore_spi=ldapsOnly' do
- expect(resource[:use_truststore_spi]).to eq('ldapsOnly')
+ it 'defaults to use_truststore_spi=always' do
+ expect(resource[:use_truststore_spi]).to eq('always')
  end
 
  it 'does not allow invalid use_truststore_spi' do