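# melange build manifest for Keycloak (Wolfi-style package definition).
# Layout: package metadata -> build environment -> build pipeline ->
# subpackages (filesystem-compat and bitnami-compat) -> package tests ->
# update discovery.
package:
  name: keycloak
  version: "26.1.4"
  epoch: 0
  description: Open Source Identity and Access Management For Modern Applications and Services
  copyright:
    - license: Apache-2.0
  dependencies:
    runtime:
      - bash # Keycloak helper scripts require bash, aren't compatible with busybox.
      - openjdk-21-default-jdk # TODO: Change to JRE

# Create a new major-version variable that contains only the major version
# to use in the bitnami/compat pipeline to find out the correct folder for the image.
# e.g. 25.0.2 will create a new var major-version=25
var-transforms:
  - from: ${{package.version}}
    match: ^(\d+).*
    replace: $1
    to: major-version

environment:
  contents:
    packages:
      - bash
      - build-base
      - busybox
      - ca-certificates-bundle
      - gcc-13-default
      - openjdk-21-default-jdk
      - wolfi-base
      - wolfi-baselayout
  environment:
    LANG: en_US.UTF-8
    JAVA_HOME: /usr/lib/jvm/java-21-openjdk

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/keycloak/keycloak
      tag: ${{package.version}}
      # Pins the checkout to an exact commit so a moved or re-pushed tag
      # cannot silently change what gets built.
      expected-commit: b281b5f09d06a55c661d8df529f0020dd44942d1

  - uses: maven/pombump

  - runs: |
      gcc napi-static-assert.c -o /tmp/preload.so -fPIC -shared -ldl

  - runs: |
      # Keycloak installation. Note we use the maven wrapper as configured in
      # the source repo to build - ensures the correct maven version for
      # building the project, preventing issues such as CI hangs.
      # Build keycloak-server. Depends on `keycloak-js-adapter-jar`.
      # Gross hack to work around broken NAPI ast-grep module that has
      # undefined symbol: static_assert
      export LD_PRELOAD=/tmp/preload.so
      ./mvnw clean install -DskipTests -Dmaven.test.skip=true -DskipITs -DskipProtoLock=true -Pdistribution
      unset LD_PRELOAD

      mkdir -p ${{targets.destdir}}/usr/share/java
      unzip -d ${{targets.destdir}}/usr/share/java quarkus/dist/target/keycloak-*.zip
      cp -avR ${{targets.destdir}}/usr/share/java/keycloak-* ${{targets.destdir}}/usr/share/java/keycloak

      # Create an empty data directory for keycloak. Required by the UI to store some data.
      mkdir -p ${{targets.destdir}}/usr/share/java/keycloak/data

      mkdir -p ${{targets.destdir}}/usr/bin
      for i in kc.sh kcadm.sh kcreg.sh; do
        ln -sf /usr/share/java/keycloak/bin/$i ${{targets.destdir}}/usr/bin/$i
      done

subpackages:
  # images like keycloak-operator may need it as they expect it to find keycloak in /opt/keycloak
  # For ref: https://github.com/keycloak/keycloak/blob/4b194d00bed51458acb3d125eba9a0ba654c930a/operator/Dockerfile#L11
  - name: keycloak-compat
    pipeline:
      - runs: |
          mkdir -p "${{targets.subpkgdir}}"/opt
          ln -s /usr/share/java/keycloak "${{targets.subpkgdir}}"/opt/

  # https://github.com/bitnami/containers/tree/main/bitnami/keycloak/24/debian-12
  - name: ${{package.name}}-bitnami-compat
    description: "compat package with bitnami/keycloak image"
    dependencies:
      runtime:
        - coreutils # Keycloak Helm Chart scripts require coreutils, aren't compatible with busybox. (i.e., `cp` with `--preserve` option)
        - krb5
        - libaio
        - procps
        - zlib
        - wait-for-port
        - net-tools
        - posix-libc-utils
        - su-exec
    pipeline:
      - uses: bitnami/compat
        with:
          image: keycloak
          version-path: ${{vars.major-version}}/debian-12
      - runs: |
          mkdir -p ${{targets.contextdir}}/bitnami/keycloak
          mkdir -p ${{targets.contextdir}}/opt/bitnami/keycloak
          mkdir -p ${{targets.contextdir}}/docker-entrypoint-initdb.d
          for dir in bin conf conf.default lib providers themes; do
            mkdir -p ${{targets.contextdir}}/opt/bitnami/keycloak/$dir
          done
          chmod g+rwX ${{targets.contextdir}}/opt/bitnami

          # Copy keycloak files to /opt/bitnami/keycloak for compatibility with
          # their Helm Chart, which copies the directories into an emptyDir in
          # an initContainer
          cp -r ${{targets.destdir}}/usr/share/java/keycloak/* ${{targets.contextdir}}/opt/bitnami/keycloak

          # Replace the incorrect Java paths in the Bitnami scripts
          sed -i 's/JAVA_HOME="\/opt\/bitnami\/java"/JAVA_HOME="\/usr\/lib\/jvm\/java-21-openjdk"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak-env.sh
          sed -i 's/\/opt\/bitnami\/java\/lib\/security/\/usr\/lib\/jvm\/java-21-openjdk\/conf\/security/g' ${{targets.contextdir}}/opt/bitnami/scripts/java/postunpack.sh

          # Disable some commands used in Bitnami scripts. These commands more likely fail in this since this image take non root approach
          sed -i 's/chown -R "$KEYCLOAK_DAEMON_USER" "$dir"/# chown -R "$KEYCLOAK_DAEMON_USER" "$dir"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh
          sed -i 's/ensure_user_exists/# ensure_user_exists/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh
          sed -i 's/am_i_root/# am_i_root/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/setup.sh
          sed -i 's/hostname --fqdn/hostname -f/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak-env.sh

          # The `--userspec`` flag belongs to GNU's chroot, whereas we are use BusyBox's. As a workaround, use `su-exec` instead.
          sed -i 's|exec chroot --userspec="$userspec" /|exec chroot / su-exec "$userspec"|' ${{targets.contextdir}}/opt/bitnami/scripts/libos.sh
          sed -i 's|chroot --userspec="$userspec" /|chroot / su-exec "$userspec"|' ${{targets.contextdir}}/opt/bitnami/scripts/libos.sh

          # Use package path while unpacking
          # NOTE(review): `find .` walks the whole current working directory,
          # not only the bitnami scripts tree - confirm that is the intended scope.
          find . -iname "*.sh" -exec sed 's#/opt/bitnami#${{targets.contextdir}}/opt/bitnami#g' -i {} \;
          ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh || true
          # Restore path
          find ${{targets.contextdir}}/opt/bitnami -type f -exec sed 's#${{targets.contextdir}}##g' -i {} \;

          # Link binaries used by Bitnami config
          ln -sf /opt/bitnami/scripts/keycloak/entrypoint.sh ${{targets.contextdir}}/entrypoint.sh
          ln -sf /opt/bitnami/scripts/keycloak/run.sh ${{targets.contextdir}}/run.sh
    # NOTE(review): this scriptlet runs at package install time, but its
    # destination uses ${{targets.contextdir}}, which is a build-time path -
    # confirm it is substituted to the intended install-time location.
    scriptlets:
      post-install: |
        #!/bin/sh
        # Copy required provider files.
        cp -avR /usr/share/java/keycloak/providers/* ${{targets.contextdir}}/opt/bitnami/keycloak/providers/
    test:
      environment:
        contents:
          packages:
            - curl
            - postgresql
            - postgresql-client
            - shadow
            - sudo-rs
            - jq
            - keycloak
            - keycloak-compat
            - keycloak-bitnami-compat
        accounts:
          groups:
            - groupname: nonroot
              gid: 65532
          users:
            - username: nonroot
              gid: 65532
              uid: 65532
          run-as: 0
        environment:
          PGDATA: /tmp/test_db
          PGUSER: bn_keycloak
          PGDB: bitnami_keycloak
          # Quoted: the Bitnami scripts read this as the string "yes"; a bare
          # `yes` is a YAML 1.1 boolean on some loaders.
          ALLOW_EMPTY_PASSWORD: "yes"
          JAVA_HOME: /usr/lib/jvm/default-jvm
      pipeline:
        - name: "version and help tests"
          runs: |
            /opt/bitnami/keycloak/bin/kc.sh --version
            /opt/bitnami/keycloak/bin/kc.sh --help
            /opt/bitnami/keycloak/bin/kcadm.sh --help
            /opt/bitnami/keycloak/bin/kcreg.sh --help
        - working-directory: /tmp
          pipeline:
            - name: "Test database creation"
              with:
                setup: echo "127.0.0.1 postgresql" >> /etc/hosts
              runs: |
                useradd $PGUSER
                sudo -u $PGUSER initdb -D ${PGDATA}
                sudo -u $PGUSER pg_ctl -D ${PGDATA} -l /tmp/logfile start
                sudo -u $PGUSER createdb ${PGDB}
                sudo -u $PGUSER psql -lqt | cut -d \| -f 1 | grep -qw ${PGDB}
            - name: "start daemon on localhost"
              uses: test/daemon-check-output
              with:
                setup: |
                  #!/bin/sh -e
                  echo "127.0.0.1 postgresql" >> /etc/hosts
                  echo "$(hostname) postgresql" >> /etc/hosts
                start: |
                  env "BITNAMI_APP_NAME=keycloak" \
                    "APP_VERSION=${{package.version}}" \
                    "PATH=/opt/bitnami/keycloak/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
                    "KEYCLOAK_ENABLE_HEALTH_ENDPOINTS=true" \
                    /opt/bitnami/scripts/keycloak/entrypoint.sh \
                    /opt/bitnami/scripts/keycloak/run.sh
                timeout: 60
                expected_output: |
                  Welcome to the Bitnami keycloak container
                  keycloak setup finished!
                  server listening on
                  Keycloak ${{package.version}}
                  Profile dev activated.
                post: |
                  #!/bin/sh -e
                  # Readiness probe against the management port; retries cover
                  # the window between "listening" and the health endpoint being up.
                  url=http://localhost:9000/health/ready
                  response=$(curl -fsS --connect-timeout 5 --max-time 10 --retry 5 --retry-delay 0 --retry-max-time 40 "$url") || {
                    echo "curl ${url} failed $?"
                    exit 1
                  }
                  echo "$response" | jq .status | grep -q UP || {
                    echo "response from $url did not contain \"UP\""
                    echo "response: $response"
                    exit 1
                  }
                  echo "$url had expected output: $response"

test:
  pipeline:
    - name: "start daemon on localhost"
      uses: test/daemon-check-output
      with:
        # MYPASSWORD only protects the throwaway keystore generated in `setup`
        # below for this test run.
        start: "kc.sh start --hostname=localhost --https-key-store-password=MYPASSWORD"
        timeout: 60
        expected_output: |
          Listening on
          Keycloak ${{package.version}}
          Profile prod activated
        setup: |
          #!/bin/sh -ex
          echo "127.0.0.1 $(hostname)" >> /etc/hosts
          kspath=/usr/share/java/keycloak/conf/server.keystore
          keytool -v \
            -keystore $kspath \
            -alias localhost \
            -genkeypair -sigalg SHA512withRSA -keyalg RSA -dname CN=localhost \
            -storepass MYPASSWORD || {
            echo "failed [$?] to create keystore with keytool at $kspath"
            exit 1
          }
    - name: "version and help tests"
      runs: |
        kc.sh --version
        kc.sh --help
        kcadm.sh --help
        kcreg.sh --help

update:
  # The upstream repos releases contains a 'nightly' release. Which we want to
  # exclude from discovery.
  ignore-regex-patterns:
    - ".*nightly.*"
  enabled: true
  github:
    identifier: keycloak/keycloak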