This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new e6861c8 Fix CI failures with OpenID jobs (#659)
e6861c8 is described below
commit e6861c85af059ae8741b121954b9bd14d4591b89
Author: Lari Hotari <[email protected]>
AuthorDate: Mon Mar 2 14:42:51 2026 +0200
Fix CI failures with OpenID jobs (#659)
* Fix waiting for upterm session to close
* Upgrade k9s version used for ci debugging
* Migrate to use https://artifacthub.io/packages/helm/codecentric/keycloakx
for Keycloak in ci
---
.ci/auth/keycloak/values.yaml | 42 +++++++++++++++++---------------
.ci/clusters/values-openid.yaml | 8 +++---
.ci/configure_ci_runner_for_debugging.sh | 2 +-
.ci/helm.sh | 13 ++++------
.github/actions/ssh-access/action.yml | 5 ++--
5 files changed, 36 insertions(+), 34 deletions(-)
diff --git a/.ci/auth/keycloak/values.yaml b/.ci/auth/keycloak/values.yaml
index a9aaa03..7822e87 100644
--- a/.ci/auth/keycloak/values.yaml
+++ b/.ci/auth/keycloak/values.yaml
@@ -17,30 +17,34 @@
# under the License.
#
-tls:
- enabled: false
+# Uses quay.io/keycloak/keycloak (official image, default for
codecentric/keycloakx chart)
+# Run Keycloak in development mode with realm import for CI testing
+# https://www.keycloak.org/server/containers
+command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "start-dev"
+ - "--import-realm"
+
+# Bootstrap admin credentials
+#
https://www.keycloak.org/server/containers#_bootstrap_admin_and_creating_initial_admin_user
+extraEnv: |
+ - name: KC_BOOTSTRAP_ADMIN_USERNAME
+ value: admin
+ - name: KC_BOOTSTRAP_ADMIN_PASSWORD
+ value: admin
+
# This block sets up an example Pulsar Realm
#
https://www.keycloak.org/server/importExport#_importing_a_realm_from_a_directory
-extraEnvVars:
- - name: KEYCLOAK_EXTRA_ARGS
- value: "--import-realm"
-extraVolumes:
+extraVolumes: |
- name: realm-config
secret:
secretName: keycloak-ci-realm-config
-extraVolumeMounts:
+
+extraVolumeMounts: |
- name: realm-config
- mountPath: "/opt/bitnami/keycloak/data/import"
+ mountPath: "/opt/keycloak/data/import"
readOnly: true
-# Fix for https://github.com/bitnami/charts/issues/35164
-global:
- security:
- allowInsecureImages: true
-image:
- repository: bitnamilegacy/keycloak
- tag: 26.2.3-debian-12-r0
-postgresql:
- image:
- repository: bitnamilegacy/postgresql
- tag: 17.4.0-debian-12-r17
+resources:
+ limits:
+ memory: 768Mi
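Review bot: The new values drop the explicit image pin the old block carried (`tag: 26.2.3-debian-12-r0`) and rely on whatever default tag chart 7.1.8 ships, so the Keycloak version under test is now pinned only indirectly through the `--version` in helm.sh. Restoring an explicit pin, e.g. `image:` / `  tag: "<KEYCLOAK_IMAGE_TAG placeholder>"`, keeps the CI run reproducible when the chart is next bumped. The `extraEnv` block also commits the bootstrap admin password (`admin`) in plaintext; that is tolerable for a throwaway CI instance, but a comment such as `# CI-only throwaway bootstrap credentials for the ephemeral test cluster` above `extraEnv` makes the scope explicit, and a `valueFrom`/`secretKeyRef` entry in the same block is available if the value should come from a Secret instead.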
diff --git a/.ci/clusters/values-openid.yaml b/.ci/clusters/values-openid.yaml
index 8305f89..5ba62c5 100644
--- a/.ci/clusters/values-openid.yaml
+++ b/.ci/clusters/values-openid.yaml
@@ -22,7 +22,7 @@ proxy:
configData:
# Authentication settings of the broker itself. Used when the broker
connects to other brokers, or when the proxy connects to brokers, either in
same or other clusters
brokerClientAuthenticationPlugin:
"org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
- brokerClientAuthenticationParameters:
'{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+ brokerClientAuthenticationParameters:
'{"privateKey":"file:///pulsar/auth/proxy/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-keycloakx-http/auth/realms/pulsar"}'
extraVolumes:
- name: pulsar-proxy-credentials
secret:
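Review bot: The issuer string `http://keycloak-ci-keycloakx-http/auth/realms/pulsar` is repeated verbatim in this hunk and in the broker, toolset and `auth` hunks below, and the `/auth` segment presumably comes from the keycloakx chart's default `http.relativePath` rather than from anything set in `.ci/auth/keycloak/values.yaml`. Because OIDC issuer matching is exact, overriding that relative path in the chart values would silently break token validation in four places. A short comment on `openIDAllowedTokenIssuers`, e.g. `# Must equal the iss claim Keycloak emits (<service>/<http.relativePath>/realms/pulsar); keep in sync with the brokerClientAuthenticationParameters and authParams entries above`, documents the coupling. Plain-http discovery is acceptable for an in-cluster CI-only instance, which is presumably why `openIDTokenIssuerTrustCertsFilePath` stays commented out.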
@@ -36,7 +36,7 @@ broker:
configData:
# Authentication settings of the broker itself. Used when the broker
connects to other brokers, or when the proxy connects to brokers, either in
same or other clusters
brokerClientAuthenticationPlugin:
"org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
- brokerClientAuthenticationParameters:
'{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+ brokerClientAuthenticationParameters:
'{"privateKey":"file:///pulsar/auth/broker/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-keycloakx-http/auth/realms/pulsar"}'
extraVolumes:
- name: pulsar-broker-credentials
secret:
@@ -49,7 +49,7 @@ broker:
toolset:
configData:
authPlugin:
"org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
- authParams:
'{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-headless:8080/realms/pulsar"}'
+ authParams:
'{"privateKey":"file:///pulsar/auth/admin/credentials_file.json","audience":"account","issuerUrl":"http://keycloak-ci-keycloakx-http/auth/realms/pulsar"}'
extraVolumes:
- name: pulsar-admin-credentials
secret:
@@ -67,7 +67,7 @@ auth:
enabled: true
#
https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
openIDAllowedTokenIssuers:
- - http://keycloak-ci-headless:8080/realms/pulsar
+ - http://keycloak-ci-keycloakx-http/auth/realms/pulsar
openIDAllowedAudiences:
- account
#openIDTokenIssuerTrustCertsFilePath:
diff --git a/.ci/configure_ci_runner_for_debugging.sh
b/.ci/configure_ci_runner_for_debugging.sh
index 7a6bcb7..9c61bca 100755
--- a/.ci/configure_ci_runner_for_debugging.sh
+++ b/.ci/configure_ci_runner_for_debugging.sh
@@ -27,7 +27,7 @@ function k9s() {
# install k9s on the fly
if [ ! -x /usr/local/bin/k9s ]; then
echo "Installing k9s..."
- curl -L -s
https://github.com/derailed/k9s/releases/download/v0.40.5/k9s_Linux_amd64.tar.gz
| sudo tar xz -C /usr/local/bin k9s
+ curl -L -s
https://github.com/derailed/k9s/releases/download/v0.50.18/k9s_Linux_amd64.tar.gz
| sudo tar xz -C /usr/local/bin k9s
fi
command k9s "$@"
}
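Review bot: The k9s tarball is still fetched with `curl -L -s` and piped straight into `sudo tar`, so the bump to v0.50.18 keeps an unverified download being extracted as root on the runner, and `-s` without `-f` means an HTTP error body would be handed to tar instead of failing the download. Downloading to a file, checking it against the release's published SHA-256 (if the release provides a checksum file) and only then extracting closes that gap: `curl -fsSL -o /tmp/k9s.tgz https://github.com/derailed/k9s/releases/download/v0.50.18/k9s_Linux_amd64.tar.gz` / `echo "<SHA256_PLACEHOLDER>  /tmp/k9s.tgz" | sha256sum -c -` / `sudo tar xzf /tmp/k9s.tgz -C /usr/local/bin k9s`. This is a debugging helper, so the exposure is limited to the CI runner, but the pattern is worth fixing while the version is being touched.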
diff --git a/.ci/helm.sh b/.ci/helm.sh
index 5e39fb7..833d823 100755
--- a/.ci/helm.sh
+++ b/.ci/helm.sh
@@ -85,6 +85,7 @@ function ci::helm_repo_add() {
echo "Adding the helm repo ..."
${HELM} repo add prometheus-community
https://prometheus-community.github.io/helm-charts
${HELM} repo add vm https://victoriametrics.github.io/helm-charts/
+ ${HELM} repo add codecentric https://codecentric.github.io/helm-charts
${HELM} repo update
echo "Successfully added the helm repo."
}
@@ -535,10 +536,10 @@ function ci::create_openid_resources() {
${KUBECTL} create secret generic keycloak-ci-realm-config
--from-file=realm-pulsar.json=/tmp/realm-pulsar.json -n ${NAMESPACE}
echo "Installing keycloak helm chart"
- ${HELM} install keycloak-ci
oci://registry-1.docker.io/bitnamicharts/keycloak --version 24.6.4 --values
${PULSAR_HOME}/.ci/auth/keycloak/values.yaml -n ${NAMESPACE}
+ ${HELM} install keycloak-ci codecentric/keycloakx --version 7.1.8 --values
${PULSAR_HOME}/.ci/auth/keycloak/values.yaml -n ${NAMESPACE}
echo "Wait until keycloak is running"
- WC=$(${KUBECTL} get pods -n ${NAMESPACE}
--field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
+ WC=$(${KUBECTL} get pods -n ${NAMESPACE}
--field-selector=status.phase=Running | grep keycloak-ci-keycloakx-0 | wc -l)
counter=1
while [[ ${WC} -lt 1 ]]; do
((counter++))
@@ -553,15 +554,11 @@ function ci::create_openid_resources() {
exit 1
fi
fi
- WC=$(${KUBECTL} get pods -n ${NAMESPACE}
--field-selector=status.phase=Running | grep keycloak-ci-0 | wc -l)
+ WC=$(${KUBECTL} get pods -n ${NAMESPACE}
--field-selector=status.phase=Running | grep keycloak-ci-keycloakx-0 | wc -l)
done
echo "Wait until keycloak is ready"
- ${KUBECTL} wait --for=condition=Ready pod/keycloak-ci-0 -n ${NAMESPACE}
--timeout 180s
-
- echo "Check keycloack realm pulsar issuer url"
- ${KUBECTL} exec -n ${NAMESPACE} keycloak-ci-0 -c keycloak -- bash -c 'curl
-sSL http://keycloak-ci-headless:8080/realms/pulsar'
-
+ ${KUBECTL} wait --for=condition=Ready pod/keycloak-ci-keycloakx-0 -n
${NAMESPACE} --timeout 180s
}
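Review bot: The removed `Check keycloack realm pulsar issuer url` step was the only verification that the realm import actually produced `/realms/pulsar`; the new code ends with just a pod Ready wait, so a failed import would now surface later as an opaque OIDC error in the Pulsar pods. The old check ran curl via `exec` inside the container, which presumably no longer works with the official image, but the same probe can be done from outside the pod, e.g. through `${KUBECTL} port-forward` or a helper pod requesting `http://keycloak-ci-keycloakx-http/auth/realms/pulsar` and failing the job on a non-200 response. ci::create_openid_resources starts outside the hunk.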
# lists all available functions in this tool
diff --git a/.github/actions/ssh-access/action.yml
b/.github/actions/ssh-access/action.yml
index 2c8f0a0..89f9b74 100644
--- a/.github/actions/ssh-access/action.yml
+++ b/.github/actions/ssh-access/action.yml
@@ -138,7 +138,8 @@ runs:
if command -v upterm &>/dev/null; then
shopt -s nullglob
echo "SSH connection information"
- upterm session current --admin-socket ~/.upterm/*.sock || {
+ export UPTERM_ADMIN_SOCKET=$(find $HOME/.upterm
$XDG_RUNTIME_DIR/upterm /run/user/$(id -u)/upterm -name "*.sock" | head -n 1)
+ upterm session current || {
echo "upterm isn't running. Not waiting any longer."
exit 0
}
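Review bot: The new `find` call expands `$XDG_RUNTIME_DIR/upterm` to a bare `/upterm` when the variable is unset, every nonexistent search root makes find print a `No such file or directory` error into the step log, and `$HOME` and the glob are unquoted. A quieter, quoted form with the same search order is `export UPTERM_ADMIN_SOCKET=$(find "$HOME/.upterm" "${XDG_RUNTIME_DIR:-}/upterm" "/run/user/$(id -u)/upterm" -name '*.sock' 2>/dev/null | head -n 1)`, and a guard `[ -S "$UPTERM_ADMIN_SOCKET" ] || { echo "no upterm socket found"; exit 0; }` gives a clearer message than relying on the `||` branch. The `while upterm session current` loop in the next hunk depends on this exported variable, so both must stay in the same `run:` script. The enclosing `run:` block starts outside the hunk.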
@@ -146,7 +147,7 @@ runs:
echo "Waiting $timeout seconds..."
sleep $timeout
echo "Keep waiting as long as there's a connected session"
- while upterm session current --admin-socket
~/.upterm/*.sock|grep Connected &>/dev/null; do
+ while upterm session current|grep Connected &>/dev/null; do
sleep 30
done
echo "No session is connected. Not waiting any longer."