Skip to content

Commit 6b6e228

Browse files
fabianvfclaude
andauthored
✨ Update koncur-tackle-hub action for hub built-in OIDC auth (#234)
The operator no longer deploys Keycloak (tackle2-operator#567) - auth moved to the hub's built-in OIDC provider, which seeds a default admin/admin user. The koncur-tackle-hub action was waiting on and patching a tackle-keycloak-sso deployment that no longer exists, timing out every run. - koncur-tackle-hub: drop the tackle.local/Keycloak reconfiguration and keycloak pod wait; reach the hub via port-forward at http://localhost:8081 with Basic auth admin/admin, and assert that unauthenticated requests get a 401 so the auth path is genuinely exercised. - nightly-koncur/e2e-hub-koncur: remove the dead tackle-keycloak-init artifact from image_pattern globs. - global-ci-bundle/setup-konveyor-minikube: keep the keycloak_sso/ keycloak_init inputs for backward compatibility with pre-hub-IdP operator branches (release-0.9), marked DEPRECATED with BACKCOMPAT comments explaining when they can be deleted. Signed-off-by: Fabian von Feilitzsch <fabian@fabianism.us> Co-authored-by: Claude Opus 8 <noreply@anthropic.com>
1 parent 36554ff commit 6b6e228

6 files changed

Lines changed: 59 additions & 63 deletions

File tree

.github/workflows/e2e-hub-koncur.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,5 +35,5 @@ jobs:
3535
uses: konveyor/ci/koncur-tackle-hub@main
3636
with:
3737
image_pattern: |
38-
*{tackle-keycloak-init,tackle2-*,provider}--${{ github.run_id }}
38+
*{tackle2-*,provider}--${{ github.run_id }}
3939
ref: ${{ github.base_ref || inputs.ref || github.ref_name}}

.github/workflows/global-ci-bundle.yml

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,13 +38,19 @@ on:
3838
type: string
3939
required: false
4040
default: ""
41+
# BACKCOMPAT: The operator no longer deploys Keycloak on main (auth moved to
42+
# the hub's built-in OIDC provider in tackle2-operator#567), so these inputs
43+
# are ignored there. They only matter when base_tag points at a pre-hub-IdP
44+
# operator branch (e.g. release-0.9). They stay declared because removing a
45+
# workflow_call input hard-errors any caller that still passes it; delete them
46+
# once release-0.9 flows are retired and callers are confirmed clean.
4147
keycloak_sso:
42-
description: image uri for keycloak_sso image (ie. quay.io/<namespace>/<image-name>:<tag>)
48+
description: "DEPRECATED - ignored on operator main; only meaningful with a pre-hub-IdP operator branch (e.g. release-0.9)"
4349
type: string
4450
required: false
4551
default: ""
4652
keycloak_init:
47-
description: image uri for keycloak_init image (ie. quay.io/<namespace>/<image-name>:<tag>)
53+
description: "DEPRECATED - ignored on operator main; only meaningful with a pre-hub-IdP operator branch (e.g. release-0.9)"
4854
type: string
4955
required: false
5056
default: ""
@@ -301,6 +307,8 @@ jobs:
301307
- name: Check tackle_postgres image exists
302308
if: ${{ inputs.tackle_postgres != '' }}
303309
run: docker manifest inspect ${{ inputs.tackle_postgres }}
310+
# BACKCOMPAT: keycloak inputs are only set when targeting a pre-hub-IdP
311+
# operator branch (e.g. release-0.9); these are no-ops when empty.
304312
- name: Check keycloak_sso image exists
305313
if: ${{ inputs.keycloak_sso != '' }}
306314
run: docker manifest inspect ${{ inputs.keycloak_sso }}
@@ -363,6 +371,7 @@ jobs:
363371
oauth_proxy: ${{ inputs.oauth_proxy }}
364372
tackle_hub: ${{ inputs.tackle_hub }}
365373
tackle_postgres: ${{ inputs.tackle_postgres }}
374+
# BACKCOMPAT: only used when a pre-hub-IdP operator (e.g. release-0.9) is targeted
366375
keycloak_sso: ${{ inputs.keycloak_sso }}
367376
keycloak_init: ${{ inputs.keycloak_init }}
368377
tackle_ui: ${{ inputs.tackle_ui }}
@@ -431,6 +440,7 @@ jobs:
431440
oauth_proxy: ${{ inputs.oauth_proxy }}
432441
tackle_hub: ${{ inputs.tackle_hub }}
433442
tackle_postgres: ${{ inputs.tackle_postgres }}
443+
# BACKCOMPAT: only used when a pre-hub-IdP operator (e.g. release-0.9) is targeted
434444
keycloak_sso: ${{ inputs.keycloak_sso }}
435445
keycloak_init: ${{ inputs.keycloak_init }}
436446
tackle_ui: ${{ inputs.tackle_ui }}
@@ -521,6 +531,7 @@ jobs:
521531
oauth_proxy: ${{ inputs.oauth_proxy }}
522532
tackle_hub: ${{ inputs.tackle_hub }}
523533
tackle_postgres: ${{ inputs.tackle_postgres }}
534+
# BACKCOMPAT: only used when a pre-hub-IdP operator (e.g. release-0.9) is targeted
524535
keycloak_sso: ${{ inputs.keycloak_sso }}
525536
keycloak_init: ${{ inputs.keycloak_init }}
526537
tackle_ui: ${{ inputs.tackle_ui }}

.github/workflows/nightly-koncur.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -191,7 +191,7 @@ jobs:
191191
uses: konveyor/ci/koncur-tackle-hub@main
192192
with:
193193
image_pattern: |
194-
*{tackle-keycloak-init,tackle2-*,provider}--${{ needs.nightly-tag.outputs.tag }}
194+
*{tackle2-*,provider}--${{ needs.nightly-tag.outputs.tag }}
195195
ref: ${{ inputs.branch || 'main' }}
196196

197197
report_failure:

koncur-tackle-hub/README.md

Lines changed: 12 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -195,7 +195,7 @@ Installs the Tackle Hub operator and components using `make hub-install-auth` fr
195195

196196
The environment variables from image loading are passed to the installation, allowing custom images to be used instead of the defaults.
197197

198-
After installation, the action adds `127.0.0.1 tackle.local` to `/etc/hosts` and reconfigures Keycloak to use `https://tackle.local:8443/auth` so Hub is reached at `https://tackle.local:8443/hub` instead of `http://localhost:8080`.
198+
Auth is provided by the Hub's built-in OIDC provider, which seeds a default `admin`/`admin` user — no separate identity server is deployed. The action reaches the Hub via `kubectl port-forward svc/tackle-hub 8081:8080` at `http://localhost:8081`.
199199

200200
### 5. Wait for Readiness
201201

@@ -206,7 +206,7 @@ Waits for Hub to be fully operational:
206206
-n konveyor-tackle --timeout=300s
207207
```
208208

209-
2. **Ingress readiness**: Polls `https://tackle.local:8443/hub/applications` until it responds (up to 2.5 minutes)
209+
2. **API readiness**: Polls `http://localhost:8081/applications` with Basic auth (`admin`/`admin`) until it responds (up to 2.5 minutes), and asserts that an unauthenticated request is rejected with `401` (proving auth is enforced)
210210

211211
### 6. Maven Configuration (Optional)
212212

@@ -221,10 +221,9 @@ If `skip_maven: false`:
221221
```yaml
222222
type: tackle-hub
223223
tackleHub:
224-
url: https://tackle.local:8443/hub
224+
url: http://localhost:8081
225225
username: admin
226226
password: admin
227-
insecure: true
228227
mavenSettings: '/path/to/settings.xml'
229228
```
230229

@@ -284,14 +283,14 @@ The action automatically outputs this information on failure.
284283

285284
### Port Forward Fails
286285

287-
**Issue**: Cannot connect to Hub API on `https://tackle.local:8443`
286+
**Issue**: Cannot connect to Hub API on `http://localhost:8081`
288287

289-
**Solution**: Verify `/etc/hosts` contains `127.0.0.1 tackle.local`, then check ingress and Keycloak:
288+
**Solution**: Verify the Hub pod is ready and the port-forward is running, then check auth:
290289
```bash
291-
grep tackle.local /etc/hosts
292-
kubectl get ingress -n konveyor-tackle
293-
kubectl get pods -n konveyor-tackle -l app.kubernetes.io/name=tackle-keycloak-sso
294-
curl -skf https://tackle.local:8443/hub/applications
290+
kubectl get pods -n konveyor-tackle -l app.kubernetes.io/name=tackle-hub
291+
curl -sf -u admin:admin http://localhost:8081/applications
292+
# Without credentials this should return 401 (auth enforced):
293+
curl -s -o /dev/null -w '%{http_code}' http://localhost:8081/applications
295294
```
296295

297296
### Maven Tests Fail
@@ -369,18 +368,17 @@ See [shared_tests/README.md](../shared_tests/README.md) for more information on
369368
│ │ │ Kubernetes Cluster (koncur-test) │ │ │
370369
│ │ │ │ │ │
371370
│ │ │ Namespace: konveyor-tackle │ │ │
372-
│ │ │ ├─ tackle-hub (deployment) │ │ │
371+
│ │ │ ├─ tackle-hub (deployment, built-in OIDC) │ │ │
373372
│ │ │ ├─ tackle-postgres (statefulset) │ │ │
374-
│ │ │ ├─ tackle-keycloak (deployment) │ │ │
375373
│ │ │ └─ analyzer-addon (taskgroup/pods) │ │ │
376374
│ │ │ │ │ │
377375
│ │ └──────────────────────────────────────────────┘ │ │
378376
│ │ │ │
379-
│ │ Ingress: https://tackle.local:8443 (Hub + Keycloak) │ │
377+
│ │ Port-forward: svc/tackle-hub 8081:8080 │ │
380378
│ └────────────────────────────────────────────────────┘ │
381379
│ │
382380
│ HTTP Server: :8085 (Maven local resources) │
383-
│ Koncur CLI → https://tackle.local:8443/hub
381+
│ Koncur CLI → http://localhost:8081 (Basic admin/admin)
384382
│ │
385383
└─────────────────────────────────────────────────────────┘
386384
```

koncur-tackle-hub/action.yml

Lines changed: 24 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -91,51 +91,44 @@ runs:
9191
DISCOVERY_ADDON: ${{ env.DISCOVERY_ADDON }}
9292
PLATFORM_ADDON: ${{ env.PLATFORM_ADDON }}
9393
HUB: ${{ env.HUB }}
94-
TACKLE_ADMIN_USER: admin
95-
TACKLE_ADMIN_PASS: admin
9694
run: make hub-install-auth
9795

98-
- name: Configure tackle.local in hosts
99-
shell: bash
100-
run: |
101-
if ! grep -q '[[:space:]]tackle\.local$' /etc/hosts; then
102-
echo "127.0.0.1 tackle.local" | sudo tee -a /etc/hosts
103-
fi
104-
grep tackle.local /etc/hosts
105-
106-
- name: Configure Keycloak for tackle.local
107-
shell: bash
108-
run: |
109-
kubectl set env deployment/tackle-keycloak-sso -n konveyor-tackle \
110-
KC_HOSTNAME=https://tackle.local:8443/auth \
111-
KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true
112-
kubectl patch deployment tackle-keycloak-sso -n konveyor-tackle --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": ["-Djgroups.dns.query=mta-kc-discovery.openshift-mta", "--verbose", "start", "--hostname=https://tackle.local:8443/auth", "--hostname-backchannel-dynamic=true"]}]'
113-
kubectl rollout status deployment/tackle-keycloak-sso -n konveyor-tackle --timeout=180s
114-
kubectl rollout status deployment/tackle-hub -n konveyor-tackle --timeout=120s
115-
11696
- name: Wait for Hub readiness
11797
shell: bash
11898
run: |
11999
echo "Waiting for all Tackle Hub pods to be ready..."
120100
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=tackle-hub \
121101
-n konveyor-tackle --timeout=300s
122-
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=tackle-keycloak-sso \
123-
-n konveyor-tackle --timeout=300s
102+
103+
- name: Start port-forward
104+
shell: bash
105+
run: make hub-forward &
124106

125107
- name: Wait for Hub API (auth)
126108
shell: bash
127109
run: |
128-
echo "Checking Hub API availability via ingress..."
110+
echo "Checking Hub API availability via port-forward..."
111+
ready=false
129112
for i in $(seq 1 30); do
130-
if curl -skf https://tackle.local:8443/hub/applications > /dev/null 2>&1; then
113+
if curl -sf -u admin:admin http://localhost:8081/applications > /dev/null 2>&1; then
131114
echo "Hub API is ready"
132-
exit 0
115+
ready=true
116+
break
133117
fi
134118
echo "Waiting for Hub API... attempt $i"
135119
sleep 5
136120
done
137-
echo "Hub API never became ready"
138-
exit 1
121+
if [ "$ready" != "true" ]; then
122+
echo "Hub API never became ready"
123+
exit 1
124+
fi
125+
# Verify auth is actually enforced: unauthenticated requests must 401
126+
code=$(curl -s -o /dev/null -w '%{http_code}' http://localhost:8081/applications)
127+
if [ "$code" != "401" ]; then
128+
echo "Expected 401 without credentials, got $code - auth is not enforced"
129+
exit 1
130+
fi
131+
echo "Auth is enforced"
139132
140133
- name: Build Koncur
141134
shell: bash
@@ -170,29 +163,17 @@ runs:
170163
path: "${{ runner.temp }}/settings.xml"
171164

172165
- name: Create Hub target config
173-
if: ${{ !inputs.skip_maven }}
174166
shell: bash
175167
run: |
176168
mkdir -p .koncur/config
177169
printf 'type: tackle-hub\n' > .koncur/config/target-tackle-hub.yaml
178170
printf 'tackleHub:\n' >> .koncur/config/target-tackle-hub.yaml
179-
printf ' url: https://tackle.local:8443/hub\n' >> .koncur/config/target-tackle-hub.yaml
171+
printf ' url: http://localhost:8081\n' >> .koncur/config/target-tackle-hub.yaml
180172
printf ' username: admin\n' >> .koncur/config/target-tackle-hub.yaml
181173
printf ' password: admin\n' >> .koncur/config/target-tackle-hub.yaml
182-
printf ' insecure: true\n' >> .koncur/config/target-tackle-hub.yaml
183-
printf ' mavenSettings: "%s"\n' "${{ runner.temp }}/settings.xml" >> .koncur/config/target-tackle-hub.yaml
184-
185-
- name: Create Hub target config (no maven)
186-
if: ${{ inputs.skip_maven }}
187-
shell: bash
188-
run: |
189-
mkdir -p .koncur/config
190-
printf 'type: tackle-hub\n' > .koncur/config/target-tackle-hub.yaml
191-
printf 'tackleHub:\n' >> .koncur/config/target-tackle-hub.yaml
192-
printf ' url: https://tackle.local:8443/hub\n' >> .koncur/config/target-tackle-hub.yaml
193-
printf ' username: admin\n' >> .koncur/config/target-tackle-hub.yaml
194-
printf ' password: admin\n' >> .koncur/config/target-tackle-hub.yaml
195-
printf ' insecure: true\n' >> .koncur/config/target-tackle-hub.yaml
174+
if [ "${{ inputs.skip_maven }}" != "true" ]; then
175+
printf ' mavenSettings: "%s"\n' "${{ runner.temp }}/settings.xml" >> .koncur/config/target-tackle-hub.yaml
176+
fi
196177
197178
- name: Run test
198179
shell: bash

setup-konveyor-minikube/action.yml

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -30,12 +30,16 @@ inputs:
3030
description: Image URI for tackle-postgres
3131
required: false
3232
default: ""
33+
# BACKCOMPAT: The operator no longer deploys Keycloak on main (auth moved to the
34+
# hub's built-in OIDC provider in tackle2-operator#567), so these inputs are
35+
# ignored there. Kept so operator bundles from pre-hub-IdP branches (base_tag =
36+
# release-0.9 and earlier) can still be built; delete once those are retired.
3337
keycloak_sso:
34-
description: Image URI for keycloak_sso
38+
description: "DEPRECATED - ignored on operator main; only used when base_tag points at a pre-hub-IdP operator branch (e.g. release-0.9)"
3539
required: false
3640
default: ""
3741
keycloak_init:
38-
description: Image URI for keycloak_init
42+
description: "DEPRECATED - ignored on operator main; only used when base_tag points at a pre-hub-IdP operator branch (e.g. release-0.9)"
3943
required: false
4044
default: ""
4145
tackle_ui:
@@ -121,6 +125,8 @@ runs:
121125
oauth_proxy: ${{ inputs.oauth_proxy }}
122126
tackle_hub: ${{ inputs.tackle_hub }}
123127
tackle_postgres: ${{ inputs.tackle_postgres }}
128+
# BACKCOMPAT: only used when base_tag points at a pre-hub-IdP operator
129+
# branch (e.g. release-0.9); operator@main's make-bundle ignores these.
124130
keycloak_sso: ${{ inputs.keycloak_sso }}
125131
keycloak_init: ${{ inputs.keycloak_init }}
126132
tackle_ui: ${{ inputs.tackle_ui }}

0 commit comments

Comments
 (0)