From e5f0a3efe10d3ac930b0eeb3981e7f3d1bf631ba Mon Sep 17 00:00:00 2001
From: Guido Grazioli
Date: Wed, 25 Oct 2023 16:40:25 +0200
Subject: [PATCH] molecule test for keycloakx with proxy

---
 .github/workflows/ci.yml | 2 +-
 molecule/https_revproxy/converge.yml | 16 ++++++++
 molecule/https_revproxy/molecule.yml | 59 ++++++++++++++++++++++++++++
 molecule/https_revproxy/prepare.yml | 49 +++++++++++++++++++++++
 molecule/https_revproxy/roles | 1 +
 molecule/https_revproxy/verify.yml | 39 ++++++++++++++++++
 molecule/requirements.yml | 2 +-
 7 files changed, 166 insertions(+), 2 deletions(-)
 create mode 100644 molecule/https_revproxy/converge.yml
 create mode 100644 molecule/https_revproxy/molecule.yml
 create mode 100644 molecule/https_revproxy/prepare.yml
 create mode 120000 molecule/https_revproxy/roles
 create mode 100644 molecule/https_revproxy/verify.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50e1fc4..6e5a542 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,4 +15,4 @@ jobs:
 with:
 fqcn: 'middleware_automation/keycloak'
 molecule_tests: >-
- [ "default", "quarkus", "overridexml", "quarkus-devmode" ]
+ [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ]
diff --git a/molecule/https_revproxy/converge.yml b/molecule/https_revproxy/converge.yml
new file mode 100644
index 0000000..b1eb7bc
--- /dev/null
+++ b/molecule/https_revproxy/converge.yml
@@ -0,0 +1,16 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ keycloak_quarkus_admin_pass: "remembertochangeme"
+ keycloak_admin_password: "remembertochangeme"
+ keycloak_realm: TestRealm
+ keycloak_quarkus_host: instance
+ keycloak_quarkus_log: file
+ keycloak_quarkus_http_enabled: True
+ keycloak_quarkus_http_port: 8080
+ keycloak_quarkus_proxy_mode: edge
+ keycloak_quarkus_http_relative_path: /
+ keycloak_quarkus_frontend_url: https://proxy/
+ roles:
+ - role: keycloak_quarkus
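Review bot: `hosts: all` in converge.yml runs the `keycloak_quarkus` role on both platforms declared in molecule.yml, so a second Keycloak is installed on the `proxy` container that the scenario never exercises; `hosts: instance` would scope the converge to the backend. If that is changed, the `keycloak.service` assertion in verify.yml (also `hosts: all`) needs the same scoping or it will fail on the proxy host. Minor style: `keycloak_quarkus_http_enabled: True` should be the canonical lowercase `true` (yamllint truthy). The fixture admin password is acceptable for a throwaway test container, but a comment such as `# test-only credentials; never reuse outside molecule` above the two `*_pass*` vars would stop it being copied into real inventories.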
diff --git a/molecule/https_revproxy/molecule.yml b/molecule/https_revproxy/molecule.yml
new file mode 100644
index 0000000..efdebf4
--- /dev/null
+++ b/molecule/https_revproxy/molecule.yml
@@ -0,0 +1,59 @@
+---
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: registry.access.redhat.com/ubi8/ubi-init:latest
+ pre_build_image: true
+ privileged: true
+ command: "/usr/sbin/init"
+ networks:
+ - name: keycloak
+ port_bindings:
+ - "8080/tcp"
+ published_ports:
+ - 0.0.0.0:8080:8080/tcp
+ - name: proxy
+ image: registry.access.redhat.com/ubi8/ubi-init:latest
+ pre_build_image: true
+ privileged: true
+ command: "/usr/sbin/init"
+ networks:
+ - name: keycloak
+ port_bindings:
+ - "443/tcp"
+ published_ports:
+ - 0.0.0.0:443:443/tcp
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ interpreter_python: auto_silent
+ ssh_connection:
+ pipelining: false
+ playbooks:
+ prepare: prepare.yml
+ converge: converge.yml
+ verify: verify.yml
+ inventory:
+ host_vars:
+ localhost:
+ ansible_python_interpreter: "{{ ansible_playbook_python }}"
+ env:
+ ANSIBLE_FORCE_COLOR: "true"
+ REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID: "${REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID}"
+ REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET: "${REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET}"
+verifier:
+ name: ansible
+scenario:
+ test_sequence:
+ - cleanup
+ - destroy
+ - create
+ - prepare
+ - converge
+ - idempotence
+ - side_effect
+ - verify
+ - cleanup
+ - destroy
diff --git a/molecule/https_revproxy/prepare.yml b/molecule/https_revproxy/prepare.yml
new file mode 100644
index 0000000..5cdb135
--- /dev/null
+++ b/molecule/https_revproxy/prepare.yml
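Review bot: `published_ports: - 0.0.0.0:8080:8080/tcp` on the `instance` platform publishes Keycloak's plain-HTTP port on every host interface, so the backend is reachable directly, bypassing the HTTPS proxy this scenario exists to test; nothing in verify.yml talks to host port 8080 (it only curls `https://localhost:443`), so the binding appears unnecessary. Because converge.yml sets `keycloak_quarkus_proxy_mode: edge`, a client hitting 8080 directly can present its own `X-Forwarded-*` headers, which is exactly the exposure a reverse-proxy deployment is meant to avoid. Drop the `published_ports` entry for `instance` (the `keycloak` docker network still carries `instance:8080` to the proxy) and consider `127.0.0.1:443:443/tcp` for the proxy, since verify only connects to localhost. `privileged: true` is presumably required to run `/usr/sbin/init` under systemd in the container, but a comment saying so would spare the next reader from wondering whether it can be removed.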
@@ -0,0 +1,49 @@
+---
+- name: Prepare
+ hosts: all
+ tasks:
+ - name: Install sudo
+ ansible.builtin.yum:
+ name: sudo
+ state: present
+
+ - name: "Display hera_home if defined."
+ ansible.builtin.set_fact:
+ hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+- name: Prepare proxy
+ hosts: proxy
+ vars:
+ jbcs_mod_cluster_enable: True
+ jbcs_configure_firewalld: False
+ jbcs_offline_install: False
+ jbcs_bind_address: '*'
+ jbcs_proxy_pass:
+ - path: /
+ url: http://instance:8080/
+ reverse_path: /
+ reverse_url: http://instance:8080/
+ external_domain_name: proxy
+ rhn_username: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_ID') }}"
+ rhn_password: "{{ lookup('env', 'REDHAT_PRODUCT_DOWNLOAD_CLIENT_SECRET') }}"
+ roles:
+ - middleware_automation.jbcs.jbcs
+ pre_tasks:
+ - name: Create certificate request
+ ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=proxy'
+ delegate_to: localhost
+ changed_when: False
+
+ - name: Copy certificates
+ ansible.builtin.copy:
+ src: "{{ item.name }}"
+ dest: "{{ item.dest }}"
+ mode: 0444
+ become: True
+ loop:
+ - { name: 'cert.pem', dest: '/etc/pki/tls/certs/proxy.crt' }
+ - { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key' }
+
+ - name: update_ca_trust
+ command: update-ca-trust
+ become: True
diff --git a/molecule/https_revproxy/roles b/molecule/https_revproxy/roles
new file mode 120000
index 0000000..b741aa3
--- /dev/null
+++ b/molecule/https_revproxy/roles
@@ -0,0 +1 @@
+../../roles
\ No newline at end of file
diff --git a/molecule/https_revproxy/verify.yml b/molecule/https_revproxy/verify.yml
new file mode 100644
index 0000000..9d355a6
--- /dev/null
+++ b/molecule/https_revproxy/verify.yml
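Review bot: `mode: 0444` in the "Copy certificates" task applies to both loop items, so the private key is written to `/etc/pki/tls/private/proxy.key` world-readable; give each item its own mode — `mode: "{{ item.mode }}"` with `- { name: 'cert.pem', dest: '/etc/pki/tls/certs/proxy.crt', mode: '0444' }` and `- { name: 'key.pem', dest: '/etc/pki/tls/private/proxy.key', mode: '0400' }` — quoted, so YAML does not read the octal literal as an integer (the key's owner should be whatever user httpd runs as, which the jbcs role presumably sets). The `openssl req` task writes an unencrypted key (`-nodes`) into the controller's working directory on every run and `changed_when: False` hides that; an `args: creates: key.pem` would make it idempotent and visible. `update-ca-trust` reads anchors from `/etc/pki/ca-trust/source/anchors` rather than `/etc/pki/tls/certs`, so the final task most likely does nothing for trust here — and verify.yml uses `curl -k` anyway — so either drop it or also copy the cert into the anchors directory. `-subj '/CN=proxy'` without `-addext 'subjectAltName=DNS:proxy'` yields a certificate that hostname verification would reject if `-k` were ever removed from the verify step.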
@@ -0,0 +1,39 @@
+---
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Populate service facts
+ ansible.builtin.service_facts:
+
+ - name: Check if keycloak service started
+ ansible.builtin.assert:
+ that:
+ - ansible_facts.services["keycloak.service"]["state"] == "running"
+ - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+
+ - name: Set internal envvar
+ ansible.builtin.set_fact:
+ hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+
+ - name: Verify openid config
+ block:
+ - name: Fetch openID config # noqa blocked_modules command-instead-of-module
+ ansible.builtin.shell: |
+ set -o pipefail
+ curl https://localhost:443/realms/master/.well-known/openid-configuration -k | jq .
+ args:
+ executable: /bin/bash
+ register: openid_config
+ changed_when: False
+ delegate_to: localhost
+ - name: Verify endpoint URLs
+ ansible.builtin.assert:
+ that:
+ - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://proxy/realms/master/protocol/openid-connect/ext/ciba/auth'
+ - (openid_config.stdout | from_json)['issuer'] == 'https://proxy/realms/master'
+ - (openid_config.stdout | from_json)['authorization_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/auth'
+ - (openid_config.stdout | from_json)['token_endpoint'] == 'https://proxy/realms/master/protocol/openid-connect/token'
+ delegate_to: localhost
+ when:
+ - hera_home is defined
+ - hera_home | length == 0
diff --git a/molecule/requirements.yml b/molecule/requirements.yml
index 2e0ae56..5e39b59 100644
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -1,8 +1,8 @@
 ---
 collections:
 - name: middleware_automation.common
+ - name: middleware_automation.jbcs
 - name: community.general
 - name: ansible.posix
 - name: community.docker
 version: ">=1.9.1"
-
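Review bot: `curl ... -k` in "Fetch openID config" disables certificate validation, so the scenario passes even if the proxy serves an unrelated or expired certificate, which is half of what an HTTPS reverse-proxy test should catch; since the certificate is generated on the controller in prepare.yml (apparently as `cert.pem` in the working directory), the check could pin it with `curl --fail --silent --show-error --cacert cert.pem --resolve proxy:443:127.0.0.1 https://proxy/realms/master/.well-known/openid-configuration | jq .`, which additionally requires the certificate to carry `subjectAltName=DNS:proxy`. As written, `curl` also runs without `--fail`, so an HTTP error page is only caught indirectly when `from_json` fails to parse it in the assertions. Style: `openid_config.stdout | from_json` is re-parsed in all four assertions; a single `set_fact` of the parsed document would read better. The block only runs when `HERA_HOME` is unset or empty (the `set_fact` always defines `hera_home`), and a one-line comment stating that convention would save the next reader a lookup.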
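Review bot: The new `- name: middleware_automation.jbcs` entry carries no `version:` constraint while `community.docker` in the same file is pinned with `">=1.9.1"`, so CI will pull whatever the latest Galaxy release is and an upstream change to the jbcs role can silently break or alter this scenario. Add a `version:` line beside it — at minimum a floor matching the release the scenario was developed against, ideally an exact pin for a CI requirements file. The same applies to the pre-existing unpinned entries, but the new line is the one to get right now.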