Merge branch 'opensearch-project:main' into main

opensearch-project · Sep 3, 2024 · 4069fe2 · 4069fe2
2 parents 571b70d + c527d8d
commit 4069fe2
Show file tree

Hide file tree

Showing 35 changed files with 13,821 additions and 238 deletions.
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
diff --git a/.github/workflows/keycloak-build-test.yml b/.github/workflows/keycloak-build-test.yml
@@ -0,0 +1,32 @@
+name: Keycloak Build and Test
+
+on:
+  pull_request:
+    paths:
+      - keycloak/**
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: keycloak
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 16.x
+
+      - name: Run CDK Build and Test
+        run: |
+          npm install
+          npm run build
+
+      - name: Run test coverage
+        run: |
+          npm test -- --coverage
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3
diff --git a/.github/workflows/nightly-playground-deploy.yml b/.github/workflows/nightly-playground-deploy.yml
@@ -57,7 +57,7 @@ jobs:
           pipenv install --deploy --dev
 
       - name: Validate OS and OSD
-        run: ./validation.sh --file-path opensearch=${{needs.set-os-osd-urls.outputs.OPENSEARCH_URL}} opensearch-dashboards=${{needs.set-os-osd-urls.outputs.OPENSEARCH_DASHBOARDS_URL}}
+        run: unset JAVA_HOME && ./validation.sh --file-path opensearch=${{needs.set-os-osd-urls.outputs.OPENSEARCH_URL}} opensearch-dashboards=${{needs.set-os-osd-urls.outputs.OPENSEARCH_DASHBOARDS_URL}}
 
       - uses: actions/checkout@v3
 
@@ -77,7 +77,8 @@ jobs:
           npm install
           playground_id=`echo ${{inputs.dist_version}} | cut -d. -f1`x
           echo "PLAYGROUND_ID=$playground_id" >> "$GITHUB_OUTPUT"
-          npm run cdk deploy "infra*" -- -c playGroundId=$playground_id -c distVersion=${{inputs.dist_version}} -c distributionUrl=${{needs.set-os-osd-urls.outputs.OPENSEARCH_URL}} -c dashboardsUrl=${{needs.set-os-osd-urls.outputs.OPENSEARCH_DASHBOARDS_URL}} -c dashboardPassword=${{ SECRETS.DASHBOARDS_PASSWORD }} -c adminPassword=${{ SECRETS.OPENSEARCH_PASSWORD }} --require-approval never
+          aws s3 cp s3://nightly-playgrounds-snapshots-bucket/internal_users.yml resources/security-config/internal_users.yml
+          npm run cdk deploy "infra*" -- -c playGroundId=$playground_id -c distVersion=${{inputs.dist_version}} -c distributionUrl=${{needs.set-os-osd-urls.outputs.OPENSEARCH_URL}} -c dashboardsUrl=${{needs.set-os-osd-urls.outputs.OPENSEARCH_DASHBOARDS_URL}} -c dashboardPassword=${{ SECRETS.DASHBOARDS_PASSWORD }} -c adminPassword=${{ SECRETS.OPENSEARCH_PASSWORD }} -c dashboardOpenIDClientSecret=${{ SECRETS.DASHBOARD_OPENID_CLIENT_SECRET }} --require-approval never
 
           echo "ENDPOINT=$(aws cloudformation --region us-west-2 describe-stacks --stack-name infraStack-$playground_id --query 'Stacks[0].Outputs[0].OutputValue' --output text)" >> "$GITHUB_OUTPUT"
 

diff --git a/.github/workflows/nightly-playground-trigger.yml b/.github/workflows/nightly-playground-trigger.yml
@@ -9,7 +9,7 @@ jobs:
   deploy-nightly-playground:
     strategy:
       matrix:
-        dist_version: ['2.14.0', '3.0.0']
+        dist_version: ['2.17.0', '3.0.0']
       fail-fast: false
     uses: ./.github/workflows/nightly-playground-deploy.yml
     secrets: inherit

diff --git a/keycloak/.eslintrc.js b/keycloak/.eslintrc.js
@@ -0,0 +1,37 @@
+module.exports = {
+    env: {
+        browser: false,
+        es6: true,
+        jest: true,
+    },
+    extends: [
+        'airbnb-base',
+    ],
+    globals: {
+        Atomics: 'readonly',
+        SharedArrayBuffer: 'readonly',
+    },
+    parser: '@typescript-eslint/parser',
+    parserOptions: {
+        ecmaVersion: 2018,
+    },
+    plugins: [
+        '@typescript-eslint',
+    ],
+    rules: {
+        hasTrailingComma: 'off',
+        indent: ['error', 2],
+        'import/extensions': 'error',
+        'import/no-namespace': 'error',
+        'import/no-unresolved': 'error',
+        'import/no-extraneous-dependencies': 'error',
+        'import/prefer-default-export': 'off',
+        'max-classes-per-file': 'off',
+        'no-unused-vars': 'off',
+        'no-new': 'off',
+        'max-len': ['error', { 'code': 160, 'ignoreComments': true }],
+        "no-param-reassign": 0,
+        "no-shadow": "off",
+        "@typescript-eslint/no-shadow": ["error"]
+    },
+};
diff --git a/keycloak/.gitignore b/keycloak/.gitignore
@@ -0,0 +1,11 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+.vscode/
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+cdk.context.json
+output.json
diff --git a/keycloak/.npmignore b/keycloak/.npmignore
@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/keycloak/README.md b/keycloak/README.md
@@ -0,0 +1,14 @@
+# CDK to deploy Keycloak infrastructure
+
+This is a blank project for CDK development with TypeScript.
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+## Useful commands
+
+* `npm run build`   compile typescript to js
+* `npm run watch`   watch for changes and compile
+* `npm run test`    perform the jest unit tests
+* `npx cdk deploy`  deploy this stack to your default AWS account/region
+* `npx cdk diff`    compare deployed stack with current state
+* `npx cdk synth`   emits the synthesized CloudFormation template
diff --git a/keycloak/bin/keycloak.ts b/keycloak/bin/keycloak.ts
@@ -0,0 +1,81 @@
+/**
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+import { App } from 'aws-cdk-lib';
+import 'source-map-support/register';
+import { KeycloakStack } from '../lib/stacks/keycloak';
+import { RdsStack } from '../lib/stacks/rds';
+import { KeycloakUtils } from '../lib/stacks/utils';
+import { VpcStack } from '../lib/stacks/vpc';
+import { KeycloakWAF } from '../lib/waf';
+
+const app = new App();
+
+const region = app.node.tryGetContext('region') ?? process.env.CDK_DEFAULT_REGION;
+const account = app.node.tryGetContext('account') ?? process.env.CDK_DEFAULT_ACCOUNT;
+const HOSTED_ZONE = 'keycloak.opensearch.org';
+const INTERNAL_HOSTED_ZONE = 'keycloak.internal.opensearch.org';
+
+// Create VPC
+const vpcStack = new VpcStack(app, 'keycloakVPC', {});
+
+// Create utilities required by different components of KeyCloak
+const utilsStack = new KeycloakUtils(app, 'KeyCloakUtils', {
+  hostedZone: HOSTED_ZONE,
+  internalHostedZone: INTERNAL_HOSTED_ZONE,
+});
+
+// Create RDS database
+const rdsDBStack = new RdsStack(app, 'KeycloakRDS', {
+  vpc: vpcStack.vpc,
+  rdsDbSecurityGroup: vpcStack.rdsDbSecurityGroup,
+  rdsAdminPassword: utilsStack.keycloakDbPassword,
+});
+rdsDBStack.node.addDependency(vpcStack, utilsStack);
+
+// Deploy and install Public KeyCloak on EC2
+const keycloakStack = new KeycloakStack(app, 'PublicKeycloak', {
+  vpc: vpcStack.vpc,
+  keycloakSecurityGroup: vpcStack.keyCloaksecurityGroup,
+  certificateArn: utilsStack.certificateArn,
+  hostedZone: utilsStack.zone,
+  initConfig: KeycloakStack.getCfnInitConfigForPublicKeycloak(region, {
+    rdsInstanceEndpoint: rdsDBStack.rdsInstanceEndpoint,
+    keycloakDBpasswordSecretArn: utilsStack.keycloakDbPassword.secretFullArn,
+    keycloakCertPemSecretArn: utilsStack.keycloakCertPemSecretArn,
+    keycloakCertKeySecretArn: utilsStack.keycloakCertKeySecretArn,
+  }),
+});
+
+keycloakStack.node.addDependency(vpcStack, rdsDBStack, utilsStack);
+
+// Deploy and install Internal KeyCloak on EC2
+const keycloakInternalStack = new KeycloakStack(app, 'InternalKeycloak', {
+  vpc: vpcStack.vpc,
+  keycloakSecurityGroup: vpcStack.keycloakInternalSecurityGroup,
+  certificateArn: utilsStack.internalCertificateArn,
+  hostedZone: utilsStack.internalZone,
+  initConfig: KeycloakStack.getCfnInitConfigForInternalKeycloak(region, {
+    rdsInstanceEndpoint: rdsDBStack.rdsInstanceEndpoint,
+    keycloakDBpasswordSecretArn: utilsStack.keycloakDbPassword.secretFullArn,
+    keycloakAdminUserSecretArn: utilsStack.keycloakAdminUserSecretArn,
+    keycloakAdminPasswordSecretArn: utilsStack.keycloakAdminPasswordSecretArn,
+    keycloakCertPemSecretArn: utilsStack.keycloakCertPemSecretArn,
+    keycloakCertKeySecretArn: utilsStack.keycloakCertKeySecretArn,
+  }),
+});
+
+keycloakInternalStack.node.addDependency(vpcStack, rdsDBStack, utilsStack);
+
+// Create WAF stack
+const wafStack = new KeycloakWAF(app, 'KeycloakWAFstack', {
+  loadBalancerArn: keycloakStack.loadBalancerArn,
+  internalLoadBalancerArn: keycloakInternalStack.loadBalancerArn,
+});
+
+wafStack.node.addDependency(keycloakStack);
diff --git a/keycloak/cdk.json b/keycloak/cdk.json
@@ -0,0 +1,35 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/keycloak.ts",
+  "requireApproval": "any-change",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}
diff --git a/keycloak/jest.config.js b/keycloak/jest.config.js
@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};