Configurable boostrap credentials (#45012)

Signed-off-by: Simon Vacek <simonvacky@email.cz>
2026-01-09 15:02:05 -03:30 · 2025-12-19 08:18:11 +01:00 · 2025-12-19 08:18:11 +01:00 · 6c5e252fbc
commit 6c5e252fbc
parent 8eb603f064
4 changed files with 73 additions and 43 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -508,41 +508,6 @@ jobs:
          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -Pdistribution -DskipProtoLock=true"
          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus -Pdb-aurora-postgres -Dmaven.build.cache.enabled=true"

-      - name: Run Aurora new database tests on EC2
-        id: aurora-new-integration-tests
-        run: |
-          EC2_CLUSTER_NAME=${{ steps.ec2-create.outputs.ec2_cluster }}
-          AWS_REGION=${{ steps.aurora-init.outputs.region }}
-
-          PROPS="-Dkc.test.database=remote -Dkc.test.database.vendor=postgres"
-          PROPS+=" -Dkc.test.database.user=keycloak"
-          PROPS+=" -Dkc.test.database.password=${{ steps.aurora-init.outputs.aurora-cluster-password }}"
-          PROPS+=" -Dkc.test.database.url=\"jdbc:aws-wrapper:postgresql://${{ steps.aurora-create.outputs.endpoint }}/keycloak${{ steps.aurora-init.outputs.jdbc_params }}\""
-          PROPS+=" -Dkc.test.database.driver=software.amazon.jdbc.Driver"
-          PROPS+=" -Dkc.test.database.driver.artifact=software.amazon.jdbc:aws-advanced-jdbc-wrapper"
-
-          cd .github/scripts/ansible
-          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "$PROPS package -f tests/pom.xml -Dtest=DatabaseTestSuite"
-
-          # Copy returned surefire-report directories to workspace root to ensure they're discovered
-          results=(files/keycloak/results/*)
-          rsync -a $results/* ../../../
-          rm -rf $results
-
-      - uses: ./.github/actions/upload-flaky-tests
-        name: Upload flaky tests
-        env:
-          GH_TOKEN: ${{ github.token }}
-        with:
-          job-name: AuroraDB IT
-
-      - name: EC2 Maven Logs
-        if: failure()
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          name: aurora-new-integration-tests-mvn-logs
-          path: .github/scripts/ansible/files
-
      - name: Run Aurora migration tests on EC2
        id: aurora-migration-tests
        env:
@ -611,6 +576,45 @@ jobs:
          name: aurora-integration-tests-mvn-logs
          path: .github/scripts/ansible/files

+      - name: Run Aurora new database tests on EC2
+        id: aurora-new-integration-tests
+        run: |
+          EC2_CLUSTER_NAME=${{ steps.ec2-create.outputs.ec2_cluster }}
+          AWS_REGION=${{ steps.aurora-init.outputs.region }}
+
+          PROPS="-Dkc.test.database=remote -Dkc.test.database.vendor=postgres"
+          PROPS+=" -Dkc.test.database.user=keycloak"
+          PROPS+=" -Dkc.test.database.password=${{ steps.aurora-init.outputs.aurora-cluster-password }}"
+          PROPS+=" -Dkc.test.database.url=\"jdbc:aws-wrapper:postgresql://${{ steps.aurora-create.outputs.endpoint }}/keycloak${{ steps.aurora-init.outputs.jdbc_params }}\""
+          PROPS+=" -Dkc.test.database.driver=software.amazon.jdbc.Driver"
+          PROPS+=" -Dkc.test.database.driver.artifact=software.amazon.jdbc:aws-advanced-jdbc-wrapper"
+
+          PROPS+=" -Dkc.test.server.bootstrap=user"
+          PROPS+=" -Dkc.test.server.bootstrap.user.create=false -Dkc.test.server.bootstrap.username=admin -Dkc.test.server.bootstrap.password=admin"
+          PROPS+=" -Dkc.test.server.bootstrap.client.create=false -Dkc.test.server.bootstrap.client.id=admin-cli"
+
+          cd .github/scripts/ansible
+          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "$PROPS package -f tests/pom.xml -Dtest=DatabaseTestSuite"
+
+          # Copy returned surefire-report directories to workspace root to ensure they're discovered
+          results=(files/keycloak/results/*)
+          rsync -a $results/* ../../../
+          rm -rf $results
+
+      - uses: ./.github/actions/upload-flaky-tests
+        name: Upload flaky tests
+        env:
+          GH_TOKEN: ${{ github.token }}
+        with:
+          job-name: AuroraDB IT
+
+      - name: EC2 Maven Logs
+        if: failure()
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: aurora-new-integration-tests-mvn-logs
+          path: .github/scripts/ansible/files
+
      - name: Delete EC2 Instance
        if: always()
        working-directory: .github/scripts/ansible
--- a/test-framework/core/src/main/java/org/keycloak/testframework/admin/AdminClientSupplier.java
+++ b/test-framework/core/src/main/java/org/keycloak/testframework/admin/AdminClientSupplier.java
@ -27,7 +27,16 @@ public class AdminClientSupplier implements Supplier<Keycloak, InjectAdminClient
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS);

        if (mode.equals(InjectAdminClient.Mode.BOOTSTRAP)) {
-            adminBuilder.realm("master").clientId(Config.getAdminClientId()).clientSecret(Config.getAdminClientSecret());
+            adminBuilder.realm("master").clientId(Config.getAdminClientId());
+
+            String bootstrapGrantType = Config.getAdminClientGrantType();
+            if ("client".equals(bootstrapGrantType)) {
+                adminBuilder.clientSecret(Config.getAdminClientSecret());
+            } else if ("user".equals(bootstrapGrantType)) {
+                adminBuilder.username(Config.getAdminUsername()).password(Config.getAdminPassword()).grantType(OAuth2Constants.PASSWORD);
+            } else {
+                throw new TestFrameworkException("Invalid bootstrap grant type");
+            }
        } else if (mode.equals(InjectAdminClient.Mode.MANAGED_REALM)) {
            ManagedRealm managedRealm = instanceContext.getDependency(ManagedRealm.class);
            adminBuilder.realm(managedRealm.getName());
--- a/test-framework/core/src/main/java/org/keycloak/testframework/config/Config.java
+++ b/test-framework/core/src/main/java/org/keycloak/testframework/config/Config.java
@ -9,6 +9,7 @@ import java.nio.file.Paths;
 import java.util.Optional;

 import org.keycloak.testframework.injection.ValueTypeAlias;
+import org.keycloak.testframework.server.KeycloakServer;

 import io.quarkus.runtime.configuration.CharsetConverter;
 import io.quarkus.runtime.configuration.InetSocketAddressConverter;
@ -67,20 +68,32 @@ public class Config {
        return config;
    }

+    public static String getAdminClientGrantType() {
+        return getValueTypeConfig(KeycloakServer.class, "bootstrap", "client", String.class);
+    }
+
+    public static boolean getCreateBootstrapClient() {
+        return Boolean.parseBoolean(getValueTypeConfig(KeycloakServer.class, "bootstrap.client.create", "true", String.class));
+    }
+
+    public static boolean getCreateBootstrapUser() {
+        return Boolean.parseBoolean(getValueTypeConfig(KeycloakServer.class, "bootstrap.user.create", "true", String.class));
+    }
+
    public static String getAdminClientId() {
-        return "temp-admin";
+        return getValueTypeConfig(KeycloakServer.class, "bootstrap.client.id", "temp-admin", String.class);
    }

    public static String getAdminClientSecret() {
-        return "mysecret";
+        return getValueTypeConfig(KeycloakServer.class, "bootstrap.client.secret", "mysecret", String.class);
    }

    public static String getAdminUsername() {
-        return "admin";
+        return getValueTypeConfig(KeycloakServer.class, "bootstrap.username", "admin", String.class);
    }

    public static String getAdminPassword() {
-        return "admin";
+        return getValueTypeConfig(KeycloakServer.class, "bootstrap.password", "admin", String.class);
    }

    public static SmallRyeConfig initConfig() {
--- a/test-framework/core/src/main/java/org/keycloak/testframework/server/AbstractKeycloakServerSupplier.java
+++ b/test-framework/core/src/main/java/org/keycloak/testframework/server/AbstractKeycloakServerSupplier.java
@ -24,9 +24,13 @@ public abstract class AbstractKeycloakServerSupplier implements Supplier<Keycloa
        KeycloakIntegrationTest annotation = instanceContext.getAnnotation();
        KeycloakServerConfig serverConfig = SupplierHelpers.getInstance(annotation.config());

-        KeycloakServerConfigBuilder command = KeycloakServerConfigBuilder.startDev()
-                .bootstrapAdminClient(Config.getAdminClientId(), Config.getAdminClientSecret())
-                .bootstrapAdminUser(Config.getAdminUsername(), Config.getAdminPassword());
+        KeycloakServerConfigBuilder command = KeycloakServerConfigBuilder.startDev();
+        if (Config.getCreateBootstrapClient()) {
+            command.bootstrapAdminClient(Config.getAdminClientId(), Config.getAdminClientSecret());
+        }
+        if (Config.getCreateBootstrapUser()) {
+            command.bootstrapAdminUser(Config.getAdminUsername(), Config.getAdminPassword());
+        }

        command.log().handlers(KeycloakServerConfigBuilder.LogHandlers.CONSOLE);