recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M6.5: keycloak upgrade + backup stages (DB data survival via realm marker)
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 02:04:18 +01:00
parent f16708155c
commit 8a7c0d8328
3 changed files with 126 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
tests/keycloak/kc_admin.py Normal file
View File

@ -0,0 +1,57 @@
"""Recipe-specific keycloak admin-API helpers (not harness). Used by the upgrade/backup stages to
write a real data marker (a realm) into mariadb and verify it survives upgrade / backup-restore."""
import json
import ssl
import sys
import urllib.parse
import urllib.request
sys.path.insert(0, __file__.rsplit("/tests/", 1)[0] + "/runner")
from harness import lifecycle # noqa: E402
MARKER_REALM = "cimarker"
_CTX = ssl.create_default_context()
_CTX.check_hostname = False
_CTX.verify_mode = ssl.CERT_NONE
def admin_password(domain: str) -> str:
"""Read the abra-generated admin password from inside the running keycloak container."""
return lifecycle.exec_in_app(domain, ["cat", "/run/secrets/admin_password"]).strip()
def admin_token(domain: str, password: str, user: str = "admin") -> str:
data = urllib.parse.urlencode({
"grant_type": "password", "client_id": "admin-cli", "username": user, "password": password,
}).encode()
req = urllib.request.Request(
f"https://{domain}/realms/master/protocol/openid-connect/token", data=data,
headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
with urllib.request.urlopen(req, timeout=30, context=_CTX) as r:
return json.load(r)["access_token"]
def _admin(domain, token, path, method="GET", body=None):
data = json.dumps(body).encode() if body is not None else None
headers = {"Authorization": "Bearer " + token}
if data:
headers["Content-Type"] = "application/json"
req = urllib.request.Request(f"https://{domain}/admin{path}", data=data, headers=headers,
method=method)
try:
with urllib.request.urlopen(req, timeout=30, context=_CTX) as r:
return r.status
except urllib.error.HTTPError as e:
return e.code
def create_marker_realm(domain, token):
return _admin(domain, token, "/realms", "POST", {"realm": MARKER_REALM, "enabled": True})
def marker_realm_exists(domain, token) -> bool:
return _admin(domain, token, f"/realms/{MARKER_REALM}") == 200
def delete_marker_realm(domain, token):
return _admin(domain, token, f"/realms/{MARKER_REALM}", "DELETE")

30
tests/keycloak/test_backup.py Normal file
View File

@ -0,0 +1,30 @@
"""keycloak — backup/restore stage (D2): create a realm, backup, delete it (mutate), restore,
assert the realm is back (mariadb restored to the backed-up state)."""
import os
import sys
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
from harness import lifecycle # noqa: E402
import kc_admin # noqa: E402
def test_backup_mutate_restore(deployed):
domain = deployed
pw = kc_admin.admin_password(domain)
tok = kc_admin.admin_token(domain, pw)
# 1) create the marker realm, then back up
assert kc_admin.create_marker_realm(domain, tok) in (201, 409)
assert kc_admin.marker_realm_exists(domain, tok)
lifecycle.backup_app(domain)
# 2) mutate: delete the realm
assert kc_admin.delete_marker_realm(domain, tok) in (204, 200)
assert not kc_admin.marker_realm_exists(domain, tok), "delete did not take"
# 3) restore -> realm returns
lifecycle.restore_app(domain)
lifecycle.wait_healthy(domain, path="/realms/master", ok_codes=(200,),
deploy_timeout=600, http_timeout=600)
tok2 = kc_admin.admin_token(domain, pw)
assert kc_admin.marker_realm_exists(domain, tok2), "restore did not bring back the realm"

39
tests/keycloak/test_upgrade.py Normal file
View File

@ -0,0 +1,39 @@
"""keycloak — upgrade stage (D2): deploy previous version, create a realm (DB data), upgrade to
current/$REF, assert the app is healthy and the realm survived (mariadb data preserved)."""
import os
import sys
import pytest
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
from harness import lifecycle # noqa: E402
import kc_admin # noqa: E402
@pytest.fixture
def old_app(recipe, app_domain, meta, request):
prev = lifecycle.previous_version(recipe)
if not prev:
pytest.skip(f"{recipe}: no previous published version")
lifecycle.janitor()
request.addfinalizer(lambda: lifecycle.teardown_app(app_domain))
lifecycle.deploy_app(recipe, app_domain, version=prev)
lifecycle.wait_healthy(app_domain, ok_codes=tuple(meta["HEALTH_OK"]), path=meta["HEALTH_PATH"],
deploy_timeout=meta["DEPLOY_TIMEOUT"], http_timeout=meta["HTTP_TIMEOUT"])
return app_domain, prev
def test_upgrade_preserves_realm(old_app, meta):
domain, prev = old_app
pw = kc_admin.admin_password(domain)
tok = kc_admin.admin_token(domain, pw)
assert kc_admin.create_marker_realm(domain, tok) in (201, 409)
assert kc_admin.marker_realm_exists(domain, tok), "marker realm not created"
lifecycle.upgrade_app(domain, version=os.environ.get("VERSION") or None)
lifecycle.wait_healthy(domain, ok_codes=tuple(meta["HEALTH_OK"]), path=meta["HEALTH_PATH"],
deploy_timeout=meta["DEPLOY_TIMEOUT"], http_timeout=meta["HTTP_TIMEOUT"])
# re-auth (token from the old instance is fine, but get a fresh one post-upgrade) and verify
tok2 = kc_admin.admin_token(domain, pw)
assert kc_admin.marker_realm_exists(domain, tok2), "realm did not survive the upgrade"