defenseunicorns · chance-coleman · Mar 27, 2025 · Mar 18, 2025 · Mar 18, 2025 · Mar 19, 2025
@@ -0,0 +1,30 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+name: debug-output
+description: "Print out basic debug info for a k8s cluster"
+
+runs:
+  using: composite
+  steps:
+    - name: Print basic debug info for a k8s cluster
+      run: |
+        echo "::group::kubectl get all"
+        uds zarf tools kubectl get all -A | tee /tmp/debug-k-get-all.log || true
+        echo "::endgroup::"
+        echo "::group::kubectl get pods -A -o yaml"
+        uds zarf tools kubectl get pods -A -o yaml | tee /tmp/debug-k-get-pods.log || true
+        echo "::endgroup::"
+        echo "::group::kubectl get pv,pvc"
+        uds zarf tools kubectl get pv,pvc -A | tee /tmp/debug-k-get-pv-pvc.log || true
+        echo "::endgroup::"
+        echo "::group::kubectl get package"
+        uds zarf tools kubectl get package -A | tee /tmp/debug-k-get-package.log || true
+        echo "::endgroup::"
+        echo "::group::kubectl get events"
+        uds zarf tools kubectl get events -A --sort-by='.lastTimestamp' | tee /tmp/debug-k-get-events.log || true
+        echo "::endgroup::"
+        echo "::group::kubectl describe nodes"
+        uds zarf tools kubectl describe nodes | tee /tmp/debug-k-describe-node.log || true
+        echo "::endgroup::"
+      shell: bash
@@ -0,0 +1,85 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+name: save-logs
+description: "Save debug logs"
+
+inputs:
+  suffix:
+    description: "Suffix to append to the debug log"
+    required: false
+    default: ""
+  distro:
+    description: "Kubernetes distribution used in this CI run"
+    required: false
+    default: "k3d"
+
+runs:
+  using: composite
+  steps:
+    - name: Pull logs from containerd
+      if: ${{ inputs.distro == 'k3d' }}
+      run: |
+        CONTAINER_NAME="k3d-uds-server-0"
+        if docker ps | grep -q "$CONTAINER_NAME"; then
+          echo "Container $CONTAINER_NAME is running. Proceeding with log copy..."
+          docker cp ${CONTAINER_NAME}:/var/log/ /tmp/uds-containerd-logs
+        else
+          echo "Container $CONTAINER_NAME is not running. Skipping log copy."
+        fi
+      shell: bash
+
+    - name: Dump Node Logs
+      if: ${{ inputs.distro == 'k3d' }}
+      run: |
+        docker ps --filter "name=k3d" --format "{{.Names}}" | while read line; do
+          docker logs "$line" 2> /tmp/$line.log
+        done
+      shell: bash
+
+    - name: Fix log permissions
+      run: |
+        sudo chown $USER /tmp/zarf-*.log || echo ""
+        sudo chown $USER /tmp/uds-*.log || echo ""
+      shell: bash
+
+    - name: Move Playwright Artifacts
+      if: ${{ inputs.distro == 'k3d' }} # Currently only run on k3d
+      run: |
+        sudo mkdir -p /tmp/playwright
+        sudo mv test/playwright/.playwright/* /tmp/playwright || true
+      shell: bash
+
+    # Additional/specific debug for non-k3d clusters
+    - name: Pepr Debug
+      if: ${{ inputs.distro != 'k3d' }}
+      run: |
+        echo "::group::Pepr Pod Status and Metrics"
+        uds zarf tools kubectl top pods -n pepr-system
+        uds zarf tools kubectl get pods -n pepr-system
+        echo "::endgroup::"
+        echo "::group::Fetch pepr logs"
+        uds zarf tools kubectl logs -n pepr-system -l app=pepr-uds-core --tail -1 > /tmp/pepr-logs.log
+        uds zarf tools kubectl logs -n pepr-system -l app=pepr-uds-core --tail -1 --previous > /tmp/pepr-previous-logs.log || true
+        uds zarf tools kubectl logs -n pepr-system -l app=pepr-uds-core-watcher --tail -1 > /tmp/pepr-watcher-logs.log
+        uds zarf tools kubectl logs -n pepr-system -l app=pepr-uds-core-watcher --tail -1 --previous > /tmp/pepr-watcher-previous-logs.log || true
+        echo "::endgroup::"
+        echo "::group::Describe Failed Packages"
+        FAILED_PACKAGES=($(uds zarf tools kubectl get package -A -o jsonpath="{range .items[?(@.status.phase!='Ready')]}{.metadata.name}{','}{.metadata.namespace}{'\n'}{end}")); for PACKAGE in "${FAILED_PACKAGES[@]}"; do PACKAGE_NAME=$(echo "$PACKAGE" | awk -F "," '{print $1}'); PACKAGE_NAMESPACE=$(echo "$PACKAGE" | awk -F "," '{print $2}'); uds zarf tools kubectl describe package "$PACKAGE_NAME" -n "$PACKAGE_NAMESPACE"; echo; done
+        echo "::endgroup::"
+      shell: bash
+
+    - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+      with:
+        name: debug-log${{ inputs.suffix }}
+        retention-days: 7
+        path: |
+          /tmp/zarf-*.log
+          /tmp/uds-*.log
+          /tmp/maru-*.log
+          /tmp/debug-*.log
+          /tmp/uds-containerd-logs
+          /tmp/k3d-uds-*.log
+          /tmp/playwright/output
+          /tmp/playwright/reports
+          /tmp/pepr-*.log
@@ -113,6 +113,16 @@ jobs:
       - name: Smoke Tests
         run: uds run uds-core-smoke-test --no-progress
 
+      - name: Debug Output
+        if: ${{ always() }}
+        uses: ./.github/actions/debug-output
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          suffix: -uds_core_base_integration
+
   uds_core_cypress_integration:
     runs-on: ubuntu-latest
     name: UDS Core + Identity Config cypress integration tests
@@ -134,3 +144,45 @@ jobs:
 
       - name: Cypress Integration Tests
         run: uds run uds-core-integration-tests --no-progress
+
+      - name: Debug Output
+        if: ${{ always() }}
+        uses: ./.github/actions/debug-output
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          suffix: -uds_core_cypress_integration
+
+  uds_core_cypress_integration_dynamic_client_registration:
+    runs-on: ubuntu-latest
+    name: UDS Core + Identity Config cypress integration tests with Dynamic Client Registration
+    permissions:
+      pull-requests: read
+      contents: read
+
+    steps:
+      - name: Github Actions Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+      - name: Cypress Integration Tests
+        run: uds run uds-core-integration-tests --set=PEPR_KEYCLOAK_CLIENT_STRATEGY=dynamic_client_registration --no-progress
+
+      - name: Debug Output
+        if: ${{ always() }}
+        uses: ./.github/actions/debug-output
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          suffix: -uds_core_cypress_integration_dynamic_client_registration
@@ -27,6 +27,13 @@ packages:
     # renovate: datasource=github-tags depName=defenseunicorns/uds-core versioning=semver
     ref: 0.38.0
     overrides:
+      uds-operator-config:
+        uds-operator-config:
+          variables:
+            - name: PEPR_KEYCLOAK_CLIENT_STRATEGY
+              description: "Keycloak client strategy for uds-operator. Possible values: \"dynamic_client_registration\", \"client_credentials\" and \"auto\""
+              default: "auto"
+              path: operator.PEPR_KEYCLOAK_CLIENT_STRATEGY
       istio-admin-gateway:
         uds-istio-config:
           variables:
@@ -79,6 +86,10 @@ packages:
                 X509_AUTH_ENABLED: true
                 SOCIAL_AUTH_ENABLED: true
                 OTP_ENABLED: true
+            - path: env[0]
+              value:
+                name: JAVA_OPTS_KC_HEAP
+                value: "-XX:MaxRAMPercentage=70 -XX:MinRAMPercentage=70 -XX:InitialRAMPercentage=50 -XX:MaxRAM=1G"
 
   - name: core-monitoring
     path: ../uds-core/build/

@@ -14,6 +14,8 @@ A Keycloak plugin provides additional custom logic to our Keycloak deployment. B
 | [JSON Log Event Listener](https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.2/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/eventListeners/JSONLogEventListenerProvider.java) | [EventListener](https://www.keycloak.org/docs-api/25.0.0/javadocs/org/keycloak/events/EventListenerProvider.html) | JSON Log Event listener converts Keycloak event logs into json strings for ease of use in Logging applications like Grafana. |
 | [User Group Path Mapper](https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.2/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/CustomGroupPathMapper.java) | [OpenID Mapper](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/protocol/oidc/mappers/AbstractOIDCProtocolMapper.html) | Some application break when using a forward slash in the group naming, this mapper removes the leading slash and creates a new `groups` claim called `bare-groups`. See Warnings below regarding the use of this plugin. |
 | [User AWS SAML Group Mapper](https://github.com/defenseunicorns/uds-identity-config/blob/v0.6.0/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/CustomAWSSAMLGroupMapper.java) | [SAML Mapper](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/protocol/saml/mappers/AbstractSAMLProtocolMapper.html) | Amazon AppStream applications expect a specific group claim format when using Keycloak for authentication. This mapper filters the user’s groups to include only those with the substring `-aws-`. It then concatenates these qualified group paths into a colon-separated string that is passed in the SAML attribute. For example, if a user’s group hierarchy includes `/Core-aws/Admin-aws-test` and `/Core-aws/Auditor-aws-test`, the resulting SAML attribute value will be: `/Core-aws/Admin-aws-test:/Core-aws/Auditor-aws-test`. |
+| [ClientIdAndKubernetesSecretAuthenticator](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/authentication/authenticators/client/ClientIdAndKubernetesSecretAuthenticator.java) | [ClientAuthenticator](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/authentication/ClientAuthenticator.html) | This authenticator is used to authenticate a client using a Kubernetes secret. It is used in the `ClientIdAndKubernetesSecret` authentication flow. |
+| [UDSClientPolicyPermissionsExecutor](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/clientpolicy/executor/UDSClientPolicyPermissionsExecutor.java) | [ClientPolicyExecutorProvider](https://www.keycloak.org/docs-api/latest/javadocs/org/keycloak/clientpolicy/executor/ClientPolicyExecutorProvider.html) | This executor is used to check if a client has the necessary permissions to access a resource. It is used in the `UDSClientPolicyPermissions` client policy. |
 
 ### Warnings
 
@@ -106,6 +108,7 @@ In addition, modify the realm for keycloak, otherwise the realm will require plu
   * `UDS Registration`
   * `UDS Reset Credentials`
   * `UDS registration form`
+  * `UDS Client Credentials`
 
 * Make changes to authenticationExecutions from the `browser` authenticationFlow:
   * Remove `auth-cookie`
@@ -121,6 +124,7 @@ In addition, modify the realm for keycloak, otherwise the realm will require plu
   * `"browserFlow": "browser"`
   * `"registrationFlow": "registration"`
   * `"resetCredentialsFlow": "reset credentials"`
+  * `"clientAuthenticationFlow": "clients"`
 
 ### Disabling
 

@@ -4,6 +4,68 @@ title: Upgrading Versions
 
 This doc contains important information for upgrading uds-identity-config versions. It is not meant to be an exhaustive list of changes between versions, rather information and steps required to manually upgrade versions without a full redeploy of keycloak.
 
+## v0.11.0+
+
+<details open>
+<summary>Upgrade Details</summary>
+
+In uds-identity-config versions v0.11.0+, the UDS Operator can automatically switch to Client Credentials Grant from using the Dynamic Client Registration. The new method works faster, is more reliable and doesn't require storing Registration Tokens in the Pepr Store. It is highly recommended to switch to it, which requires the following steps:
+    - Create the `uds-operator` Client:
+        - Go to `Clients` > `Client registration` > `Create`
+            - Client type: `openid-connect`
+            - Client ID: `uds-operator`
+            - Client Name: `uds-operator`
+            - Click `Next`
+            - Client authentication: on
+            - Uncheck all Authentications flows except from `Service account roles`
+            - Click `Next`
+            - Click `Save`
+        - Go to `Clients` > `uds-operator` > `Credentials` tab
+            - Set `Client Authenticator` to `Client Id and Kubernetes Secret`
+            - Click `Save`
+    - Configure the UDS Client Policy
+        - Go to `Realm Settings` > `Client Policies` > `Profiles`
+            - Click `Create Client Profile`
+                - Name: `uds-client-profile`
+                - Description: `UDS Client Profile`
+                - Click `Save`
+            - Click `Add Executor`
+                - Select `uds-operator-permissions`
+                - Click `Add`
+        - Go to `Realm Settings` > `Client Policies` > `Policies`
+            - Click `Create client policy`
+                - Name: `uds-client-policy`
+                - Description: `UDS Client Policy`
+            - Click `Add condition`
+            - Select `any-client`
+            - Click `Add`
+            - Click `Add client profile`
+            - Select `uds-client-profile`
+            - Click `Add` (there is a glitch in the UI where it seems all the profiles are selected, but only the selected one is actually chosen)
+    - Configure the Client Credentials Authentication Flow
+        - Go to `Authentication` > `Flows`
+            - Click `clients`
+                - Click `Actions` > `Duplicate`
+                    - Name: `UDS Client Credentials`
+                    - Description `UDS Client Credentials`
+                    - Click `Duplicate`
+            - Go to `Authentication` > `UDS Client Credentials`
+                - Click `Add Step`
+                    - Select `Client Id and Kubernetes Secret`
+                    - Click `Add`
+                - Select `Requirement` and set it to `Alternative`
+            - Go to `Authentication`, select three dots on the right side of the panel for `UDS Client Credentials` and select `Bind flows`
+                - Select `Client authentication flow`
+                - Click `Save`
+    - Verify that everything is configured correctly
+        - Deploy a new package or update the existing one
+        - Check UDS Operator logs and verify if there are no errors
+            - Use `uds zarf tools kubectl logs deploy/pepr-uds-core-watcher -n pepr-system | grep "Client Credentials Keycloak Client is available"` command to verify if the UDS Operator uses the Client Credentials flow.
+
+After introducing the above changes, please ensure all Packages are reconciled correctly and there are no errors. If for some reason you see the UDS Operator throwing errors with `The Client doesn't have the created-by=uds-operator attribute. Rejecting request`, you need to disable the `UDS Client Policy` and give it a bit more time to process all the Packages.
+
+</details>
+
 ## v0.10.0+
 
 <details open>