diff --git a/fighter/config/keycloak/Dockerfile b/fighter/config/keycloak/Dockerfile
new file mode 100644
index 0000000..de14c00
--- /dev/null
+++ b/fighter/config/keycloak/Dockerfile
@@ -0,0 +1,24 @@
+FROM quay.io/keycloak/keycloak:23.0 as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+
+# Configure a database vendor
+ENV KC_DB=${DB:-keycloak}
+
+WORKDIR /opt/keycloak
+# for demonstration purposes only, please make sure to use proper certificates in production instead
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 8192 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM quay.io/keycloak/keycloak:latest
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+# change these values to point to a running postgres instance
+ENV KC_DB=${DB:-keycloak}
+ENV KC_DB_URL=${DB_URL:-postgres}
+ENV KC_DB_USERNAME=${DB_USER:-keycloak}
+ENV KC_DB_PASSWORD=${DB_PASS:-changeme}
+ENV KC_HOSTNAME=${HOST:-keycloak}
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
\ No newline at end of file
diff --git a/fighter/config/keycloak/README.md b/fighter/config/keycloak/README.md
index fb5af02..6a07121 100644
--- a/fighter/config/keycloak/README.md
+++ b/fighter/config/keycloak/README.md
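Review bot: `ENV KC_DB_PASSWORD=${DB_PASS:-changeme}` in the runtime stage bakes a database password into the image — the file declares no `ARG DB_PASS`, so the `${…:-…}` form always resolves to `changeme`, and that value then sits in every container's environment and in `docker history`; the same undeclared-ARG problem means `KC_DB=${DB:-keycloak}` (both stages) and `KC_DB_URL=${DB_URL:-postgres}` always take their fallbacks, and `keycloak` is not in the vendor list the Keycloak `--db` option accepts (`dev-file`, `dev-mem`, `mariadb`, `mssql`, `mysql`, `oracle`, `postgres`) while `postgres` is not a JDBC URL, so `kc.sh build` presumably fails or the runtime cannot connect. The intended values look like `KC_DB=postgres` and `KC_DB_URL_HOST=postgres`; if build-time overrides were the goal, each variable needs a matching `ARG`, but a password should never be one of them. The final stage also starts `FROM quay.io/keycloak/keycloak:latest` while the builder is pinned to `23.0`, so the pre-built `/opt/keycloak` from 23.0 is copied onto whatever `latest` resolves to on build day; pin the runtime stage to the same tag. I would drop the password `ENV` entirely, keep only non-secret defaults in the image, and supply `KC_DB_PASSWORD` at run time via compose `environment:`/`env_file:`. The keystore line with `-storepass password` is already flagged as demo-only by its own comment, so I would at least not ship that layer in anything reachable from the internet.
```dockerfile
# … unchanged: builder stage, but with `ENV KC_DB=postgres` so `kc.sh build` sees the real vendor …
FROM quay.io/keycloak/keycloak:23.0
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Non-secret runtime defaults only. KC_DB_PASSWORD is deliberately absent:
# pass it at run time (compose `environment:` / `env_file:`) so it never lands in an image layer.
ENV KC_DB=postgres \
    KC_DB_URL_HOST=postgres \
    KC_DB_USERNAME=keycloak \
    KC_HOSTNAME=keycloak
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
```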
@@ -16,4 +16,16 @@ We'll assume the new service is hosted at `https://web.jafner.net`.
 1. Open the [traefik-forward-auth client configuration page](https://keycloak.jafner.net/admin/master/console/#/Jafner.net/clients/90760ab3-f77f-48da-9dc1-df5ea6eed3a3/settings) and add the new site (appended with `/_oauth`) to the list of valid redirect URIs. E.g. `https://web.jafner.net/_oauth`.
 2. Add the `traefik-forward-auth@file` Traefik middleware to the service.
 3. Start up the new service. Open a new private window and navigate to the new service (`https://web.jafner.net`). It should redirect to Keycloak with a login prompt.
-4. If applicable, disable any local auth.
\ No newline at end of file
+4. If applicable, disable any local auth.
+
+# Export and Import Realms
+[Docs on Keycloak.org](https://www.keycloak.org/server/importExport)
+
+## Export Realms
+With the docker container offline, run: `docker-compose run --entrypoint="/opt/keycloak/bin/kc.sh export --dir /opt/keycloak/data/export --users realm_file" keycloak`
+
+This will export the contents of each realm to a `json` file in the `export/` directory. `/opt/keycloak/data` should be the directory that is mounted to the host.
+
+## Import Realms
+To import realms at startup, replace the startup command with `start --import-realm`
+Additionally, you'll need to map the directory containing the files to import (e.g. `$KEYCLOAK_DATA/import`) to the `/opt/keycloak/data/import` inside the container.
\ No newline at end of file
diff --git a/fighter/config/keycloak/docker-compose.yml b/fighter/config/keycloak/docker-compose.yml
index 1396368..7a16d1a 100644
--- a/fighter/config/keycloak/docker-compose.yml
+++ b/fighter/config/keycloak/docker-compose.yml
@@ -2,10 +2,12 @@ version: '3'
 services:
 keycloak:
- image: quay.io/keycloak/keycloak:23.0
+ #image: quay.io/keycloak/keycloak:19.0
+ build:
+ dockerfile: Dockerfile
 container_name: keycloak_keycloak
 volumes:
- - $KEYCLOAK_DATA:/opt/keycloak/data
+ - $KEYCLOAK_DATA/import:/opt/keycloak/data/import
 networks:
 web:
 aliases:
@@ -57,6 +59,16 @@ services:
 - "traefik.enable=false"
 - "traefik.http.routers.forwardauth-privileged.rule=Path(`/_oauth`)"
 - "traefik.http.routers.forwardauth-privileged.tls.certresolver=lets-encrypt"
+
+ postgres:
+ image: postgres:13
+ container_name: keycloak_postgres
+ networks:
+ - keycloak
+ env_file:
+ - postgres_secrets.env
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
 networks:
 web:
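Review bot: The new volume line narrows the host mount to `$KEYCLOAK_DATA/import:/opt/keycloak/data/import`, but the README added in this same commit tells the operator to export realms to `/opt/keycloak/data/export` and states that `/opt/keycloak/data` is the directory mounted to the host; after this change the export is written to the container's own writable layer, not to the host. Either keep the broader mount or add `- $KEYCLOAK_DATA/export:/opt/keycloak/data/export` next to the import line and fix the README sentence. The commented-out `#image: quay.io/keycloak/keycloak:19.0` contradicts the `23.0` builder in the new Dockerfile and is leftover noise that will mislead the next reader; delete it. `build:` carries only `dockerfile:` and no `context:`; whether compose accepts that depends on the compose version in use, so `context: .` above it makes the intent explicit. The keycloak service definition continues past the end of this hunk, so any `environment:`/`env_file:` it may have is not visible here.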
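Review bot: `postgres_secrets.env` is the only place the database credentials for `postgres` are set, yet nothing visible in this file hands `KC_DB_USERNAME`/`KC_DB_PASSWORD` to the keycloak service, so unless that happens in the part of its definition not shown, Keycloak falls back to whatever defaults its image carries and the two sides can silently disagree. Put both the `POSTGRES_*` and the `KC_DB_*` values in that one file, reference it with `env_file:` from both services, and make sure the file is git-ignored since it now holds the only real secret in the stack. `postgres_data` must be declared under a top-level `volumes:` and `keycloak` under the top-level `networks:` — presumably elsewhere in the file, since this hunk ends at `networks: web:`. A `healthcheck:` on `postgres` (`pg_isready -U "$$POSTGRES_USER"`) paired with `depends_on: postgres: condition: service_healthy` on keycloak would stop the first `kc.sh start` from racing the database initialisation.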