Commit
Some updates to shore this up with upstream
This removes the apisix specific Compose file, so needed to pull the Keycloak stuff into the main one. (This is fine - APISIX is now a hard dependency anyway.) Also, added env settings to example file and updated the docs a bit.

This introduces a change: you must now supply a keystore password for Keycloak. See docs. This was specified in the Compose file before.
jkachel committed Sep 23, 2024
1 parent 83fd805 commit f17079c
Showing 3 changed files with 36 additions and 4 deletions.
5 changes: 5 additions & 0 deletions .env.example
@@ -38,3 +38,8 @@ MITOL_PAYMENT_GATEWAY_CYBERSOURCE_SECURE_ACCEPTANCE_URL=sample-setting
MITOL_PAYMENT_GATEWAY_CYBERSOURCE_MERCHANT_ID=sample-setting
MITOL_PAYMENT_GATEWAY_CYBERSOURCE_MERCHANT_SECRET=sample-setting
MITOL_PAYMENT_GATEWAY_CYBERSOURCE_MERCHANT_SECRET_KEY_ID=sample-setting

KEYCLOAK_SVC_ADMIN=
KEYCLOAK_SVC_ADMIN_PASSWORD=
KEYCLOAK_SVC_HOSTNAME=
KEYCLOAK_SVC_KEYSTORE_PASSWORD=
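Review bot: `KEYCLOAK_SVC_KEYSTORE_PASSWORD=` is left empty here, while the README hunk calls it required and the Compose command interpolates `${KEYCLOAK_SVC_KEYSTORE_PASSWORD}` with no fallback, so anyone who copies `.env.example` unchanged will launch Keycloak with an empty `--config-keystore-password=` argument. A comment above the four new keys would prevent that, e.g. `# Required when running the keycloak profile; set a non-empty value` on the keystore line, plus a note that the other three keys fall back to `admin`, `admin` and `kc.odl.local` in `docker-compose.yml` so readers know which ones are genuinely optional.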
12 changes: 8 additions & 4 deletions README-keycloak.md
@@ -1,6 +1,6 @@
# Keycloak Integration

The APISIX Compose file includes a Keycloak instance that you can use for authentication instead of spinning up a separate one or using one of the deployed instances. It's not enabled by default, but you can run it if you prefer not to run your own Keycloak instance.
The Compose file includes a Keycloak instance that you can use for authentication instead of spinning up a separate one or using one of the deployed instances. It's not enabled by default, but you can run it if you prefer not to run your own Keycloak instance.

## Default Settings

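Review bot: with `docker-compose-apisix.yml` gone, "The Compose file" is ambiguous for readers who followed the old instructions; naming it ("The main `docker-compose.yml` includes a Keycloak instance…") removes the guesswork. The "not enabled by default" sentence could also say why, since the mechanism is the `keycloak` profile described under "Making it Work".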
@@ -22,15 +22,19 @@ The client it sets up is called `apisix`. You can change the passwords and get t

## Making it Work

The Keycloak instance is hidden in the `keycloak` profile in the Composer file, so if you want to interact with it, you'll need to run `docker compose --profile keycloak`. (If you start the app without the profile, you can still start Keycloak later by specifying the profile.)

If you want to use the Keycloak instance, follow these steps:

1. Start the stack normally. The `db` container needs to be up and running, at least.
1. In `config/keycloak/tls`, copy `tls.crt.default` and `tls.key.default` to `tls.crt` and `tls.key`. (Or, you can regenerate them - see the README in that folder.)
2. Create a database called `keycloak`. For example: `docker compose -f docker-compose-apisix.yml run --rm -ti db psql -h db -U postgres -c 'create database keycloak;'` (then enter the default password of `postgres` when it asks)
3. Optionally add `KEYCLOAK_SVC_HOSTNAME`, `KEYCLOAK_SVC_ADMIN`, and `KEYCLOAK_SVC_ADMIN_PASSWORD` to your `.env` file.
2. Create a database called `keycloak`. For example: `docker compose --profile keycloak run --rm -ti db psql -h db -U postgres -c 'create database keycloak;'` (then enter the default password of `postgres` when it asks)
3. Add a keystore password to your `.env` file. This should be set in `KEYCLOAK_SVC_KEYSTORE_PASSWORD`. This is required, but the password need not be anything special.
4. Optionally add `KEYCLOAK_SVC_HOSTNAME`, `KEYCLOAK_SVC_ADMIN`, and `KEYCLOAK_SVC_ADMIN_PASSWORD` to your `.env` file.
1. `KEYCLOAK_SVC_HOSTNAME` is the hostname you want to use for the instance - the default is `kc.odl.local`.
2. `KEYCLOAK_SVC_ADMIN` is the admin username. The default is `admin`.
3. `KEYCLOAK_SVC_ADMIN_PASSWORD` is the admin password. The default is `admin`.
4. Start the Keycloak service: `docker compose -f docker-compose-apisix.yml --profile keycloak up -d keycloak`
5. Start the Keycloak service: `docker compose --profile keycloak up -d keycloak`

The Keycloak container should start and stay running. Once it does, you should be able to log in at `https://kc.odl.local:7443/` with username and password `admin` (or the values you supplied).

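Review bot: step 3's "the password need not be anything special" is the wrong advice for `KEYCLOAK_SVC_KEYSTORE_PASSWORD`: in the Compose hunk it becomes `--config-keystore-password=` for the keystore named by `--config-keystore`, and the variable has no default, so the step should say the service will not come up correctly with it unset and recommend a generated value (for example `openssl rand -base64 24`) rather than a throwaway one. The numbering of the list also now reads 1, 1, 2, 3, 4, 5; either renumber or use `1.` on every item so Markdown renders the order consistently. Finally, since this section spells out the `admin`/`admin` and `postgres` defaults, one sentence stating that they are for the local profile only would stop the same `.env` being reused on a shared host.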
23 changes: 23 additions & 0 deletions docker-compose.yml
@@ -116,6 +116,29 @@ services:
depends_on:
- etcd

keycloak:
image: quay.io/keycloak/keycloak:latest
profiles:
- keycloak
depends_on:
- db
ports:
- 7080:7080
- 7443:7443
environment:
- KEYCLOAK_ADMIN=${KEYCLOAK_SVC_ADMIN:-admin}
- KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_SVC_ADMIN_PASSWORD:-admin}
networks:
default:
aliases:
- ${KEYCLOAK_SVC_HOSTNAME:-kc.odl.local}
command: start --verbose --features scripts --import-realm --hostname=${KEYCLOAK_SVC_HOSTNAME:-kc.odl.local} --hostname-strict=false --hostname-debug=true --https-port=7443 --https-certificate-file=/etc/x509/https/tls.crt --https-certificate-key-file=/etc/x509/https/tls.key --http-enabled=true --http-port=7080 --config-keystore=/etc/keycloak-store --config-keystore-password=${KEYCLOAK_SVC_KEYSTORE_PASSWORD} --db=postgres --db-url-database=keycloak --db-url-host=db --db-schema=public --db-password=${POSTGRES_PASSWORD} --db-username=postgres
volumes:
- keycloak-store:/etc/keycloak-store
- ./config/keycloak/tls:/etc/x509/https
- ./config/keycloak/realms:/opt/keycloak/data/import

volumes:
django_media:
yarn-cache:
keycloak-store:

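Review bot: `image: quay.io/keycloak/keycloak:latest` should be pinned to a specific version (or a digest) so every developer runs the same build and an upstream release cannot silently change the CLI flags this `command:` line depends on. Two more points on that line: `${KEYCLOAK_SVC_KEYSTORE_PASSWORD}` and `${POSTGRES_PASSWORD}` end up on the container's command line, where `docker inspect` and `ps` inside the container expose them, so the `KC_*` environment equivalents (for example `KC_DB_PASSWORD` under `environment:`) are the safer way to pass them; and because the keystore variable has no default, `${KEYCLOAK_SVC_KEYSTORE_PASSWORD:?set KEYCLOAK_SVC_KEYSTORE_PASSWORD in .env}` would make Compose fail fast with a clear message instead of starting Keycloak with an empty password. `--hostname-debug=true` and `--http-enabled=true` on published port `7080` are fine for a local profile but worth a comment saying so, since this service block is now in the main Compose file and is easy to copy elsewhere. Lastly, `keycloak-store:/etc/keycloak-store` mounts a volume directory at the exact path given to `--config-keystore`; please confirm Keycloak accepts a directory there rather than a keystore file inside it.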