From f17079cb5dace89212fc2c461fe13cc2e59be181 Mon Sep 17 00:00:00 2001
From: James Kachel
Date: Mon, 23 Sep 2024 10:08:01 -0500
Subject: [PATCH] Some updates to shore this up with upstream This removes the apisix specific Compose file, so needed to pull the Keycloak stuff into the main one. (This is fine - APISIX is now a hard dependency anyway.) Also, added env settings to example file and updated the docs a bit. This introduces a change: you must now supply a keystore password for Keycloak. See docs. This was specified in the Compose file before.
---
 .env.example | 5 +++++
 README-keycloak.md | 12 ++++++++----
 docker-compose.yml | 23 +++++++++++++++++++++++
 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/.env.example b/.env.example
index fe076a82..06676d8c 100644
--- a/.env.example
+++ b/.env.example
@@ -38,3 +38,8 @@ MITOL_PAYMENT_GATEWAY_CYBERSOURCE_SECURE_ACCEPTANCE_URL=sample-setting
 MITOL_PAYMENT_GATEWAY_CYBERSOURCE_MERCHANT_ID=sample-setting
 MITOL_PAYMENT_GATEWAY_CYBERSOURCE_MERCHANT_SECRET=sample-setting
 MITOL_PAYMENT_GATEWAY_CYBERSOURCE_MERCHANT_SECRET_KEY_ID=sample-setting
+
+KEYCLOAK_SVC_ADMIN=
+KEYCLOAK_SVC_ADMIN_PASSWORD=
+KEYCLOAK_SVC_HOSTNAME=
+KEYCLOAK_SVC_KEYSTORE_PASSWORD=
diff --git a/README-keycloak.md b/README-keycloak.md
index 01bc51fe..642b19ca 100644
--- a/README-keycloak.md
+++ b/README-keycloak.md
@@ -1,6 +1,6 @@
 # Keycloak Integration
-The APISIX Compose file includes a Keycloak instance that you can use for authentication instead of spinning up a separate one or using one of the deployed instances. It's not enabled by default, but you can run it if you prefer not to run your own Keycloak instance.
+The Compose file includes a Keycloak instance that you can use for authentication instead of spinning up a separate one or using one of the deployed instances. It's not enabled by default, but you can run it if you prefer not to run your own Keycloak instance.
 ## Default Settings
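Review bot: In `.env.example`, `KEYCLOAK_SVC_KEYSTORE_PASSWORD=` is left empty with nothing marking it as required, yet `docker-compose.yml` interpolates it into `--config-keystore-password=${KEYCLOAK_SVC_KEYSTORE_PASSWORD}` with no fallback, so copying the example verbatim passes an empty keystore password. The other three keys are optional and, left empty, fall back to the `admin`/`admin` and `kc.odl.local` defaults through `${VAR:-default}`. A comment above the block would make that visible, for example `# Keycloak (compose profile "keycloak"): KEYCLOAK_SVC_KEYSTORE_PASSWORD is required; the rest default to admin/admin and kc.odl.local when empty.`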
@@ -22,15 +22,19 @@ The client it sets up is called `apisix`. You can change the passwords and get t
 ## Making it Work
+The Keycloak instance is hidden in the `keycloak` profile in the Composer file, so if you want to interact with it, you'll need to run `docker compose --profile keycloak`. (If you start the app without the profile, you can still start Keycloak later by specifying the profile.)
+
 If you want to use the Keycloak instance, follow these steps:
+1. Start the stack normally. The `db` container needs to be up and running, at least.
 1. In `config/keycloak/tls`, copy `tls.crt.default` and `tls.key.default` to `tls.crt` and `tls.key`. (Or, you can regenerate them - see the README in that folder.)
-2. Create a database called `keycloak`. For example: `docker compose -f docker-compose-apisix.yml run --rm -ti db psql -h db -U postgres -c 'create database keycloak;'` (then enter the default password of `postgres` when it asks)
-3. Optionally add `KEYCLOAK_SVC_HOSTNAME`, `KEYCLOAK_SVC_ADMIN`, and `KEYCLOAK_SVC_ADMIN_PASSWORD` to your `.env` file.
+2. Create a database called `keycloak`. For example: `docker compose --profile keycloak run --rm -ti db psql -h db -U postgres -c 'create database keycloak;'` (then enter the default password of `postgres` when it asks)
+3. Add a keystore password to your `.env` file. This should be set in `KEYCLOAK_SVC_KEYSTORE_PASSWORD`. This is required, but the password need not be anything special.
+4. Optionally add `KEYCLOAK_SVC_HOSTNAME`, `KEYCLOAK_SVC_ADMIN`, and `KEYCLOAK_SVC_ADMIN_PASSWORD` to your `.env` file.
 1. `KEYCLOAK_SVC_HOSTNAME` is the hostname you want to use for the instance - the default is `kc.odl.local`.
 2. `KEYCLOAK_SVC_ADMIN` is the admin username. The default is `admin`.
 3. `KEYCLOAK_SVC_ADMIN_PASSWORD` is the admin password. The default is `admin`.
-4. Start the Keycloak service: `docker compose -f docker-compose-apisix.yml --profile keycloak up -d keycloak`
+5. Start the Keycloak service: `docker compose --profile keycloak up -d keycloak`
 The Keycloak container should start and stay running. Once it does, you should be able to log in at `https://kc.odl.local:7443/` with username and password `admin` (or the values you supplied).
diff --git a/docker-compose.yml b/docker-compose.yml
index d6c0a527..dce10e1f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -116,6 +116,29 @@ services:
 depends_on:
 - etcd
+ keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ profiles:
+ - keycloak
+ depends_on:
+ - db
+ ports:
+ - 7080:7080
+ - 7443:7443
+ environment:
+ - KEYCLOAK_ADMIN=${KEYCLOAK_SVC_ADMIN:-admin}
+ - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_SVC_ADMIN_PASSWORD:-admin}
+ networks:
+ default:
+ aliases:
+ - ${KEYCLOAK_SVC_HOSTNAME:-kc.odl.local}
+ command: start --verbose --features scripts --import-realm --hostname=${KEYCLOAK_SVC_HOSTNAME:-kc.odl.local} --hostname-strict=false --hostname-debug=true --https-port=7443 --https-certificate-file=/etc/x509/https/tls.crt --https-certificate-key-file=/etc/x509/https/tls.key --http-enabled=true --http-port=7080 --config-keystore=/etc/keycloak-store --config-keystore-password=${KEYCLOAK_SVC_KEYSTORE_PASSWORD} --db=postgres --db-url-database=keycloak --db-url-host=db --db-schema=public --db-password=${POSTGRES_PASSWORD} --db-username=postgres
+ volumes:
+ - keycloak-store:/etc/keycloak-store
+ - ./config/keycloak/tls:/etc/x509/https
+ - ./config/keycloak/realms:/opt/keycloak/data/import
+
 volumes:
 django_media:
 yarn-cache:
+ keycloak-store:
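Review bot: The `ports` entries `7080:7080` and `7443:7443` in the new `keycloak` service publish it on every host interface while the admin account falls back to `admin`/`admin` and `--http-enabled=true` serves the console over plaintext, so any host that can reach the developer's machine can sign in as the Keycloak administrator. For a local-only instance, bind to loopback with `- 127.0.0.1:7080:7080` and `- 127.0.0.1:7443:7443` (this assumes `kc.odl.local` resolves to the local host). The `command` line also passes `--db-password=${POSTGRES_PASSWORD}` and `--config-keystore-password=${KEYCLOAK_SVC_KEYSTORE_PASSWORD}` as arguments, which puts both secrets in the container's process list; Keycloak reads the same options from `KC_DB_PASSWORD` and `KC_CONFIG_KEYSTORE_PASSWORD` under `environment`. Separately, `image: quay.io/keycloak/keycloak:latest` is unpinned, so a new major release can change the startup options or admin bootstrap variables this file relies on; pin a version tag or digest.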