GARAGENUM/keycloak
GARAGENUM/keycloak
34
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

v26 WIP

Browse Source
This commit is contained in:
Grégory Lebreton 2025-08-28 15:44:17 +02:00
parent ea8f64ff06
commit 554d968d27
4 changed files with 199 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
Dockerfile Normal file
View File

@ -0,0 +1,70 @@
# Multi-stage Keycloak build with custom configuration
# This Dockerfile creates an optimized Keycloak image with token exchange support
# =============================================================================
# Build Stage
# =============================================================================
FROM quay.io/keycloak/keycloak:latest AS builder
# Set build-time environment variables
ENV KC_HEALTH_ENABLED=true \
KC_METRICS_ENABLED=true \
KC_DB=postgres \
KC_TRANSACTION_XA_ENABLED=false \
KC_CACHE=ispn \
KC_CACHE_STACK=tcp
# Build optimized Keycloak
RUN /opt/keycloak/bin/kc.sh build
# =============================================================================
# Runtime Stage
# =============================================================================
FROM quay.io/keycloak/keycloak:latest
# Copy optimized build from builder stage
COPY --from=builder /opt/keycloak/ /opt/keycloak/
# Create necessary directories
USER root
RUN mkdir -p /opt/keycloak/data/import \
&& mkdir -p /opt/keycloak/conf \
&& mkdir -p /opt/keycloak/themes \
&& chown -R 1000:1000 /opt/keycloak/data \
&& chown -R 1000:1000 /opt/keycloak/conf \
&& chown -R 1000:1000 /opt/keycloak/themes
# Copy configuration files
# COPY deploy/config/realm/ /opt/keycloak/data/import/
# COPY deploy/config/user-profile.json /opt/keycloak/conf/user-profile.json
COPY deploy/config/keycloak.conf /opt/keycloak/conf/keycloak.conf
# Copy custom themes (if any)
# COPY deploy/config/themes/ /opt/keycloak/themes/
# Set proper ownership
RUN chown -R 1000:1000 /opt/keycloak/data/import \
&& chown -R 1000:1000 /opt/keycloak/conf
# Switch back to keycloak user for security
USER 1000
# Set runtime environment variables TO CHANGE FOR PROD !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ENV KC_DB=postgres \
KC_HEALTH_ENABLED=true \
KC_METRICS_ENABLED=true \
KC_HTTP_ENABLED=true \
KC_HOSTNAME_STRICT=false \
KC_HOSTNAME_STRICT_HTTPS=false \
KC_LOG_LEVEL=INFO
# Expose ports
EXPOSE 8080 9000
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f http://localhost:9000/health/ready || exit 1
# Default entrypoint with import
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start", "--import-realm", "--optimized"]

72
README.md
View File

@ -21,44 +21,74 @@ nano .env
docker compose up -d
```
## UPGRADE PROCESS
## UPGRADE PROCESS (from v16 to v26)
Pour upgrader keycloak, il faut:
- exporter la base de données utilisateurs (LDAP)
- exporter le realm
- démarrer la nouvelle version de keycloak (créer l'admin définitif et supprimer le temporaire)
- importer le realm de l'export json
- importer la base de données ldap
- Configurer le realm garagenum pour utiliser le ldap
- recréer les secrets des clients
### EXPORT LDAP DATABASE (USERS)
Pour upgrader keycloak, il faut:
- exporter la base de données utilisateurs (LDAP)
```bash
docker exec -it ancien-ldap bash
slapcat -n 1 -l /tmp/backup.ldif
docker cp ancien-ldap:/tmp/backup.ldif .
```
- exporter les `clients` du `realm`
### EXPORTER LES CLIENTS DU REALM
:skull: Les secrets ne seront pas récupérés (*******) donc à persister avant ou idéalement recréer
- Modifier la configuration du script `keycloak-adm-clients.sh`
### EXPORTER LE REALM
![]()
### DEMARRER LA NOUVELLE VERSION
- Utiliser le script pour exporter les clients:
```bash
./keycloak-adm-clients.sh export
docker compose up -d
```
### IMPORTER DATABASE
### IMPORTER LE REALM
- Copier la database de `keycloak-openldap`:
Utiliser le fichier json de l'export pour importer les configs du realm
![]()
### IMPORTER DATABASE LDAP (USERS)
- importer la base de données de `keycloak-openldap`:
```bash
cp /chemin/vers/l'ancienne/ldap_db/*.mdb ./keycloak/ldap_db
# Copier la backup ldif
docker cp backup.ldif keycloak-openldap:/tmp/backup.ldif
# Se connecter au terminal du conteneur ldap
docker exec -it keycloak-openldap bash
# Arrêter le service slapd
service slapd stop
# Supprimer la DB actuelle
rm -rf /var/lib/ldap/*
# Ajouter le LDIF
slapadd -n 1 -F /etc/ldap/slapd.d -l /tmp/backup.ldif
# Ajuster les permissions
chown -R openldap:openldap /var/lib/ldap
# Redémarrer slapd
service slapd start
```
> c'est là que sont les users
> c'est là que sont les users !
### IMPORTER USERS DANS LA BASE DE DONNEES LDAP
### CONFIGURER LE REALM POUR UTILISER LDAP
Mettre à jour le User federation pour reconnecter Keycloak avec la BDD LDAP (mdp dans .env)
![]()
![user federation](docs/user_fede.png)
### IMPORTER LES CLIENTS DU REALM
- Utiliser le script pour exporter les clients:
```bash
./keycloak-adm-clients.sh import
```
:danger: Activer featue script pour keycloak
## BUGS
- [ ] Clients secrets don't get exported (***********) -> maj (script export à tester)
- [ ] Users need get verified -> A faire manuellement sur chq user (possibly automated)
- [ ] Users need get verified -> A faire manuellement sur chq user (possibly automated ?)

102
compose.yml
View File

@ -1,32 +1,71 @@
services:
keycloak:
image: quay.io/keycloak/keycloak:23.0.3
container_name: keycloak
restart: always
command: start --proxy=edge
# command: start-dev # pour debug
ports:
- 8080:8080
depends_on:
- keycloak_db
env_file:
- .env
volumes:
- ./keycloak/datas:/opt/keycloak/data/h2
# volumes:
# - ./keycloak/certs:/opt/jboss/keycloak/standalone/configuration/certs:ro
# - ./keycloak/conf/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone-ha.xml:ro
build:
context: .
dockerfile: Dockerfile
container_name: ${KEYCLOAK_CONTAINER_NAME:-local-keycloak}
environment:
# Admin configuration
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
keycloak_db:
image: postgres:13
container_name: keycloak-db
restart: always
volumes:
- ./postgres:/var/lib/postgresql/data
# Database configuration
KC_DB: ${KC_DB:-postgres}
KC_DB_URL: ${KC_DB_URL:-jdbc:postgresql://postgres:5432/gnsso}
KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
KC_DB_PASSWORD: ${KC_DB_PASSWORD:-password}
# Network configuration
KC_HOSTNAME_STRICT: ${KC_HOSTNAME_STRICT:-false}
KC_HOSTNAME_STRICT_HTTPS: ${KC_HOSTNAME_STRICT_HTTPS:-false}
KC_HTTP_ENABLED: ${KC_HTTP_ENABLED:-true}
# Features
environment:
# KC_FEATURES: scripts
KC_HEALTH_ENABLED: ${KC_HEALTH_ENABLED:-true}
KC_METRICS_ENABLED: ${KC_METRICS_ENABLED:-true}
# Logging
KC_LOG_LEVEL: ${LOG_LEVEL:-INFO}
ports:
- 5435:5432
env_file:
- .env
- "${KEYCLOAK_PORT:-8080}:8080"
- "9000:9000" # Health check port
depends_on:
postgres:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "timeout 5s sh -c '</dev/tcp/localhost/9000' || exit 1"]
interval: 30s
timeout: 10s
retries: 5
start_period: 60s
networks:
- keycloak-network
volumes:
- ./keycloak_data:/opt/keycloak/data
keycloak-postgres:
image: postgres:15-alpine
container_name: ${POSTGRES_CONTAINER_NAME:-keycloak-postgres}
environment:
POSTGRES_DB: ${POSTGRES_DB:-keycloak}
POSTGRES_USER: ${POSTGRES_USER:-keycloak}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --lc-collate=C --lc-ctype=C"
volumes:
- ./postgres_data:/var/lib/postgresql/data
- ./init-scripts:/docker-entrypoint-initdb.d
ports:
- "${POSTGRES_PORT:-5432}:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-keycloak} -d ${POSTGRES_DB:-keycloak}"]
interval: 10s
timeout: 5s
retries: 5
start_period: 30s
networks:
- keycloak-network
openldap:
image: osixia/openldap
@ -46,3 +85,16 @@ services:
ports:
- "389:389"
- "636:636"
networks:
- keycloak-network
volumes:
postgres_data:
driver: local
keycloak_data:
driver: local
networks:
keycloak-network:
driver: bridge
name: keycloak-network

BIN
docs/user_fede.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 43 KiB