From 83ffe14fcaa03e63dff6cbe82b01bf112653a827 Mon Sep 17 00:00:00 2001 From: greg Date: Fri, 29 Aug 2025 16:06:50 +0200 Subject: [PATCH] maj version prod OK, import kc bdd to test --- README.md | 30 ++++++++++++++--- compose.yml | 20 +++++------ files/keycloak.conf | 77 +++++++++++++++++++++++++++++++++++++++++++ tools/Dockerfile.dev | 70 +++++++++++++++++++++++++++++++++++++++ tools/Dockerfile.prod | 70 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 253 insertions(+), 14 deletions(-) create mode 100644 files/keycloak.conf create mode 100644 tools/Dockerfile.dev create mode 100644 tools/Dockerfile.prod diff --git a/README.md b/README.md index fd76e4a..ac6a944 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # KEYCLOAK -Ce projet est pour upgrader Keycloak (déployé via Docker) de la version 16 vers la version 23 ou ultérieur +Ce projet est pour upgrader Keycloak (déployé via Docker) de la version 16 vers la version 26 ou ultérieur ## PRE-REQUIS @@ -25,9 +25,11 @@ docker compose up -d Pour upgrader keycloak, il faut: - exporter la base de données utilisateurs (LDAP) +- exporter la bese de données de keycloak - exporter le realm - démarrer la nouvelle version de keycloak (créer l'admin définitif et supprimer le temporaire) - importer le realm de l'export json +- importer la base de données pg (here ?!) - importer la base de données ldap - Configurer le realm garagenum pour utiliser le ldap - recréer les secrets des clients @@ -48,10 +50,20 @@ docker cp ancien-ldap:/tmp/backup.ldif . :skull: Les secrets ne seront pas récupérés (*******) donc à persister avant ou idéalement recréer +### EXPORTER LA BASE DE DONNÉES KEYCLOAK + +```bash +docker exec pg_dump -U > kc_db_backup.sql +``` + +> On obtient un fichier que l'on va pouvoir importer dans la nouvelle base de donnée keycloak + ### EXPORTER LE REALM ![]() +> Cocher groups et clients + ### DEMARRER LA NOUVELLE VERSION ```bash 
@@ -60,10 +72,20 @@ docker compose up -d ### IMPORTER LE REALM -Utiliser le fichier json de l'export pour importer les configs du realm +- Clean `authorizationSettings` blocs in export-realm.json + +Utiliser le fichier json de l'export une fois néttoyé pour importer les configs du realm ![]() +- Redémarrer keycloak en mode production (Dockerfile.prod dans le `compose.yml`) + +### IMPORTER BASE DE DONNÉES KEYCLOAK + +Placer le fichier de backup de la BDD de keycloak dans le dossier persisté `./init-scripts` + +> Vérifier les logs au démarrage pour vérifier que l'import de la base de données à été bien faite. + ### IMPORTER DATABASE LDAP (USERS) - importer la base de données de `keycloak-openldap`: @@ -90,9 +112,9 @@ service slapd start ![]() -:warning: Activer featue script pour keycloak +## SECURISER LE LDAP -## FAIL2BAN JAIL FOR LDAP (TO DO) +### FAIL2BAN JAIL FOR LDAP (TO DO) - /etc/fail2ban/jail.local ```conf diff --git a/compose.yml b/compose.yml index ec348a4..2332e8d 100644 --- a/compose.yml +++ b/compose.yml 
@@ -2,24 +2,24 @@ services:
 keycloak:
 build:
 context: .
- dockerfile: Dockerfile
+ dockerfile: Dockerfile.prod.
+# FOR IMPORTING REALM
+# dockerfile: Dockerfile.dev
+# command: ["start-dev", "--features=scripts"]
 container_name: ${KEYCLOAK_CONTAINER_NAME:-local-keycloak}
 environment:
 # Admin configuration
 KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
- KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
 # Database configuration
- KC_DB: ${KC_DB:-postgres}
- KC_DB_URL: ${KC_DB_URL:-jdbc:postgresql://postgres:5432/gnsso}
+ KC_DB: ${KC_DB:-keycloak-postgres}
+ KC_DB_URL: ${KC_DB_URL:-jdbc:postgresql://keycloak-postgres:5432/keycloak}
 KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
 KC_DB_PASSWORD: ${KC_DB_PASSWORD:-password}
 # Network configuration
 KC_HOSTNAME_STRICT: ${KC_HOSTNAME_STRICT:-false}
 KC_HOSTNAME_STRICT_HTTPS: ${KC_HOSTNAME_STRICT_HTTPS:-false}
 KC_HTTP_ENABLED: ${KC_HTTP_ENABLED:-true}
- # Features
- environment:
- # KC_FEATURES: scripts
 KC_HEALTH_ENABLED: ${KC_HEALTH_ENABLED:-true}
 KC_METRICS_ENABLED: ${KC_METRICS_ENABLED:-true}
 # Logging
@@ -28,9 +28,9 @@ services:
 - .env
 ports:
 - "${KEYCLOAK_PORT:-8080}:8080"
- - "9000:9000" # Health check port
+ - "9000:9000" # Health check
 depends_on:
- postgres:
+ keycloak-postgres:
 condition: service_healthy
 healthcheck:
 test: ["CMD-SHELL", "timeout 5s sh -c '
+#hostname-strict=true
+#hostname-strict-https=true
+#http-enabled=false
+#proxy=edge
+proxy-headers=xforwarded
\ No newline at end of file
diff --git a/tools/Dockerfile.dev b/tools/Dockerfile.dev
new file mode 100644
index 0000000..96f7621
--- /dev/null
+++ b/tools/Dockerfile.dev
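Review bot: `KC_DB: ${KC_DB:-keycloak-postgres}` puts what looks like the compose service name into the database vendor option; `KC_DB` takes a vendor id such as `postgres` (the value the line had before, and the one both new Dockerfiles fix at build time), and Keycloak validates it against its vendor list, so startup should fail with an invalid-value error — or, under `start --optimized`, the build-time `postgres` is kept and the override is ignored; the rename belongs only in `KC_DB_URL`, which the next line already has. In the same hunk `dockerfile: Dockerfile.prod.` carries a trailing dot and, with `context: .`, does not match the file this commit adds at `tools/Dockerfile.prod`; `dockerfile: tools/Dockerfile.prod` (and `tools/Dockerfile.dev` in the commented alternative) is what the build needs. The new fallback `${KEYCLOAK_ADMIN_PASSWORD:-admin123}` ships a guessable admin password into a compose file now pointed at the production image; dropping the default so a missing `.env` fails the start, e.g. `KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?set in .env}`, is safer, and the unchanged `KC_DB_PASSWORD: ${KC_DB_PASSWORD:-password}` deserves the same treatment. If the target is Keycloak 26 as the README states, `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` are deprecated there in favour of `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD` — worth confirming against the release notes of the version actually pinned.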
@@ -0,0 +1,70 @@
+# Multi-stage Keycloak build with custom configuration
+# This Dockerfile creates an optimized Keycloak image with token exchange support
+
+# =============================================================================
+# Build Stage
+# =============================================================================
+FROM quay.io/keycloak/keycloak:latest AS builder
+
+# Set build-time environment variables
+ENV KC_HEALTH_ENABLED=true \
+ KC_METRICS_ENABLED=true \
+ KC_DB=postgres \
+ KC_TRANSACTION_XA_ENABLED=false \
+ KC_CACHE=ispn \
+ KC_CACHE_STACK=tcp
+
+# Build optimized Keycloak
+RUN /opt/keycloak/bin/kc.sh build
+
+# =============================================================================
+# Runtime Stage
+# =============================================================================
+FROM quay.io/keycloak/keycloak:latest
+
+# Copy optimized build from builder stage
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+# Create necessary directories
+USER root
+RUN mkdir -p /opt/keycloak/data/import \
+ && mkdir -p /opt/keycloak/conf \
+ && mkdir -p /opt/keycloak/themes \
+ && chown -R 1000:1000 /opt/keycloak/data \
+ && chown -R 1000:1000 /opt/keycloak/conf \
+ && chown -R 1000:1000 /opt/keycloak/themes
+
+# Copy configuration files
+# COPY files/realm.json /opt/keycloak/data/import/
+# COPY deploy/config/user-profile.json /opt/keycloak/conf/user-profile.json
+COPY files/keycloak.conf /opt/keycloak/conf/keycloak.conf
+
+# Copy custom themes (if any)
+# COPY deploy/config/themes/ /opt/keycloak/themes/
+
+# Set proper ownership
+RUN chown -R 1000:1000 /opt/keycloak/data/import \
+ && chown -R 1000:1000 /opt/keycloak/conf
+
+# Switch back to keycloak user for security
+USER 1000
+
+# Set runtime environment variables (overriden by keycloak.conf or compose envs)
+ENV KC_DB=postgres \
+ KC_HEALTH_ENABLED=true \
+ KC_METRICS_ENABLED=true \
+ KC_HTTP_ENABLED=true \
+ KC_HOSTNAME_STRICT=false \
+ KC_HOSTNAME_STRICT_HTTPS=false \
+ 
KC_LOG_LEVEL=INFO
+
+# Expose ports
+EXPOSE 8080 9000 8443
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+ CMD curl -f http://localhost:9000/health/ready || exit 1
+
+# Default entrypoint with import
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start-dev", "--import-realm", "--features=scripts"]
\ No newline at end of file
diff --git a/tools/Dockerfile.prod b/tools/Dockerfile.prod
new file mode 100644
index 0000000..e151750
--- /dev/null
+++ b/tools/Dockerfile.prod
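Review bot: `CMD curl -f http://localhost:9000/health/ready || exit 1` in the HEALTHCHECK relies on curl, which the official `quay.io/keycloak/keycloak` image (ubi-micro based) does not ship as far as I know, so the container would be reported unhealthy on every probe whatever Keycloak's state; either drop the image-level HEALTHCHECK and keep the service-level one compose.yml already defines, or probe port 9000 with a tool the image actually contains. Both `FROM quay.io/keycloak/keycloak:latest` lines pull an unpinned tag, so the builder and runtime stages are not guaranteed to resolve to the same release, and an upgrade the README scopes to Keycloak 26 can silently move to a later major on the next build — pin the minor release in both stages (ideally with the digest). The header `# This Dockerfile creates an optimized Keycloak image with token exchange support` names a feature nothing in the file enables; `# Optimized Keycloak image; the CMD enables realm import and the scripts feature (dev only)` would describe this variant, and `overriden` in the runtime ENV comment is `overridden`. The same three points apply to the tools/Dockerfile.prod hunk below, which duplicates these lines.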
@@ -0,0 +1,70 @@
+# Multi-stage Keycloak build with custom configuration
+# This Dockerfile creates an optimized Keycloak image with token exchange support
+
+# =============================================================================
+# Build Stage
+# =============================================================================
+FROM quay.io/keycloak/keycloak:latest AS builder
+
+# Set build-time environment variables
+ENV KC_HEALTH_ENABLED=true \
+ KC_METRICS_ENABLED=true \
+ KC_DB=postgres \
+ KC_TRANSACTION_XA_ENABLED=false \
+ KC_CACHE=ispn \
+ KC_CACHE_STACK=tcp
+
+# Build optimized Keycloak
+RUN /opt/keycloak/bin/kc.sh build
+
+# =============================================================================
+# Runtime Stage
+# =============================================================================
+FROM quay.io/keycloak/keycloak:latest
+
+# Copy optimized build from builder stage
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+# Create necessary directories
+USER root
+RUN mkdir -p /opt/keycloak/data/import \
+ && mkdir -p /opt/keycloak/conf \
+ && mkdir -p /opt/keycloak/themes \
+ && chown -R 1000:1000 /opt/keycloak/data \
+ && chown -R 1000:1000 /opt/keycloak/conf \
+ && chown -R 1000:1000 /opt/keycloak/themes
+
+# Copy configuration files
+# COPY files/realm.json /opt/keycloak/data/import/
+# COPY deploy/config/user-profile.json /opt/keycloak/conf/user-profile.json
+COPY files/keycloak.conf /opt/keycloak/conf/keycloak.conf
+
+# Copy custom themes (if any)
+# COPY deploy/config/themes/ /opt/keycloak/themes/
+
+# Set proper ownership
+RUN chown -R 1000:1000 /opt/keycloak/data/import \
+ && chown -R 1000:1000 /opt/keycloak/conf
+
+# Switch back to keycloak user for security
+USER 1000
+
+# Set runtime environment variables (overriden by keycloak.conf or compose envs)
+ENV KC_DB=postgres \
+ KC_HEALTH_ENABLED=true \
+ KC_METRICS_ENABLED=true \
+ KC_HTTP_ENABLED=true \
+ KC_HOSTNAME_STRICT=false \
+ KC_HOSTNAME_STRICT_HTTPS=false \
+ 
KC_LOG_LEVEL=INFO
+
+# Expose ports
+EXPOSE 8080 9000 8443
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+ CMD curl -f http://localhost:9000/health/ready || exit 1
+
+# Default entrypoint with import
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start", "--optimized"]
\ No newline at end of file
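Review bot: The runtime `ENV` block bakes `KC_HTTP_ENABLED=true`, `KC_HOSTNAME_STRICT=false` and `KC_HOSTNAME_STRICT_HTTPS=false` into the production image, so any `start --optimized` deployment that forgets to override them serves plain HTTP with hostname checks off by default; this loosening belongs in `files/keycloak.conf` or the compose environment next to the proxy settings (the conf hunk already carries `proxy-headers=xforwarded`), leaving the image at Keycloak's own defaults. `KC_HOSTNAME_STRICT_HTTPS` was removed with the hostname v2 options in Keycloak 25, so on a 26 image it is at best ignored — worth confirming against the release notes of the pinned version. `KC_DB=postgres` is already fixed in the builder stage and `--optimized` does not re-read build-time options at startup, so the runtime `KC_DB` line is redundant (and compose.yml's `KC_DB` default currently disagrees with it). The comment `# Default entrypoint with import` is left over from the dev variant; `# Production start: pre-built image, no realm import` matches `CMD ["start", "--optimized"]`.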