Compare commits
3 Commits
Author | SHA1 | Date |
---|---|---|
Christian Galo | 743eee88cd | |
Christian Galo | 8d0149f128 | |
Christian Galo | 2bdc8f8d1e |
41
.drone.yml
41
.drone.yml
|
@ -1,41 +0,0 @@
|
|||
---
|
||||
kind: pipeline
|
||||
name: deploy to swarm-test.autonomic.zone
|
||||
steps:
|
||||
- name: deployment
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: keycloak
|
||||
networks:
|
||||
- proxy
|
||||
generate_secrets: true
|
||||
purge: true
|
||||
deploy_key:
|
||||
from_secret: drone_ssh_swarm_test
|
||||
environment:
|
||||
DOMAIN: keycloak.swarm-test.autonomic.zone
|
||||
STACK_NAME: keycloak
|
||||
LETS_ENCRYPT_ENV: production
|
||||
SECRET_ADMIN_PASSWORD_VERSION: v1
|
||||
SECRET_DB_PASSWORD_VERSION: v1
|
||||
SECRET_DB_ROOT_PASSWORD_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- master
|
||||
---
|
||||
kind: pipeline
|
||||
name: generate recipe catalogue
|
||||
steps:
|
||||
- name: release a new version
|
||||
image: plugins/downstream
|
||||
settings:
|
||||
server: https://build.coopcloud.tech
|
||||
token:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- coop-cloud/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
13
.env.sample
13
.env.sample
|
@ -1,13 +0,0 @@
|
|||
TYPE=keycloak
|
||||
|
||||
DOMAIN=keycloak.example.com
|
||||
## Domain aliases
|
||||
#EXTRA_DOMAINS=', `www.keycloak.example.com`'
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
ADMIN_USERNAME=admin
|
||||
WELCOME_THEME=keycloak
|
||||
|
||||
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||
SECRET_DB_PASSWORD_VERSION=v1
|
||||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
|
@ -0,0 +1 @@
|
|||
.env
|
52
README.md
52
README.md
|
@ -1,46 +1,24 @@
|
|||
# keycloak
|
||||
# Keycloak
|
||||
|
||||
[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/keycloak/status.svg)](https://drone.autonomic.zone/coop-cloud/keycloak)
|
||||
Wiki Cafe's configuration for a Keycloak deployment. Originally slimmed down from an `abra` [recipe](https://git.coopcloud.tech/coop-cloud/keycloak) by [Co-op Cloud](https://coopcloud.tech/).
|
||||
|
||||
[Keycloak](https://www.keycloak.org) + Coöp Cloud.
|
||||
|
||||
<!-- metadata -->
|
||||
* **Category**: Apps
|
||||
* **Status**: 2, beta
|
||||
* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), 4, upstream
|
||||
* **Healthcheck**: Yes
|
||||
* **Backups**: ?
|
||||
* **Email**: 1
|
||||
* **Tests**: 2
|
||||
* **SSO**: N/A
|
||||
<!-- endmetadata -->
|
||||
## Deploying the app with Docker Swarm
|
||||
|
||||
## Basic usage
|
||||
Set the environment variables from the .env file during the shell session.
|
||||
|
||||
1. Set up Docker Swarm and [`abra`][abra]
|
||||
2. Deploy [`coop-cloud/traefik`][cc-traefik]
|
||||
3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
|
||||
to save secrets in `pass`)
|
||||
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
|
||||
your Docker swarm box
|
||||
5. `abra app deploy YOURAPPDOMAIN`
|
||||
```
|
||||
set -a && source .env && set +a
|
||||
```
|
||||
|
||||
## How do I setup a custom theme?
|
||||
Set the secrets.
|
||||
|
||||
Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
|
||||
```
|
||||
printf "SECRET_HERE" | docker secret create SECRET_NAME -
|
||||
```
|
||||
|
||||
## How do I create another admin user?
|
||||
Deploy using the `-c` flag to specify one or multiple compose files.
|
||||
|
||||
- Under the `Master` realm > `Users` > `Add user`
|
||||
- Create the user and set a temporary password
|
||||
- Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
|
||||
|
||||
## How do I configure Keycloak login for..
|
||||
|
||||
- [Nextcloud][nextcloud]
|
||||
- [Peertube][peertube]
|
||||
|
||||
[nextcloud]: https://git.coopcloud.tech/coop-cloud/nextcloud
|
||||
[peertube]: https://git.coopcloud.tech/coop-cloud/peertube
|
||||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
|
||||
```
|
||||
docker stack deploy keycloak -c compose.yaml
|
||||
```
|
||||
|
|
|
@ -1,9 +1,6 @@
|
|||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: "keycloak/keycloak:22.0.1"
|
||||
image: "keycloak/keycloak:22.0.3"
|
||||
entrypoint: >
|
||||
bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
|
||||
networks:
|
||||
|
@ -18,17 +15,11 @@ services:
|
|||
- KC_DB_URL_HOST=db
|
||||
- KC_HOSTNAME=${DOMAIN}
|
||||
- KC_PROXY=edge
|
||||
- KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
|
||||
- KEYCLOAK_ADMIN=${ADMIN_USERNAME}
|
||||
- KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
|
||||
# NOTE(3wc): disabled due to missing curl binary, see
|
||||
# https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
|
||||
# healthcheck:
|
||||
# test: ["CMD", "curl", "-f", "http://localhost:8080"]
|
||||
# interval: 30s
|
||||
# timeout: 10s
|
||||
# retries: 10
|
||||
# start_period: 1m
|
||||
# https://www.keycloak.org/server/health
|
||||
# Use external health checks
|
||||
volumes:
|
||||
- "themes:/opt/keycloak/themes"
|
||||
depends_on:
|
||||
|
@ -39,14 +30,13 @@ services:
|
|||
order: start-first
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
- "coop-cloud.${STACK_NAME}.version=7.0.0+22.0.1"
|
||||
- "traefik.http.services.keycloak.loadbalancer.server.port=8080"
|
||||
- "traefik.http.routers.keycloak.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
||||
- "traefik.http.routers.keycloak.entrypoints=web-secure"
|
||||
- "traefik.http.routers.keycloak.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "traefik.http.routers.keycloak.middlewares=keycloak-redirect"
|
||||
- "traefik.http.middlewares.keycloak-redirect.headers.SSLForceHost=true"
|
||||
- "traefik.http.middlewares.keycloak-redirect.headers.SSLHost=${DOMAIN}"
|
||||
|
||||
db:
|
||||
image: "mariadb:10.11"
|
||||
|
@ -79,13 +69,13 @@ networks:
|
|||
|
||||
secrets:
|
||||
admin_password:
|
||||
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
||||
name: keycloak_admin_password
|
||||
external: true
|
||||
db_password:
|
||||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||
name: keycloak_db_password
|
||||
external: true
|
||||
db_root_password:
|
||||
name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
|
||||
name: keycloak_db_root_password
|
||||
external: true
|
||||
|
||||
volumes:
|
|
@ -1,12 +0,0 @@
|
|||
This major release comes with a blog post about a CVE:
|
||||
|
||||
https://www.keycloak.org/2021/12/cve.html
|
||||
|
||||
Not all versions are affected but they're suggesting that people upgrade soon.
|
||||
|
||||
As per usual, this upgrade didn't go too smoothly and I ended up having to
|
||||
undeploy and deploy the new versions. The healtcheck kept failing on the new
|
||||
instance when trying to deploy alongside the existing old version. Idk, some
|
||||
docker weirdness.
|
||||
|
||||
No app data errors discovered after upgrade.
|
|
@ -1,9 +0,0 @@
|
|||
You'll need to remove `/auth/` from your app SSO URLs, e.g.
|
||||
|
||||
https://foo.example.com/auth/realms/foo/protocol/openid-connect/auth
|
||||
|
||||
Would become:
|
||||
|
||||
https://foo.example.com/realms/foo/protocol/openid-connect/auth
|
||||
|
||||
-- decentral1se @ Autonomic
|
|
@ -1,2 +0,0 @@
|
|||
Healthchecks are disabled, see
|
||||
https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
|
|
@ -1,6 +0,0 @@
|
|||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||
"extends": [
|
||||
"config:base"
|
||||
]
|
||||
}
|
Loading…
Reference in New Issue