Compare commits
1 Commits
Author | SHA1 | Date |
---|---|---|
knoflook | 2cc1b95c57 |
20
.drone.yml
20
.drone.yml
|
@ -3,12 +3,10 @@ kind: pipeline
|
||||||
name: deploy to swarm-test.autonomic.zone
|
name: deploy to swarm-test.autonomic.zone
|
||||||
steps:
|
steps:
|
||||||
- name: deployment
|
- name: deployment
|
||||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
image: decentral1se/stack-ssh-deploy:latest
|
||||||
settings:
|
settings:
|
||||||
host: swarm-test.autonomic.zone
|
host: swarm-test.autonomic.zone
|
||||||
stack: keycloak
|
stack: keycloak
|
||||||
networks:
|
|
||||||
- proxy
|
|
||||||
generate_secrets: true
|
generate_secrets: true
|
||||||
purge: true
|
purge: true
|
||||||
deploy_key:
|
deploy_key:
|
||||||
|
@ -25,17 +23,11 @@ trigger:
|
||||||
- master
|
- master
|
||||||
---
|
---
|
||||||
kind: pipeline
|
kind: pipeline
|
||||||
name: generate recipe catalogue
|
name: recipe release
|
||||||
steps:
|
steps:
|
||||||
- name: release a new version
|
- name: release a new version
|
||||||
image: plugins/downstream
|
image: thecoopcloud/drone-abra:latest
|
||||||
settings:
|
settings:
|
||||||
server: https://build.coopcloud.tech
|
command: recipe keycloak release
|
||||||
token:
|
deploy_key:
|
||||||
from_secret: drone_abra-bot_token
|
from_secret: abra_bot_deploy_key
|
||||||
fork: true
|
|
||||||
repositories:
|
|
||||||
- coop-cloud/auto-recipes-catalogue-json
|
|
||||||
|
|
||||||
trigger:
|
|
||||||
event: tag
|
|
||||||
|
|
|
@ -6,13 +6,7 @@ DOMAIN=keycloak.example.com
|
||||||
LETS_ENCRYPT_ENV=production
|
LETS_ENCRYPT_ENV=production
|
||||||
|
|
||||||
ADMIN_USERNAME=admin
|
ADMIN_USERNAME=admin
|
||||||
WELCOME_THEME=keycloak
|
|
||||||
|
|
||||||
COMPOSE_FILE="compose.yml"
|
|
||||||
|
|
||||||
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||||
SECRET_DB_PASSWORD_VERSION=v1
|
SECRET_DB_PASSWORD_VERSION=v1
|
||||||
SECRET_ADMIN_PASSWORD_VERSION=v1
|
SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||||
|
|
||||||
# Enable persistent theme volume, if you want to apply a custom theme
|
|
||||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.theme.yml"
|
|
||||||
|
|
29
README.md
29
README.md
|
@ -6,12 +6,12 @@
|
||||||
|
|
||||||
<!-- metadata -->
|
<!-- metadata -->
|
||||||
* **Category**: Apps
|
* **Category**: Apps
|
||||||
* **Status**: 2, beta
|
* **Status**: ❷💛
|
||||||
* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), 4, upstream
|
* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), ❶💚, upstream
|
||||||
* **Healthcheck**: Yes
|
* **Healthcheck**: Yes
|
||||||
* **Backups**: ?
|
* **Backups**: ?
|
||||||
* **Email**: 1
|
* **Email**: ❸🍎
|
||||||
* **Tests**: 2
|
* **Tests**: ❷💛
|
||||||
* **SSO**: N/A
|
* **SSO**: N/A
|
||||||
<!-- endmetadata -->
|
<!-- endmetadata -->
|
||||||
|
|
||||||
|
@ -21,26 +21,9 @@
|
||||||
2. Deploy [`coop-cloud/traefik`][cc-traefik]
|
2. Deploy [`coop-cloud/traefik`][cc-traefik]
|
||||||
3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
|
3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
|
||||||
to save secrets in `pass`)
|
to save secrets in `pass`)
|
||||||
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
|
4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
|
||||||
your Docker swarm box
|
your Docker swarm box
|
||||||
5. `abra app deploy YOURAPPDOMAIN`
|
5. `abra app YOURAPPDOMAIN deploy`
|
||||||
|
|
||||||
## How do I setup a custom theme?
|
|
||||||
|
|
||||||
Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
|
|
||||||
|
|
||||||
## How do I create another admin user?
|
|
||||||
|
|
||||||
- Under the `Master` realm > `Users` > `Add user`
|
|
||||||
- Create the user and set a temporary password
|
|
||||||
- Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
|
|
||||||
|
|
||||||
## How do I configure Keycloak login for..
|
|
||||||
|
|
||||||
- [Nextcloud][nextcloud]
|
|
||||||
- [Peertube][peertube]
|
|
||||||
|
|
||||||
[nextcloud]: https://git.coopcloud.tech/coop-cloud/nextcloud
|
|
||||||
[peertube]: https://git.coopcloud.tech/coop-cloud/peertube
|
|
||||||
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
[abra]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||||
[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
|
[cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
---
|
|
||||||
version: "3.8"
|
|
||||||
|
|
||||||
services:
|
|
||||||
app:
|
|
||||||
volumes:
|
|
||||||
- "themes:/opt/keycloak/themes"
|
|
||||||
|
|
||||||
volumes:
|
|
||||||
themes:
|
|
50
compose.yml
50
compose.yml
|
@ -3,9 +3,7 @@ version: "3.8"
|
||||||
|
|
||||||
services:
|
services:
|
||||||
app:
|
app:
|
||||||
image: "keycloak/keycloak:23.0.6"
|
image: "mihaibob/keycloak:15.0.1"
|
||||||
entrypoint: >
|
|
||||||
bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
|
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
- internal
|
- internal
|
||||||
|
@ -13,24 +11,20 @@ services:
|
||||||
- admin_password
|
- admin_password
|
||||||
- db_password
|
- db_password
|
||||||
environment:
|
environment:
|
||||||
- KC_DB=mariadb
|
- DB_ADDR=db
|
||||||
- KC_DB_URL_DATABASE=keycloak
|
- DB_DATABASE=keycloak
|
||||||
- KC_DB_URL_HOST=db
|
- DB_PASSWORD_FILE=/run/secrets/db_password
|
||||||
- KC_HOSTNAME=${DOMAIN}
|
- DB_USER=keycloak
|
||||||
- KC_PROXY=edge
|
- DB_VENDOR=mariadb
|
||||||
- KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
|
- KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
|
||||||
- KEYCLOAK_ADMIN=${ADMIN_USERNAME}
|
- KEYCLOAK_USER=${ADMIN_USERNAME}
|
||||||
- KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
|
- PROXY_ADDRESS_FORWARDING=true
|
||||||
# NOTE(3wc): disabled due to missing curl binary, see
|
healthcheck:
|
||||||
# https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
|
test: ["CMD", "curl", "-f", "http://localhost:8080"]
|
||||||
# healthcheck:
|
interval: 30s
|
||||||
# test: ["CMD", "curl", "-f", "http://localhost:8080"]
|
timeout: 10s
|
||||||
# interval: 30s
|
retries: 10
|
||||||
# timeout: 10s
|
start_period: 1m
|
||||||
# retries: 10
|
|
||||||
# start_period: 1m
|
|
||||||
volumes:
|
|
||||||
- "providers:/opt/keycloak/providers"
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- mariadb
|
- mariadb
|
||||||
deploy:
|
deploy:
|
||||||
|
@ -46,10 +40,10 @@ services:
|
||||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
- "coop-cloud.${STACK_NAME}.version=8.0.1+23.0.6"
|
- "coop-cloud.${STACK_NAME}.version=3.0.0+15.0.2"
|
||||||
|
|
||||||
db:
|
db:
|
||||||
image: "mariadb:11.2"
|
image: "mariadb:10.6"
|
||||||
environment:
|
environment:
|
||||||
- MYSQL_DATABASE=keycloak
|
- MYSQL_DATABASE=keycloak
|
||||||
- MYSQL_USER=keycloak
|
- MYSQL_USER=keycloak
|
||||||
|
@ -62,15 +56,6 @@ services:
|
||||||
- "mariadb:/var/lib/mysql"
|
- "mariadb:/var/lib/mysql"
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
deploy:
|
|
||||||
labels:
|
|
||||||
backupbot.backup: "true"
|
|
||||||
backupbot.backup.path: "/tmp/dump.sql.gz"
|
|
||||||
backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
|
|
||||||
backupbot.backup.pre-hook: "sh -c 'mysqldump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
|
|
||||||
backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'"
|
|
||||||
backupbot.restore: "true"
|
|
||||||
backupbot.restore.post-hook: "sh -c 'mysql -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
|
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
internal:
|
internal:
|
||||||
|
@ -90,4 +75,3 @@ secrets:
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
mariadb:
|
mariadb:
|
||||||
providers:
|
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
This major release comes with a blog post about a CVE:
|
|
||||||
|
|
||||||
https://www.keycloak.org/2021/12/cve.html
|
|
||||||
|
|
||||||
Not all versions are affected but they're suggesting that people upgrade soon.
|
|
||||||
|
|
||||||
As per usual, this upgrade didn't go too smoothly and I ended up having to
|
|
||||||
undeploy and deploy the new versions. The healtcheck kept failing on the new
|
|
||||||
instance when trying to deploy alongside the existing old version. Idk, some
|
|
||||||
docker weirdness.
|
|
||||||
|
|
||||||
No app data errors discovered after upgrade.
|
|
|
@ -1,9 +0,0 @@
|
||||||
You'll need to remove `/auth/` from your app SSO URLs, e.g.
|
|
||||||
|
|
||||||
https://foo.example.com/auth/realms/foo/protocol/openid-connect/auth
|
|
||||||
|
|
||||||
Would become:
|
|
||||||
|
|
||||||
https://foo.example.com/realms/foo/protocol/openid-connect/auth
|
|
||||||
|
|
||||||
-- decentral1se @ Autonomic
|
|
|
@ -1,2 +0,0 @@
|
||||||
Healthchecks are disabled, see
|
|
||||||
https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
|
|
|
@ -1,5 +0,0 @@
|
||||||
A persistent volume for themes is now optional, and not enabled by default.
|
|
||||||
|
|
||||||
If you are using a custom theme, consult the recipe `.env.sample` to see the new
|
|
||||||
variables you need to add. You can use `abra app check ...` to verify that
|
|
||||||
they've been added correctly.
|
|
Loading…
Reference in New Issue