.drone.yml

@@ -3,12 +3,10 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: keycloak
-      networks:
-       - proxy
       generate_secrets: true
       purge: true
       deploy_key:
@@ -25,17 +23,11 @@ trigger:
     - master
 ---
 kind: pipeline
-name: generate recipe catalogue
+name: recipe release
 steps:
   - name: release a new version
-    image: plugins/downstream
+    image: thecoopcloud/drone-abra:latest
     settings:
-      server: https://build.coopcloud.tech
+      command: recipe keycloak release
-      token:
+      deploy_key:
-        from_secret: drone_abra-bot_token
+        from_secret: abra_bot_deploy_key
-      fork: true
-      repositories:
-        - toolshed/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -6,13 +6,10 @@ DOMAIN=keycloak.example.com
 LETS_ENCRYPT_ENV=production
 
 ADMIN_USERNAME=admin
-WELCOME_THEME=keycloak
 
-COMPOSE_FILE="compose.yml"
+# CUSTOM_THEME_ENABLED=1
+# CUSTOM_THEME_URL=
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
-
-# Enable persistent theme volume, if you want to apply a custom theme
-#COMPOSE_FILE="$COMPOSE_FILE:compose.theme.yml"

README.md

@@ -6,12 +6,12 @@
 
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: 2, beta
+* **Status**: ❷💛
-* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), 4, upstream
+* **Image**: [`jboss/keycloak`](https://hub.docker.com/r/jboss/keycloak), ❶💚, upstream
 * **Healthcheck**: Yes
 * **Backups**: ?
-* **Email**: 1
+* **Email**: ❸🍎
-* **Tests**: 2
+* **Tests**: ❷💛
 * **SSO**: N/A
 <!-- endmetadata -->
 
@@ -21,26 +21,9 @@
 2. Deploy [`coop-cloud/traefik`][cc-traefik]
 3. `abra app new keycloak --secrets` (optionally with `--pass` if you'd like
    to save secrets in `pass`)
-4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
    your Docker swarm box
-5. `abra app deploy YOURAPPDOMAIN`
+5. `abra app YOURAPPDOMAIN deploy`
 
-## How do I setup a custom theme?
-
-Check [this approach](https://git.autonomic.zone/ruangrupa/login.lumbung.space).
-
-## How do I create another admin user?
-
-- Under the `Master` realm > `Users` > `Add user`
-- Create the user and set a temporary password
-- Under the `Role Mappings` tab, move `admin` from `Available Roles` into `Assigned Roles`
-
-## How do I configure Keycloak login for..
-
-- [Nextcloud][nextcloud]
-- [Peertube][peertube]
-
-[nextcloud]: https://git.coopcloud.tech/coop-cloud/nextcloud
-[peertube]: https://git.coopcloud.tech/coop-cloud/peertube
 [abra]: https://git.autonomic.zone/autonomic-cooperative/abra
 [cc-traefik]: https://git.autonomic.zone/coop-cloud/traefik

abra.sh

@@ -0,0 +1 @@
+export ENTRYPOINT_CONF_VERSION=v1

compose.theme.yml

@@ -1,10 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    volumes:
-      - "themes:/opt/keycloak/themes"
-
-volumes:
-  themes:

compose.yml

@@ -3,9 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: "keycloak/keycloak:26.2.1"
+    image: "jboss/keycloak:15.0.2"
-    entrypoint: >
-      bash -c "KEYCLOAK_ADMIN_PASSWORD=\"$$(cat /run/secrets/admin_password)\" KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
     networks:
       - proxy
       - internal
@@ -13,26 +11,27 @@ services:
       - admin_password
       - db_password
     environment:
-      - KC_DB=mariadb
+      - CUSTOM_THEME_ENABLED
-      - KC_DB_URL_DATABASE=keycloak
+      - CUSTOM_THEME_URL
-      - KC_DB_URL_HOST=db
+      - DB_ADDR=db
-      - KC_HOSTNAME=https://${DOMAIN}
+      - DB_DATABASE=keycloak
-      - KC_PROXY=edge
+      - DB_PASSWORD_FILE=/run/secrets/db_password
-      - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
+      - DB_USER=keycloak
-      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
+      - DB_VENDOR=mariadb
-      - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
+      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
-      - KC_PROXY_HEADERS=xforwarded
+      - KEYCLOAK_USER=${ADMIN_USERNAME}
-      - KC_HTTP_ENABLED=true
+      - PROXY_ADDRESS_FORWARDING=true
-    # NOTE(3wc): disabled due to missing curl binary, see
+    configs:
-    #   https://git.coopcloud.tech/coop-cloud/keycloak/issues/15
+      - source: entrypoint_conf
-    # healthcheck:
+        target: /docker-entrypoint.sh
-    #   test: ["CMD", "curl", "-f", "http://localhost:8080"]
+        mode: 0555
-    #   interval: 30s
+    entrypoint: /docker-entrypoint.sh
-    #   timeout: 10s
+    healthcheck:
-    #   retries: 10
+      test: ["CMD", "curl", "-f", "http://localhost:8080"]
-    #   start_period: 1m
+      interval: 30s
-    volumes:
+      timeout: 10s
-      - "providers:/opt/keycloak/providers"
+      retries: 10
+      start_period: 1m
     depends_on:
       - mariadb
     deploy:
@@ -48,13 +47,10 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "caddy=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+15.0.2"
-        - "caddy.reverse_proxy={{upstreams 8080}}"
-        - "caddy.tls.on_demand="
-        - "coop-cloud.${STACK_NAME}.version=10.3.0+26.2.1"
 
   db:
-    image: "mariadb:11.7"
+    image: "mariadb:10.6"
     environment:
       - MYSQL_DATABASE=keycloak
       - MYSQL_USER=keycloak
@@ -67,15 +63,6 @@ services:
       - "mariadb:/var/lib/mysql"
     networks:
       - internal
-    deploy:
-      labels:
-        backupbot.backup: "true"
-        backupbot.backup.path: "/tmp/dump.sql.gz"
-        backupbot.backup.post-hook: "rm -f /tmp/dump.sql.gz"
-        backupbot.backup.pre-hook: "sh -c 'mariadb-dump -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak | gzip > /tmp/dump.sql.gz'"
-        backupbot.restore.pre-hook: "sh -c 'cd /tmp && gzip -d dump.sql.gz'" 
-        backupbot.restore: "true"
-        backupbot.restore.post-hook: "sh -c 'mariadb -u root -p\"$$(cat /run/secrets/db_root_password)\" keycloak < /tmp/dump.sql && rm -f /tmp/dump.sql'"
 
 networks:
   internal:
@@ -95,4 +82,9 @@ secrets:
 
 volumes:
   mariadb:
-  providers:
+
+configs:
+  entrypoint_conf:
+    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang

entrypoint.sh.tmpl

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+{{ if eq (env "CUSTOM_THEME_ENABLED") "1" }}
+microdnf update && microdnf install git
+git clone "$CUSTOM_THEME_URL" "/opt/jboss/keycloak/themes/$CUSTOM_THEME_NAME"
+{{ end }}
+
+# upstream entrypoint
+# https://github.com/keycloak/keycloak-containers/blob/aa2e5515ccb05116e49ab38839d8fcfdd17c45aa/server/Dockerfile#L30
+/usr/local/bin/entrypoint.sh "$@"

release/4.0.0+16.1.0

@@ -1,12 +0,0 @@
-This major release comes with a blog post about a CVE:
-
-    https://www.keycloak.org/2021/12/cve.html
-
-Not all versions are affected but they're suggesting that people upgrade soon.
-
-As per usual, this upgrade didn't go too smoothly and I ended up having to
-undeploy and deploy the new versions. The healtcheck kept failing on the new
-instance when trying to deploy alongside the existing old version. Idk, some
-docker weirdness.
-
-No app data errors discovered after upgrade.

release/5.0.0+20.0.1

@@ -1,9 +0,0 @@
-You'll need to remove `/auth/` from your app SSO URLs, e.g.
-
-    https://foo.example.com/auth/realms/foo/protocol/openid-connect/auth
-
-Would become:
-
-    https://foo.example.com/realms/foo/protocol/openid-connect/auth
-
--- decentral1se @ Autonomic

release/6.0.0+21.0.2

@@ -1,2 +0,0 @@
-Healthchecks are disabled, see
-https://git.coopcloud.tech/coop-cloud/keycloak/issues/15

release/7.2.0+22.0.5

@@ -1,5 +0,0 @@
-A persistent volume for themes is now optional, and not enabled by default.
-
-If you are using a custom theme, consult the recipe `.env.sample` to see the new
-variables you need to add. You can use `abra app check ...` to verify that
-they've been added correctly.