Merge pull request #5 from swarkentin/keycloak-20.0.3-support

Support for Keycloak 20.0.3

build/keycloak/Dockerfile

@@ -1,41 +1,56 @@
-FROM jboss/keycloak:15.1.1
+##################################################
+# Step 1 - Build an optimized image
+##################################################
+FROM quay.io/keycloak/keycloak:20.0.3 as builder
+
+# These options can be modified to produce a different
+# optimized build.
+#
+# See  https://www.keycloak.org/server/containers
+# for more details.
+ENV KC_METRICS_ENABLED=true
+ENV KC_HEALTH_ENABLED=true
+ENV KC_FEATURES=preview
+ENV KC_DB=postgres
+ENV KC_HTTP_RELATIVE_PATH=/auth
+
+# # Clustering
+# (https://gist.github.com/xgp/768eea11f92806b9c83f95902f7f8f80)
+COPY ./cache-ispn-jdbc-ping.xml /opt/keycloak/conf/cache-ispn-jdbc-ping.xml
+ENV KC_CACHE_CONFIG_FILE=cache-ispn-jdbc-ping.xml
 
-USER root
+# Install custom themes
+COPY themes/ /opt/keycloak/themes
+
+# Create an optimized build
+RUN /opt/keycloak/bin/kc.sh build
+
+##################################################
+# Step 2 - Copy optimized build into running image
+##################################################
+FROM quay.io/keycloak/keycloak:20.0.3
 
 # parses ecs metadata
+USER root
 RUN microdnf update -y && \
     microdnf install -y jq && \
     microdnf clean all
 
-USER jboss
+USER keycloak
+COPY --from=builder /opt/keycloak /opt/keycloak
 
-# Setup keystore
-RUN /opt/jboss/tools/x509.sh
+WORKDIR /opt/keycloak
 
+# Allows server to start in prod mode. Actual certs provided by ALB.
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
 # Customize entrypoint and config
-# NOTE: jboss/keycloak includes JDBC drivers.
-COPY docker-entrypoint.sh /opt/jboss/tools/docker-entrypoint.sh
-COPY standalone-ha.xml /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
-# https://www.keycloak.org/docs/latest/server_installation/index.html#profiles
-COPY profile.properties /opt/jboss/keycloak/standalone/configuration/profile.properties
-
-# Install custom themes
-RUN mkdir -p /opt/jboss/keycloak/themes
-COPY themes/ /opt/jboss/keycloak/themes/
-
-# Clustering
-ENV JGROUPS_DISCOVERY_PROTOCOL JDBC_PING
-ENV JGROUPS_DISCOVERY_PROPERTIES datasource_jndi_name=java:jboss/datasources/KeycloakDS
-# https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#replication-and-fail-over
-ENV CACHE_OWNERS_COUNT 2
-ENV CACHE_OWNERS_AUTH_SESSIONS_COUNT 2
-# https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#enabling-proxy-address-forwarding
-ENV PROXY_ADDRESS_FORWARDING true
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 
 # Paranoia: Keycloak is not vulnerable to CVE-2021-44228
 # https://github.com/keycloak/keycloak-containers/issues/344
 # https://logging.apache.org/log4j/log4j-2.14.1/manual/configuration.html#SystemProperties
 ENV FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS true
 
-EXPOSE 7600
-CMD ["-b", "0.0.0.0", "--server-config", "standalone-ha.xml"]
+# Port 7800 is used by JDBC_PING by default
+EXPOSE 7800
+ENTRYPOINT ["/docker-entrypoint.sh"]

build/keycloak/cache-ispn-jdbc-ping.xml

@@ -0,0 +1,89 @@
+<infinispan
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd"
+  xmlns="urn:infinispan:config:11.0">
+
+  <jgroups>
+    <stack name="jdbc-ping-tcp" extends="tcp">
+
+      <!--
+      https://keycloak.discourse.group/t/use-of-jdbc-ping-with-keycloak-17-quarkus-distro/13571/4 -->
+      <JDBC_PING connection_driver="org.postgresql.Driver"
+        connection_username="${env.KC_DB_USERNAME}" connection_password="${env.KC_DB_PASSWORD}"
+        connection_url="${env.KC_DB_URL}"
+        initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, bind_addr VARCHAR(200) NOT NULL, created timestamp NOT NULL, cluster_name varchar(200) NOT NULL, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name));"
+        insert_single_sql="INSERT INTO JGROUPSPING (own_addr, bind_addr, created, cluster_name, ping_data) values (?,'${env.EXTERNAL_ADDR:127.0.0.1}',NOW(), ?, ?);"
+        delete_single_sql="DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?;"
+        select_all_pingdata_sql="SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?;"
+        info_writer_sleep_time="5000"
+        info_writer_max_writes_after_view="2"
+        remove_all_data_on_view_change="true"
+        stack.combine="REPLACE"
+        stack.position="MPING" />
+    </stack>
+  </jgroups>
+
+  <cache-container name="keycloak">
+    <!-- custom stack must be referenced by name in the stack attribute of the transport element -->
+    <transport lock-timeout="60000" stack="jdbc-ping-tcp" />
+
+    <local-cache name="realms">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <memory max-count="10000" />
+    </local-cache>
+    <local-cache name="users">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <memory max-count="10000" />
+    </local-cache>
+    <distributed-cache name="sessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="authenticationSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="offlineSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="clientSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="offlineClientSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="loginFailures" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <local-cache name="authorization">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <memory max-count="10000" />
+    </local-cache>
+    <replicated-cache name="work">
+      <expiration lifespan="-1" />
+    </replicated-cache>
+    <local-cache name="keys">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <expiration max-idle="3600000" />
+      <memory max-count="1000" />
+    </local-cache>
+    <distributed-cache name="actionTokens" owners="2">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <expiration max-idle="-1" lifespan="-1" interval="300000" />
+      <memory max-count="-1" />
+    </distributed-cache>
+  </cache-container>
+</infinispan>

build/keycloak/docker-entrypoint.sh

@@ -17,44 +17,10 @@ if [ -z "${EXTERNAL_ADDR}" ]; then
 fi
 export EXTERNAL_ADDR
 
-# Add admin user
-if [ -n "${KEYCLOAK_USER}" ] && [ -n "${KEYCLOAK_PASSWORD}" ]; then
-  /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "${KEYCLOAK_USER}" --password "${KEYCLOAK_PASSWORD}"
-fi
-
-# Default to H2 if DB type not detected
-if [ -z "${DB_VENDOR}" ]; then
-  export DB_VENDOR="h2"
-fi
-
-# Set DB name
-DB_VENDOR=$(echo "${DB_VENDOR}" | tr '[:upper:]' '[:lower:]')
-case "${DB_VENDOR}" in
-  h2)
-    DB_NAME="Embedded H2" ;;
-  mariadb)
-    DB_NAME="MariaDB" ;;
-  mysql)
-    DB_NAME="MySQL" ;;
-  postgres)
-    DB_NAME="PostgreSQL" ;;
-  *)
-    echo "Unknown DB vendor ${DB_VENDOR}"
-    exit 1
-esac
-echo "Using ${DB_NAME} database"
-
-if [ "${DB_VENDOR}" != "h2" ]; then
-  /bin/sh /opt/jboss/tools/databases/change-database.sh "${DB_VENDOR}"
-fi
 
 if [ -z "${HOSTNAME}" ]; then
   HOSTNAME="localhost"
 fi
 
-SYS_PROPS="-Dkeycloak.hostname.provider=fixed \
-  -Dkeycloak.hostname.fixed.hostname=${HOSTNAME} \
-  -Dkeycloak.hostname.fixed.httpPort=8080"
-
-exec /opt/jboss/keycloak/bin/standalone.sh "${SYS_PROPS}" "$@"
+exec /opt/keycloak/bin/kc.sh start --optimized "$@"
 exit $?