Keycloak upgrade #5

Open
wants to merge 1 commit into
base: main
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
caddy_data
2 changes: 1 addition & 1 deletion Codeowners
@@ -1 +1 @@
* @devnoname120 @roosnic1 @dominicdoerigswisstxt @RudolfSchreier
* @devnoname120 @roosnic1 @RudolfSchreier @swisstxtsokol
16 changes: 7 additions & 9 deletions Dockerfile
@@ -1,22 +1,20 @@
FROM quay.io/keycloak/keycloak:23.0.1 as base
COPY postgres-socket-factory-1.13.1-jar-with-dependencies.jar /opt/keycloak/providers/
FROM quay.io/phasetwo/phasetwo-keycloak:25.0.5 AS base
#FROM quay.io/keycloak/keycloak:25.0.5 AS base
Comment on lines +1 to +2
Member

What is the difference between these two?

Contributor

@devnoname120 the first one is the image with the phasetwo plugin; the second one is pure Keycloak.

Member

OK, in this case I suggest removing the commented-out code:

Suggested change
FROM quay.io/phasetwo/phasetwo-keycloak:25.0.5 AS base
#FROM quay.io/keycloak/keycloak:25.0.5 AS base
FROM quay.io/phasetwo/phasetwo-keycloak:25.0.5 AS base

COPY jars/postgres-socket-factory-1.20.1-jar-with-dependencies.jar /opt/keycloak/providers/
COPY jars/jgroups-google-2.0.1.Final-SNAPSHOT.jar /opt/keycloak/providers/
WORKDIR /opt/keycloak

# Build as stage
FROM base as builder
FROM base AS builder
ENV KC_METRICS_ENABLED=true
ENV KC_DB_KIND=postgres
ENV KC_DB_DIALECT=org.hibernate.dialect.PostgreSQL10Dialect
ENV KC_DB_DRIVER=org.postgresql.Driver
RUN /opt/keycloak/bin/kc.sh build --transaction-xa-enabled=false --cache-stack=kubernetes --db=postgres
RUN /opt/keycloak/bin/kc.sh build --transaction-xa-enabled=false --db=postgres --features=organization

FROM base
COPY --from=builder --chown=1000:0 /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
ENV KC_METRICS_ENABLED=true
ENV KC_DB_KIND=postgres
ENV KC_DB_DIALECT=org.hibernate.dialect.PostgreSQL10Dialect
ENV KC_DB_DRIVER=org.postgresql.Driver
ENV KC_FEATURES=script


USER 1000
EXPOSE 8080 8443
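Review bot: the builder stage runs `kc.sh build ... --features=organization` while the runtime stage sets `ENV KC_FEATURES=script`; Keycloak treats features as a build-time option, so please confirm that these two values are meant to differ, because with `start --optimized` (as used in the compose file) the runtime value will not trigger a rebuild and the built-in feature set is what runs. Two further points on the same hunk: `--cache-stack=kubernetes` was dropped from the build line, yet the compose file still passes `-Djgroups.dns.query=keycloak-headless`, which only matters for the DNS-based stack, so one of the two looks stale; and `jgroups-google-2.0.1.Final-SNAPSHOT.jar` is a SNAPSHOT artifact committed as an opaque binary next to `postgres-socket-factory-1.20.1-jar-with-dependencies.jar`, so either pin a released version or record the source commit and a checksum so the image can be rebuilt and verified. As already suggested above, the commented-out `#FROM quay.io/keycloak/keycloak:25.0.5 AS base` line should go.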
5 changes: 5 additions & 0 deletions README.md
@@ -1 +1,6 @@
# keycloak-with-socket-factory

# TODO:


Are there stories to do these TODOs?

I am always a fan of putting a Jira story id on TODOs so it is clear if it is more of a nice-to-have style TODO or an actual let's-do-this-next kind of TODO.

- Add info how to build postgres-socket-factory https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory
- Add info how to build jgroups-google
- add info about preview features
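Review bot: the TODO list defers the build instructions for the two jars, but both jars are already committed under `jars/` in this same PR, so there is currently no way for a reviewer to check what was built from where. At minimum the README should state the upstream version and release URL (or build commit) for `postgres-socket-factory-1.20.1-jar-with-dependencies.jar` and for the jgroups-google SNAPSHOT, plus a checksum, before the "how to build" text is written; the first bullet already links the socket-factory repository, so that entry only needs the version and hash added.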
38 changes: 38 additions & 0 deletions docker-compose.yml
@@ -0,0 +1,38 @@
version: '3.8'


The change itself was a bit contentious, but version in docker-compose.yml files is now obsolete.

I would not go back through all of them to remove it, but if you are adding a new one, I think it would be better to leave it out.

(Totally optional change though 😆)


services:
keycloak:
build:
context: .
dockerfile: Dockerfile
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: password
Comment on lines +9 to +10
Member

Is there a safety mechanism so that we don't accidentally use these weak credentials in production?


I agree with @swisstxtsokol (If I understood the comment right, please LMK!):

  • adding an example.env
  • referencing an env_file: .env here
  • having the developer rename example.env to .env to get started

instead would force the developer to think about it at least once and avoid inadvertent mistakes.

(As a free bonus, it would also reduce duplication of the DB username/password)

Contributor

Maybe move the .env?

KC_DB: postgres
KC_DB_URL: jdbc:postgresql://db:5432/keycloak
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: keycloak
Comment on lines +13 to +14
Member

ditto: Is there a safety mechanism so that we don't accidentally use these weak credentials in production?

KC_HOSTNAME: localhost
Contributor

Should it be the url of our keycloak instance?

JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless
command:
- start
- --hostname=localhost
- --proxy=edge
- --optimized
ports:
- "8080:8080"
- "8443:8443"
depends_on:
- db

db:
image: postgres:latest
environment:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
POSTGRES_PASSWORD: keycloak
Comment on lines +32 to +33
Member

ditto: Is there a safety mechanism so that we don't accidentally use these weak credentials in production?

volumes:
- postgres_data:/var/lib/postgresql/data

volumes:
postgres_data:
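Review bot: `KEYCLOAK_ADMIN_PASSWORD: password`, `KC_DB_PASSWORD: keycloak` and `POSTGRES_PASSWORD: keycloak` are hard-coded in a file that is otherwise production-shaped (`--optimized`, `--proxy=edge`), so nothing stops it being copied as-is; the `example.env` plus `env_file: .env` approach proposed in the thread fixes all three in one place and also removes the DB password duplication between the `keycloak` and `db` services. Other points in this hunk: `KC_HOSTNAME: localhost` and `--hostname=localhost` set the same option twice, so keep one; `--proxy=edge` makes Keycloak trust `X-Forwarded-*` headers, yet `8080` and `8443` are published straight from the container and no proxy service is defined here (the `.gitignore` entry `caddy_data` hints that Caddy is intended, in which case it should be part of this file and the ports should not be exposed directly); and `postgres:latest` is unpinned, so a rebuild can silently move the data directory to a new major version that the existing `postgres_data` volume cannot be opened by. Suggest pinning a Postgres major tag such as `postgres:16` (version choice to be confirmed by the authors).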
Binary file added jars/jgroups-google-2.0.1.Final-SNAPSHOT.jar