|
1 | 1 | # Keycloak-deployment |
2 | 2 |
|
3 | | - |
4 | 3 | This repository contains all our scripts to deploy keycloak on Openshift and minishift. |
5 | 4 | Also we have scripts to bake our own docker image using the keycloak source code |
6 | 5 | from our repository `almighty/keycloak`. |
| 6 | + |
| 7 | +# Almighty-Keycloak Docker Image |
| 8 | + |
| 9 | +To build this image it is necessary to have previously generated the executables of this |
| 10 | +project. When building Keycloak for the first time, it is necessary to execute this Maven |
| 11 | +command in the almighty/keycloak repository: |
| 12 | + |
| 13 | +`$ mvn clean install -DskipTests -am -P distribution` |
| 14 | + |
| 15 | +After running successfully, build the keycloak-server-dist distribution in the almighty/keycloak repository also: |
| 16 | + |
| 17 | +`$ mvn clean install -DskipTests -pl :keycloak-server-dist -am -P distribution` |
| 18 | + |
| 19 | +This generates some tarballs with the required executables. To build the docker image, |
| 20 | +copy the generated tar file (e.g. `keycloak-3.0.0.Final.tar.gz`) from the almighty/keycloak |
| 21 | +repository into the docker folder, like so: |
| 22 | + |
| 23 | +`$ cp $KEYCLOAK_REPO/distribution/server-dist/target/keycloak-3.0.0.Final.tar.gz $KEYCLOAK_DEPLOYMENT_REPO/docker` |
| 24 | + |
| 25 | +Then you just need to build the docker image. Change into the docker directory and run the following command: |
| 26 | + |
| 27 | +`$ docker build --tag IMAGE_NAME .` |
| 28 | + |
| 29 | +If you would like to build image for clustered mode add build argument |
| 30 | + |
| 31 | +`$ docker build --build-arg OPERATING_MODE=clustered --tag IMAGE_NAME .` |
| 32 | + |
| 33 | +Note that, this docker image installs the certificate to securely talk to OpenShift Online. |
| 34 | +This step is done inside the `install_certificate.sh` script which adds this |
| 35 | +certificate into the Java system keystore at building time. We assume this certificate |
| 36 | +points to `tsrv.devshift.net`. So any change to the certificate requires rebuilding the |
| 37 | +Docker image. |
| 38 | + |
| 39 | +In the content of the Dockerfile, you can find these ENV variables: |
| 40 | +``` |
| 41 | +ENV OSO_ADDRESS tsrv.devshift.net:8443 |
| 42 | +ENV OSO_DOMAIN_NAME tsrv.devshift.net |
| 43 | +``` |
| 44 | + |
| 45 | +Also note that it is possible to use a certificate from minishift. To do this, first obtain the |
| 46 | +IP address of your minishift instance: |
| 47 | + |
| 48 | +``` |
| 49 | +minishift ip |
| 50 | +``` |
| 51 | + |
| 52 | +Then edit docker/Dockerfile and replace these values with the minishift IP (this is just an example, |
| 53 | +the address will most likely be different): |
| 54 | + |
| 55 | +``` |
| 56 | +ENV OSO_ADDRESS 192.168.42.134:8443 |
| 57 | +ENV OSO_DOMAIN_NAME 192.168.42.134 |
| 58 | +``` |
| 59 | + |
| 60 | +The command for building the docker image will need to be slightly different, since docker build by default does not |
| 61 | +have access to local IP addresses. Add the --network="host" parameter to allow the install_certificate.sh script to |
| 62 | +connect to minishift and retrieve the certificate: |
| 63 | + |
| 64 | +`$ docker build --network="host" --tag IMAGE_NAME .` |
| 65 | + |
| 66 | + |
| 67 | +# Openshift Configuration for clustered deployment |
| 68 | + |
| 69 | +Majority of the config is defined in `DeploymentConfig` files you can find in `openshift` folder in the root of this repository. |
| 70 | + |
| 71 | +There is one thing needed however to have properly functioning cluster (using [k8s PING protocol in `jgroups`](https://github.com/jgroups-extras/jgroups-kubernetes)). |
| 72 | +Service account has to have `view` privileges. This can be enabled using `oc` cli as follows: |
| 73 | + |
| 74 | +``` |
| 75 | +$ oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default -n $(oc project -q) |
| 76 | +``` |
| 77 | + |
| 78 | +# Deploying Keycloak to Minishift |
| 79 | + |
| 80 | +To deploy a Keycloak cluster in minishift use the following commands: |
| 81 | + |
| 82 | +``` |
| 83 | +oc new-project keycloak --display-name="Keycloak server" \ |
| 84 | +--description="keycloak server + postgres" |
| 85 | +
|
| 86 | +oc new-app -f postgresql.json |
| 87 | +sleep 20 |
| 88 | +
|
| 89 | +# deploying 3 keycloak instances |
| 90 | +oc new-app -f keycloak.json |
| 91 | +``` |
| 92 | + |
| 93 | +### Customization options |
| 94 | + |
| 95 | +#### KeyCloak |
| 96 | + |
| 97 | +edit environment variables: |
| 98 | + |
| 99 | + "env":[ |
| 100 | + { |
| 101 | + "name":"KEYCLOAK_USER", |
| 102 | + "value":"admin" |
| 103 | + }, |
| 104 | + { |
| 105 | + "name":"KEYCLOAK_PASSWORD", |
| 106 | + "value":"admin" |
| 107 | + }, |
| 108 | + { |
| 109 | + "name":"POSTGRES_DATABASE", |
| 110 | + "value":"userdb" |
| 111 | + }, |
| 112 | + { |
| 113 | + "name":"POSTGRES_USER", |
| 114 | + "value":"keycloak" |
| 115 | + }, |
| 116 | + { |
| 117 | + "name":"POSTGRES_PASSWORD", |
| 118 | + "value":"password" |
| 119 | + }, |
| 120 | + { |
| 121 | + "name":"POSTGRES_PORT_5432_TCP_ADDR", |
| 122 | + "value":"postgres" |
| 123 | + }, |
| 124 | + { |
| 125 | + "name":"POSTGRES_PORT_5432_TCP_PORT", |
| 126 | + "value":"5432" |
| 127 | + }, |
| 128 | + { |
| 129 | + "name":"OPERATING_MODE", |
| 130 | + "value":"clustered" |
| 131 | + } |
| 132 | + ] |
| 133 | + |
| 134 | + |
| 135 | +#### Postgresql |
| 136 | + |
| 137 | + "env": [ |
| 138 | + { |
| 139 | + "name": "POSTGRESQL_USER", |
| 140 | + "value": "keycloak" |
| 141 | + }, |
| 142 | + { |
| 143 | + "name": "POSTGRESQL_PASSWORD", |
| 144 | + "value": "password" |
| 145 | + }, |
| 146 | + { |
| 147 | + "name": "POSTGRESQL_DATABASE", |
| 148 | + "value": "userdb" |
| 149 | + }, |
| 150 | + { |
| 151 | + "name": "POSTGRESQL_ADMIN_PASSWORD", |
| 152 | + "value": "password" |
| 153 | + } |
| 154 | + ] |
0 commit comments