
Commit e6df2ed8 authored by Daniel Dehennin's avatar Daniel Dehennin

Import from all-in-one zephir repository

parent 8d62765c
####
#### Temporary layer to prepare installation
####
FROM jboss/keycloak:4.5.0.Final AS build
ARG CONTAINERPILOT_VERSION=3.4.3
ARG CONTAINERPILOT_CHECKSUM=e8258ed166bcb3de3e06638936dcc2cae32c7c58
RUN curl -Lso /tmp/containerpilot.tar.gz \
"https://github.com/joyent/containerpilot/releases/download/${CONTAINERPILOT_VERSION}/containerpilot-${CONTAINERPILOT_VERSION}.tar.gz" \
&& echo "${CONTAINERPILOT_CHECKSUM} /tmp/containerpilot.tar.gz" | sha1sum -c \
&& tar zxf /tmp/containerpilot.tar.gz -C /tmp
####
#### Target layer
####
FROM jboss/keycloak:4.5.0.Final
USER root
# Manage container with ContainerPilot
COPY --from=build /tmp/containerpilot /usr/local/bin
COPY containerpilot.json5 /etc/containerpilot.json5
# Service controller
COPY configure-keycloak.sh /configure-keycloak.sh
COPY keycloak-healthcheck.sh /keycloak-healthcheck.sh
RUN chown root /usr/local/bin/containerpilot \
&& chgrp root /usr/local/bin/containerpilot \
&& chmod 755 /usr/local/bin/containerpilot \
&& chmod +x /configure-keycloak.sh \
&& chmod +x /keycloak-healthcheck.sh
WORKDIR /opt/jboss
ENTRYPOINT [""]
CMD ["/usr/local/bin/containerpilot", "-config", "/etc/containerpilot.json5"]
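Review bot: `ENTRYPOINT [""]` at the end of the target stage is not the documented way to clear the entrypoint inherited from `jboss/keycloak`; that form is `ENTRYPOINT []`, whereas `[""]` declares an empty executable name and only works if the builder or runtime happens to drop the empty element before `CMD` is appended. Change it to `ENTRYPOINT []`. In the build stage, `curl -Lso` runs without `--fail`, so an HTTP error page would be saved as the tarball and only rejected by the following `sha1sum -c`; `curl -fLso …` makes that failure explicit at the download step, and the checksum gate then stays as the integrity check rather than the error detector.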
die() { echo "$@" 1>&2 ; exit 1; }
function waitUrl()
{
local URL="$1"
local NB="${2:-30}"
#echo "waitUrl: $URL"
while [ "${NB}" -gt 0 ] ; do
if curl --output /tmp/curl --silent --head "$URL"
then
HTTPCODE=$(awk 'NR==1 { print $2; }' /tmp/curl)
else
HTTPCODE="-1"
fi
if [ "$HTTPCODE" = "200" ] || [ "$HTTPCODE" = "303" ] #|| [ "$HTTPCODE" = "404" ]
then
return 0
fi
sleep 1
NB=$(( NB - 1))
done
cat /tmp/curl
return 1
}
function createRole()
{
local ROLE_NAME="$1"
local ROLE_DESC="$2"
$kcadm create roles -r $realm -s name=$ROLE_NAME -s "$ROLE_DESC"
[ $? = 0 ] || die "Unable to create '$ROLE_NAME' role"
echo "Role $ROLE_NAME created."
}
function affectGroupToRole()
{
local GROUP_ID="$1"
local ROLE_NAME="$2"
$kcadm add-roles -r $realm --gid $GROUP_ID --rolename $ROLE_NAME
[ $? = 0 ] || die "Unable to affect '$GROUP_ID' role to the '$ROLE_NAME' group"
echo "Group $GROUP_ID affected to $ROLE_NAME"
}
function createGroup()
{
local GROUP_NAME="$1"
echo $GROUP_NAME
GROUP_ID=$($kcadm create groups -r $realm -s name=$GROUP_NAME -i)
[ $? = 0 ] || die "Unable to create '$GROUP_NAME' group"
echo "Group $GROUP_NAME created with gid $GROUP_ID"
}
function createUser()
{
local USERNAME="$1"
local PASSWORD="$2"
local GROUP_ID="$3"
#########################################
# Create users
#########################################
USER_UID=$($kcadm create users -r "$realm" -s username="$USERNAME" -s enabled=true -i)
[ $? = 0 ] || die "Unable to create '$USERNAME' user"
$kcadm update users/$USER_UID/reset-password \
-r $realm \
-s type=password \
-s value="$PASSWORD" \
-s temporary=false \
-n
[ $? = 0 ] || die "Unable to set '$USERNAME' password"
echo "User '$USERNAME' created with UID=$USER_UID"
if [ -n "$GROUP_ID" ]
then
#########################################
# Group affectations
#########################################
$kcadm update users/$USER_UID/groups/$GROUP_ID \
-r $realm \
-s realm=$realm \
-s userId=$USER_UID \
-s groupId=$GROUP_ID \
-n
[ $? = 0 ] || die "Unable to affect '$USER_UID' user to the '$GROUP_ID' group"
echo "$USERNAME user affected to the '$GROUP_ID' group."
fi
}
kcadm=$JBOSS_HOME/bin/kcadm.sh
output=/opt/jboss/keycloak
mkdir -p "$output"
realm=$KC_REALM_NAME
[ -z "$realm" ] && die "Realm not set. Beware to call this script with Make!"
#########################################
# Login
#########################################
waitUrl "$KEYCLOAK_URL"
# see : http://www.keycloak.org/docs/3.1/server_admin/topics/admin-cli.html
$kcadm config credentials --server $KEYCLOAK_URL --realm master --user $KEYCLOAK_USER --password $KEYCLOAK_PASSWORD
[ $? = 0 ] || die "Unable to login"
$kcadm get realms/$realm 1> /dev/null
if [ $? = 0 ]
then
echo "Realm '$realm' already exists. Abort configuration."
exit 0
fi
#########################################
# Create realm
#########################################
REALM_ID=$($kcadm create realms -s realm=$realm -s enabled=true -i)
[ $? = 0 ] || die "Unable to create realm"
echo "Realm '$REALM_ID' created."
$kcadm update realms/$realm -s registrationAllowed=true -s rememberMe=true -s revokeRefreshToken=true -s internationalizationEnabled=true -s defaultLocale="fr"
[ $? = 0 ] || die "Unable to configure realm"
echo "Realm '$REALM_ID' configured."
echo "clean ouput keys..."
rm $output/{*.pem,*.json} 2> /dev/null
[ $? = 0 ] && echo "Output directory cleaned!"
echo "Get realm keys..."
$kcadm get keys -r $realm >$output/keys.json
[ $? = 0 ] || die "Unable to get realm keys"
cat $output/keys.json
jq '.keys[] | select(has("publicKey")) | .publicKey ' -r $output/keys.json > $output/pub.tmp
sed -e "1 i -----BEGIN PUBLIC KEY-----" -e "$ a -----END PUBLIC KEY-----" $output/pub.tmp > $output/pub.pem
rm $output/pub.tmp
jq '.keys[] | select(has("certificate")) | .certificate' -r $output/keys.json > $output/cert.tmp
sed -e "1 i -----BEGIN CERTIFICATE-----" -e "$ a -----END CERTIFICATE-----" $output/cert.tmp > $output/cert.pem
rm $output/cert.tmp
#########################################
# Create roles
#########################################
createRole "ADMINISTRATOR" "description=Regular admin with full set of permissions"
createRole "OPERATOR" "description=Regular operator with basic set of permissions"
createRole "INSTALLER" "description=Regular technician with only enrollement permissions"
#########################################
# Create groups
#########################################
GROUP_ID=""
createGroup "Administrator"
gidAdmin=$GROUP_ID
createGroup "Operator"
gidOperator=$GROUP_ID
createGroup "Installator"
gidInstaller=$GROUP_ID
#########################################
# Role affectation
#########################################
affectGroupToRole "$gidAdmin" "ADMINISTRATOR"
affectGroupToRole "$gidOperator" "OPERATOR"
affectGroupToRole "$gidInstaller" "INSTALLER"
#########################################
# Create users
#########################################
USER_UID=""
createUser "$KC_REALM_USERNAME" "$KC_REALM_PASSWORD" "$gidAdmin"
createUser "yo" "yo" "$gidOperator"
createUser "test" "test" "$gidInstaller"
#########################################
# Create client(s)
#########################################
client_id=$($kcadm create clients \
-r $realm \
-s clientId=$KC_API_CLIENT_ID \
-s baseUrl=$SSO_END_POINT \
-s "redirectUris=[\"$SSO_END_POINT/*\",\"$SSO_END_POINT/*\"]" \
-s "webOrigins=[\"*\"]" \
-s publicClient=true \
-s directAccessGrantsEnabled=true \
-i)
[ $? = 0 ] || die "Unable to create client"
echo "Client '$client_id' created."
#########################################
# Change Authentification browser flows
#########################################
echo "Update Authentification browser Flows..."
$kcadm get authentication/flows/browser/executions -r $realm > /tmp/tmp.tok
cat /tmp/tmp.tok | jq '.[0]' > /tmp/tmp.tmp.tok
cat /tmp/tmp.tmp.tok | jq '.requirement="DISABLED"' > /tmp/tmp.tok
$kcadm update authentication/flows/browser/executions -f /tmp/tmp.tok -r $realm -o
#########################################
# Getting adapter configuration file
#########################################
echo "Get adapter configuration file..."
$kcadm get clients/$client_id/installation/providers/keycloak-oidc-keycloak-json \
-r $realm \
| jq ".[\"auth-server-url\"]=\"$SSO_END_POINT/auth\"" \
> $output/keycloak.json
[ $? = 0 ] || die "Unable to get configuration file"
cat $output/keycloak.json
cp $output/keycloak.json /tmp/zephir
echo "Keycloak successfully configured."
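Review bot: The two `createUser` calls after the "Create users" banner hard-code the accounts `yo`/`yo` and `test`/`test` and place them in the Operator and Installator groups, so every freshly configured realm ships with well-known credentials carrying the OPERATOR and INSTALLER roles — in a realm that the earlier `update realms` call also opens with `registrationAllowed=true` and whose client is created with `webOrigins=["*"]`. If these are development fixtures, take them from environment variables and skip them when unset, e.g. `[ -n "${KC_DEV_OPERATOR_PASSWORD:-}" ] && createUser "yo" "$KC_DEV_OPERATOR_PASSWORD" "$gidOperator"`, and narrow the `webOrigins` wildcard to `$SSO_END_POINT` unless the wildcard is deliberate. Separately, `config credentials … --password $KEYCLOAK_PASSWORD` puts the admin password on the kcadm command line, where it is readable in the process list while the command runs; if the kcadm.sh version in use can prompt for the password, supplying it that way avoids the exposure. The script shows no shebang or `set -e` here, the `$kcadm update authentication/flows/browser/executions` call has no `[ $? = 0 ] || die` after it, and `/tmp/tmp.tok`, `/tmp/tmp.tmp.tok` and `/tmp/curl` are fixed paths written as whatever user runs the script — a `mktemp`-created work directory with a `trap … EXIT` cleanup would cover all three.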
{
consul: {
address: "consul:8500"
},
jobs: [
{
name: "keycloak",
exec: ["/bin/su", "jboss", "-s", "/bin/bash", "-c" , "/opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0"],
when: {
source: "watch.postgres",
once: "healthy"
},
health: {
exec: '/keycloak-healthcheck.sh',
interval: 10,
ttl: 20
},
restarts: "unlimited",
port: 8080
},
{
name: 'configure-keycloak',
exec: ["/bin/bash", '/configure-keycloak.sh'],
when: {
source: "keycloak",
once: "healthy"
}
},
],
watches: [
{
name: "postgres",
interval: 5
}
]
}
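Review bot: The `configure-keycloak` job runs `/bin/bash /configure-keycloak.sh` directly, whereas the `keycloak` job is wrapped in `/bin/su jboss -s /bin/bash -c …`; since the image's final stage ends with `USER root` and ContainerPilot is its CMD, the configuration script (which holds the admin credentials and writes the realm keys under `/opt/jboss/keycloak`) runs as root, and the files it creates there will presumably be root-owned — confirm whether the jboss user needs to read them later. If root is not required, run the job the same way as the server: `exec: ["/bin/su", "jboss", "-s", "/bin/bash", "-c", "/configure-keycloak.sh"]`; if it is required, a one-line comment on the job stating why would spare the next reader the same question. The job also has no `restarts` entry, unlike `keycloak`, which is worth a comment if a failed configuration run is meant to stay failed.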
#!/bin/bash
set -eo pipefail
curl -s "$KEYCLOAK_URL/realms/master" | [[ "$(jq 'has("token-service")')" == 'true' ]]
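Review bot: `curl -s "$KEYCLOAK_URL/realms/master"` has neither `--fail` nor `--max-time`, so an endpoint that accepts the connection but never answers can hold this check open well past the `interval: 10` / `ttl: 20` the ContainerPilot config gives it, and an HTTP error body is only caught indirectly when `jq` fails to find `token-service`. Bound the request and reject error statuses up front: `curl -sf --max-time 5 "$KEYCLOAK_URL/realms/master" | [[ "$(jq 'has("token-service")')" == 'true' ]]`. `set -eo pipefail` without `-u` also lets an unset `KEYCLOAK_URL` turn the target into the relative path `/realms/master`; `set -euo pipefail` makes that a clear error instead.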