Commit e6df2ed8 authored by Daniel Dehennin's avatar Daniel Dehennin

Import from all-in-one zephir repository

parent 8d62765c
####
#### Temporary layer to prepare installation
####
FROM jboss/keycloak:4.5.0.Final AS build
ARG CONTAINERPILOT_VERSION=3.4.3
ARG CONTAINERPILOT_CHECKSUM=e8258ed166bcb3de3e06638936dcc2cae32c7c58
RUN curl -Lso /tmp/containerpilot.tar.gz \
"https://github.com/joyent/containerpilot/releases/download/${CONTAINERPILOT_VERSION}/containerpilot-${CONTAINERPILOT_VERSION}.tar.gz" \
&& echo "${CONTAINERPILOT_CHECKSUM} /tmp/containerpilot.tar.gz" | sha1sum -c \
&& tar zxf /tmp/containerpilot.tar.gz -C /tmp
####
#### Target layer
####
FROM jboss/keycloak:4.5.0.Final
USER root
# Manage container with ContainerPilot
COPY --from=build /tmp/containerpilot /usr/local/bin
COPY containerpilot.json5 /etc/containerpilot.json5
# Service controller
COPY configure-keycloak.sh /configure-keycloak.sh
COPY keycloak-healthcheck.sh /keycloak-healthcheck.sh
RUN chown root /usr/local/bin/containerpilot \
&& chgrp root /usr/local/bin/containerpilot \
&& chmod 755 /usr/local/bin/containerpilot \
&& chmod +x /configure-keycloak.sh \
&& chmod +x /keycloak-healthcheck.sh
WORKDIR /opt/jboss
ENTRYPOINT [""]
CMD ["/usr/local/bin/containerpilot", "-config", "/etc/containerpilot.json5"]
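Review bot: The final stage leaves `USER root` active through `CMD`, so ContainerPilot, `/configure-keycloak.sh` and `/keycloak-healthcheck.sh` all run as root; only the Keycloak job is dropped to `jboss` by the `su` in containerpilot.json5. If root is required for that `su`, record the reason next to the directive, e.g. `# Stay root: ContainerPilot re-drops the Keycloak job to jboss via su (see containerpilot.json5)`; otherwise switch back to the base image's user before `CMD`. `ENTRYPOINT [""]` also looks like an attempt to clear the base image's entrypoint — the documented form is `ENTRYPOINT []`, since an empty-string argv[0] may be passed through to exec depending on the engine version.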
die() { echo "$@" 1>&2 ; exit 1; }
function waitUrl()
{
local URL="$1"
local NB="${2:-30}"
#echo "waitUrl: $URL"
while [ "${NB}" -gt 0 ] ; do
if curl --output /tmp/curl --silent --head "$URL"
then
HTTPCODE=$(awk 'NR==1 { print $2; }' /tmp/curl)
else
HTTPCODE="-1"
fi
if [ "$HTTPCODE" = "200" ] || [ "$HTTPCODE" = "303" ] #|| [ "$HTTPCODE" = "404" ]
then
return 0
fi
sleep 1
NB=$(( NB - 1))
done
cat /tmp/curl
return 1
}
function createRole()
{
local ROLE_NAME="$1"
local ROLE_DESC="$2"
$kcadm create roles -r $realm -s name=$ROLE_NAME -s "$ROLE_DESC"
[ $? = 0 ] || die "Unable to create '$ROLE_NAME' role"
echo "Role $ROLE_NAME created."
}
function affectGroupToRole()
{
local GROUP_ID="$1"
local ROLE_NAME="$2"
$kcadm add-roles -r $realm --gid $GROUP_ID --rolename $ROLE_NAME
[ $? = 0 ] || die "Unable to affect '$GROUP_ID' role to the '$ROLE_NAME' group"
echo "Group $GROUP_ID affected to $ROLE_NAME"
}
function createGroup()
{
local GROUP_NAME="$1"
echo $GROUP_NAME
GROUP_ID=$($kcadm create groups -r $realm -s name=$GROUP_NAME -i)
[ $? = 0 ] || die "Unable to create '$GROUP_NAME' group"
echo "Group $GROUP_NAME created with gid $GROUP_ID"
}
function createUser()
{
local USERNAME="$1"
local PASSWORD="$2"
local GROUP_ID="$3"
#########################################
# Create users
#########################################
USER_UID=$($kcadm create users -r "$realm" -s username="$USERNAME" -s enabled=true -i)
[ $? = 0 ] || die "Unable to create '$USERNAME' user"
$kcadm update users/$USER_UID/reset-password \
-r $realm \
-s type=password \
-s value="$PASSWORD" \
-s temporary=false \
-n
[ $? = 0 ] || die "Unable to set '$USERNAME' password"
echo "User '$USERNAME' created with UID=$USER_UID"
if [ -n "$GROUP_ID" ]
then
#########################################
# Group affectations
#########################################
$kcadm update users/$USER_UID/groups/$GROUP_ID \
-r $realm \
-s realm=$realm \
-s userId=$USER_UID \
-s groupId=$GROUP_ID \
-n
[ $? = 0 ] || die "Unable to affect '$USER_UID' user to the '$GROUP_ID' group"
echo "$USERNAME user affected to the '$GROUP_ID' group."
fi
}
kcadm=$JBOSS_HOME/bin/kcadm.sh
output=/opt/jboss/keycloak
mkdir -p "$output"
realm=$KC_REALM_NAME
[ -z "$realm" ] && die "Realm not set. Beware to call this script with Make!"
#########################################
# Login
#########################################
waitUrl "$KEYCLOAK_URL"
# see : http://www.keycloak.org/docs/3.1/server_admin/topics/admin-cli.html
$kcadm config credentials --server $KEYCLOAK_URL --realm master --user $KEYCLOAK_USER --password $KEYCLOAK_PASSWORD
[ $? = 0 ] || die "Unable to login"
$kcadm get realms/$realm 1> /dev/null
if [ $? = 0 ]
then
echo "Realm '$realm' already exists. Abort configuration."
exit 0
fi
#########################################
# Create realm
#########################################
REALM_ID=$($kcadm create realms -s realm=$realm -s enabled=true -i)
[ $? = 0 ] || die "Unable to create realm"
echo "Realm '$REALM_ID' created."
$kcadm update realms/$realm -s registrationAllowed=true -s rememberMe=true -s revokeRefreshToken=true -s internationalizationEnabled=true -s defaultLocale="fr"
[ $? = 0 ] || die "Unable to configure realm"
echo "Realm '$REALM_ID' configured."
echo "clean ouput keys..."
rm $output/{*.pem,*.json} 2> /dev/null
[ $? = 0 ] && echo "Output directory cleaned!"
echo "Get realm keys..."
$kcadm get keys -r $realm >$output/keys.json
[ $? = 0 ] || die "Unable to get realm keys"
cat $output/keys.json
jq '.keys[] | select(has("publicKey")) | .publicKey ' -r $output/keys.json > $output/pub.tmp
sed -e "1 i -----BEGIN PUBLIC KEY-----" -e "$ a -----END PUBLIC KEY-----" $output/pub.tmp > $output/pub.pem
rm $output/pub.tmp
jq '.keys[] | select(has("certificate")) | .certificate' -r $output/keys.json > $output/cert.tmp
sed -e "1 i -----BEGIN CERTIFICATE-----" -e "$ a -----END CERTIFICATE-----" $output/cert.tmp > $output/cert.pem
rm $output/cert.tmp
#########################################
# Create roles
#########################################
createRole "ADMINISTRATOR" "description=Regular admin with full set of permissions"
createRole "OPERATOR" "description=Regular operator with basic set of permissions"
createRole "INSTALLER" "description=Regular technician with only enrollement permissions"
#########################################
# Create groups
#########################################
GROUP_ID=""
createGroup "Administrator"
gidAdmin=$GROUP_ID
createGroup "Operator"
gidOperator=$GROUP_ID
createGroup "Installator"
gidInstaller=$GROUP_ID
#########################################
# Role affectation
#########################################
affectGroupToRole "$gidAdmin" "ADMINISTRATOR"
affectGroupToRole "$gidOperator" "OPERATOR"
affectGroupToRole "$gidInstaller" "INSTALLER"
#########################################
# Create users
#########################################
USER_UID=""
createUser "$KC_REALM_USERNAME" "$KC_REALM_PASSWORD" "$gidAdmin"
createUser "yo" "yo" "$gidOperator"
createUser "test" "test" "$gidInstaller"
#########################################
# Create client(s)
#########################################
client_id=$($kcadm create clients \
-r $realm \
-s clientId=$KC_API_CLIENT_ID \
-s baseUrl=$SSO_END_POINT \
-s "redirectUris=[\"$SSO_END_POINT/*\",\"$SSO_END_POINT/*\"]" \
-s "webOrigins=[\"*\"]" \
-s publicClient=true \
-s directAccessGrantsEnabled=true \
-i)
[ $? = 0 ] || die "Unable to create client"
echo "Client '$client_id' created."
#########################################
# Change Authentification browser flows
#########################################
echo "Update Authentification browser Flows..."
$kcadm get authentication/flows/browser/executions -r $realm > /tmp/tmp.tok
cat /tmp/tmp.tok | jq '.[0]' > /tmp/tmp.tmp.tok
cat /tmp/tmp.tmp.tok | jq '.requirement="DISABLED"' > /tmp/tmp.tok
$kcadm update authentication/flows/browser/executions -f /tmp/tmp.tok -r $realm -o
#########################################
# Getting adapter configuration file
#########################################
echo "Get adapter configuration file..."
$kcadm get clients/$client_id/installation/providers/keycloak-oidc-keycloak-json \
-r $realm \
| jq ".[\"auth-server-url\"]=\"$SSO_END_POINT/auth\"" \
> $output/keycloak.json
[ $? = 0 ] || die "Unable to get configuration file"
cat $output/keycloak.json
cp $output/keycloak.json /tmp/zephir
echo "Keycloak successfully configured."
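Review bot: `createUser "yo" "yo" "$gidOperator"` and `createUser "test" "test" "$gidInstaller"` seed two accounts with trivial, non-temporary passwords (reset-password is sent with `temporary=false`) holding the OPERATOR and INSTALLER roles in every realm this script provisions, and nothing removes them afterwards. Either drop them or guard them behind an explicit opt-in such as a new variable `[ "${KC_CREATE_TEST_USERS:-false}" = true ] && createUser "yo" "yo" "$gidOperator"` (constructed name), and set `temporary=true` on any seeded password so the first login forces a change. Two realm/client settings deserve a second look in the same spirit: `registrationAllowed=true` enables self-registration and `webOrigins=["*"]` allows CORS from any origin on a public client. Separately, the `[ $? = 0 ]` after `$kcadm get clients/... | jq ... > $output/keycloak.json` only tests jq's status, and the `$kcadm update authentication/flows/browser/executions` call is not checked at all. The file's shebang and any `set -e`/`set -o pipefail` are not visible in this view, so I cannot tell whether they are meant to cover these cases.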
{
consul: {
address: "consul:8500"
},
jobs: [
{
name: "keycloak",
exec: ["/bin/su", "jboss", "-s", "/bin/bash", "-c" , "/opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0"],
when: {
source: "watch.postgres",
once: "healthy"
},
health: {
exec: '/keycloak-healthcheck.sh',
interval: 10,
ttl: 20
},
restarts: "unlimited",
port: 8080
},
{
name: 'configure-keycloak',
exec: ["/bin/bash", '/configure-keycloak.sh'],
when: {
source: "keycloak",
once: "healthy"
}
},
],
watches: [
{
name: "postgres",
interval: 5
}
]
}
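Review bot: The `keycloak` job is launched through `/bin/su jboss -s /bin/bash -c ...`, so the process ContainerPilot supervises and signals is `su`, not the JBoss entrypoint; whether a SIGTERM on stop reaches Keycloak for a clean shutdown then depends on the su implementation forwarding it and on `docker-entrypoint.sh` exec'ing the server, neither of which is visible here. If graceful shutdown matters, verify it once with a `docker stop` and record the outcome on the `exec` line, e.g. `// su is the supervised process; confirmed SIGTERM reaches Keycloak` or switch to a wrapper that execs the server directly. Note also that the `configure-keycloak` job runs `/configure-keycloak.sh` as root (the image never drops from `USER root`), presumably with the admin credentials the script reads from the environment, while the service itself runs as jboss.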
#!/bin/bash
set -eo pipefail
curl -s "$KEYCLOAK_URL/realms/master" | [[ "$(jq 'has("token-service")')" == 'true' ]]
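Review bot: The probe has no timeout and no HTTP-status check: `curl -s` without `--max-time` can block past the job's `ttl: 20`, and without `-f` a 5xx response body is piped to jq and only fails because it does not parse as JSON. The `[[ "$(jq ...)" == 'true' ]]` on the right side of the pipe also works only because the command substitution inherits the pipe's stdin, which is easy to misread as jq having no input. A more direct form is `curl -sf --max-time 5 "$KEYCLOAK_URL/realms/master" | jq -e 'has("token-service")' >/dev/null`, where `jq -e` exits non-zero when the result is false or null and `set -o pipefail` already propagates the curl failure.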