diff --git a/docker/keycloak/Dockerfile-26 b/docker/keycloak/Dockerfile-26
new file mode 100644
index 00000000..fccbf59b
--- /dev/null
+++ b/docker/keycloak/Dockerfile-26
@@ -0,0 +1,36 @@
+FROM maven:3.9.9-eclipse-temurin-21 AS extensions-builder
+
+COPY ./extensions-26 /tmp/
+WORKDIR /tmp/
+RUN mvn -B clean package --file pom.xml
+
+FROM registry.redhat.io/rhbk/keycloak-rhel9:26.0-3 as builder
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+
+# Configure a database vendor
+ENV KC_DB=postgres
+
+COPY --from=extensions-builder /tmp/services/target/bcgov-services-1.0.0.jar /opt/keycloak/providers/
+
+WORKDIR /opt/keycloak
+
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM registry.redhat.io/rhbk/keycloak-rhel9:26.0-3
+
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+# copy the theme directory to `/opt/keycloak/themes/` for now, but we can consider to archive to be deployed later.
+COPY ./extensions-26/themes/src/main/resources/theme /opt/keycloak/themes
+
+COPY ./configuration/26/keycloak.conf /opt/keycloak/conf
+
+COPY ./configuration/26/quarkus.properties /opt/keycloak/conf
+
+COPY ./configuration/26/keycloak-default-user-profile.json /tmp
+
+# change these values to point to a running postgres instance
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
diff --git a/docker/keycloak/configuration/26/keycloak-default-user-profile.json b/docker/keycloak/configuration/26/keycloak-default-user-profile.json
new file mode 100644
index 00000000..231984e3
--- /dev/null
+++ b/docker/keycloak/configuration/26/keycloak-default-user-profile.json
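Review bot: The declarative user-profile file is copied to `/tmp` (`COPY ./configuration/26/keycloak-default-user-profile.json /tmp`) and `keycloak.conf` reads it from there, so a file that governs which attributes users may edit lives in a world-writable directory that Kubernetes/OpenShift deployments commonly mask with an `emptyDir` or tmpfs mount, in which case it is simply absent at runtime; I would put it next to the other config, `COPY ./configuration/26/keycloak-default-user-profile.json /opt/keycloak/conf/`, and point `spi-user-profile-declarative-user-profile-config-file` at `/opt/keycloak/conf/keycloak-default-user-profile.json`. Both base images are pinned by tag only (`maven:3.9.9-eclipse-temurin-21`, `keycloak-rhel9:26.0-3`); the runtime stage in particular should carry a `@sha256:` digest so a rebuild cannot silently pull a different image. The `FROM` lines mix `AS` and `as`, which BuildKit's `FromAsCasing` check flags. The comment `# change these values to point to a running postgres instance` no longer describes the `ENTRYPOINT` below it and should be dropped or moved to where the DB options are set.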
@@ -0,0 +1,61 @@
+{
+ "unmanagedAttributePolicy": "ENABLED",
+ "attributes": [
+ {
+ "name": "username",
+ "displayName": "${username}",
+ "permissions": {
+ "view": ["admin", "user"],
+ "edit": ["admin", "user"]
+ },
+ "validations": {
+ "length": { "min": 3, "max": 255 },
+ "username-prohibited-characters": {},
+ "up-username-not-idn-homograph": {}
+ }
+ },
+ {
+ "name": "email",
+ "displayName": "${email}",
+ "permissions": {
+ "view": ["admin", "user"],
+ "edit": ["admin", "user"]
+ },
+ "validations": {
+ "email": {},
+ "length": { "max": 255 }
+ }
+ },
+ {
+ "name": "firstName",
+ "displayName": "${firstName}",
+ "permissions": {
+ "view": ["admin", "user"],
+ "edit": ["admin", "user"]
+ },
+ "validations": {
+ "length": { "max": 255 },
+ "person-name-prohibited-characters": {}
+ }
+ },
+ {
+ "name": "lastName",
+ "displayName": "${lastName}",
+ "permissions": {
+ "view": ["admin", "user"],
+ "edit": ["admin", "user"]
+ },
+ "validations": {
+ "length": { "max": 255 },
+ "person-name-prohibited-characters": {}
+ }
+ }
+ ],
+ "groups": [
+ {
+ "name": "user-metadata",
+ "displayHeader": "User metadata",
+ "displayDescription": "Attributes, which refer to user metadata"
+ }
+ ]
+}
diff --git a/docker/keycloak/configuration/26/keycloak.conf b/docker/keycloak/configuration/26/keycloak.conf
new file mode 100644
index 00000000..f3d87fb8
--- /dev/null
+++ b/docker/keycloak/configuration/26/keycloak.conf
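Review bot: `"unmanagedAttributePolicy": "ENABLED"` is the most permissive setting: per Keycloak's policy semantics it lets end users, not only admins, create and edit attributes that this profile does not declare, which matters if any protocol mapper, group/role assignment or authorization policy keys on a user attribute, since a user could presumably set that attribute themselves through the account console. If unmanaged attributes are only needed so that data written by the pre-26 deployment keeps working, `ADMIN_EDIT` (or `ADMIN_VIEW`) keeps them visible and editable for admins without exposing write access to users; if user self-service is intended, that should be stated in the commit. Granting `user` edit permission on `username` matches Keycloak's default profile but is still worth confirming against the realm's edit-username setting.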
@@ -0,0 +1,40 @@
+health-enabled=true
+metrics-enabled=true
+
+# database
+db-pool-min-size=5
+db-pool-max-size=20
+
+# theme
+spi-theme-static-max-age=2592000
+spi-theme-cache-themes=true
+spi-theme-cache-templates=true
+
+# logging
+log=console,file
+log-console-color=false
+log-file=/var/log/eap/${HOSTNAME}.log
+
+# root-logger-level:INFO
+log-level=info,com.arjuna:warn,io.jaegertracing.Configuration:warn,org.jboss.as.config:debug,org.keycloak.events:debug,sun.rmi:warn
+log-console-output=json
+log-file-output=json
+
+# SPIs
+spi-events-listener-jboss-logging-quotes=none
+spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
+spi-user-profile-declarative-user-profile-config-file=/tmp/keycloak-default-user-profile.json
+
+# cache
+cache=ispn
+# DNS_PING is particularly useful in environments like Kubernetes and Red Hat OpenShift where UDP multicast, a different cluster discovery method, might not be available. This is because DNS is a standard service that's always available, making DNS_PING a reliable way for Infinispan nodes to discover each other.
+# The below option requires passing -Djgroups.dns.query=sso-keycloak-ping..svc.cluster.local to start command
+cache-stack=kubernetes
+#cache-config-file=cache-ispn-custom.xml
+
+# tls
+# https-key-store-file=server.keystore
+# https-key-store-password=password
+
+http-enabled=true
+proxy-headers=forwarded
diff --git a/docker/keycloak/configuration/26/quarkus.properties b/docker/keycloak/configuration/26/quarkus.properties
new file mode 100644
index 00000000..51f9e1ff
--- /dev/null
+++ b/docker/keycloak/configuration/26/quarkus.properties
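Review bot: `proxy-headers=forwarded` together with `http-enabled=true` makes Keycloak trust a `Forwarded` header from any peer, so anything that can reach the pod directly, or a proxy that forwards a client-supplied `Forwarded` header instead of overwriting it, can spoof the client IP recorded in events and used for brute-force detection as well as the scheme/host used to build issuer and redirect URLs; the ingress must rewrite that header, and Keycloak 26 also lets you narrow the trusted sources with `proxy-trusted-addresses=<proxy CIDRs>`, which I would set here. `spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true` re-enables the deprecated behaviour of honouring `redirect_uri` on logout without an `id_token_hint`, which upstream turned off because it weakens logout-redirect validation; if a client still depends on it, a comment naming that client and the removal condition would help, e.g. `# TODO: drop once <client> sends id_token_hint / post_logout_redirect_uri`. `org.keycloak.events:debug` writes per-login event details (usernames, client IPs, client IDs) into the JSON logs, which is fine for audit but should be acknowledged as PII in the log-retention setup. The `-Djgroups.dns.query=sso-keycloak-ping..svc.cluster.local` example in the comment has an empty namespace segment and reads as a typo.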
@@ -0,0 +1,16 @@
+quarkus.http.access-log.enabled=${QUARKUS_HTTP_ACCESS_LOG_ENABLED:false}
+quarkus.pattern.json={ "client":"%{REMOTE_HOST}", "method": "%{METHOD}", "request_url": %{REQUEST_URL}, "status":"%{RESPONSE_CODE}", "duration":"%{RESPONSE_TIME}", "bytes":"%{BYTES_SENT}" }
+quarkus.http.access-log.pattern=${quarkus.pattern.json}
+quarkus.http.record-request-start-time=${QUARKUS_HTTP_RECORD_REQUEST_START_TIME:false}
+quarkus.log.console.json.exception-output-type=formatted
+quarkus.log.console.json.key-overrides=timestamp=@timestamp
+quarkus.log.console.json.additional-field."@version".value=1
+quarkus.log.file.json.exception-output-type=formatted
+quarkus.log.file.json.key-overrides=timestamp=@timestamp
+quarkus.log.file.json.additional-field."@version".value=1
+# Quarkus will auto-compress if ending with .zip: https://quarkus.io/guides/logging.
+quarkus.log.file.rotation.file-suffix=${QUARKUS_LOG_FILE_ROTATION_FILE_SUFFIX:.zip}
+# Optional: Disable rotation by size (adjust value as needed)
+quarkus.log.file.rotation.max-file-size=${QUARKUS_LOG_FILE_ROTATION_MAX_FILE_SIZE:200M}
+# The number of rotated files per pod. From above configuration, this will keep 200M * 14 files * 3pods ~= 8Gigabytes of data before replacing.
+quarkus.log.file.rotation.max-backup-index=${QUARKUS_LOG_FILE_ROTATION_MAX_BACKUP_INDEX:14}
diff --git a/docker/keycloak/extensions-26/services/src/test/java/com/github/bcgov/keycloak/testsuite/authenticators/UserSessionRemoverTest.java b/docker/keycloak/extensions-26/services/src/test/java/com/github/bcgov/keycloak/authenticators/UserSessionRemoverTest.java
similarity index 100%
rename from docker/keycloak/extensions-26/services/src/test/java/com/github/bcgov/keycloak/testsuite/authenticators/UserSessionRemoverTest.java
rename to docker/keycloak/extensions-26/services/src/test/java/com/github/bcgov/keycloak/authenticators/UserSessionRemoverTest.java
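Review bot: In `quarkus.pattern.json` the `request_url` value is emitted without surrounding quotes (`"request_url": %{REQUEST_URL},`) while every other field is quoted, so every access-log line is malformed JSON and a downstream JSON parser will reject or mangle it; it should read `"request_url": "%{REQUEST_URL}",`. Even once quoted, the access-log pattern substitutes `%{REQUEST_URL}` and `%{METHOD}` verbatim with no JSON escaping, so a request carrying `"` or control characters in the path can break the line or inject fields into the log record; that deserves a comment such as `# NOTE: values are not JSON-escaped; a crafted URL can produce malformed lines` and a check that the log pipeline tolerates it rather than dropping the event. `%{RESPONSE_TIME}` depends on `quarkus.http.record-request-start-time`, which this file defaults to `false`, so `duration` is presumably not meaningful unless `QUARKUS_HTTP_RECORD_REQUEST_START_TIME` is set alongside the access-log flag — confirm.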