QPod · haobibo · Mar 14, 2024 · Mar 14, 2024 · Mar 14, 2024
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -36,6 +36,15 @@ jobs:
       - run: |
           source ./tool.sh && build_image app-clash latest docker_app_clash/Dockerfile && push_image
 
+  ## Keycloak
+  docker_keycloak:
+    name: 'keycloak'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          source ./tool.sh && build_image keycloak latest docker_keycloak/Dockerfile && push_image
+
   ## DevHub
   qpod_dev-hub:
     name: 'dev-hub'

diff --git a/docker_keycloak/Dockerfile b/docker_keycloak/Dockerfile
@@ -0,0 +1,41 @@
+# Distributed under the terms of the Modified BSD License.
+
+ARG BASE_NAMESPACE
+ARG BASE_IMG="jdk17"
+FROM ${BASE_NAMESPACE:+$BASE_NAMESPACE/}${BASE_IMG}
+
+LABEL maintainer="haobibo@gmail.com"
+
+COPY work /opt/utils/
+
+RUN source /opt/utils/script-setup-keycloak.sh \
+ && setup_keycloak \
+ && echo "keycloak:x:0:root" >> /etc/group \
+ && echo "keycloak:x:1000:0:keycloak user:/opt/keycloak:/sbin/nologin" >> /etc/passwd \
+ && chown -R 1000:0 /opt/keycloak
+
+ENV KEYCLOAK_HOME /opt/keycloak
+ENV KC_RUN_IN_CONTAINER true
+ENV KC_HEALTH_ENABLED true
+ENV KC_METRICS_ENABLED true
+
+USER 1000
+EXPOSE 8080
+
+WORKDIR ${KEYCLOAK_HOME}
+ENTRYPOINT ["tini", "-g", "--"]
+
+# '-c' option make bash commands are read from string.
+#   If there are arguments after the string, they are assigned to the positional parameters, starting with $0.
+# '-o pipefail'  prevents errors in a pipeline from being masked.
+#   If any command in a pipeline fails, that return code will be used as the return code of the whole pipeline.
+# '--login': make bash first reads and executes commands from  the file /etc/profile, if that file exists.
+#   After that, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.
+SHELL ["/bin/bash", "--login", "-o", "pipefail", "-c"]
+CMD ["/bin/bash", "--login", "bin/kc.sh", "start-dev"]
+
+# HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "curl", "--head", "-fsSk", "https://localhost:8080/health/ready" ]
+
+# docker build -t qpod/keycloak --build-arg "BASE_NAMESPACE=qpod" .
+# (docker rm svc-keycloak || true) && docker run -d  -p 8080:8080 --name=svc-keycloak --hostname=svc-keycloak qpod/keycloak
+# (docker rm svc-keycloak || true) && docker run -it -p 8080:8080 --name=svc-keycloak --hostname=svc-keycloak qpod/keycloak bin/kc.sh start-dev --verbose
diff --git a/docker_keycloak/demo/docker-compose.yml b/docker_keycloak/demo/docker-compose.yml
@@ -0,0 +1,51 @@
+version: '3.7'
+
+services:
+  db-postgres:
+  # su postgres && psql -d keycloak -U pg-keycloak-username
+      image: postgres:15
+      container_name: db-postgres
+      environment:
+        POSTGRES_DB: keycloak
+        POSTGRES_USER: pg-keycloak-username
+        POSTGRES_PASSWORD: pg-keycloak-password
+
+  svc-keycloak:
+      # image: qpod/keycloak
+      build:
+        context: ../
+        dockerfile: Dockerfile
+        args:
+          BASE_NAMESPACE: qpod
+      container_name: svc-keycloak
+      # command: ["/bin/bash", "--login", "bin/kc.sh", "start-dev", "--verbose"]
+      command: |
+        /bin/bash -l -c '
+          [ -f conf/server.keystore ] || keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 \
+            -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
+          bin/kc.sh start --verbose --features=token-exchange \
+            --https-port=8080
+          # --db postgres --db-url jdbc:postgresql://db-postgres:5432/keycloak \
+          # --db-username pg-keycloak-username \
+          # --db-password pg-keycloak-password
+        '
+      environment:
+        KC_HOSTNAME: localhost
+        KC_DB: postgres
+        KC_DB_URL: "jdbc:postgresql://db-postgres:5432/keycloak"
+        KC_DB_USERNAME: "pg-keycloak-username"
+        KC_DB_PASSWORD: "pg-keycloak-password"
+        KEYCLOAK_ADMIN: keycloak-admin
+        KEYCLOAK_ADMIN_PASSWORD: keycloak-password
+        PROXY_ADDRESS_FORWARDING: "true"
+      ports:
+        - 8080:8080
+      depends_on:
+        - db-postgres
+      healthcheck:
+        test:  ["CMD-SHELL", "curl", "--head", "-fsSk", "https://localhost:8080/health/ready" ]
+        interval: 30s
+        timeout: 30s
+        start_period: 5s
+        retries: 3
+
diff --git a/docker_keycloak/work/script-setup-keycloak.sh b/docker_keycloak/work/script-setup-keycloak.sh
@@ -0,0 +1,14 @@
+source /opt/utils/script-utils.sh
+
+setup_keycloak() {
+  # Install the latest (but not nightly) version of keycloak
+     VERSION_KEYCLOAK=$(curl -sL https://github.com/keycloak/keycloak/releases.atom | grep 'releases/tag' | grep -v nightly | head -1 | grep -Po '\d[\d.]+' ) \
+  && URL_KEYCLOAK="https://github.com/keycloak/keycloak/releases/download/$VERSION_KEYCLOAK/keycloak-$VERSION_KEYCLOAK.tar.gz" \
+  && echo "Downloading Keycloak version ${VERSION_KEYCLOAK} from: ${URL_KEYCLOAK}" \
+  && install_tar_gz $URL_KEYCLOAK \
+  && mv /opt/keycloak-* /opt/keycloak && mkdir -pv /opt/keycloak/data \
+  && chmod -R g+rwX /opt/keycloak \
+  && echo 'export PATH=${PATH}:/opt/keycloak/bin' >> /etc/profile.d/path-keycloak.sh \
+  && export PATH=${PATH}:/opt/keycloak/bin \
+  && echo "@ Version of Keycloadk $(kc.sh --version)"
+}