job "keycloak-test" {
  type = "service"

  group "main" {
    count = 2

    restart {
      attempts = 3
      delay    = "15s"
      interval = "10m"
      mode     = "delay"
    }
    ephemeral_disk { size = 200 }
    network {
      mode = "bridge"
      port "health"  { }
      port "jgroups" { to = -1 }
    }

    service {
      name = "keycloak-test"
      port = "jgroups"
      tags = [ "jgroups" ]
    }

    service {
      name = "keycloak-test"
      port = "8080"

      tags = [
          "http"
        , "traefik.enable=true"
        , "traefik.consulcatalog.connect=true"
        , "traefik.http.routers.keycloak-test.entrypoints=websecure"
        , "traefik.http.routers.keycloak-test.tls=true"
        , "traefik.http.routers.keycloak-test.rule=Host(`auth-test.example.org`)"
        , "traefik.http.services.keycloak-test.loadbalancer.sticky.cookie=true"
        , "traefik.http.services.keycloak-test.loadbalancer.sticky.cookie.name=keycloak-test"
      ]

      check {
        name     = "alive"
        type     = "http"
        interval = "5s"
        timeout  = "2s"
        port     = "health"
        path     = "/health"
        check_restart {
          limit = 3
          grace = "300s"
        }
      }

      connect {
        sidecar_service {
          proxy {
            expose {
              path {
                path = "/health"
                protocol = "http"
                local_path_port = 9990
                listener_port = "health"
              }
            }
          }
        }
        sidecar_task {
          resources {
            cpu = 20
            memory = 64
            memory_max = 128
          }
        }
      }
    }

    task "keycloak-test" {
      driver = "docker"

      config {
        image = "jboss/keycloak:16.1.0"
        ports = [ "jgroups" ]
      }
      env {
        JGROUPS_DISCOVERY_PROTOCOL   = "dns.DNS_PING"
        JGROUPS_DISCOVERY_PROPERTIES = "dns_query=_keycloak-test._jgroups.service.consul,dns_record_type=SRV"

        CACHE_OWNERS_COUNT = 2
        CACHE_OWNERS_AUTH_SESSIONS_COUNT = 2

        PROXY_ADDRESS_FORWARDING      = "true"
      }
      template {
        destination = "secrets/env_vars"
        env = true
        data = <<EOF
DB_VENDOR="{{ key "test/keycloak/db_vendor" }}"
DB_ADDR="{{ key "test/keycloak/db_host" }}"
DB_PASSWORD="{{ key "test/keycloak/db_pass" }}"
DB_USER="{{ key "test/keycloak/db_user" }}"
DB_SCHEMA="{{ key "test/keycloak/db_schema" }}"
JDBC_PARAMS="{{ key "test/keycloak/jdbc_params" }}"
EOF
      }
      template {
        destination = "${NOMAD_TASK_DIR}/dns.DNS_PING.cli"
        data = <<EOF
embed-server --server-config=standalone-ha.xml --std-out=echo
batch

# Tell jgroups what our view of our IP is
/subsystem=jgroups/stack=tcp/transport=TCP/property=external_addr/:add(value={{ env "NOMAD_IP_jgroups" }})

# Change the port jgroups will use
/socket-binding-group=standard-sockets/socket-binding=jgroups-tcp:write-attribute(name=port,value={{ env "NOMAD_PORT_jgroups" }})

# Not explicitly necessary since we don't use UDP, but it's in all the examples, so...
/subsystem=jgroups/stack=udp/protocol=PING:remove()
/subsystem=jgroups/stack=udp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)

# Switch from using multicast ping to DNS_PING
/subsystem=jgroups/stack=tcp/protocol=MPING:remove()
/subsystem=jgroups/stack=tcp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)

/subsystem=jgroups/channel=ee:write-attribute(name="stack", value=$keycloak_jgroups_transport_stack)

run-batch

stop-embedded-server
EOF
      }

      resources {
        cpu = 150
        memory = 1024
        memory_max = 2048
      }
    }
  }
}