dbildungs-iam-keycloak is a customized Keycloak
docker image for the dBildungscloud-iam-server.
Images for local development or production are build for each Git tag via GitHub Actions.
On every push to a branch (except main) a GitHub Workflow builds, uploads (to GHCR) and scans the image (with trivy). The image is tagged with the ticket extracted from the branch name. The trivy scan results are available under Security -> Code scanning -> Filter: "is:open branch:<branch>".
After a merge to main a GitHub Workflow builds, uploads (to GHCR) and scans the image (with trivy). The image is tagged with the short commit hash and "latest". The trivy scan results are available under Security -> Code scanning.
The latest image on GHCR is scanned with trivy every night.
Following steps are intent to build the container for local development purpose.
You may use a pre-build image from GitHub Packages
. To build the container on your own execute following command:
docker build --load --target development -t dbildungsplattform/dbildungs-iam-keycloak/dev .
To create the container execute following command:
docker create --name dbildungs-iam-keycloak -p 8080:8080 -p 8443:8443 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin dbildungsplattform/dbildungs-iam-keycloak/dev:latest
To start (or stop) the container execute following command:
docker start dbildungs-iam-keycloak
docker stop dbildungs-iam-keycloak
The Keycloak Admin Console will be available at http://localhost:8080
or https://localhost:8443
. You may login into the instance with username admin
and password admin
.
The developer build is configured to start Keycloak in developer mode. It is configured without proxy or clustering capabilities (discovery, replication, fail-over). It'll use a local flat-file database, has self-signed certificates for TLS, and exposes metrics
.
Note, the production image can not be used locally without setting up an TLS termination proxy. Following steps are intent to build the container for production purpose to test it locally. For your development environment you want to make use of the development image
.
The production image is build automatically. You may use a pre-build image from GitHub Packages
.
To build the container execute following command:
docker build --target production -t schulcloud/dbildungs-iam-keycloak .
To use the container, e.g. to test it locally, you'll need a PostgresSQL database up and running. To start a PostgresSQL container execute following commands:
docker network create dbildungs-iam
docker run --name postgres --network=dbildungs-iam-keycloak -p 5432:5432 -e POSTGRES_PASSWORD=postgres -d postgres
Adjust, and execute following command to start the Keycloak production container for local testing:
docker create --name dbildungs-iam-keycloak --network=dbildungs-iam-keycloak -p 8080:8080 \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
-e KC_DB_URL=jdbc:postgresql://postgres:5432/postgres \
-e KC_DB_USERNAME=postgres \
-e KC_DB_PASSWORD=postgres \
-e KC_HTTP_ENABLED=true \
-e KC_PROXY=edge \
-e KC_HOSTNAME=localhost:8080 \
schulcloud/dbildungs-iam:latest
To start (or stop) the container execute following command:
docker start dbildungs-iam-keycloak
docker stop dbildungs-iam-keycloak
The Keycloak Admin Console will be available at http://localhost:8080
. To make use of the production image locally, you need to configure a TLS termination proxy (setup is beyond the scope of this document).
To make use of BCrypt hashed passwords, the keycloak-bcrypt
is used.
The Bcrypt provider can be found here. During build, it will be copied into the image and is available for late use.
- By default, the default Keycloak hashing provider will be used for password hashing
- To change the default behavior, login as admin under http://localhost:8080
- Under
Authentication -> Password Policy
create a newHashing Algorithm
entry with valuebcrypt
- Optional: Under
Authentication -> Password Policy
create a newHashing Iterations
entry with your desired value, this will be used as cost for bcrypt and the default value is 10
./src
: Folder containing Keycloak customization (e.g. plug-ins, themes)./Dockerfile
: The multi-staged Dockerfile for develop or production build../build-dev.sh
: Builds the Keycloak image for local development../create-dev.sh
: Creates the Keycloak container for local development.
- Make sure a DB exists
- Create Secret in Cluster beforehand
- Run Helm Install command
helm install --kubeconfig <path-to-kubeconfig> --namespace <namespace> dbildungs-iam-keycloak ./charts/dbildungs-iam-keycloak -f DB_NAME <db-name> -f KC_DB_USERNAME <kc-db-username>