**Purpose**: Keycloak is an open source identity and access management system for modern applications and services.

- [Original Reference Compose File](https://github.com/JamesTurland/JimsGarage/blob/main/Keycloak/docker-compose.yaml)
- [Original Reference Deployment Video](https://www.youtube.com/watch?v=6ye4lP9EA2Y)

## Docker Configuration

=== "docker-compose.yml"

    ``` yaml
    version: '3.7'

    services:
      postgres:
        image: postgres:16.2
        volumes:
          - /srv/containers/keycloak/db:/var/lib/postgresql/data
        environment:
          POSTGRES_DB: ${POSTGRES_DB}
          POSTGRES_USER: ${POSTGRES_USER}
          POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
        networks:
          docker_network:
            ipv4_address: 192.168.5.3

      keycloak:
        image: quay.io/keycloak/keycloak:23.0.6
        command: start
        environment:
          TZ: America/Denver # (1)
          KC_PROXY_ADDRESS_FORWARDING: true # (2)
          KC_HOSTNAME_STRICT: false
          KC_HOSTNAME: auth.bunny-lab.io # (3)
          KC_PROXY: edge # (4)
          KC_HTTP_ENABLED: true
          KC_DB: postgres
          # KC_DB_URL: jdbc:postgresql://postgres/${POSTGRES_DB} # (5)
          KC_DB_USERNAME: ${POSTGRES_USER}
          KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
          KC_DB_URL_HOST: postgres
          KC_DB_URL_PORT: 5432
          KC_DB_URL_DATABASE: ${POSTGRES_DB}
          KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
          KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
          # KC_HOSTNAME_DEBUG: true # (6)
          KC_HEALTH_ENABLED: true
        ports:
          - "8080:8080"
        restart: always
        depends_on:
          - postgres
        networks:
          docker_network:
            ipv4_address: 192.168.5.2

    networks:
      default:
        external:
          name: docker_network
      docker_network:
        external: true
    ```

    1. This sets the timezone of the Keycloak container to your own timezone. The official documentation does not require it, but I add it to all of my containers as a baseline environment variable.
    2. This assumes you are running Keycloak behind a reverse proxy; in my particular case, Traefik.
    3. Set this to the FQDN at which you expect to reach the Keycloak server behind your reverse proxy.
    4. This also assumes you are running Keycloak behind a reverse proxy (Traefik, in my case). `edge` tells Keycloak that TLS is terminated at the proxy and that the proxy talks to Keycloak over plain HTTP, which is why `KC_HTTP_ENABLED` is set to `true` as well.
    5. The official documentation shows this variable, but it is not needed here: this deployment specifies the host, port and database name separately in the variables that follow.
    6. If this is enabled, navigate to https://auth.bunny-lab.io/realms/master/hostname-debug to troubleshoot the deployment when you have trouble logging into the web portal or admin UI.
=== ".env"

    ``` ini
    POSTGRES_DB=keycloak
    POSTGRES_USER=keycloak
    POSTGRES_PASSWORD=SomethingSecure # (1)
    KEYCLOAK_ADMIN=admin
    KEYCLOAK_ADMIN_PASSWORD=SomethingSuperSecureToLoginAsAdmin # (2)
    ```

    1. This is used internally by Keycloak to connect to the PostgreSQL database server.
    2. This is used to log into the web admin portal at https://auth.bunny-lab.io.

## Traefik Reverse Proxy Configuration

If the container does not run on the same host as Traefik, you will need to manually add the router, service and middleware below to Traefik's dynamic configuration file.

``` yaml
http:
  routers:
    auth:
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: auth
      rule: Host(`auth.bunny-lab.io`)
      middlewares:
        - auth-headers

  services:
    auth:
      loadBalancer:
        servers:
          - url: http://192.168.5.2:8080
        passHostHeader: true

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customRequestHeaders:
          X-Forwarded-Proto: https
          X-Forwarded-Port: "443"
```
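As an added check (example code, not part of the original guide, Keycloak or Traefik), the script below verifies that `KC_HOSTNAME`, `KC_PROXY: edge` and the `X-Forwarded-*` headers set above are actually taking effect, by confirming that the realm's OIDC discovery document advertises only `https://auth.bunny-lab.io/...` URLs. The two JSON documents embedded in it are constructed samples, and `fetch_and_check` is a hypothetical helper for running the same check against the live server through the proxy.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample (not captured from a real server) of the fields we care
# about in /realms/master/.well-known/openid-configuration from a correctly
# proxied deployment: every URL is https and uses the public hostname.
SAMPLE_GOOD = json.dumps({
    "issuer": "https://auth.bunny-lab.io/realms/master",
    "authorization_endpoint": "https://auth.bunny-lab.io/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://auth.bunny-lab.io/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://auth.bunny-lab.io/realms/master/protocol/openid-connect/certs",
})

# Constructed sample of the failure mode the hostname-debug page exists for:
# KC_HOSTNAME / X-Forwarded-Proto not taking effect, so Keycloak advertises
# its internal plain-HTTP address and browser logins break on the redirect.
SAMPLE_BAD = json.dumps({
    "issuer": "http://192.168.5.2:8080/realms/master",
    "authorization_endpoint": "http://192.168.5.2:8080/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://192.168.5.2:8080/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://192.168.5.2:8080/realms/master/protocol/openid-connect/certs",
})

URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json: str, expected_host: str) -> list[str]:
    """Return one problem string per bad field; an empty list means every
    advertised URL uses https and the expected public hostname."""
    doc = json.loads(doc_json)
    problems = []
    for field in URL_FIELDS:
        value = doc.get(field)
        if value is None:
            problems.append(f"{field}: missing from discovery document")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{field}: scheme {parsed.scheme!r}, expected 'https'")
        if parsed.hostname != expected_host:
            problems.append(f"{field}: host {parsed.hostname!r}, expected {expected_host!r}")
    return problems


def fetch_and_check(hostname: str, realm: str = "master") -> list[str]:
    """Hypothetical helper: fetch the live discovery document via the proxy and check it."""
    url = f"https://{hostname}/realms/{realm}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_discovery(resp.read().decode(), hostname)
```

Running `fetch_and_check("auth.bunny-lab.io")` against the deployed stack should return an empty list; any entries point at the header or hostname setting that is not reaching Keycloak.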

## Traefik Keycloak Plugin

At this point, we need to add the official Keycloak plugin to Traefik's main configuration. In this example, it is assumed that you configure this in Portainer/Docker Compose, and not via a static yml/toml file, following the [Docker Compose based Traefik Deployment](https://docs.bunny-lab.io/Docker%20%2526%20Kubernetes/Docker/Docker%20Compose/Traefik/).

If you do not already have the following at the end of the `command:` section of the Traefik docker-compose.yml file in Portainer, go ahead and add it:

``` yml
      # Keycloak plugin configuration
      - "--experimental.plugins.keycloakopenid.moduleName=github.com/Gwojda/keycloakopenid"
      - "--experimental.plugins.keycloakopenid.version=v0.1.34"
```