automatic realm import on startup

2026-03-04 15:27:17 -05:00 · 2021-01-29 10:39:23 +01:00
parent 5a74c1f49f
commit 080d348d19
5 changed files with 1996 additions and 24 deletions
--- a/deployments/examples/ocis_keycloak/.env
+++ b/deployments/examples/ocis_keycloak/.env
@@ -23,7 +23,7 @@ OCIS_OIDC_CLIENT_ID=
 ### Keycloak ###
 # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
 KEYCLOAK_DOMAIN=
-# Realm which to be used with oCIS. Defaults to "master"
+# Realm which to be used with oCIS. Defaults to "oCIS"
 KEYCLOAK_REALM=
 # Admin user login name. Defaults to "admin"
 KEYCLOAK_ADMIN_USER=
--- a/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.json
+++ b/deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.json
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -50,10 +50,10 @@ services:
    environment:
      # Keycloak IDP specific configuration
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
-      PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-master}
-      WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-master}
+      PROXY_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-oCIS}
+      WEB_OIDC_AUTHORITY: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-oCIS}
      WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
-      WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-master}/.well-known/openid-configuration
+      WEB_OIDC_METADATA_URL: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}/auth/realms/${KEYCLOAK_REALM:-oCIS}/.well-known/openid-configuration
      STORAGE_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
      STORAGE_LDAP_IDP: https://${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
      # general config
@@ -98,7 +98,7 @@ services:
    networks:
      ocis-net:
    volumes:
-      - ./config/keycloak/keycloak-import.json:/opt/jboss/keycloak/keycloak-import.json
+      - ./config/keycloak/ocis-realm.json:/opt/jboss/keycloak/ocis-realm.json
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
@@ -109,7 +109,7 @@ services:
      KEYCLOAK_USER: ${KEYCLOAK_ADMIN_USER:-admin}
      KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
      PROXY_ADDRESS_FORWARDING: "true"
-      KEYCLOAK_IMPORT: /opt/jboss/keycloak/keycloak-import.json
+      KEYCLOAK_IMPORT: /opt/jboss/keycloak/ocis-realm.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.entrypoints=http"
@@ -129,7 +129,7 @@ services:
      - "traefik.http.routers.idp-wellknown-secure.tls.certresolver=http"
      - "traefik.http.routers.idp-wellknown-secure.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`) && Path(`/.well-known/openid-configuration`)"
      - "traefik.http.middlewares.idp-headers.headers.customrequestheaders.X-Forwarded-Host=${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}"
-      - "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-master}"
+      - "traefik.http.middlewares.idp-prefix.addprefix.prefix=/auth/realms/${KEYCLOAK_REALM:-oCIS}"
      - "traefik.http.middlewares.idp-override.chain.middlewares=idp-headers,idp-prefix"
      - "traefik.http.routers.idp-wellknown-secure.middlewares=idp-override"
      - "traefik.http.routers.idp-wellknown-secure.service=keycloak"
--- a/deployments/examples/ocis_keycloak/keycloak-export.sh
+++ b/deployments/examples/ocis_keycloak/keycloak-export.sh
@@ -2,12 +2,9 @@
 docker-compose exec keycloak \
    sh -c "cd /opt/jboss/keycloak && \
    timeout 60 bin/standalone.sh \
+    -Djboss.httin/standalone.sh \
    -Djboss.socket.binding.port-offset=100 \
    -Dkeycloak.migration.action=export \
    -Dkeycloak.migration.provider=singleFile \
-    -Dkeycloak.migration.file=keycloak-export.json \
-    -Djboss.httin/standalone.sh -Dkeycloak.migration.action=export \
-    -Dkeycloak.migration.provider=singleFile \
-    -Dkeycloak.migration.file=keycloak-export.json"
-
-docker-compose exec keycloak cat /opt/jboss/keycloak/keycloak-export.json > keycloak-export.json
+    -Dkeycloak.migration.realmName=oCIS \
+    -Dkeycloak.migration.file=ocis-realm.json"
--- a/docs/ocis/deployment/ocis_keycloak.md
+++ b/docs/ocis/deployment/ocis_keycloak.md
@@ -74,7 +74,7 @@ See also [example server setup]({{< ref "preparing_server.md" >}})
  ### Keycloak ###
  # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"
  KEYCLOAK_DOMAIN=
-  # Realm which to be used with oCIS. Defaults to "master"
+  # Realm which to be used with oCIS. Defaults to "oCIS"
  KEYCLOAK_REALM=
  # Admin user login name. Defaults to "admin"
  KEYCLOAK_ADMIN_USER=
@@ -99,7 +99,7 @@ See also [example server setup]({{< ref "preparing_server.md" >}})

  Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`.

-  Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the master realm `KEYCLOAK_REALM=master`.
+  Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users.

  You probably should secure your Keycloak admin account by setting `KEYCLOAK_ADMIN_USER=` and `KEYCLOAK_ADMIN_PASSWORD=` to values other than `admin`.

@@ -109,11 +109,7 @@ See also [example server setup]({{< ref "preparing_server.md" >}})

  `docker-compose up -d`

-* Visit the Keycloak administration console on your configured domain. Go to clients settings and add a client. The client id is `ocis-web` or the one you changed it to. The client protocol is openid-connect. The root url for the client is the url you selected for oCIS. Then save the client.
-
-* You may also add users to Keycloak
-
-* You now can visit oCIS and Traefik dashboard on your configured domains
+* You now can visit oCIS, Keycloak and Traefik dashboard on your configured domains

 ## Local setup
 For a more simple local ocis setup see [Getting started]({{< ref "../getting-started.md" >}})
@@ -132,8 +128,5 @@ After that you're ready to start the application stack:
 `docker-compose up -d`

 Open https://keycloak.owncloud.test in your browser and accept the invalid certificate warning.
-Go to clients settings and add a client. The client id is `ocis-web` or the one you changed it to. The client protocol is openid-connect. THe root url for the client is `https://ocis.owncloud.test`. Then save the client.

-* You may also add users to Keycloak
-
-Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the admin user of keycloak and additional users you created.
+Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the demo users.