From cb243448cc8512135afa4e72e170c40b2f0dbfa5 Mon Sep 17 00:00:00 2001 
From: Viktor Scharf Date: Thu, 27 Mar 2025 11:45:46 +0100 Subject: [PATCH] move keycloak setup to opencloud_full --- deployments/examples/opencloud_full/.env | 14 +- .../config/keycloak/clients/android_app.json | 0 .../config/keycloak/clients/cyberduck.json | 0 .../keycloak/clients/desktop_client.json | 0 .../config/keycloak/clients/ios_app.json | 0 .../config/keycloak/clients/web.json | 0 .../keycloak/docker-entrypoint-override.sh | 0 .../config/keycloak/opencloud-realm.dist.json | 23 +++ .../opencloud_full/config/opencloud/csp.yaml | 1 + .../examples/opencloud_full/keycloak.yml | 72 ++++++++ .../examples/opencloud_keycloak/README.md | 3 - .../config/opencloud/banned-password-list.txt | 5 - .../config/opencloud/csp.yaml | 37 ----- .../opencloud_keycloak/docker-compose.yml | 155 ------------------ .../docker-compose-additions.yml | 18 -- 15 files changed, 109 insertions(+), 219 deletions(-) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/clients/android_app.json (100%) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/clients/cyberduck.json (100%) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/clients/desktop_client.json (100%) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/clients/ios_app.json (100%) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/clients/web.json (100%) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/docker-entrypoint-override.sh (100%) rename deployments/examples/{opencloud_keycloak => opencloud_full}/config/keycloak/opencloud-realm.dist.json (98%) create mode 100644 deployments/examples/opencloud_full/keycloak.yml delete mode 100644 deployments/examples/opencloud_keycloak/README.md delete mode 100644 deployments/examples/opencloud_keycloak/config/opencloud/banned-password-list.txt delete mode 100644 
deployments/examples/opencloud_keycloak/config/opencloud/csp.yaml
 delete mode 100644 deployments/examples/opencloud_keycloak/docker-compose.yml
 delete mode 100644 deployments/examples/opencloud_keycloak/monitoring_tracing/docker-compose-additions.yml
diff --git a/deployments/examples/opencloud_full/.env b/deployments/examples/opencloud_full/.env
index dc968051cf..80e15b25ee 100644
--- a/deployments/examples/opencloud_full/.env
+++ b/deployments/examples/opencloud_full/.env
@@ -242,8 +242,20 @@ INBUCKET_DOMAIN=
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:
 
+### Keycloak Settings ###
+# Note: the leading colon is required to enable the service.
+#KEYCLOAK=:keycloak.yml
+# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
+KEYCLOAK_DOMAIN=
+# Realm which to be used with OpenCloud. Defaults to "OpenCloud"
+KEYCLOAK_REALM=
+# Admin user login name. Defaults to "admin"
+KEYCLOAK_ADMIN_USER=
+# Admin user login password. Defaults to "admin"
+KEYCLOAK_ADMIN_PASSWORD=
+
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${POSIX:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${POSIX:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}
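Review bot: The comment above `KEYCLOAK_REALM=` documents the default as `"OpenCloud"`, but the new keycloak.yml in this same commit falls back to `${KEYCLOAK_REALM:-openCloud}` and builds `OC_OIDC_ISSUER` from it, so the documented and the effective default differ in case and a reader copying the comment value into the issuer URL gets a different realm path. Change the comment to `# Realm which to be used with OpenCloud. Defaults to "openCloud"`, or align the compose fallback, whichever matches the realm name in the imported realm export (that name is not visible in this diff). `KEYCLOAK_ADMIN_PASSWORD` silently falls back to `admin` in keycloak.yml; the comment could make that consequence explicit, e.g. `# Admin user login password. Defaults to "admin" - set this before the deployment is reachable from outside.`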
diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/clients/android_app.json b/deployments/examples/opencloud_full/config/keycloak/clients/android_app.json similarity index 100% rename from deployments/examples/opencloud_keycloak/config/keycloak/clients/android_app.json rename to deployments/examples/opencloud_full/config/keycloak/clients/android_app.json diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/clients/cyberduck.json b/deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json similarity index 100% rename from deployments/examples/opencloud_keycloak/config/keycloak/clients/cyberduck.json rename to deployments/examples/opencloud_full/config/keycloak/clients/cyberduck.json diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/clients/desktop_client.json b/deployments/examples/opencloud_full/config/keycloak/clients/desktop_client.json similarity index 100% rename from deployments/examples/opencloud_keycloak/config/keycloak/clients/desktop_client.json rename to deployments/examples/opencloud_full/config/keycloak/clients/desktop_client.json diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/clients/ios_app.json b/deployments/examples/opencloud_full/config/keycloak/clients/ios_app.json similarity index 100% rename from deployments/examples/opencloud_keycloak/config/keycloak/clients/ios_app.json rename to deployments/examples/opencloud_full/config/keycloak/clients/ios_app.json diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/clients/web.json b/deployments/examples/opencloud_full/config/keycloak/clients/web.json similarity index 100% rename from deployments/examples/opencloud_keycloak/config/keycloak/clients/web.json rename to deployments/examples/opencloud_full/config/keycloak/clients/web.json 
diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/docker-entrypoint-override.sh b/deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh similarity index 100% rename from deployments/examples/opencloud_keycloak/config/keycloak/docker-entrypoint-override.sh rename to deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh diff --git a/deployments/examples/opencloud_keycloak/config/keycloak/opencloud-realm.dist.json b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json similarity index 98% rename from deployments/examples/opencloud_keycloak/config/keycloak/opencloud-realm.dist.json rename to deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json index 5f02a5c53b..3103a8cfa7 100644 --- a/deployments/examples/opencloud_keycloak/config/keycloak/opencloud-realm.dist.json +++ b/deployments/examples/opencloud_full/config/keycloak/opencloud-realm.dist.json 
@@ -579,6 +579,29 @@ "webAuthnPolicyPasswordlessAcceptableAaguids": [], "webAuthnPolicyPasswordlessExtraOrigins": [], "users" : [ + { + "id" : "f6866087-061d-4bae-8c3b-ea778868502e", + "username" : "admin", + "firstName" : "Admin", + "email" : "admin@example.org", + "emailVerified" : false, + "createdTimestamp" : 1743071763647, + "enabled" : true, + "totp" : false, + "credentials" : [ { + "id" : "e00326ca-886a-48df-9b2f-a3a70beeaafb", + "type" : "password", + "userLabel" : "My password", + "createdDate" : 1743071778786, + "secretData" : "{\"value\":\"z1GycCaf+820w76aRX+UgEJBBca62BUL03rvtdQ+crw=\",\"salt\":\"w952cvEBBqZ0dPDuseH8tQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "opencloudAdmin", "default-roles-opencloud" ], + "notBefore" : 0, + "groups" : [ "/users" ] + }, { "id": "f05733ad-04fc-4b27-b1d4-8de6a7cd16e8", "username": "alan", diff --git a/deployments/examples/opencloud_full/config/opencloud/csp.yaml b/deployments/examples/opencloud_full/config/opencloud/csp.yaml index c650d12f1c..ba41bdf913 100644 --- a/deployments/examples/opencloud_full/config/opencloud/csp.yaml +++ b/deployments/examples/opencloud_full/config/opencloud/csp.yaml @@ -7,6 +7,7 @@ directives: - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/' - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/' - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/' + - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/' default-src: - '''none''' font-src: diff --git a/deployments/examples/opencloud_full/keycloak.yml b/deployments/examples/opencloud_full/keycloak.yml new file mode 100644 index 0000000000..ff6e06b978 --- /dev/null +++ b/deployments/examples/opencloud_full/keycloak.yml 
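Review bot: The added `admin` user carries a fixed password credential (`secretData` / `credentialData`) inside a realm export that is shipped with the example, holds `opencloudAdmin`, and has `"requiredActions" : [ ]`, so every deployment imported from this file starts with the same privileged account and the same secret and nothing forces a rotation. Setting `"requiredActions" : [ "UPDATE_PASSWORD" ]` on this user would make Keycloak require a new password at the first login, and the initial value should be documented next to the Keycloak settings in `.env` so operators know what they are replacing. Since keycloak.yml starts with `--import-realm`, which as far as I recall skips a realm that already exists, this only affects fresh deployments; worth confirming against `docker-entrypoint-override.sh`, which is not shown. The enclosing `users` array continues outside the hunk.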
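Review bot: The new Keycloak entry (in what looks like `connect-src`; the key itself is outside the hunk) loses the comment the deleted `opencloud_keycloak/config/opencloud/csp.yaml` carried above the identical line, and it is the only place in the deployment where the default is written with `|` instead of the `:-` form used in the compose files, so the comment is worth keeping: `# In contrary to bash and docker the default is given after the | character`. The entry is also active whether or not `KEYCLOAK=:keycloak.yml` is enabled in `.env`, so the policy is widened by one origin in deployments that never use Keycloak; a short comment stating that this is intentional would stop a reader from taking it as a sign that Keycloak is configured.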
@@ -0,0 +1,72 @@ +--- +services: + traefik: + networks: + opencloud-net: + aliases: + - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} + + opencloud: + environment: + # Keycloak IDP specific configuration + PROXY_AUTOPROVISION_ACCOUNTS: "true" + PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc" + OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud} + PROXY_OIDC_REWRITE_WELLKNOWN: "true" + WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} + + PROXY_USER_OIDC_CLAIM: "preferred_username" + PROXY_USER_CS3_CLAIM: "username" + OC_EXCLUDE_RUN_SERVICES: "idp" + OC_ADMIN_USER_ID: "" + GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" + GRAPH_USERNAME_MATCH: "none" + + postgres: + image: postgres:alpine + networks: + opencloud-net: + volumes: + - keycloak_postgres_data:/var/lib/postgresql/data + environment: + POSTGRES_DB: keycloak + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: keycloak + logging: + driver: ${LOG_DRIVER:-local} + restart: always + + keycloak: + image: quay.io/keycloak/keycloak:25.0.0 + networks: + opencloud-net: + command: ["start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"] + entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"] + volumes: + - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh" + - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json" + environment: + OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test} + KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} + KC_DB: postgres + KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak" + KC_DB_USERNAME: keycloak + KC_DB_PASSWORD: keycloak + KC_FEATURES: impersonation + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} + labels: + - "traefik.enable=true" + - "traefik.http.routers.keycloak.entrypoints=https" + - 
"traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)" + - "traefik.http.routers.keycloak.tls.certresolver=http" + - "traefik.http.routers.keycloak.service=keycloak" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" + depends_on: + - postgres + logging: + driver: ${LOG_DRIVER:-local} + restart: always + +volumes: + keycloak_postgres_data: diff --git a/deployments/examples/opencloud_keycloak/README.md b/deployments/examples/opencloud_keycloak/README.md deleted file mode 100644 index 9c6e905bf2..0000000000 --- a/deployments/examples/opencloud_keycloak/README.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -document this deployment example in: https://docs.opencloud.eu/docs ---- \ No newline at end of file diff --git a/deployments/examples/opencloud_keycloak/config/opencloud/banned-password-list.txt b/deployments/examples/opencloud_keycloak/config/opencloud/banned-password-list.txt deleted file mode 100644 index aa2cfbde0c..0000000000 --- a/deployments/examples/opencloud_keycloak/config/opencloud/banned-password-list.txt +++ /dev/null @@ -1,5 +0,0 @@ -password -12345678 -123 -openCloud -openCloud-1 diff --git a/deployments/examples/opencloud_keycloak/config/opencloud/csp.yaml b/deployments/examples/opencloud_keycloak/config/opencloud/csp.yaml deleted file mode 100644 index cddca1ba51..0000000000 --- a/deployments/examples/opencloud_keycloak/config/opencloud/csp.yaml +++ /dev/null 
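Review bot: The `opencloud` environment block in this file no longer passes `KEYCLOAK_DOMAIN` into the container, while the deleted `opencloud_keycloak/docker-compose.yml` did, and `csp.yaml` expands `${KEYCLOAK_DOMAIN|keycloak.opencloud.test}` from the opencloud process environment; unless the base `docker-compose.yml` (outside this diff) already exports it, a custom `KEYCLOAK_DOMAIN` from `.env` reaches Traefik and Keycloak but the CSP keeps allowing only `keycloak.opencloud.test`, and the browser blocks the login flow. Adding `KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}` under `opencloud.environment` restores the previous behaviour. Separately, `POSTGRES_PASSWORD` and `KC_DB_PASSWORD` are the only credentials in the file that cannot be overridden from `.env` (the admin ones use `${KEYCLOAK_ADMIN_PASSWORD:-admin}`), so a new variable such as `${KEYCLOAK_DB_PASSWORD:-keycloak}` used in both places would keep the file consistent. Finally, `postgres:alpine` is a floating tag while Keycloak is pinned to `25.0.0`; a PostgreSQL major bump refuses to start on the existing `keycloak_postgres_data` volume, so pin a major, e.g. `postgres:16-alpine`.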
@@ -1,37 +0,0 @@ -directives: - child-src: - - '''self''' - connect-src: - - '''self''' - - 'blob:' - - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/' - # In contrary to bash and docker the default is given after the | character - - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/' - default-src: - - '''none''' - font-src: - - '''self''' - frame-ancestors: - - '''none''' - frame-src: - - '''self''' - - 'blob:' - - 'https://embed.diagrams.net/' - img-src: - - '''self''' - - 'data:' - - 'blob:' - - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/' - manifest-src: - - '''self''' - media-src: - - '''self''' - object-src: - - '''self''' - - 'blob:' - script-src: - - '''self''' - - '''unsafe-inline''' - style-src: - - '''self''' - - '''unsafe-inline''' diff --git a/deployments/examples/opencloud_keycloak/docker-compose.yml b/deployments/examples/opencloud_keycloak/docker-compose.yml deleted file mode 100644 index 63bcf4bd41..0000000000 --- a/deployments/examples/opencloud_keycloak/docker-compose.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -services: - traefik: - image: traefik:v2.9.1 - networks: - opencloud-net: - aliases: - - ${OC_DOMAIN:-cloud.opencloud.test} - - ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} - command: - - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}" - # letsencrypt configuration - - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}" - - "--certificatesResolvers.http.acme.storage=/certs/acme.json" - - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http" - - "--certificatesResolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}" - # enable dashboard - - "--api.dashboard=true" - # define entrypoints - - "--entryPoints.http.address=:80" - - "--entryPoints.http.http.redirections.entryPoint.to=https" - - "--entryPoints.http.http.redirections.entryPoint.scheme=https" - - "--entryPoints.https.address=:443" - # docker provider (get configuration from container labels) - - "--providers.docker.endpoint=unix:///var/run/docker.sock" - - "--providers.docker.exposedByDefault=false" - # access log - - "--accessLog=true" - - "--accessLog.format=json" - - "--accessLog.fields.headers.names.X-Request-Id=keep" - ports: - - "80:80" - - "443:443" - volumes: - - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro" - - "certs:/certs" - labels: - - "traefik.enable=${TRAEFIK_DASHBOARD:-false}" - - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin - - "traefik.http.routers.traefik.entrypoints=https" - - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.opencloud.test}`)" - - "traefik.http.routers.traefik.middlewares=traefik-auth" - - "traefik.http.routers.traefik.tls.certresolver=http" - - "traefik.http.routers.traefik.service=api@internal" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - opencloud: - image: 
${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest} - networks: - opencloud-net: - entrypoint: - - /bin/sh - # run OpenCloud init to initialize a configuration file with random secrets - # it will fail on subsequent runs, because the config file already exists - # therefore we ignore the error and then start the OpenCloud server - command: ["-c", "opencloud init || true; opencloud server"] - environment: - # Keycloak IDP specific configuration - PROXY_AUTOPROVISION_ACCOUNTS: "true" - PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc" - OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud} - PROXY_OIDC_REWRITE_WELLKNOWN: "true" - WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web} - # general config - OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test} - OC_LOG_LEVEL: ${OC_LOG_LEVEL:-info} - OC_LOG_COLOR: "${OC_LOG_COLOR:-false}" - PROXY_TLS: "false" # do not use SSL between Traefik and OpenCloud - PROXY_USER_OIDC_CLAIM: "preferred_username" - PROXY_USER_CS3_CLAIM: "username" - # INSECURE: needed if OpenCloud / Traefik is using self generated certificates - OC_INSECURE: "${INSECURE:-false}" - OC_ADMIN_USER_ID: "" - OC_EXCLUDE_RUN_SERVICES: "idp" - GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" - GRAPH_USERNAME_MATCH: "none" - # password policies - OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt" - PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml - KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} - STORAGE_SYSTEM_DRIVER: "posix" - STORAGE_USERS_DRIVER: "posix" - STORAGE_USERS_ID_CACHE_STORE: "nats-js-kv" - volumes: - - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt - - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml - - opencloud-config:/etc/opencloud - - opencloud-data:/var/lib/opencloud - labels: - - "traefik.enable=true" - - "traefik.http.routers.opencloud.entrypoints=https" - - 
"traefik.http.routers.opencloud.rule=Host(`${OC_DOMAIN:-cloud.opencloud.test}`)" - - "traefik.http.routers.opencloud.tls.certresolver=http" - - "traefik.http.routers.opencloud.service=opencloud" - - "traefik.http.services.opencloud.loadbalancer.server.port=9200" - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - postgres: - image: postgres:alpine - networks: - opencloud-net: - volumes: - - keycloak_postgres_data:/var/lib/postgresql/data - environment: - POSTGRES_DB: keycloak - POSTGRES_USER: keycloak - POSTGRES_PASSWORD: keycloak - logging: - driver: ${LOG_DRIVER:-local} - restart: always - - keycloak: - image: quay.io/keycloak/keycloak:25.0.0 - networks: - opencloud-net: - command: ["start", "--proxy=edge", "--spi-connections-http-client-default-disable-trust-manager=${INSECURE:-false}", "--import-realm"] - entrypoint: ["/bin/sh", "/opt/keycloak/bin/docker-entrypoint-override.sh"] - volumes: - - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh" - - "./config/keycloak/opencloud-realm.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json" - environment: - OC_DOMAIN: ${OC_DOMAIN:-cloud.opencloud.test} - KC_HOSTNAME: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} - KC_DB: postgres - KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak" - KC_DB_USERNAME: keycloak - KC_DB_PASSWORD: keycloak - KC_FEATURES: impersonation - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN_USER:-admin} - KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin} - labels: - - "traefik.enable=true" - - "traefik.http.routers.keycloak.entrypoints=https" - - "traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}`)" - - "traefik.http.routers.keycloak.tls.certresolver=http" - - "traefik.http.routers.keycloak.service=keycloak" - - "traefik.http.services.keycloak.loadbalancer.server.port=8080" - depends_on: - - postgres - logging: - driver: ${LOG_DRIVER:-local} - restart: always - -volumes: - certs: - opencloud-config: 
- opencloud-data: - keycloak_postgres_data: - -networks: - opencloud-net: diff --git a/deployments/examples/opencloud_keycloak/monitoring_tracing/docker-compose-additions.yml b/deployments/examples/opencloud_keycloak/monitoring_tracing/docker-compose-additions.yml deleted file mode 100644 index 5070efef5f..0000000000 --- a/deployments/examples/opencloud_keycloak/monitoring_tracing/docker-compose-additions.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -version: "3.7" - -services: - opencloud: - environment: - # tracing - OC_TRACING_ENABLED: "true" - OC_TRACING_TYPE: "jaeger" - OC_TRACING_ENDPOINT: jaeger-agent:6831 - # metrics - # if OpenCloud runs as a single process, all /metrics endpoints - # will expose the same metrics, so it's sufficient to query one endpoint - PROXY_DEBUG_ADDR: 0.0.0.0:9205 - -networks: - opencloud-net: - external: true