Rahti2 config for Keycloak (#238)

keycloak/openshift/rahti2/Dockerfile

@@ -0,0 +1,58 @@
+#
+# Build container
+#
+FROM --platform=linux/amd64 quay.io/keycloak/keycloak:23.0.4 as builder
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+ENV KC_FEATURES=token-exchange
+ENV KC_DB=mssql
+
+# Install custom providers. Researchfi customization jar file should be added here.
+ADD --chown=keycloak:keycloak https://github.com/CSCfi/research-fi-mydata/raw/master/keycloak/custom/build_dependencies/researchfi.mapper-0.0.1-BETA.jar /opt/keycloak/providers/researchfi.mapper-0.0.1-BETA.jar
+RUN chmod a+r /opt/keycloak/providers/researchfi.mapper-0.0.1-BETA.jar
+
+RUN /opt/keycloak/bin/kc.sh build --transaction-xa-enabled=false
+
+
+
+
+#
+# Optimized container
+#
+FROM --platform=linux/amd64 quay.io/keycloak/keycloak:23.0.4
+
+# Enable SHA1 to prevent JDBC error with SQL Server: "Algorithm constraints check failed on signature algorithm SHA1withRSA"
+# https://github.com/keycloak/keycloak/issues/19185
+USER root
+RUN sed -i "s|MD2, SHA1, MD5|MD2, MD5 |g" /etc/crypto-policies/back-ends/java.config
+
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+WORKDIR /opt/keycloak
+
+# Database connection can be specified here, but it is better to provide it from container environment. For example, as a secret in OpenShift.
+# ENV KC_DB_URL=jdbc:sqlserver://myservername:1433;DatabaseName=mydatabasename;
+# ENV KC_DB_USERNAME=mydatabaseusername
+# ENV KC_DB_PASSWORD=mydatabasepassword
+
+# Environment variables KC_HOSTNAME_STRICT, KC_HOSTNAME_STRICT_HTTPS, KC_PROXY and HTTP_ADDRESS_FORWARDING are needed, so that Keycloak operate behing a reverse proxy.
+ENV KC_HOSTNAME_STRICT=false
+ENV KC_HOSTNAME_STRICT_HTTPS=false
+ENV KC_PROXY=edge
+ENV HTTP_ADDRESS_FORWARDING=true
+# Environment variable KC_LOG_GELF_LEVEL must be set to 'debug' in order to get Keycloak user events
+ENV KC_LOG_GELF_LEVEL=debug
+
+# Start the container in production mode.
+#
+# Enable backward compatibility in SAML metadata by start up parameter: keycloak.saml.deprecated.encryption=true.
+# NOTE! This will not work from Keycloak 24 onwards, Suomi.fi metadata must be updated according to:
+# https://www.keycloak.org/docs/latest/upgrading/index.html#saml-sp-metadata-changes
+#
+# Configure Keycloak log levels
+# - Set INFO as default
+# - Show Keycloak events in log. Included events are configured in Keycloak user interface. Log level must be DEBUG.
+#     - org.keycloak.events:DEBUG
+# - To reduce logging, set org.keycloak subcategories:
+#     - org.keycloak.events.jpa:ERROR
+#     - org.keycloak.broker:ERROR
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start",  "--optimized", "-Dkeycloak.saml.deprecated.encryption=true", "--log-level=INFO,org.keycloak.events:DEBUG,org.keycloak.events.jpa:ERROR,org.keycloak.broker:ERROR"]

keycloak/openshift/rahti2/README.md

@@ -0,0 +1,3 @@
+# OpenShift configuration for researchfi Keycloak
+
+This folder contains files for building and running Keyclock in Rahti 2 (OpenShift).

keycloak/openshift/rahti2/template-keycloak-devel.yml

@@ -0,0 +1,128 @@
+# This file is part of the research.fi service
+#
+# Copyright 2024 Ministry of Education and Culture, Finland
+#
+# :author: CSC - IT Center for Science Ltd., Espoo Finland [email protected]
+# :license: MIT
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  labels:
+    app: keycloak-devel
+    template: keycloak-devel
+  name: keycloak-devel
+  annotations:
+    description: "Research.fi Keycloak devel"
+objects:
+
+  # Service
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: keycloak-devel
+      labels:
+        app: keycloak-devel
+      annotations:
+        description: Research.fi Keycloak devel
+    spec:
+      ports:
+        - name: keycloak
+          port: 8080
+          targetPort: 8080
+      selector:
+        app: keycloak-devel
+
+  # Route
+  - apiVersion: route.openshift.io/v1
+    kind: Route
+    metadata:
+      name: keycloak-devel
+      labels:
+        app: keycloak-devel
+    spec:
+      host: keycloak-devel.2.rahtiapp.fi
+      to:
+        kind: Service
+        name: keycloak-devel
+        weight: 100
+      port:
+        targetPort: keycloak
+      tls:
+        termination: edge
+        insecureEdgeTerminationPolicy: Redirect
+      wildcardPolicy: None
+
+  # ImageStream
+  - apiVersion: image.openshift.io/v1
+    kind: ImageStream
+    metadata:
+      name: keycloak-devel
+      labels:
+        app: keycloak-devel
+
+  # BuildConfig using Docker build strategy
+  - apiVersion: build.openshift.io/v1
+    kind: BuildConfig
+    metadata:
+      name: keycloak-devel-build
+      labels:
+        app: keycloak-devel
+    spec:
+      source:
+        git:
+          uri: https://github.com/CSCfi/research-fi-mydata.git
+          ref: master
+        contextDir: .
+      strategy:
+        type: Docker
+        dockerStrategy:
+          dockerfilePath: keycloak/openshift/rahti2/Dockerfile
+      output:
+        to:
+          kind: ImageStreamTag
+          name: keycloak-devel:latest
+      successfulBuildsHistoryLimit: 2
+      failedBuildsHistoryLimit: 2
+
+  # Deployment config
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: keycloak-devel
+      labels:
+        app: keycloak-devel
+    spec:
+      selector:
+        matchLabels:
+          app: keycloak-devel
+      template:
+        metadata:
+          labels:
+            app: keycloak-devel
+        spec:
+          containers:
+            - name: keycloak-devel-container
+              image: image-registry.openshift-image-registry.svc:5000/researchfi-devel/keycloak-devel:latest
+              imagePullPolicy: Always
+              ports:
+                - containerPort: 8080
+                  protocol: TCP
+              resources:
+                limits:
+                  cpu: 1
+                  memory: 1Gi
+                requests:
+                  cpu: 250m
+                  memory: 256Mi
+      replicas: 1
+      triggers:
+        - type: ImageChange
+          imageChangeParams:
+            automatic: true
+            containerNames:
+              - keycloak-devel-container
+            from:
+              kind: ImageStreamTag
+              name: keycloak-devel:latest
+      strategy:
+        type: Recreate

keycloak/openshift/rahti2/template-keycloak-production.yml

@@ -0,0 +1,128 @@
+# This file is part of the research.fi service
+#
+# Copyright 2024 Ministry of Education and Culture, Finland
+#
+# :author: CSC - IT Center for Science Ltd., Espoo Finland [email protected]
+# :license: MIT
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  labels:
+    app: keycloak-production
+    template: keycloak-production
+  name: keycloak-production
+  annotations:
+    description: "Research.fi Keycloak production"
+objects:
+
+  # Service
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: keycloak-production
+      labels:
+        app: keycloak-production
+      annotations:
+        description: Research.fi Keycloak production
+    spec:
+      ports:
+        - name: keycloak
+          port: 8080
+          targetPort: 8080
+      selector:
+        app: keycloak-production
+
+  # Route
+  - apiVersion: route.openshift.io/v1
+    kind: Route
+    metadata:
+      name: keycloak-production
+      labels:
+        app: keycloak-production
+    spec:
+      host: researchfi-auth.2.rahtiapp.fi
+      to:
+        kind: Service
+        name: keycloak-production
+        weight: 100
+      port:
+        targetPort: keycloak
+      tls:
+        termination: edge
+        insecureEdgeTerminationPolicy: Redirect
+      wildcardPolicy: None
+
+  # ImageStream
+  - apiVersion: image.openshift.io/v1
+    kind: ImageStream
+    metadata:
+      name: keycloak-production
+      labels:
+        app: keycloak-production
+
+  # BuildConfig using Docker build strategy
+  - apiVersion: build.openshift.io/v1
+    kind: BuildConfig
+    metadata:
+      name: keycloak-production-build
+      labels:
+        app: keycloak-production
+    spec:
+      source:
+        git:
+          uri: https://github.com/CSCfi/research-fi-mydata.git
+          ref: master
+        contextDir: .
+      strategy:
+        type: Docker
+        dockerStrategy:
+          dockerfilePath: keycloak/openshift/rahti2/Dockerfile
+      output:
+        to:
+          kind: ImageStreamTag
+          name: keycloak-production:latest
+      successfulBuildsHistoryLimit: 2
+      failedBuildsHistoryLimit: 2
+
+  # Deployment config
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: keycloak-production
+      labels:
+        app: keycloak-production
+    spec:
+      selector:
+        matchLabels:
+          app: keycloak-production
+      template:
+        metadata:
+          labels:
+            app: keycloak-production
+        spec:
+          containers:
+            - name: keycloak-production-container
+              image: image-registry.openshift-image-registry.svc:5000/researchfi-production/keycloak-production:latest
+              imagePullPolicy: Always
+              ports:
+                - containerPort: 8080
+                  protocol: TCP
+              resources:
+                limits:
+                  cpu: 1
+                  memory: 1Gi
+                requests:
+                  cpu: 500m
+                  memory: 512Mi
+      replicas: 1
+      triggers:
+        - type: ImageChange
+          imageChangeParams:
+            automatic: true
+            containerNames:
+              - keycloak-production-container
+            from:
+              kind: ImageStreamTag
+              name: keycloak-production:latest
+      strategy:
+        type: Recreate