From 1bfb78a889870035e45d4164a0dbc9cfd6f8ed6b Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Mon, 7 Apr 2025 19:15:39 +0200 Subject: [PATCH 1/6] config: keycloack TLS ingesteld --- compose.production.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index e6f140d4..52a46a17 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -47,21 +47,25 @@ services: file: ./compose.yml service: idp # TODO Replace with proper production command - command: ['start-dev', '--http-port', '7080', '--https-port', '7443', '--import-realm'] + command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm'] networks: - dwengo-1 labels: - 'traefik.enable=true' - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)' - 'traefik.http.services.idp.loadbalancer.server.port=7080' + - "traefik.tcp.routers.idp.tls.passthrough=true" # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy + volumes: + - /etc/keycloak:/opt/keycloak/ env_file: - ./config/idp/.env environment: KC_HOSTNAME: 'sel2-1.ugent.be' PROXY_ADDRESS_FORWARDING: 'true' KC_PROXY_HEADERS: 'xforwarded' - KC_HTTP_ENABLED: 'true' KC_HTTP_RELATIVE_PATH: '/idp' + KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/cert.pem' + KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/key.pem' reverse-proxy: image: traefik:v3.3 From 50308b21d524ebcc15f66e49680c4775c3771941 Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Mon, 7 Apr 2025 19:58:26 +0200 Subject: [PATCH 2/6] fix: volume voor keys gefixed, anders wou docker niet starten --- compose.production.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 52a46a17..c933ac86 100644 --- a/compose.production.yml +++ b/compose.production.yml 
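Review bot: The added `traefik.tcp.routers.idp.tls.passthrough=true` label is a TCP-router option, while the router that actually serves `/idp` is the HTTP router defined two lines above it (`PathPrefix`), and a TCP router cannot match on an HTTP path, so on its own this label is unlikely to have any effect; at the same time, dropping `KC_HTTP_ENABLED: 'true'` disables Keycloak's plain HTTP listener in `start` mode, so the HTTP router that still targets `loadbalancer.server.port=7080` will have nothing to connect to. If end-to-end TLS is really wanted, the TCP router needs its own rule, entrypoint and service on the HTTPS port (`traefik.tcp.routers.idp.rule=HostSNI(\`sel2-1.ugent.be\`)`, `traefik.tcp.services.idp.loadbalancer.server.port=7443`) and path-based routing has to go; if terminating TLS at Traefik is acceptable — which `KC_PROXY_HEADERS: 'xforwarded'` already prepares for — keep `KC_HTTP_ENABLED: 'true'` and remove the passthrough label together with its comment, because Keycloak does support proxy termination in production mode, so the comment's premise is not accurate. The `# TODO Replace with proper production command` line above the new `start` command is now stale as well.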
@@ -56,7 +56,7 @@ services: - 'traefik.http.services.idp.loadbalancer.server.port=7080' - "traefik.tcp.routers.idp.tls.passthrough=true" # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy volumes: - - /etc/keycloak:/opt/keycloak/ + - /etc/keycloak:/keycloak env_file: - ./config/idp/.env environment: @@ -64,8 +64,8 @@ services: PROXY_ADDRESS_FORWARDING: 'true' KC_PROXY_HEADERS: 'xforwarded' KC_HTTP_RELATIVE_PATH: '/idp' - KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/cert.pem' - KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/key.pem' + KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' + KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' reverse-proxy: image: traefik:v3.3 From 64d530236f2555142853a2ad413b947e873c438d Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 11:16:16 +0200 Subject: [PATCH 3/6] config: keycloak overload prevention --- compose.production.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/compose.production.yml b/compose.production.yml index c933ac86..4968e791 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -66,6 +66,7 @@ services: KC_HTTP_RELATIVE_PATH: '/idp' KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' + KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests reverse-proxy: image: traefik:v3.3 From 4e87c8d8193890b4c0283800faa8245f699d492c Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 11:33:08 +0200 Subject: [PATCH 4/6] config: extra db toegevoegd voor keycloak --- compose.production.yml | 21 +++++++++++++++++++++ compose.yml | 2 -- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 4968e791..6b767181 100644 --- a/compose.production.yml +++ b/compose.production.yml 
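Review bot: The host directory that holds the TLS private key is bind-mounted read-write on the `- /etc/keycloak:/keycloak` line, although Keycloak only reads the certificate and key; mount it read-only, `- /etc/keycloak:/keycloak:ro`, so a compromised container cannot alter or replace the key material. The host permissions on `key.pem` also need to allow the (presumably non-root) user the Keycloak image runs as to read it — a too-restrictive mode only shows up as a startup failure at deploy time, so a one-line comment on the volume entry stating that requirement would help. The second hunk of this patch merely follows the path change and needs nothing further.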
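Review bot: `KC_HTTP_MAX_QUEUED_REQUESTS: 30` is the only unquoted scalar in this `environment:` block, where every other value is a quoted string; write `KC_HTTP_MAX_QUEUED_REQUESTS: '30'` for consistency (Compose passes it as a string either way). Note also that this option does not make excess requests wait — once the queue limit is reached, further requests are rejected with a 503 rather than delayed, so 30 is an aggressive cap for a login service behind a proxy and the comment should say so, e.g. `# Requests beyond this queue depth are rejected (503) instead of waiting, to shed load`.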
@@ -42,6 +42,20 @@ services: networks: - dwengo-1 + keycloak-db: + image: postgres:latest + ports: + - '5441:5442' # Port numbers 10 higher than normal postgres ports + restart: unless-stopped + volumes: + - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak + environment: + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: ChangeMe + POSTGRES_DB: keycloak + networks: + - dwengo-1 + idp: extends: file: ./compose.yml @@ -50,6 +64,8 @@ services: command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm'] networks: - dwengo-1 + depends_on: + - keycloak-db labels: - 'traefik.enable=true' - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)' @@ -67,6 +83,10 @@ services: KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests + KC_DB: 'postgres' + KC_DB_USERNAME: 'keycloak' + KC_DB_PASSWORD: 'ChangeMe' + KC_DB_URL: 'jdbc:postgresql://keycloak-db/keycloak' reverse-proxy: image: traefik:v3.3 @@ -126,6 +146,7 @@ volumes: dwengo_grafana_data: dwengo_letsencrypt: dwengo_loki_data: + dwengo_postgres_keycloak: networks: dwengo-1: diff --git a/compose.yml b/compose.yml index 9435f6f8..246a35ad 100644 --- a/compose.yml +++ b/compose.yml @@ -25,8 +25,6 @@ services: restart: unless-stopped volumes: - ./config/idp:/opt/keycloak/data/import - depends_on: - - db environment: KC_HOSTNAME: localhost KC_HOSTNAME_PORT: 7080 From c7ab7817bc518f26de2620bdd0086c38dfd6ed06 Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 17:32:44 +0200 Subject: [PATCH 5/6] config: KC_DB_URL poort toegevoegd --- compose.production.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.production.yml b/compose.production.yml index 6b767181..9c9a1700 100644 --- a/compose.production.yml +++ b/compose.production.yml 
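Review bot: The new `keycloak-db` service ships a hard-coded placeholder credential, `POSTGRES_PASSWORD: ChangeMe`, and the third hunk of this patch repeats it as `KC_DB_PASSWORD: 'ChangeMe'` in the idp environment; a committed compose file is the wrong place for a database password, and nothing in the file ensures it is actually changed before deployment. The `idp` service already loads `./config/idp/.env` through `env_file`, so both sides can take the value from an env file or a Docker secret (`POSTGRES_PASSWORD_FILE` is supported by the postgres image) instead. Publishing the database on the host via `ports:` is unnecessary, because `idp` reaches it over the `dwengo-1` network by service name (the mapping is adjusted again in patch 6/6 but remains published), and `image: postgres:latest` is unpinned while the rest of the file pins images (`traefik:v3.3`). Finally, the named volume is mounted at `/var/lib/postgresql/keycloak`, but the official image writes its cluster to `PGDATA`, which defaults to `/var/lib/postgresql/data`, so unless `PGDATA` is set to match, the data will not survive recreation of the container.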
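Review bot: The short `depends_on` form added here only orders container start; Keycloak opens its JDBC connection immediately on boot and exits if the database is not yet accepting connections, so on a cold start `idp` can race the Postgres initialisation. Use the long form, `depends_on:` / `  keycloak-db:` / `    condition: service_healthy`, and give the `keycloak-db` service a `healthcheck` that runs `pg_isready -U keycloak -d keycloak`, so the dependency waits until the database is actually ready. The enclosing `idp` service definition starts and ends outside this hunk.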
@@ -86,7 +86,7 @@ services: KC_DB: 'postgres' KC_DB_USERNAME: 'keycloak' KC_DB_PASSWORD: 'ChangeMe' - KC_DB_URL: 'jdbc:postgresql://keycloak-db/keycloak' + KC_DB_URL: 'jdbc:postgresql://keycloak-db:5442/keycloak' reverse-proxy: image: traefik:v3.3 From a2ec9ef7387d537bacf1ebb9c3e34607e6b8dcbf Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 18:02:38 +0200 Subject: [PATCH 6/6] config: keycloak-db ports goed gezet --- compose.production.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 9c9a1700..6c1c265b 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -45,7 +45,7 @@ services: keycloak-db: image: postgres:latest ports: - - '5441:5442' # Port numbers 10 higher than normal postgres ports + - '5442:5432' # Port numbers 10 higher than normal postgres ports restart: unless-stopped volumes: - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak @@ -53,6 +53,7 @@ services: POSTGRES_USER: keycloak POSTGRES_PASSWORD: ChangeMe POSTGRES_DB: keycloak + networks: - dwengo-1 @@ -86,7 +87,7 @@ services: KC_DB: 'postgres' KC_DB_USERNAME: 'keycloak' KC_DB_PASSWORD: 'ChangeMe' - KC_DB_URL: 'jdbc:postgresql://keycloak-db:5442/keycloak' + KC_DB_URL: 'jdbc:postgresql://keycloak-db:5432/keycloak' reverse-proxy: image: traefik:v3.3
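Review bot: The comment on the changed `ports` line no longer describes the mapping: only the host side (5442) is shifted by ten, the container side is the default 5432 — which is exactly why the last hunk of this patch also moves `KC_DB_URL` to `:5432`. Rewrite it as `# host 5442 -> container 5432 (default); idp connects in-network on 5432` or drop it. If the host publication is kept for local administration, bind it to loopback, `- '127.0.0.1:5442:5432'`, so the database is not reachable from the network on a host-published port.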