From 1bfb78a889870035e45d4164a0dbc9cfd6f8ed6b Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Mon, 7 Apr 2025 19:15:39 +0200 Subject: [PATCH 1/9] config: keycloack TLS ingesteld --- compose.production.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index e6f140d4..52a46a17 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -47,21 +47,25 @@ services: file: ./compose.yml service: idp # TODO Replace with proper production command - command: ['start-dev', '--http-port', '7080', '--https-port', '7443', '--import-realm'] + command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm'] networks: - dwengo-1 labels: - 'traefik.enable=true' - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)' - 'traefik.http.services.idp.loadbalancer.server.port=7080' + - "traefik.tcp.routers.idp.tls.passthrough=true" # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy + volumes: + - /etc/keycloak:/opt/keycloak/ env_file: - ./config/idp/.env environment: KC_HOSTNAME: 'sel2-1.ugent.be' PROXY_ADDRESS_FORWARDING: 'true' KC_PROXY_HEADERS: 'xforwarded' - KC_HTTP_ENABLED: 'true' KC_HTTP_RELATIVE_PATH: '/idp' + KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/cert.pem' + KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/key.pem' reverse-proxy: image: traefik:v3.3 From 50308b21d524ebcc15f66e49680c4775c3771941 Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Mon, 7 Apr 2025 19:58:26 +0200 Subject: [PATCH 2/9] fix: volume voor keys gefixed, anders wou docker niet starten --- compose.production.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 52a46a17..c933ac86 100644 --- a/compose.production.yml +++ b/compose.production.yml 
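Review bot: The added `traefik.tcp.routers.idp.tls.passthrough=true` label does not appear to produce a working route on its own: no TCP router rule, entrypoint or `traefik.tcp.services.idp.loadbalancer.server.port` is declared for `idp`, while the existing HTTP router still sends traffic to `loadbalancer.server.port=7080`, and with `KC_HTTP_ENABLED` removed Keycloak in `start` mode only listens on the HTTPS port 7443, so proxied requests land on a port that is closed. Either keep HTTP enabled behind Traefik (terminating TLS at the reverse proxy; `KC_PROXY_HEADERS: 'xforwarded'` is already set for that) or declare a complete TCP router (`traefik.tcp.routers.idp.rule=HostSNI(...)`, an entrypoint and a TCP service pointing at 7443) — mixing the two leaves the IdP unreachable. The new label also uses double quotes where every neighbouring label uses single quotes; `- 'traefik.tcp.routers.idp.tls.passthrough=true'` keeps the file consistent.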
@@ -56,7 +56,7 @@ services: - 'traefik.http.services.idp.loadbalancer.server.port=7080' - "traefik.tcp.routers.idp.tls.passthrough=true" # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy volumes: - - /etc/keycloak:/opt/keycloak/ + - /etc/keycloak:/keycloak env_file: - ./config/idp/.env environment: @@ -64,8 +64,8 @@ services: PROXY_ADDRESS_FORWARDING: 'true' KC_PROXY_HEADERS: 'xforwarded' KC_HTTP_RELATIVE_PATH: '/idp' - KC_HTTPS_CERTIFICATE_FILE: '/opt/keycloak/cert.pem' - KC_HTTPS_CERTIFICATE_KEY_FILE: '/opt/keycloak/key.pem' + KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' + KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' reverse-proxy: image: traefik:v3.3 From 64d530236f2555142853a2ad413b947e873c438d Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 11:16:16 +0200 Subject: [PATCH 3/9] config: keycloak overload prevention --- compose.production.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/compose.production.yml b/compose.production.yml index c933ac86..4968e791 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -66,6 +66,7 @@ services: KC_HTTP_RELATIVE_PATH: '/idp' KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' + KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests reverse-proxy: image: traefik:v3.3 From 4e87c8d8193890b4c0283800faa8245f699d492c Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 11:33:08 +0200 Subject: [PATCH 4/9] config: extra db toegevoegd voor keycloak --- compose.production.yml | 21 +++++++++++++++++++++ compose.yml | 2 -- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 4968e791..6b767181 100644 --- a/compose.production.yml +++ b/compose.production.yml 
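Review bot: The bind mount that now carries the TLS private key is read-write, so anything running as the Keycloak process could alter or replace `key.pem` on the host; `- /etc/keycloak:/keycloak:ro` gives the container only the read access it needs. The host-side permissions on `key.pem` must still let the container's non-root Keycloak user read it — presumably uid 1000 in the official image, verify against the image used in compose.yml.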
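Review bot: `KC_HTTP_MAX_QUEUED_REQUESTS: 30` is the only unquoted value in this `environment:` map, where every other entry is a single-quoted string; `KC_HTTP_MAX_QUEUED_REQUESTS: '30'` keeps the style uniform and avoids relying on compose's number-to-string coercion. A queue of 30 is small for a login service behind a reverse proxy — requests beyond the limit are rejected by Keycloak rather than waited on, according to the option's description — so the comment should record how the figure was chosen, e.g. `# Shed load above 30 queued requests; sized for <expected concurrent logins — TODO confirm>`.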
@@ -42,6 +42,20 @@ services: networks: - dwengo-1 + keycloak-db: + image: postgres:latest + ports: + - '5441:5442' # Port numbers 10 higher than normal postgres ports + restart: unless-stopped + volumes: + - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak + environment: + POSTGRES_USER: keycloak + POSTGRES_PASSWORD: ChangeMe + POSTGRES_DB: keycloak + networks: + - dwengo-1 + idp: extends: file: ./compose.yml @@ -50,6 +64,8 @@ services: command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm'] networks: - dwengo-1 + depends_on: + - keycloak-db labels: - 'traefik.enable=true' - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)' @@ -67,6 +83,10 @@ services: KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests + KC_DB: 'postgres' + KC_DB_USERNAME: 'keycloak' + KC_DB_PASSWORD: 'ChangeMe' + KC_DB_URL: 'jdbc:postgresql://keycloak-db/keycloak' reverse-proxy: image: traefik:v3.3 @@ -126,6 +146,7 @@ volumes: dwengo_grafana_data: dwengo_letsencrypt: dwengo_loki_data: + dwengo_postgres_keycloak: networks: dwengo-1: diff --git a/compose.yml b/compose.yml index 9435f6f8..246a35ad 100644 --- a/compose.yml +++ b/compose.yml @@ -25,8 +25,6 @@ services: restart: unless-stopped volumes: - ./config/idp:/opt/keycloak/data/import - depends_on: - - db environment: KC_HOSTNAME: localhost KC_HOSTNAME_PORT: 7080 From c7ab7817bc518f26de2620bdd0086c38dfd6ed06 Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 17:32:44 +0200 Subject: [PATCH 5/9] config: KC_DB_URL poort toegevoegd --- compose.production.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose.production.yml b/compose.production.yml index 6b767181..9c9a1700 100644 --- a/compose.production.yml +++ b/compose.production.yml 
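Review bot: `POSTGRES_PASSWORD: ChangeMe` commits the Keycloak database credential to version control, and the same literal is repeated as `KC_DB_PASSWORD` in the third hunk of this file; the `idp` service already loads `./config/idp/.env`, so the value belongs in an untracked env file and the compose file should reference it, e.g. `POSTGRES_PASSWORD: '${KEYCLOAK_DB_PASSWORD}'` and `KC_DB_PASSWORD: '${KEYCLOAK_DB_PASSWORD}'`. The `ports:` block publishes the database on the host's interfaces, which nothing in this compose file needs because `idp` reaches it over the `dwengo-1` network via `jdbc:postgresql://keycloak-db/...`; drop `ports:` or at least bind it to loopback (`'127.0.0.1:5442:5432'`). The named volume is mounted at `/var/lib/postgresql/keycloak`, which is not where the official postgres image writes its cluster (`/var/lib/postgresql/data` unless `PGDATA` is set), so the data would land in an anonymous volume and be lost on recreate — mount `dwengo_postgres_keycloak:/var/lib/postgresql/data` or set `PGDATA` to match. `image: postgres:latest` should be pinned to a major version, since a major-version jump on the next pull cannot open an existing data directory.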
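Review bot: The short form `depends_on: - keycloak-db` only orders container creation, so Keycloak can attempt its JDBC connection before Postgres accepts connections and fail its own startup (Keycloak aborts in `start` mode when the database is unreachable, as far as I can tell — verify). Add a readiness healthcheck to `keycloak-db` and use the long form with `condition: service_healthy` on `idp`, as below; the `keycloak-db` healthcheck belongs in the service block added by the first hunk of this file.

```yaml
  keycloak-db:
    # … unchanged: image, ports, restart, volumes, environment, networks …
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U keycloak -d keycloak']
      interval: 10s
      timeout: 5s
      retries: 5

  idp:
    # … unchanged: extends, command, networks …
    depends_on:
      keycloak-db:
        condition: service_healthy
```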
@@ -86,7 +86,7 @@ services: KC_DB: 'postgres' KC_DB_USERNAME: 'keycloak' KC_DB_PASSWORD: 'ChangeMe' - KC_DB_URL: 'jdbc:postgresql://keycloak-db/keycloak' + KC_DB_URL: 'jdbc:postgresql://keycloak-db:5442/keycloak' reverse-proxy: image: traefik:v3.3 From a2ec9ef7387d537bacf1ebb9c3e34607e6b8dcbf Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Tue, 8 Apr 2025 18:02:38 +0200 Subject: [PATCH 6/9] config: keycloak-db ports goed gezet --- compose.production.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 9c9a1700..6c1c265b 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -45,7 +45,7 @@ services: keycloak-db: image: postgres:latest ports: - - '5441:5442' # Port numbers 10 higher than normal postgres ports + - '5442:5432' # Port numbers 10 higher than normal postgres ports restart: unless-stopped volumes: - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak @@ -53,6 +53,7 @@ services: POSTGRES_USER: keycloak POSTGRES_PASSWORD: ChangeMe POSTGRES_DB: keycloak + networks: - dwengo-1 @@ -86,7 +87,7 @@ services: KC_DB: 'postgres' KC_DB_USERNAME: 'keycloak' KC_DB_PASSWORD: 'ChangeMe' - KC_DB_URL: 'jdbc:postgresql://keycloak-db:5442/keycloak' + KC_DB_URL: 'jdbc:postgresql://keycloak-db:5432/keycloak' reverse-proxy: image: traefik:v3.3 From fa51285c5a7975d19e81df14af7add802bd750ad Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Fri, 25 Apr 2025 00:03:55 +0200 Subject: [PATCH 7/9] fix: compose werkt nu --- compose.production.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index e8fd9ef1..6a2e93a3 100644 --- a/compose.production.yml +++ b/compose.production.yml 
@@ -45,7 +45,7 @@ services: keycloak-db: image: postgres:latest ports: - - '5442:5432' # Port numbers 10 higher than normal postgres ports + - '5442:5432' # Port number 10 higher than normal postgres ports restart: unless-stopped volumes: - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak @@ -53,7 +53,6 @@ services: POSTGRES_USER: keycloak POSTGRES_PASSWORD: ChangeMe POSTGRES_DB: keycloak - networks: - dwengo-1 @@ -61,19 +60,17 @@ services: extends: file: ./compose.yml service: idp - # TODO Replace with proper production command command: ['start', '--http-port', '7080', '--https-port', '7443', '--import-realm'] networks: - dwengo-1 - depends_on: - - keycloak-db labels: - 'traefik.enable=true' - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)' - 'traefik.http.services.idp.loadbalancer.server.port=7080' - 'traefik.http.routers.block-admin.rule=PathPrefix(`/idp/admin`)' - 'traefik.http.routers.block-admin.service=web' - - "traefik.tcp.routers.idp.tls.passthrough=true" # Keycloak expects TLS in production mode, so it can't be terminated by the reverse proxy + depends_on: + - keycloak-db volumes: - /etc/keycloak:/keycloak env_file: @@ -82,6 +79,7 @@ services: KC_HOSTNAME: 'sel2-1.ugent.be' PROXY_ADDRESS_FORWARDING: 'true' KC_PROXY_HEADERS: 'xforwarded' + KC_HTTP_ENABLED: 'true' KC_HTTP_RELATIVE_PATH: '/idp' KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' @@ -152,4 +150,4 @@ volumes: dwengo_postgres_keycloak: networks: - dwengo-1: + dwengo-1: \ No newline at end of file From e602a83070d5953e06b88a26bd3075a4c5428beb Mon Sep 17 00:00:00 2001 From: Timo De Meyst Date: Fri, 25 Apr 2025 00:05:53 +0200 Subject: [PATCH 8/9] deployment: deployment workflow kopieert juiste env files --- .github/workflows/deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index ced4e178..f29e69e8 100644 --- a/.github/workflows/deployment.yml 
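Review bot: After this commit Traefik terminates TLS and forwards plain HTTP to 7080 (the passthrough label is removed in the third hunk and `KC_HTTP_ENABLED: 'true'` returns in the fourth), yet `KC_HTTPS_CERTIFICATE_FILE`, `KC_HTTPS_CERTIFICATE_KEY_FILE` and the `/etc/keycloak:/keycloak` mount remain, so the private key is mounted into a container whose HTTPS listener nothing routes to; either drop those three lines and the mount, or add a comment stating why the 7443 listener is kept. With `KC_PROXY_HEADERS: 'xforwarded'` Keycloak trusts `X-Forwarded-*` headers from any client that can reach 7080, which is safe only while that port stays reachable solely from the `dwengo-1` network — compose.yml is not in this hunk, so confirm it does not publish 7080 on the host, and note that constraint in a comment next to `KC_HTTP_ENABLED`. The `idp` service continues past the end of the fourth hunk.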
+++ b/.github/workflows/deployment.yml @@ -15,7 +15,7 @@ jobs: uses: actions/checkout@v4 - name: Copy environment variables to correct file - run: cp /home/dev/.backend.env backend/.env + run: cp /home/dev/.backend.env backend/.env && cp /home/dev/.idp.env config/idp/.env - name: Start docker run: docker compose -f compose.yml -f compose.production.yml up --build -d From 3e5399e0264be0627fc4614daf42dcf4f5d6913c Mon Sep 17 00:00:00 2001 From: Lint Action Date: Thu, 24 Apr 2025 22:10:17 +0000 Subject: [PATCH 9/9] style: fix linting issues met Prettier --- compose.production.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/compose.production.yml b/compose.production.yml index 6a2e93a3..65dc199b 100644 --- a/compose.production.yml +++ b/compose.production.yml @@ -45,7 +45,7 @@ services: keycloak-db: image: postgres:latest ports: - - '5442:5432' # Port number 10 higher than normal postgres ports + - '5442:5432' # Port number 10 higher than normal postgres ports restart: unless-stopped volumes: - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak @@ -83,7 +83,7 @@ services: KC_HTTP_RELATIVE_PATH: '/idp' KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem' KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem' - KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests + KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests KC_DB: 'postgres' KC_DB_USERNAME: 'keycloak' KC_DB_PASSWORD: 'ChangeMe' @@ -150,4 +150,4 @@ volumes: dwengo_postgres_keycloak: networks: - dwengo-1: \ No newline at end of file + dwengo-1:
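Review bot: The second `cp` places the IdP secrets at `config/idp/.env`, inside the directory that compose.yml bind-mounts into the Keycloak container as `/opt/keycloak/data/import` (visible as context in the compose.yml hunk of patch 4), so the env file is readable from inside the container in addition to being consumed as `env_file`; keep it outside the import directory (e.g. `config/.idp.env`, with `env_file` updated to match) or document that exposing it there is intended. Also confirm that `config/idp/.env` is git-ignored so the deployment checkout can never commit it — not verifiable from this diff. Stylistically the chained command reads better as a block scalar: `run: |` followed by `cp /home/dev/.backend.env backend/.env` and `cp /home/dev/.idp.env config/idp/.env` on their own lines, which also makes each copy fail the step on its own.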