From 9a3b2f9cb310338660d41ed2d6ab8b3a9733f278 Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Wed, 25 Oct 2023 14:48:50 +0200 Subject: [PATCH 01/12] keycloak server working with http --- deployment/commons/sso/keycloak/entrypoint/run-keycloak | 6 ++++-- deployment/docker/compose/sso/docker-compose.keycloak.yml | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/deployment/commons/sso/keycloak/entrypoint/run-keycloak b/deployment/commons/sso/keycloak/entrypoint/run-keycloak index 4db9805a3f8..5d2d5cb18c6 100755 --- a/deployment/commons/sso/keycloak/entrypoint/run-keycloak +++ b/deployment/commons/sso/keycloak/entrypoint/run-keycloak @@ -15,6 +15,8 @@ set -e +export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:="localhost"}" + if [ ! -f /opt/keycloak/first-run ]; then REALM_NAME="kapua" KC_PORT="9090" @@ -30,7 +32,7 @@ if [ ! -f /opt/keycloak/first-run ]; then # # Start and wait Keycloak echo "Starting Keycloak..." - KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --http-port=$KC_PORT & + KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --hostname=$KEYCLOAK_HOST_NAME --hostname-strict-https=false --http-enabled=true --http-port=$KC_PORT & while ! curl -sf $KC_URL > /dev/null; do echo "Waiting for keycloak to come up..." @@ -160,5 +162,5 @@ EOF fi echo "Starting Keycloak!" -exec /opt/keycloak/bin/kc.sh start --http-port=$KC_PORT $@ +exec /opt/keycloak/bin/kc.sh start --hostname=$KEYCLOAK_HOST_NAME --hostname-strict-https=false --http-enabled=true --http-port=$KC_PORT $@ exit $? diff --git a/deployment/docker/compose/sso/docker-compose.keycloak.yml b/deployment/docker/compose/sso/docker-compose.keycloak.yml index 6ff3eca39aa..1068ab96c91 100644 --- a/deployment/docker/compose/sso/docker-compose.keycloak.yml +++ b/deployment/docker/compose/sso/docker-compose.keycloak.yml 
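Review bot: The bootstrap start `kc.sh start ... --http-enabled=true --http-port=$KC_PORT &` listens on every interface while the realm is still being configured, and the compose file in this series publishes `${KEYCLOAK_PORT_HTTP}:9090`, so the admin console with the `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` bootstrap credentials is reachable from the network in plaintext during that window. Since the wait loop only polls `http://localhost:$KC_PORT`, bind the bootstrap instance to loopback by adding `--http-host=127.0.0.1` to this command (Keycloak's `http-host` option; confirm it is available in the image's Keycloak version). The variables in the command are unquoted; `--hostname="$KEYCLOAK_HOST_NAME" --http-port="$KC_PORT"` keeps them intact if a value ever contains whitespace. The first-run block continues outside the hunk.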
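Review bot: The final `exec ... start --hostname-strict-https=false --http-enabled=true --http-port=$KC_PORT $@` runs Keycloak in production mode (`start`) with the HTTPS requirement switched off, so every OpenID login, token and admin session for the realm crosses the network in plaintext; the commit message says HTTP-only is the intended step, so at minimum make it visible, e.g. `echo "WARNING: Keycloak is serving HTTP without TLS; do not use outside local testing" >&2` before the exec. `$@` should be `"$@"` so an extra argument containing spaces is not split into several options. The `exit $?` after `exec` is unreachable (exec replaces the shell) and can be dropped.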
@@ -14,3 +14,5 @@ services: - KEYCLOAK_ADMIN_USER - KEYCLOAK_USER=admin - KEYCLOAK_PASSWORD=admin + - KEYCLOAK_HOST_NAME + From b9a5a1ee6d55dfe3fab464945da1fef8e7481f5e Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Wed, 25 Oct 2023 14:49:31 +0200 Subject: [PATCH 02/12] fix to keycloack compose file path to certificates directory used in volumes mapping --- deployment/docker/compose/sso/docker-compose.keycloak.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/docker/compose/sso/docker-compose.keycloak.yml b/deployment/docker/compose/sso/docker-compose.keycloak.yml index 1068ab96c91..51ca8472589 100644 --- a/deployment/docker/compose/sso/docker-compose.keycloak.yml +++ b/deployment/docker/compose/sso/docker-compose.keycloak.yml @@ -8,7 +8,7 @@ services: - "${KEYCLOAK_PORT_HTTP}:9090" - "${KEYCLOAK_PORT_HTTPS}:8443" volumes: - - "../../target/compose/sso/certs:/etc/x509/https" + - "../target/compose/sso/certs:/etc/x509/https" environment: - KAPUA_CONSOLE_URL - KEYCLOAK_ADMIN_USER From 30bca2dabb2b8b7ff5257b561a97f7909fe6b6fa Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Wed, 25 Oct 2023 15:39:45 +0200 Subject: [PATCH 03/12] added ssl to keycloak server with default self-signed cert --- deployment/commons/sso/keycloak/entrypoint/run-keycloak | 6 ++++-- deployment/docker/compose/sso/docker-compose.keycloak.yml | 3 +++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/deployment/commons/sso/keycloak/entrypoint/run-keycloak b/deployment/commons/sso/keycloak/entrypoint/run-keycloak index 5d2d5cb18c6..5abae42d01f 100755 --- a/deployment/commons/sso/keycloak/entrypoint/run-keycloak +++ b/deployment/commons/sso/keycloak/entrypoint/run-keycloak 
@@ -16,6 +16,8 @@ set -e export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:="localhost"}" +export KEYCLOAK_CERT_FILE="${KEYCLOAK_CERT_FILE:="etc/x509/https/tls.crt"}" +export KEYCLOAK_KEY_FILE="${KEYCLOAK_KEY_FILE:="etc/x509/https/tls.key"}" if [ ! -f /opt/keycloak/first-run ]; then REALM_NAME="kapua" @@ -32,7 +34,7 @@ if [ ! -f /opt/keycloak/first-run ]; then # # Start and wait Keycloak echo "Starting Keycloak..." - KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --hostname=$KEYCLOAK_HOST_NAME --hostname-strict-https=false --http-enabled=true --http-port=$KC_PORT & + KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KC_PORT" & while ! curl -sf $KC_URL > /dev/null; do echo "Waiting for keycloak to come up..." @@ -162,5 +164,5 @@ EOF fi echo "Starting Keycloak!" -exec /opt/keycloak/bin/kc.sh start --hostname=$KEYCLOAK_HOST_NAME --hostname-strict-https=false --http-enabled=true --http-port=$KC_PORT $@ +exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-port="$KEYCLOAK_PORT_HTTPS" --https-certificate-file="$KEYCLOAK_CERT_FILE" --https-certificate-key-file="$KEYCLOAK_KEY_FILE" $@ #hostnameport needed because we redirect the ssl port with the docker proxy exit $? diff --git a/deployment/docker/compose/sso/docker-compose.keycloak.yml b/deployment/docker/compose/sso/docker-compose.keycloak.yml index 51ca8472589..71ebe47dcc2 100644 --- a/deployment/docker/compose/sso/docker-compose.keycloak.yml +++ b/deployment/docker/compose/sso/docker-compose.keycloak.yml @@ -15,4 +15,7 @@ services: - KEYCLOAK_USER=admin - KEYCLOAK_PASSWORD=admin - KEYCLOAK_HOST_NAME + - KEYCLOAK_PORT_HTTPS + - KEYCLOAK_CERT_FILE + - KEYCLOAK_KEY_FILE From 6575af575bde73eb340ec7d71584a87cd3403140 Mon Sep 17 00:00:00 2001 
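Review bot: The new defaults `etc/x509/https/tls.crt` and `etc/x509/https/tls.key` are relative paths, while the compose file mounts the certificates at the absolute `/etc/x509/https`; unless Keycloak resolves them against `/`, `--https-certificate-file` in the final `exec` points at a non-existent file and the TLS start fails only at runtime. Use `/etc/x509/https/tls.crt` and `/etc/x509/https/tls.key`, and fail early before the `exec` with `[ -r "$KEYCLOAK_CERT_FILE" ] && [ -r "$KEYCLOAK_KEY_FILE" ] || { echo "TLS cert/key not readable" >&2; exit 1; }`. `KEYCLOAK_PORT_HTTPS` is read by `--hostname-port` but has no default or `:?` check in this script, so an unset value silently passes an empty port. `$@` remains unquoted and the trailing `exit $?` after `exec` is dead code.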
From: "angelo.andreussi" Date: Thu, 26 Oct 2023 10:39:51 +0200 Subject: [PATCH 04/12] usage of env variables set in sso common file in keycloak run script --- .../commons/sso/keycloak/entrypoint/run-keycloak | 14 ++++++-------- .../docker/compose/sso/docker-compose.keycloak.yml | 5 +++-- deployment/docker/unix/sso/docker-common-sso.sh | 5 +++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/deployment/commons/sso/keycloak/entrypoint/run-keycloak b/deployment/commons/sso/keycloak/entrypoint/run-keycloak index 5abae42d01f..55749edca35 100755 --- a/deployment/commons/sso/keycloak/entrypoint/run-keycloak +++ b/deployment/commons/sso/keycloak/entrypoint/run-keycloak @@ -15,14 +15,12 @@ set -e -export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:="localhost"}" -export KEYCLOAK_CERT_FILE="${KEYCLOAK_CERT_FILE:="etc/x509/https/tls.crt"}" -export KEYCLOAK_KEY_FILE="${KEYCLOAK_KEY_FILE:="etc/x509/https/tls.key"}" +KEYCLOAK_CERT_FILE="etc/x509/https/${SSO_CERT_FILE}" +KEYCLOAK_KEY_FILE="etc/x509/https/${SSO_KEY_FILE}" if [ ! -f /opt/keycloak/first-run ]; then REALM_NAME="kapua" - KC_PORT="9090" - KC_URL="http://localhost:$KC_PORT" + KC_URL="http://localhost:$KEYCLOAK_PORT_HTTP" KC=/opt/keycloak/bin/kcadm.sh echo "Kapua Keycloak Configuration:" @@ -33,8 +31,8 @@ if [ ! -f /opt/keycloak/first-run ]; then # # Start and wait Keycloak - echo "Starting Keycloak..." - KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KC_PORT" & + echo "Starting Keycloak without TLS for first configuration..." + KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KEYCLOAK_PORT_HTTP" & while ! curl -sf $KC_URL > /dev/null; do echo "Waiting for keycloak to come up..." 
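Review bot: `KEYCLOAK_CERT_FILE="etc/x509/https/${SSO_CERT_FILE}"` and the `KEYCLOAK_KEY_FILE` line below it drop the previous defaults, but the script only sets `set -e`, not `set -u`, so if `SSO_CERT_FILE`, `SSO_KEY_FILE` or `KEYCLOAK_PORT_HTTP` is not exported into the container the paths collapse to the directory `etc/x509/https/` and `KC_URL` to `http://localhost:` with no error until Keycloak or curl fails. Guard them at the top of the script: `: "${SSO_CERT_FILE:?SSO_CERT_FILE must be set}"`, `: "${SSO_KEY_FILE:?SSO_KEY_FILE must be set}"`, `: "${KEYCLOAK_PORT_HTTP:?KEYCLOAK_PORT_HTTP must be set}"`. The paths are still relative to the working directory while the volume is mounted at `/etc/x509/https`; a leading slash removes that dependency. The rest of the first-run block lies outside the hunk.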
@@ -163,6 +161,6 @@ EOF echo "" fi -echo "Starting Keycloak!" +echo "Starting Keycloak with TLS in production mode!" exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-port="$KEYCLOAK_PORT_HTTPS" --https-certificate-file="$KEYCLOAK_CERT_FILE" --https-certificate-key-file="$KEYCLOAK_KEY_FILE" $@ #hostnameport needed because we redirect the ssl port with the docker proxy exit $? diff --git a/deployment/docker/compose/sso/docker-compose.keycloak.yml b/deployment/docker/compose/sso/docker-compose.keycloak.yml index 71ebe47dcc2..095e2235da5 100644 --- a/deployment/docker/compose/sso/docker-compose.keycloak.yml +++ b/deployment/docker/compose/sso/docker-compose.keycloak.yml @@ -15,7 +15,8 @@ services: - KEYCLOAK_USER=admin - KEYCLOAK_PASSWORD=admin - KEYCLOAK_HOST_NAME + - KEYCLOAK_PORT_HTTP - KEYCLOAK_PORT_HTTPS - - KEYCLOAK_CERT_FILE - - KEYCLOAK_KEY_FILE + - SSO_CERT_FILE + - SSO_KEY_FILE diff --git a/deployment/docker/unix/sso/docker-common-sso.sh b/deployment/docker/unix/sso/docker-common-sso.sh index 456cd0a7d51..cc9a4bc73f9 100755 --- a/deployment/docker/unix/sso/docker-common-sso.sh +++ b/deployment/docker/unix/sso/docker-common-sso.sh @@ -28,9 +28,10 @@ export SSO_KEY_FILE="${SSO_KEY_FILE:=tls.key}" export SSO_CRT="${SSO_CRT:=${SSO_CRT_DIR}/${SSO_CERT_FILE}}" export SSO_KEY="${SSO_KEY:=${SSO_CRT_DIR}/${SSO_KEY_FILE}}" +export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:="localhost"}" export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}" export KEYCLOAK_IMAGE="${KEYCLOAK_IMAGE:=kapua/kapua-keycloak:${IMAGE_VERSION}}" -export KEYCLOAK_URL="${KEYCLOAK_URL:=http://${EXTERNAL_IP}:9090}" # Use https://${EXTERNAL_IP}:9443} in order to enable TLS +export KEYCLOAK_URL="${KEYCLOAK_URL:=https://${KEYCLOAK_HOST_NAME}:9443}" # Use https://${KEYCLOAK_HOST_NAME}:9443} in order to enable TLS export KEYCLOAK_PORT_HTTP=9090 -export KEYCLOAK_PORT_HTTPS=9443 \ No newline at end of file +export KEYCLOAK_PORT_HTTPS=9443 
From 4c131e09a18e2aeef0995fbb6125e55cf6adc1a1 Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Thu, 26 Oct 2023 10:56:58 +0200 Subject: [PATCH 05/12] added a switch for SSL on sso common for keycloak --- .../commons/sso/keycloak/entrypoint/run-keycloak | 14 +++++++++++--- .../docker/compose/sso/docker-compose.keycloak.yml | 1 + deployment/docker/unix/sso/docker-common-sso.sh | 11 +++++++++-- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/deployment/commons/sso/keycloak/entrypoint/run-keycloak b/deployment/commons/sso/keycloak/entrypoint/run-keycloak index 55749edca35..7da9856a4b9 100755 --- a/deployment/commons/sso/keycloak/entrypoint/run-keycloak +++ b/deployment/commons/sso/keycloak/entrypoint/run-keycloak @@ -27,6 +27,7 @@ if [ ! -f /opt/keycloak/first-run ]; then echo " Kapua Console URL: $KAPUA_CONSOLE_URL" echo " Keycloak Realm: $REALM_NAME" echo " Keycloak Admin User: $KEYCLOAK_USER" + echo " Keycloak TLS disabled: $KEYCLOAK_DISABLE_SSL" echo "" # 
@@ -161,6 +162,13 @@ EOF echo "" fi -echo "Starting Keycloak with TLS in production mode!" -exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-port="$KEYCLOAK_PORT_HTTPS" --https-certificate-file="$KEYCLOAK_CERT_FILE" --https-certificate-key-file="$KEYCLOAK_KEY_FILE" $@ #hostnameport needed because we redirect the ssl port with the docker proxy -exit $? +if [ "$KEYCLOAK_DISABLE_SSL" = "true" ]; then + echo "Starting Keycloak without TLS in production mode!" + exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KEYCLOAK_PORT_HTTP" $@ + exit $? +else + echo "Starting Keycloak with TLS in production mode!" + exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-port="$KEYCLOAK_PORT_HTTPS" --https-certificate-file="$KEYCLOAK_CERT_FILE" --https-certificate-key-file="$KEYCLOAK_KEY_FILE" $@ #hostnameport needed because we redirect the ssl port with the docker proxy + exit $? +fi + diff --git a/deployment/docker/compose/sso/docker-compose.keycloak.yml b/deployment/docker/compose/sso/docker-compose.keycloak.yml index 095e2235da5..b82b29c2078 100644 --- a/deployment/docker/compose/sso/docker-compose.keycloak.yml +++ b/deployment/docker/compose/sso/docker-compose.keycloak.yml @@ -19,4 +19,5 @@ services: - KEYCLOAK_PORT_HTTPS - SSO_CERT_FILE - SSO_KEY_FILE + - KEYCLOAK_DISABLE_SSL diff --git a/deployment/docker/unix/sso/docker-common-sso.sh b/deployment/docker/unix/sso/docker-common-sso.sh index cc9a4bc73f9..fb4480fb0bf 100755 --- a/deployment/docker/unix/sso/docker-common-sso.sh +++ b/deployment/docker/unix/sso/docker-common-sso.sh 
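Review bot: In the new `if [ "$KEYCLOAK_DISABLE_SSL" = "true" ]` branch the server starts in production mode with `--http-enabled=true --hostname-strict-https=false` and only an informational echo; since this is the branch selected by the default in `docker-common-sso.sh`, make the downgrade explicit on stderr, e.g. `echo "WARNING: KEYCLOAK_DISABLE_SSL=true - Keycloak serves logins and tokens over plain HTTP" >&2`. Both branches `exec` kc.sh, so the two `exit $?` lines are never reached and can be removed. `$@` should be `"$@"` in both branches so extra arguments with spaces are passed through unsplit.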
@@ -28,10 +28,17 @@ export SSO_KEY_FILE="${SSO_KEY_FILE:=tls.key}" export SSO_CRT="${SSO_CRT:=${SSO_CRT_DIR}/${SSO_CERT_FILE}}" export SSO_KEY="${SSO_KEY:=${SSO_CRT_DIR}/${SSO_KEY_FILE}}" -export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:="localhost"}" +export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:=${EXTERNAL_IP}}" export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}" export KEYCLOAK_IMAGE="${KEYCLOAK_IMAGE:=kapua/kapua-keycloak:${IMAGE_VERSION}}" -export KEYCLOAK_URL="${KEYCLOAK_URL:=https://${KEYCLOAK_HOST_NAME}:9443}" # Use https://${KEYCLOAK_HOST_NAME}:9443} in order to enable TLS export KEYCLOAK_PORT_HTTP=9090 export KEYCLOAK_PORT_HTTPS=9443 +export KEYCLOAK_DISABLE_SSL=${KEYCLOAK_DISABLE_SSL:=true} #similarly to the console, this flag disables ssl connections + +if [ "$KEYCLOAK_DISABLE_SSL" = "true" ]; then + export KEYCLOAK_URL="${KEYCLOAK_URL:=http://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTP}}" +else + export KEYCLOAK_URL="${KEYCLOAK_URL:=https://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTPS}}" +fi + From eb5b7500c49f2a9c913a20a72d3be9498fff8728 Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Tue, 31 Oct 2023 15:12:10 +0100 Subject: [PATCH 06/12] updated the developer guide on sso section --- docs/developer-guide/en/sso.md | 105 +++++++++++++++++---------------- 1 file changed, 54 insertions(+), 51 deletions(-) diff --git a/docs/developer-guide/en/sso.md b/docs/developer-guide/en/sso.md index ac43b573bd6..295752254a5 100644 --- a/docs/developer-guide/en/sso.md +++ b/docs/developer-guide/en/sso.md 
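Review bot: `export KEYCLOAK_DISABLE_SSL=${KEYCLOAK_DISABLE_SSL:=true}` makes plaintext the default for the identity provider, so a deployment that does not know about this flag gets Keycloak in production mode serving logins and tokens over HTTP; the safer default is `false`, with `true` reserved for local testing. If the default must stay `true`, say so plainly in the comment, e.g. `# INSECURE DEFAULT: disables TLS on Keycloak; set to false for anything but local testing`. With TLS enabled, `KEYCLOAK_HOST_NAME` now defaults to `${EXTERNAL_IP}`, so the self-signed certificate produced by the deploy script presumably needs that IP as a subjectAltName for the console to validate it — worth confirming in `sso-docker-deploy.sh`, which is not part of this patch.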
@@ -54,7 +54,7 @@ values: Note that these properties, in combination with the ones defined in the previous paragraph, can be set via environment variables thanks to the `run-console` bash script included in the Console docker container. Please refer to -the [assembly module README file](assembly/README.md) for detailed information about those properties. +the [assembly module README file](https://github.com/eclipse/kapua/blob/develop/assembly/README.md) for detailed information about those properties. #### Note about 'client id' and 'audience' values 
@@ -87,18 +87,16 @@ Note that the _auth_ and _token_ endpoints are automatically computed by the Key about Keycloak, see the [Keycloak Documentation](http://www.keycloak.org/documentation.html). Similarly to the 'generic' provider, these properties, in combination with the common properties defined previously, can -be set via environment variables thanks to the `run-console` bash script included in the Console docker container. -Please refer to the [assembly module README file](assembly/README.md) for detailed information about these environment -variables. +be set via environment variables thanks to the `run-console` bash script included in the Console docker container (see [here](#configuring-kapua-to-use-sso-with-the-keycloak-server) for more detailed information) ### Enabling users to SSO In order to enable a user to login through an OpenID provider, the user must first be created on the OpenID Connect -server (e.g. using Keycloak, on the Keycloak Admin Console). Secondly, the user can be added to Kapua. Such user differs +server (e.g. using Keycloak, on the Keycloak Admin Console, inside the kapua realm created for this application). Secondly, the user can be added to Kapua. Such user differs from a 'normal' one for its type (which is `EXTERNAL`, while a normal user is `INTERNAL`) and for not having any credentials (since his credentials are stored in the OpenID Provider). -Currently there are three methods to register an external user in Kapua: +Currently, there are three methods to register an external user in Kapua: using the _SimpleRegistrationProcessor_ , using _REST API_ or using the _console_. #### Insert the user through the SimpleRegistrationProcessor module 
@@ -122,9 +120,11 @@ After getting the session token using an authentication REST API, a user can be provide the following attributes: - **`scopeId`**: the scope id to which the user will belong in Kapua; -- **`name`**: represents the name in the OpenID Provider; +- **`name`**: represents the name of the user in the Kapua platform; - **`userType`**: must always be set as **_EXTERNAL_**; -- **`externalId`**: represents the unique ID on the OpenID Provider. +- **`externalId`** OR **`externalUsername`**: represents the unique ID/name on the OpenID Provider. + +Notice how it's not mandatory to insert the **`externalId`**: the external Username is sufficient for Kapua in order to fetch the correct user upon SSO log-in. #### Insert the user through the Console @@ -134,10 +134,13 @@ to add a user. 1. Add the new user through the "Add" button. 2. The Add dialog allows to choose between an "Internal user" and an "External user"; choose the latter in order to add an external one. -3. Insert the Username and the External Id; all the other fields are optional. +3. Insert a **`Username`**, represents the name of the user in the Kapua platform and doesn't need to be equal to the keycloak Username. +4. Insert the **`external Id`** and/or the **`external Username`**; all the other fields are optional. + +Notice how it's not mandatory to insert the **`externalId`**: the external Username is sufficient in order to fetch the correct user upon SSO log-in. An external user can also be modified through the button "Edit" -(please note that the "Username" and "External Id" fields are not modifiable). Note that the user has no assigned roles. +(please note that the "Username" field is not modifiable). Note that the user has no assigned roles. In order to add a "Role", use the "Assign" button of the "Roles" tab. Note also that the external user has no " Credentials" at all, since the credentials are established and stored in the external Provider. 
@@ -164,61 +167,58 @@ credentials. We detail here the steps to run an OpenID Keycloak provider. The example described here makes use of a Keycloak Server Docker image -(see [here](https://hub.docker.com/r/jboss/keycloak/) for more details). +(see [here](https://www.keycloak.org/server/containers) for more details). ### Installing the Keycloak Server (Docker image) In order to deploy automatically the Keycloak image, is sufficient to add the `--sso` option to the `docker-deploy.sh` script inside the directory of the docker deployment scripts. In such a way the environment is ready to be used without -the need for further configuration. +the need for further configuration. If you want to access the keycloak console page, open your browser to _http://:9090/_. DO NOT USE localhost as ip address, because it will conflict with the hostname configured for keycloak. +with 'machine-ip-address' we mean the ip address of the host machine running docker, so for example the ip in your local network. However, if you want to use a stand alone Keycloak image, please follow the instruction below in order to configure it. -#### Manual installation of the Keycloak server. +#### Manual installation of the Keycloak server -In order to download and install the image, run `docker pull jboss/keycloak` on a bash terminal. Then, -run `docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 9090:8080 jboss/keycloak` to start the docker +In order to download and install the latest image, run `docker pull quay.io/keycloak/keycloak` on a bash terminal. Then, +run `docker run -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 9090:8080 quay.io/keycloak/keycloak start-dev` to start the docker container, setting up the "_admin_" user (with "_admin_" as password). The Keycloak Server Admin Console will be -available at the following URL: _http://:9090/_. - -#### SSL configuration +available at the following URL: _http://:9090/_. 
Notice that this command will start keycloak in developer mode for demo purposes, see [here](https://www.keycloak.org/server/containers for some instructions regarding the production mode. +For the production mode, you must specify the hostname at startup (with the --host cli parameter, for example). We did not recommend to use 'localhost' for this as this could conflict with Docker containers host-name resolution. To this end, a valid approach would be to set the machine external ip as hostname. -_Following section needs to be updated_ +#### TLS configuration -The Keycloak provider can be configured to use SSL, which is enabled by setting the 9443 port for the `KEYCLOAK_URL` -in the `docker-common-sso.sh` file. A self-signed certificate and a key are produced through `sso-docker-deploy.sh` +The Keycloak provider can be configured to use TLS, setting to false the environment variable KEYCLOAK_DISABLE_SSL before calling the `docker-deploy.sh` script. A self-signed certificate and a key are produced through `sso-docker-deploy.sh` script and passed via the volume based on the `./certs:/etc/x509/https` directory. The script also installs the -certificate in the Kapua Console docker image (which is tagged with the 'sso' tag). +certificate in the Kapua Console docker image (which is tagged with the 'sso' tag). Notice that in this case the keycloak console can be accessed at _http://:9443/_. -**WARNING**: This SSL configuration is intended to be used only for testing purposes and should not be used in a +**WARNING**: This TLS configuration is intended to be used only for testing purposes and should not be used in a production environment. If you want to use Keycloak in a production environment and provide your own TLS certificate, please refer to the official -[Keycloak documentation](https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl). +[Keycloak documentation](https://www.keycloak.org/server/enabletls). 
### Manually configuring the Keycloak Server The Keycloak instance provided with the docker deployment is already configured with a dedicated -"Kapua" realm and a client when using the script `docker-deploy.sh` with `--sso` option. +"Kapua" realm and a client for the console when using the script `docker-deploy.sh` with `--sso` option. However, if you already have a running Keycloak instance, you can follow the instructions below in order to configure it manually. Open the Keycloak Admin Console on your preferred browser and follow the steps below in order to configure it. +Remember that with more recent versions of the keycloak image the UI could have changed, these instructions refer to the image version 21. 1. Create a new realm on Keycloak, call it "_kapua_" -1. Create a new client for this realm, call it "_console_" (this name represents the "Client ID"). -2. Configure the client "Settings" tab as follows: +2. Create a new client for this realm, call it "_console_" (this name represents the "Client ID"). +3. Configure the client "Settings" tab as follows: - Client Protocol : "_openid-connect_" - Access : "_public_" - Standard Flow Enabled : _ON_ - Direct Access Grants Enabled : _ON_ - - Valid Redirect URIs : _http://localhost:8080/*_ (use your IP address in place of localhost) - - Base URL : _http://localhost:8080/_ -3. Under the "Mappers" tab, create a new mapper called "console" with the following parameters: + - Valid Redirect URIs : _http://:8080/*_ (machine-ip-address means the ip address of the host machine running docker) + - Web origins: _http://:8080/_ +4. Having selected the "_console_" client, under the "Client scopes" tab, select the "console-dedicated" one, then select "configure a new mapper" called "Audience" and use the following parameters: - Name : "_console_" - - Mapper Type : "_Audience_" - Included Custom Audience : "_console_" - Add to access token : _ON_ -4. 
On the "Realm Settings", under the "Tokens" tab, set "Access Token Lifespan" to 10 minutes (the default time is too - short) ### Configuring Kapua to use SSO with the Keycloak Server @@ -226,7 +226,7 @@ The Kapua console docker image is already configured and deployed in docker with script `docker-deploy.sh` with `--sso` option. If you need to configure it manually, the following properties must be passed (as VM options) in order to set up the SSO -on Kapua using Keycloak (you can login using the default `admin` user with `admin` password): +on Kapua using Keycloak (you can log in using the default `admin` user with `admin` password): - `sso.openid.provider=keycloak` : to set Keycloak as OpenID provider - `sso.openid.keycloak.realm=kapua` : the Keycloak Realm (we are using the "kapua" realm) 
@@ -235,21 +235,24 @@ on Kapua using Keycloak (you can login using the default `admin` user with `admi - `sso.openid.client.id=console` : the OpenID Client ID (the one set on Keycloak) - `console.sso.openid.home.uri=http://localhost:8080` : the Kapua web console URI -If you need to start the console docker container alone, it is sufficient to provide the following docker environment +If you need to start the console docker container alone, for example having deployed your keycloak image following [this section](#manual-installation-of-the-keycloak-server), it is sufficient to provide the following docker environment variables (these will automatically set up the configuration properties described above): -- `KEYCLOAK_URL=http://:9090` : the Keycloak Server URI - (use `https://:9443` in case TLS is enabled - see below for further details) -- `KAPUA_CONSOLE_URL=http://localhost:8080` : the Kapua web console URI +- `KEYCLOAK_URL=http://:9090` : sets the `sso.openid.keycloak.uri`; the Keycloak Server URI + (use `https://:` in case you enabled TLS on the keycloak instance) +- `KAPUA_CONSOLE_URL=http://:8080` : sets the `sso.openid.client.id` value; the Kapua web console URI + (use `http://:8443` in case TLS is enabled in the console) -When using `docker-compose`, these two variables are bound through the `docker-compose.yaml` file. Note that even if the -Keycloak server is running locally on a docker container, it is recommended to use your machine IP address instead of ' +When using `docker-compose`, these two variables are bound through the `docker-compose.yaml` file. We recommended to use your machine IP address instead of ' localhost', since this one can be misinterpreted by docker as the 'localhost' of the container in which the Kapua component or Keycloak are running (this is automatically done through the `sso-docker-deploy.sh` script). 
-Please refer to the [assembly module README file](assembly/README.md) for detailed information about the Console docker -container and related environment variables. +Optionally, you can also set these environment variables: + +- `KEYCLOAK_REALM` : sets the `sso.openid.client.id` value; the keycloak realm (the default value is `kapua`); +- `KEYCLOAK_CLIENT_ID` : sets the `sso.openid.client.id` value; the client id in the keycloak realm (the default value is `console`); +- `KAPUA_OPENID_CLIENT_SECRET` : sets the `sso.openid.client.secret` value; the client secret (optional). ### Setting Up a user on the Keycloak server @@ -259,7 +262,7 @@ assigned by Keycloak must be used as External ID on the Kapua side (see the next If you want to add a new user, please follow the instructions below (remember to use the `admin` user with `admin` password to log in): -1. From the "Users" tab on the left menu, click on "Add user" +1. Inside the "kapua" realm, from the "Users" tab on the left menu, click on "Add user" 2. Configure the user as follows: - Username : e.g. "_alice_" - Email : e.g. "_alice@heremailprovider.com_" 
@@ -267,31 +270,31 @@ password to log in): 3. Configure the user credentials under the "Credentials" tab Note that the user must have an email set in the OpenID Provider server, otherwise the creation on Kapua through the -SimpleRegistrationProcessor will fail. It is also possible to use the "_admin_" or the "_sso-user_" the users to log in +SimpleRegistrationProcessor will fail. It is also possible to use the "_sso-user_" user to log in (remind to add an email address). ### Setting Up a user on Kapua To add a new user in Kapua, it is sufficient to add it through the console as described in the [Insert the user through the Console](#insert-the-user-through-the-console) section. If you want to use the -SimpleRegistrationProcessor or the REST API, please follow the examples below. +SimpleRegistrationProcessor or the REST API, we provide to you the examples below. Using the SimpleRegistrationProcessor, the user "_alice_" in Keycloak will generate "_alice_" and "_alice-broker_" in Kapua, in a dedicated "_alice_" account. -Using the userCreate REST API with the following body (using the _scopeId_ of the desired account and the ID of the -user "_admin_" in Keycloak as _externalId_): +As anticipated in [here](#insert-the-user-through-rest-api), using the userCreate REST API with the following body (using the _scopeId_ of the desired account and the ID of the +user "_alice_" in Keycloak as _externalId_): ``` { "scopeId": "...", - "name": "admin", + "name": "alice", "userType": "EXTERNAL", "externalId" : "5726876c-...." } ``` -will create the "_admin_" user without the need of the SimpleRegistrationProcessor. +will create the "_alice_" user without the need of the SimpleRegistrationProcessor. ### Keycloak logout endpoint 
@@ -299,7 +302,7 @@ Logging out from the Keycloak provider is possible through the Keycloak OpenID C `{sso.openid.keycloak.uri}/realms/{realm_name}/protocol/openid-connect/logout` -In our example the endpoint is the following: +In our example, assuming TLS is not used, the endpoint is the following: `http://:9090/realms/kapua/protocol/openid-connect/logout` @@ -323,7 +326,7 @@ can be called at a later time to re-configure Kapua (e.g. when re-installing Kap Both scripts (`deploy` and `activate`) require both Kapua and Keycloak URLs. Keycloak requires the Kapua web console URL in order to allow requests from this source, while Kapua requires the Keycloak URL in order to forward requests to Keycloak. The URLs are being constructed from OpenShift routes, which are configured for both Kapua and Keycloak. -However this requires that Kapua is set up before Keycloak and that the `activate` script can only be called after +However, this requires that Kapua is set up before Keycloak and that the `activate` script can only be called after the `deploy` script has been successfully run. Please refer to the [Keycloak Example (Docker based)](#keycloak-example-docker-based) section for the user creation, or From ea36c23644184fb38f96dcac7f9d26dc1be6dd13 Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Tue, 31 Oct 2023 16:20:01 +0100 Subject: [PATCH 07/12] updated readme file under assembly folder considering redundancy of content with developer guide --- assembly/README.md | 35 +++++++---------------------------- 1 file changed, 7 insertions(+), 28 deletions(-) diff --git a/assembly/README.md b/assembly/README.md index 7f62c26e199..6e942b5a0e4 100644 --- a/assembly/README.md +++ b/assembly/README.md 
@@ -4,11 +4,11 @@ The section describes how Eclipse Kapua docker images can be used. ### Build -To learn how to build Kapua Docker images, please consult [developer manual](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/running.md#docker-containers). +To learn how to build Kapua Docker images, please consult [developer manual](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/building.md#docker-images). ### Run -To learn how to run Kapua in Docker, please consult [developer manual](https://github.com/eclipse/kapua/blob/c5b2617594d261cec7da50352ad25aafd0faf164/docs/developer-guide/en/building.md#docker-images). +To learn how to run Kapua in Docker, please consult [developer manual](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/running.md#docker-containers). ### Access 
@@ -22,35 +22,14 @@ the IP address of your docker instance. ### SSO (OpenID Connect) testing -**Note:** This is only a setup for testing SSO support. - The following paragraphs describe how to set up an SSO OpenID Connect Provider in Kapua via environment variables. -For further information, please see the [SSO Developer Guide](docs/developer-guide/en/sso.md). +For further information, please see the [SSO Developer Guide](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md). #### Keycloak Provider -It is possible to test the sso with a Keycloak image by simply launching the `deploy` scripts located in the `deployment/docker/unix/sso` directory. -The provided Keycloak instance is already configured with a dedicated realm and client. -However, if you prefer to manually run and configure Keycloak, please follow the instruction below. - -You can also start a Keycloak instance in addition: - - docker run -td --name sso -p 8082:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=secret jboss/keycloak - -Starting the `kapua-console` image with the following command line instead: - - docker run -td --name kapua-console --link sso --link kapua-sql:db --link kapua-broker:broker --link kapua-elasticsearch:es -p 8080:8080 -e KEYCLOAK_URL=http://$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' sso):8080 -e KAPUA_CONSOLE_URL=http://localhost:8080 kapua/kapua-console - -You will also need to create a new realm named `kapua` in the Keycloak web UI and create a new client called `console`, -assigning `http://localhost:8080/*` as a valid redirect URI. 
- -To use the Keycloak provider with the Kapua Console, the following environment variables must be provided: - -- `KAPUA_CONSOLE_URL` : the `kapua-console` URL; -- `KEYCLOAK_URL` : the URL of the Keycloak instance; -- `KEYCLOAK_REALM` : the keycloak realm (the default value is `kapua`); -- `KEYCLOAK_CLIENT_ID` : the client id in the keycloak realm (the default value is `console`); -- `KAPUA_OPENID_CLIENT_SECRET` : the client secret (optional). +[Here](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#keycloak-example-docker-based) you can find a detailed guide for how to run a OpenID keycloak provider. In particular, it is possible to +test the sso with a pre-defined Keycloak image following [this](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#installing-the-keycloak-server-docker-image) (An instance already configured with a dedicated realm and client) +or, by manually providing a stand-alone Keycloak image, following [that](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#manual-installation-of-the-keycloak-server) instructions . #### Generic Provider @@ -67,7 +46,7 @@ variables: - `KAPUA_OPENID_LOGOUT_ENDPOINT` : the URL to the logout endpoint (optional, already retrieved via well-known document). Note that `OPENID_CLIENT_ID` and `JWT_AUDIENCE` are usually mapped with the same value, -(see the [SSO Developer Guide](docs/developer-guide/en/sso.md) for further information). +(see the [SSO Developer Guide generic provider section](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#generic-provider) for further information). ### Tomcat images From 63b28277a2882f5ca79269d8c77026a76de0031b Mon Sep 17 00:00:00 2001 
From: "angelo.andreussi"
Date: Wed, 8 Nov 2023 16:17:46 +0100
Subject: [PATCH 08/12] inverted TLS switch logic to adhere to other kapua containers envs.

---
 deployment/commons/sso/keycloak/entrypoint/run-keycloak | 4 ++--
 deployment/docker/compose/sso/docker-compose.keycloak.yml | 2 +-
 deployment/docker/unix/sso/docker-common-sso.sh | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/deployment/commons/sso/keycloak/entrypoint/run-keycloak b/deployment/commons/sso/keycloak/entrypoint/run-keycloak
index 7da9856a4b9..238828ceb8d 100755
--- a/deployment/commons/sso/keycloak/entrypoint/run-keycloak
+++ b/deployment/commons/sso/keycloak/entrypoint/run-keycloak
@@ -27,7 +27,7 @@ if [ ! -f /opt/keycloak/first-run ]; then
 echo " Kapua Console URL: $KAPUA_CONSOLE_URL"
 echo " Keycloak Realm: $REALM_NAME"
 echo " Keycloak Admin User: $KEYCLOAK_USER"
- echo " Keycloak TLS disabled: $KEYCLOAK_DISABLE_SSL"
+ echo " Keycloak TLS enabled: $KEYCLOAK_SSL_ENABLE"
 echo ""
 #
@@ -162,7 +162,7 @@ EOF
 echo ""
 fi
-if [ "$KEYCLOAK_DISABLE_SSL" = "true" ]; then
+if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then
 echo "Starting Keycloak without TLS in production mode!"
 exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KEYCLOAK_PORT_HTTP" $@
 exit $?
diff --git a/deployment/docker/compose/sso/docker-compose.keycloak.yml b/deployment/docker/compose/sso/docker-compose.keycloak.yml
index b82b29c2078..0ebbf512164 100644
--- a/deployment/docker/compose/sso/docker-compose.keycloak.yml
+++ b/deployment/docker/compose/sso/docker-compose.keycloak.yml
@@ -19,5 +19,5 @@ services:
 - KEYCLOAK_PORT_HTTPS
 - SSO_CERT_FILE
 - SSO_KEY_FILE
- - KEYCLOAK_DISABLE_SSL
+ - KEYCLOAK_SSL_ENABLE
 
diff --git a/deployment/docker/unix/sso/docker-common-sso.sh b/deployment/docker/unix/sso/docker-common-sso.sh
index fb4480fb0bf..510a31905f4 100755
--- a/deployment/docker/unix/sso/docker-common-sso.sh
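Review bot: The new gate `if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then` matches only the literal string `false`, so an unset or empty variable — the state the container is in whenever the host does not export it, since the compose hunk below only forwards the name — and any other spelling such as `0` or `no` now take the TLS branch. Falling over to TLS is the safe side, but nothing in the code says so; a comment on the gate line, `# only the literal "false" disables TLS; unset or any other value starts Keycloak with TLS`, would make the contract explicit. The else branch of this `if` lies outside the hunk.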
+++ b/deployment/docker/unix/sso/docker-common-sso.sh
@@ -34,9 +34,9 @@ export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}"
 export KEYCLOAK_IMAGE="${KEYCLOAK_IMAGE:=kapua/kapua-keycloak:${IMAGE_VERSION}}"
 export KEYCLOAK_PORT_HTTP=9090
 export KEYCLOAK_PORT_HTTPS=9443
-export KEYCLOAK_DISABLE_SSL=${KEYCLOAK_DISABLE_SSL:=true} #similarly to the console, this flag disables ssl connections
+export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} #similarly to the console, this flag disables ssl connections
 
-if [ "$KEYCLOAK_DISABLE_SSL" = "true" ]; then
+if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then
 export KEYCLOAK_URL="${KEYCLOAK_URL:=http://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTP}}"
 else
 export KEYCLOAK_URL="${KEYCLOAK_URL:=https://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTPS}}"
From 140604156b6be0e8a277ab44ad6325eae3e10b07 Mon Sep 17 00:00:00 2001
From: "angelo.andreussi"
Date: Thu, 9 Nov 2023 10:32:39 +0100
Subject: [PATCH 09/12] added automatic TLS activation for keycloak upon deployment with --ssl option

---
 deployment/docker/unix/docker-deploy.sh | 2 +-
 deployment/docker/unix/sso/docker-common-sso.sh | 7 ++++++-
 deployment/docker/unix/sso/docker-sso-config.sh | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/deployment/docker/unix/docker-deploy.sh b/deployment/docker/unix/docker-deploy.sh
index 45a8abcfa48..70f78913a3b 100755
--- a/deployment/docker/unix/docker-deploy.sh
+++ b/deployment/docker/unix/docker-deploy.sh
@@ -66,7 +66,7 @@ docker_compose() {
 # SSO Mode
 if [[ "$5" == true ]]; then
 echo "SSO enabled!"
- . "${SCRIPT_DIR}/sso/docker-sso-config.sh"
+ . "${SCRIPT_DIR}/sso/docker-sso-config.sh" "$4"
 COMPOSE_FILES+=(-f "${SCRIPT_DIR}/../compose/sso/docker-compose.console-sso.yml")
 COMPOSE_FILES+=(-f "${SCRIPT_DIR}/../compose/sso/docker-compose.keycloak.yml")
 
diff --git a/deployment/docker/unix/sso/docker-common-sso.sh b/deployment/docker/unix/sso/docker-common-sso.sh
index 510a31905f4..984c78c0aa9 100755
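Review bot: The trailing comment on the added line `export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} #similarly to the console, this flag disables ssl connections` now contradicts the variable it annotates: after the inversion the flag enables TLS and its default leaves TLS off. Suggest `export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} # similarly to the console, this flag enables TLS (off by default)`. The `fi` closing the rewritten `if` is outside the hunk.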
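Review bot: `. "${SCRIPT_DIR}/sso/docker-sso-config.sh" "$4"` hands the TLS switch to the sourced script as an anonymous positional argument, and the following hunks of docker-common-sso.sh and docker-sso-config.sh relay it again as `"$1"`, so what `$1` means inside those scripts depends on the parameter order of `docker_compose()`, whose signature is outside the hunk. Passing arguments to `.` is also a bash extension rather than POSIX `sh` behaviour. A named, exported variable set before the `source` call would be self-describing; failing that, each sourced script should state in its header comment that `$1` is the --ssl flag, which the docker-sso-config.sh hunk currently says only inline.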
--- a/deployment/docker/unix/sso/docker-common-sso.sh
+++ b/deployment/docker/unix/sso/docker-common-sso.sh
@@ -34,7 +34,12 @@ export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}"
 export KEYCLOAK_IMAGE="${KEYCLOAK_IMAGE:=kapua/kapua-keycloak:${IMAGE_VERSION}}"
 export KEYCLOAK_PORT_HTTP=9090
 export KEYCLOAK_PORT_HTTPS=9443
-export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} #similarly to the console, this flag disables ssl connections
+
+if [[ "$1" == true ]]; then #--ssl deployment
+ export KEYCLOAK_SSL_ENABLE=true
+else
+ export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} # --ssl deployment not set, but one can always deploy keycloak with SSL with this env. var
+fi
 
 if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then
 export KEYCLOAK_URL="${KEYCLOAK_URL:=http://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTP}}"
diff --git a/deployment/docker/unix/sso/docker-sso-config.sh b/deployment/docker/unix/sso/docker-sso-config.sh
index ede2aa7268c..a9469515800 100755
--- a/deployment/docker/unix/sso/docker-sso-config.sh
+++ b/deployment/docker/unix/sso/docker-sso-config.sh
@@ -15,7 +15,7 @@ SCRIPT_DIR_SSO_COFIG="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 
 
-. "${SCRIPT_DIR_SSO_COFIG}/docker-common-sso.sh"
+. "${SCRIPT_DIR_SSO_COFIG}/docker-common-sso.sh" "$1" # the first argument is the SSL enabler set via the --ssl deployment
 #
 # Build the Keycloak image if missing
From a550af7b8d85fd3c4f287fee6cab4e98896b9823 Mon Sep 17 00:00:00 2001
From: "angelo.andreussi"
Date: Thu, 9 Nov 2023 10:33:20 +0100
Subject: [PATCH 10/12] moved env. variables for openID & keycloack from kapua-console to kapua-console-sso compose file

---
 deployment/docker/compose/docker-compose.yml | 11 -----------
 .../compose/sso/docker-compose.console-sso.yml | 12 ++++++++++++
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/deployment/docker/compose/docker-compose.yml b/deployment/docker/compose/docker-compose.yml
index 3a49edca2d5..eaad2cc9ea9 100644
--- a/deployment/docker/compose/docker-compose.yml
+++ b/deployment/docker/compose/docker-compose.yml
@@ -91,17 +91,6 @@ services:
 - CRYPTO_SECRET_KEY
 - KAPUA_DISABLE_DATASTORE
 - LOGBACK_LOG_LEVEL
- - KAPUA_CONSOLE_URL
- - KAPUA_OPENID_JWT_ISSUER
- - KAPUA_OPENID_CLIENT_ID
- - KAPUA_OPENID_CLIENT_SECRET
- - KAPUA_OPENID_JWT_AUDIENCE
- - KAPUA_OPENID_AUTH_ENDPOINT
- - KAPUA_OPENID_TOKEN_ENDPOINT
- - KAPUA_OPENID_LOGOUT_ENDPOINT
- - KEYCLOAK_URL
- - KEYCLOAK_CLIENT_ID
- - KEYCLOAK_REALM
 kapua-api:
 container_name: kapua-api
 image: kapua/kapua-api:${IMAGE_VERSION}
diff --git a/deployment/docker/compose/sso/docker-compose.console-sso.yml b/deployment/docker/compose/sso/docker-compose.console-sso.yml
index d52b8e72ad0..52dd05e25ed 100644
--- a/deployment/docker/compose/sso/docker-compose.console-sso.yml
+++ b/deployment/docker/compose/sso/docker-compose.console-sso.yml
@@ -3,3 +3,15 @@ version: '3.1'
 services:
 kapua-console:
 image: kapua/kapua-console:${IMAGE_VERSION}-sso
+ environment:
+ - KAPUA_CONSOLE_URL
+ - KAPUA_OPENID_JWT_ISSUER
+ - KAPUA_OPENID_CLIENT_ID
+ - KAPUA_OPENID_CLIENT_SECRET
+ - KAPUA_OPENID_JWT_AUDIENCE
+ - KAPUA_OPENID_AUTH_ENDPOINT
+ - KAPUA_OPENID_TOKEN_ENDPOINT
+ - KAPUA_OPENID_LOGOUT_ENDPOINT
+ - KEYCLOAK_URL
+ - KEYCLOAK_CLIENT_ID
+ - KEYCLOAK_REALM
From 7ec1bab1a1f179328a4fc9ff1207c64f50f709f0 Mon Sep 17 00:00:00 2001
From: "angelo.andreussi"
Date: Thu, 9 Nov 2023 10:54:58 +0100
Subject: [PATCH 11/12] updated the developer guide on sso section along with recent modifications on keycloak

---
 docs/developer-guide/en/sso.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/docs/developer-guide/en/sso.md b/docs/developer-guide/en/sso.md
index 295752254a5..1cffc4ae7b0 100644
--- a/docs/developer-guide/en/sso.md
+++ b/docs/developer-guide/en/sso.md
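Review bot: `+ - KAPUA_OPENID_CLIENT_SECRET` forwards the OpenID client secret to the console container as a plain environment variable, where it is readable by anyone who can run `docker inspect` on the host or read the process environment inside the container; the move out of docker-compose.yml does not change that, but this SSO-only file is the natural place to record it. If the Compose version in use supports it, a `secrets:` entry or an `env_file` kept out of version control would be the safer carrier; at minimum a comment above that line, `# KAPUA_OPENID_CLIENT_SECRET is exposed in the container environment; use a secrets mechanism outside test deployments`, would warn operators.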
@@ -188,8 +188,11 @@ For the production mode, you must specify the hostname at startup (with the --ho #### TLS configuration -The Keycloak provider can be configured to use TLS, setting to false the environment variable KEYCLOAK_DISABLE_SSL before calling the `docker-deploy.sh` script. A self-signed certificate and a key are produced through `sso-docker-deploy.sh` -script and passed via the volume based on the `./certs:/etc/x509/https` directory. The script also installs the +The Keycloak provider can be configured to use TLS, this can be accomplished in 2 ways: +1. Deploying Kapua with `docker-deploy.sh` script using the --ssl option (along with the --sso option, obviously). In this way all different services that can set on top of the TLS layer will enable it. +2. Setting the environment variable KEYCLOAK_SSL_ENABLE before calling the `docker-deploy.sh` script (it is false by default). In this way you configure TLS for Keycloak but not for the other services. + +With this configuration, a self-signed certificate and a key are produced through `sso-docker-deploy.sh` script and passed via the volume based on the `./certs:/etc/x509/https` directory. The script also installs the certificate in the Kapua Console docker image (which is tagged with the 'sso' tag). Notice that in this case the keycloak console can be accessed at _http://:9443/_. **WARNING**: This TLS configuration is intended to be used only for testing purposes and should not be used in a 
@@ -243,7 +246,7 @@ variables (these will automatically set up the configuration properties describe - `KAPUA_CONSOLE_URL=http://:8080` : sets the `sso.openid.client.id` value; the Kapua web console URI (use `http://:8443` in case TLS is enabled in the console) -When using `docker-compose`, these two variables are bound through the `docker-compose.yaml` file. We recommended to use your machine IP address instead of ' +When using `docker-compose`, these two variables are bound through the `docker-compose.console-sso.yaml` file. We recommended to use your machine IP address instead of ' localhost', since this one can be misinterpreted by docker as the 'localhost' of the container in which the Kapua component or Keycloak are running (this is automatically done through the `sso-docker-deploy.sh` script). From 2369c4ad50b666c86e7d2ce3cc345f3ff7ec63cb Mon Sep 17 00:00:00 2001 From: "angelo.andreussi" Date: Thu, 9 Nov 2023 12:55:03 +0100 Subject: [PATCH 12/12] added redirect to ssl console for keycloak if deployment via --ssl option --- deployment/docker/unix/sso/docker-common-sso.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deployment/docker/unix/sso/docker-common-sso.sh b/deployment/docker/unix/sso/docker-common-sso.sh index 984c78c0aa9..249914a11bf 100755 --- a/deployment/docker/unix/sso/docker-common-sso.sh +++ b/deployment/docker/unix/sso/docker-common-sso.sh @@ -29,7 +29,6 @@ export SSO_CRT="${SSO_CRT:=${SSO_CRT_DIR}/${SSO_CERT_FILE}}" export SSO_KEY="${SSO_KEY:=${SSO_CRT_DIR}/${SSO_KEY_FILE}}" export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:=${EXTERNAL_IP}}" -export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}" export KEYCLOAK_IMAGE="${KEYCLOAK_IMAGE:=kapua/kapua-keycloak:${IMAGE_VERSION}}" export KEYCLOAK_PORT_HTTP=9090 
@@ -37,8 +36,10 @@ export KEYCLOAK_PORT_HTTPS=9443
 
 if [[ "$1" == true ]]; then #--ssl deployment
 export KEYCLOAK_SSL_ENABLE=true
+ export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=https://${EXTERNAL_IP}:8443}"
 else
- export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} # --ssl deployment not set, but one can always deploy keycloak with SSL with this env. var
+ export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} # --ssl deployment not set, but one can always deploy keycloak with SSL with this env. var, so I set the env variable for keycloak compose file
+ export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}"
 fi
 
 if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then
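Review bot: Both new defaults, `export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=https://${EXTERNAL_IP}:8443}"` and the http form added in the else branch, interpolate `${EXTERNAL_IP}` without checking that it is set, so an empty value quietly produces `https://:8443`, and — per the developer-guide text earlier in this series — that is the console origin Keycloak is told to accept. `EXTERNAL_IP` is assigned outside the hunk, so a guard just before the `if`, `: "${EXTERNAL_IP:?EXTERNAL_IP must be set}"`, would fail fast at the point of use. The two branches now differ only in scheme and port; the first-person remark appended to the else-branch comment could be trimmed to match the terse `#--ssl deployment` on the then branch.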