FIX - Keycloak server execution failing at startup

assembly/README.md

@@ -4,11 +4,11 @@ The section describes how Eclipse Kapua docker images can be used.
 
 ### Build
 
-To learn how to build Kapua Docker images, please consult [developer manual](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/running.md#docker-containers).
+To learn how to build Kapua Docker images, please consult [developer manual](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/building.md#docker-images).
 
 ### Run
 
-To learn how to run Kapua in Docker, please consult [developer manual](https://github.com/eclipse/kapua/blob/c5b2617594d261cec7da50352ad25aafd0faf164/docs/developer-guide/en/building.md#docker-images).
+To learn how to run Kapua in Docker, please consult [developer manual](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/running.md#docker-containers).
 
 ### Access
 
@@ -22,35 +22,14 @@ the IP address of your docker instance.
 
 ### SSO (OpenID Connect) testing
 
-**Note:** This is only a setup for testing SSO support.
-
 The following paragraphs describe how to set up an SSO OpenID Connect Provider in Kapua via environment variables.
-For further information, please see the [SSO Developer Guide](docs/developer-guide/en/sso.md).
+For further information, please see the [SSO Developer Guide](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md).
 
 #### Keycloak Provider
 
-It is possible to test the sso with a Keycloak image by simply launching the `deploy` scripts located in the `deployment/docker/unix/sso` directory.
-The provided Keycloak instance is already configured with a dedicated realm and client. 
-However, if you prefer to manually run and configure Keycloak, please follow the instruction below.
-
-You can also start a Keycloak instance in addition:
-
-    docker run -td --name sso -p 8082:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=secret jboss/keycloak
-
-Starting the `kapua-console` image with the following command line instead:
-
-    docker run -td --name kapua-console --link sso --link kapua-sql:db --link kapua-broker:broker --link kapua-elasticsearch:es -p 8080:8080 -e KEYCLOAK_URL=http://$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' sso):8080 -e KAPUA_CONSOLE_URL=http://localhost:8080 kapua/kapua-console
-
-You will also need to create a new realm named `kapua` in the Keycloak web UI and create a new client called `console`, 
-assigning `http://localhost:8080/*` as a valid redirect URI.
-
-To use the Keycloak provider with the Kapua Console, the following environment variables must be provided:
-
-- `KAPUA_CONSOLE_URL` : the `kapua-console` URL;
-- `KEYCLOAK_URL` : the URL of the Keycloak instance;
-- `KEYCLOAK_REALM` : the keycloak realm (the default value is `kapua`);
-- `KEYCLOAK_CLIENT_ID` : the client id in the keycloak realm (the default value is `console`);
-- `KAPUA_OPENID_CLIENT_SECRET` : the client secret (optional).
+[Here](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#keycloak-example-docker-based) you can find a detailed guide for how to run a OpenID keycloak provider. In particular, it is possible to
+test the sso with a pre-defined Keycloak image following [this](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#installing-the-keycloak-server-docker-image) (An instance already configured with a dedicated realm and client)
+or, by manually providing a stand-alone Keycloak image, following [that](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#manual-installation-of-the-keycloak-server) instructions .
 
 #### Generic Provider
 
@@ -67,7 +46,7 @@ variables:
 - `KAPUA_OPENID_LOGOUT_ENDPOINT` : the URL to the logout endpoint (optional, already retrieved via well-known document).
 
 Note that `OPENID_CLIENT_ID` and `JWT_AUDIENCE` are usually mapped with the same value,
-(see the [SSO Developer Guide](docs/developer-guide/en/sso.md) for further information).
+(see the [SSO Developer Guide generic provider section](https://github.com/eclipse/kapua/blob/develop/docs/developer-guide/en/sso.md#generic-provider) for further information).
 
 ### Tomcat images
 

deployment/commons/sso/keycloak/entrypoint/run-keycloak

@@ -15,22 +15,25 @@
 
 set -e
 
+KEYCLOAK_CERT_FILE="etc/x509/https/${SSO_CERT_FILE}"
+KEYCLOAK_KEY_FILE="etc/x509/https/${SSO_KEY_FILE}"
+
 if [ ! -f /opt/keycloak/first-run ]; then
   REALM_NAME="kapua"
-  KC_PORT="9090"
-  KC_URL="http://localhost:$KC_PORT"
+  KC_URL="http://localhost:$KEYCLOAK_PORT_HTTP"
   KC=/opt/keycloak/bin/kcadm.sh
 
   echo "Kapua Keycloak Configuration:"
   echo "    Kapua Console URL: $KAPUA_CONSOLE_URL"
   echo "    Keycloak Realm: $REALM_NAME"
   echo "    Keycloak Admin User: $KEYCLOAK_USER"
+  echo "    Keycloak TLS enabled:  $KEYCLOAK_SSL_ENABLE"
   echo ""
 
   #
   # Start and wait Keycloak
-  echo "Starting Keycloak..."
-  KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --http-port=$KC_PORT &
+  echo "Starting Keycloak without TLS for first configuration..."
+  KEYCLOAK_ADMIN=$KEYCLOAK_USER KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_PASSWORD /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KEYCLOAK_PORT_HTTP" &
 
   while ! curl -sf $KC_URL > /dev/null; do
     echo "Waiting for keycloak to come up..."
@@ -159,6 +162,13 @@ EOF
   echo ""
 fi
 
-echo "Starting Keycloak!"
-exec /opt/keycloak/bin/kc.sh start --http-port=$KC_PORT $@
-exit $?
+if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then
+  echo "Starting Keycloak without TLS in production mode!"
+  exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-strict-https=false --http-enabled=true --http-port="$KEYCLOAK_PORT_HTTP" $@
+  exit $?
+else
+  echo "Starting Keycloak with TLS in production mode!"
+  exec /opt/keycloak/bin/kc.sh start --hostname="$KEYCLOAK_HOST_NAME" --hostname-port="$KEYCLOAK_PORT_HTTPS" --https-certificate-file="$KEYCLOAK_CERT_FILE" --https-certificate-key-file="$KEYCLOAK_KEY_FILE" $@ #hostnameport needed because we redirect the ssl port with the docker proxy
+  exit $?
+fi
+

deployment/docker/compose/docker-compose.yml

@@ -91,17 +91,6 @@ services:
       - CRYPTO_SECRET_KEY
       - KAPUA_DISABLE_DATASTORE
       - LOGBACK_LOG_LEVEL
-      - KAPUA_CONSOLE_URL
-      - KAPUA_OPENID_JWT_ISSUER
-      - KAPUA_OPENID_CLIENT_ID
-      - KAPUA_OPENID_CLIENT_SECRET
-      - KAPUA_OPENID_JWT_AUDIENCE
-      - KAPUA_OPENID_AUTH_ENDPOINT
-      - KAPUA_OPENID_TOKEN_ENDPOINT
-      - KAPUA_OPENID_LOGOUT_ENDPOINT
-      - KEYCLOAK_URL
-      - KEYCLOAK_CLIENT_ID
-      - KEYCLOAK_REALM
   kapua-api:
     container_name: kapua-api
     image: kapua/kapua-api:${IMAGE_VERSION}

deployment/docker/compose/sso/docker-compose.console-sso.yml

@@ -3,3 +3,15 @@ version: '3.1'
 services:
   kapua-console:
     image: kapua/kapua-console:${IMAGE_VERSION}-sso
+    environment:
+      - KAPUA_CONSOLE_URL
+      - KAPUA_OPENID_JWT_ISSUER
+      - KAPUA_OPENID_CLIENT_ID
+      - KAPUA_OPENID_CLIENT_SECRET
+      - KAPUA_OPENID_JWT_AUDIENCE
+      - KAPUA_OPENID_AUTH_ENDPOINT
+      - KAPUA_OPENID_TOKEN_ENDPOINT
+      - KAPUA_OPENID_LOGOUT_ENDPOINT
+      - KEYCLOAK_URL
+      - KEYCLOAK_CLIENT_ID
+      - KEYCLOAK_REALM

deployment/docker/compose/sso/docker-compose.keycloak.yml

@@ -8,9 +8,16 @@ services:
       - "${KEYCLOAK_PORT_HTTP}:9090"
       - "${KEYCLOAK_PORT_HTTPS}:8443"
     volumes:
-      - "../../target/compose/sso/certs:/etc/x509/https"
+      - "../target/compose/sso/certs:/etc/x509/https"
     environment:
       - KAPUA_CONSOLE_URL
       - KEYCLOAK_ADMIN_USER
       - KEYCLOAK_USER=admin
       - KEYCLOAK_PASSWORD=admin
+      - KEYCLOAK_HOST_NAME
+      - KEYCLOAK_PORT_HTTP
+      - KEYCLOAK_PORT_HTTPS
+      - SSO_CERT_FILE
+      - SSO_KEY_FILE
+      - KEYCLOAK_SSL_ENABLE
+

deployment/docker/unix/docker-deploy.sh

@@ -66,7 +66,7 @@ docker_compose() {
     # SSO Mode
     if [[ "$5" == true ]]; then
       echo "SSO enabled!"
-      . "${SCRIPT_DIR}/sso/docker-sso-config.sh"
+      . "${SCRIPT_DIR}/sso/docker-sso-config.sh" "$4"
 
       COMPOSE_FILES+=(-f "${SCRIPT_DIR}/../compose/sso/docker-compose.console-sso.yml")
       COMPOSE_FILES+=(-f "${SCRIPT_DIR}/../compose/sso/docker-compose.keycloak.yml")

deployment/docker/unix/sso/docker-common-sso.sh

@@ -28,9 +28,23 @@ export SSO_KEY_FILE="${SSO_KEY_FILE:=tls.key}"
 export SSO_CRT="${SSO_CRT:=${SSO_CRT_DIR}/${SSO_CERT_FILE}}"
 export SSO_KEY="${SSO_KEY:=${SSO_CRT_DIR}/${SSO_KEY_FILE}}"
 
-export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}"
+export KEYCLOAK_HOST_NAME="${KEYCLOAK_HOST_NAME:=${EXTERNAL_IP}}"
 
 export KEYCLOAK_IMAGE="${KEYCLOAK_IMAGE:=kapua/kapua-keycloak:${IMAGE_VERSION}}"
-export KEYCLOAK_URL="${KEYCLOAK_URL:=http://${EXTERNAL_IP}:9090}" # Use https://${EXTERNAL_IP}:9443} in order to enable TLS
 export KEYCLOAK_PORT_HTTP=9090
-export KEYCLOAK_PORT_HTTPS=9443
+export KEYCLOAK_PORT_HTTPS=9443
+
+if [[ "$1" == true ]]; then #--ssl deployment
+  export KEYCLOAK_SSL_ENABLE=true
+  export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=https://${EXTERNAL_IP}:8443}"
+else
+  export KEYCLOAK_SSL_ENABLE=${KEYCLOAK_SSL_ENABLE:=false} # --ssl deployment not set, but one can always deploy keycloak with SSL with this env. var, so I set the env variable for keycloak compose file
+  export KAPUA_CONSOLE_URL="${KAPUA_CONSOLE_URL:=http://${EXTERNAL_IP}:8080}"
+fi
+
+if [ "$KEYCLOAK_SSL_ENABLE" = "false" ]; then
+  export KEYCLOAK_URL="${KEYCLOAK_URL:=http://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTP}}"
+else
+  export KEYCLOAK_URL="${KEYCLOAK_URL:=https://${KEYCLOAK_HOST_NAME}:${KEYCLOAK_PORT_HTTPS}}"
+fi
+

deployment/docker/unix/sso/docker-sso-config.sh

@@ -15,7 +15,7 @@
 
 SCRIPT_DIR_SSO_COFIG="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-. "${SCRIPT_DIR_SSO_COFIG}/docker-common-sso.sh"
+. "${SCRIPT_DIR_SSO_COFIG}/docker-common-sso.sh" "$1" # the first argument is the SSL enabler set via the --ssl deployment
 
 #
 # Build the Keycloak image if missing