Keycloak + nginx reverse proxy (#63)

* Example Keycloak config. * Proxy for geth, ipld-eth-server, and lighthouse. * Add metrics.
2022-12-14 12:59:40 -06:00 · 2022-12-14 12:59:40 -06:00 · df0bf549a2
commit df0bf549a2
parent c85b29c237
8 changed files with 2232 additions and 0 deletions
--- a/app/data/container-image-list.txt
+++ b/app/data/container-image-list.txt
@ -16,3 +16,4 @@ cerc/watcher-mobymask
 cerc/test-container
 cerc/eth-probe
 cerc/builder-js
 cerc/keycloak
--- a/app/data/pod-list.txt
+++ b/app/data/pod-list.txt
@ -13,3 +13,4 @@ fixturenet-eth
 watcher-mobymask
 test
 eth-probe
 keycloak
--- a/compose/docker-compose-keycloak.yml
+++ b/compose/docker-compose-keycloak.yml
@ -0,0 +1,37 @@
 version: '3.8'
 services:
  keycloak-db:
    image: postgres:14-alpine
    env_file:
      - ../config/keycloak/keycloak.env
    healthcheck:
      test: ["CMD", "nc", "-v", "localhost", "5432"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 3s
    ports:
      - 5432
  keycloak:
    image: cerc/keycloak:local
    env_file:
      - ../config/keycloak/keycloak.env
    environment:
      JAVA_OPTS_APPEND: "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/import -Dkeycloak.migration.strategy=IGNORE_EXISTING"
    volumes:
      - ../config/keycloak/import:/import
    ports:
      - 8080
    command: ["start"]
    depends_on:
      keycloak-db:
        condition: service_healthy
  keycloak-nginx:
    image: nginx:1.23-alpine
    volumes:
      - ../config/keycloak/nginx:/etc/nginx/conf.d
    ports:
      - 80
    depends_on:
      - keycloak
--- a/config/keycloak/import/cerc-realm.json
+++ b/config/keycloak/import/cerc-realm.json
--- a/config/keycloak/keycloak.env
+++ b/config/keycloak/keycloak.env
@ -0,0 +1,17 @@
 POSTGRES_DB=keycloak
 POSTGRES_USER=keycloak
 POSTGRES_PASSWORD=keycloak
 KC_DB=postgres
 KC_DB_URL_HOST=keycloak-db
 KC_DB_URL_DATABASE=${POSTGRES_DB}
 KC_DB_USERNAME=${POSTGRES_USER}
 KC_DB_PASSWORD=${POSTGRES_PASSWORD}
 KC_DB_SCHEMA=public
 KC_HOSTNAME=localhost
 KC_HTTP_ENABLED="true"
 KC_HTTP_RELATIVE_PATH="/auth"
 KC_HOSTNAME_STRICT_HTTPS="false"
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=admin
 X_API_CHECK_REALM=cerc
 X_API_CHECK_CLIENT_ID="%api_key%"
--- a/config/keycloak/nginx/keycloak_proxy.conf
+++ b/config/keycloak/nginx/keycloak_proxy.conf
@ -0,0 +1,69 @@
 server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
 ### geth
    location ~ ^/eth/?([^/]*)$ {
        set $apiKey $1;
        if ($apiKey = '') {
          set $apiKey $http_X_API_KEY;
        }
        auth_request /auth;
        proxy_buffering off;
        rewrite /.*$ / break;
        proxy_pass  http://fixturenet-eth-geth-1:8545;
    }
 ### ipld-eth-server
 #    location ~ ^/ipld/eth/([^/]*)$ {
 #        set $apiKey $1;
 #        if ($apiKey = '') {
 #          set $apiKey $http_X_API_KEY;
 #        }
 #        auth_request /auth;
 #        proxy_buffering off;
 #        rewrite /.*$ / break;
 #        proxy_pass  http://ipld-eth-server:8081;
 #    }
 #
 #    location ~ ^/ipld/gql/([^/]*)$ {
 #        set $apiKey $1;
 #        if ($apiKey = '') {
 #          set $apiKey $http_X_API_KEY;
 #        }
 #        auth_request /auth;
 #        proxy_buffering off;
 #        rewrite /.*$ / break;
 #        proxy_pass  http://ipld-eth-server:8082;
 #    }
 #
 ### lighthouse
 #    location /beacon/ {
 #        set $apiKey $http_X_API_KEY;
 #        auth_request /auth;
 #        proxy_buffering off;
 #        proxy_pass  http://fixturenet-eth-lighthouse-1:8001/;
 #    }
    location = /auth {
        internal;
        proxy_buffering off;
        resolver 127.0.0.11 ipv6=off;
        proxy_pass http://keycloak:8080/auth/realms/cerc/check?apiKey=$apiKey;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Remote-Addr $remote_addr;
        proxy_set_header X-Original-Host $host;
    }
 #    location = /basic_status {
 #        stub_status;
 #    }
 }
--- a/container-build/cerc-keycloak/Dockerfile
+++ b/container-build/cerc-keycloak/Dockerfile
@ -0,0 +1,12 @@
 FROM maven:3-eclipse-temurin-11-alpine AS builder
 RUN apk add --update --no-cache git
 WORKDIR /build
 RUN git clone https://github.com/cerc-io/keycloak-api-key-demo.git && \
      cd keycloak-api-key-demo && \
      git checkout '60c48b5c3e562c6cf2c85cfdd8f08145b0ebac5a' && \
      mvn -f api-key-module package
 FROM quay.io/keycloak/keycloak:20.0
 COPY --from=builder /build/keycloak-api-key-demo//api-key-module/target/deploy/*  /opt/keycloak/providers/
 WORKDIR /opt/keycloak/providers
 RUN curl -L https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.5.3/keycloak-metrics-spi-2.5.3.jar --output keycloak-metrics-spi.jar
--- a/container-build/cerc-keycloak/build.sh
+++ b/container-build/cerc-keycloak/build.sh
@ -0,0 +1,8 @@
 #!/usr/bin/env bash
 #
 #Build cerc/keycloack
 # See: https://stackoverflow.com/a/246128/1701505
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 docker build -t cerc/keycloak:local ${SCRIPT_DIR}