
Optionally use existing VPC. Upgrade Keycloak to 24.0.2 #12

Merged
merged 8 commits into from
Apr 8, 2024
Merged
3 changes: 2 additions & 1 deletion container/Dockerfile
@@ -1,10 +1,11 @@
# https://www.keycloak.org/server/containers

ARG KEYCLOAK_VERSION=22.0.5
ARG KEYCLOAK_VERSION=24.0.2
FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION as builder

ENV KC_DB=postgres
ENV KC_HOSTNAME=localhost
ENV KC_HEALTH_ENABLED=true

RUN /opt/keycloak/bin/kc.sh build

6 changes: 6 additions & 0 deletions container/entrypoint.sh
Expand Up @@ -6,4 +6,10 @@ set -eu
cd /opt/keycloak
keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=$KC_HOSTNAME" -alias server -ext "SAN:c=DNS:$KC_HOSTNAME,DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore

# If KC_DB has been overridden then need to rebuild the config
if [ "$KC_DB" != postgres ]; then
echo "KC_DB has been overridden to $KC_DB, rebuilding"
/opt/keycloak/bin/kc.sh build
fi

exec /opt/keycloak/bin/kc.sh "$@"
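Review bot: The rebuild branch at `if [ "$KC_DB" != postgres ]` compares against a literal that has to stay in step with `ENV KC_DB=postgres` in container/Dockerfile; if that default is ever changed, the check drifts silently and the container either rebuilds on every start or never does. A comment naming the coupling would help, e.g. `# must match the KC_DB default baked in by the Dockerfile build stage`. Also, running `kc.sh build` at start time presumably writes into /opt/keycloak, so this path would fail if the task is ever hardened with a read-only root filesystem — worth a note beside the echo, since the rest of the image is otherwise immutable after the build stage.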
36 changes: 21 additions & 15 deletions ecs-cluster/keycloak.tf
Expand Up @@ -3,6 +3,10 @@ data "aws_caller_identity" "current" {}
locals {
container-port = 8443
keycloak-hostname = var.keycloak-hostname == "" ? aws_lb.keycloak.dns_name : var.keycloak-hostname

vpc_id = var.vpc-id == "" ? module.vpc[0].vpc_id : var.vpc-id
public_subnets = var.public-subnets == [] ? module.vpc[0].public_subnets : var.public-subnets
private_subnets = var.private-subnets == [] ? module.vpc[0].private_subnets : var.private-subnets
}

resource "random_password" "db-password" {
Expand All @@ -18,7 +22,7 @@ resource "random_string" "initial-keycloak-password" {

resource "aws_security_group" "rds" {
name = "${var.name}-sg-rds"
vpc_id = module.vpc.vpc_id
vpc_id = local.vpc_id

ingress {
from_port = 5432
Expand All @@ -30,7 +34,7 @@ resource "aws_security_group" "rds" {

resource "aws_security_group" "alb" {
name = "${var.name}-sg-alb"
vpc_id = module.vpc.vpc_id
vpc_id = local.vpc_id

ingress {
protocol = "tcp"
Expand All @@ -56,7 +60,7 @@ resource "aws_security_group" "alb" {

resource "aws_security_group" "ecs-task-keycloak" {
name = "${var.name}-sg-task-keycloak"
vpc_id = module.vpc.vpc_id
vpc_id = local.vpc_id

ingress {
protocol = "tcp"
Expand All @@ -80,7 +84,7 @@ resource "aws_lb" "keycloak" {
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.alb.id]
subnets = module.vpc.public_subnets
subnets = local.public_subnets

enable_deletion_protection = true

Expand All @@ -91,7 +95,7 @@ resource "aws_alb_target_group" "keycloak" {
name = "${var.name}-tg"
port = 443
protocol = "HTTPS"
vpc_id = module.vpc.vpc_id
vpc_id = local.vpc_id
target_type = "ip"

health_check {
Expand All @@ -100,7 +104,7 @@ resource "aws_alb_target_group" "keycloak" {
protocol = "HTTPS"
matcher = "200"
timeout = "5"
path = "/"
path = "/health"
unhealthy_threshold = "2"
}
}
Expand Down Expand Up @@ -172,7 +176,7 @@ resource "aws_db_parameter_group" "keycloak" {

resource "aws_db_subnet_group" "keycloak" {
name = "${var.name}-keycloak"
subnet_ids = module.vpc.private_subnets
subnet_ids = local.private_subnets
}

resource "aws_db_instance" "keycloak" {
Expand Down Expand Up @@ -311,15 +315,17 @@ resource "aws_ecs_task_definition" "keycloak" {
name = "KC_HOSTNAME"
value = local.keycloak-hostname
},
# https://github.com/keycloak/keycloak/issues/13114
# https://www.keycloak.org/server/reverseproxy
# AWS load balancers set X-Forwarded not Forwarded
# https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
{
name = "KC_PROXY_HEADERS"
value = "xforwarded"
},
{
name = "KC_PROXY"
value = "reencrypt"
name = "KC_LOG_LEVEL"
value = var.keycloak-loglevel
},
# {
# name = "KC_LOG_LEVEL"
# value = "debug"
# }
]
portMappings = [{
protocol = "tcp"
Expand Down Expand Up @@ -352,7 +358,7 @@ resource "aws_ecs_service" "keycloak" {
aws_security_group.rds.id,
aws_security_group.ecs-task-keycloak.id
]
subnets = module.vpc.private_subnets
subnets = local.private_subnets
# TODO: Setting this to False means the image can't be pulled. Why? It works in K8s.
# assign_public_ip = true
}
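Review bot: The subnet fallbacks in the new locals, `var.public-subnets == []` and `var.private-subnets == []`, are very likely always false: the variables are typed `list(string)` while the literal `[]` is an empty tuple, and Terraform's `==` yields true only when both operands have the same type and value. On the default path (no vpc-id) that would hand `aws_lb.keycloak` and `aws_db_subnet_group.keycloak` the empty caller lists instead of the module's subnets. Prefer `length(var.public-subnets) == 0 ? module.vpc[0].public_subnets : var.public-subnets` and the same form for the private list. Separately, `KC_PROXY_HEADERS = "xforwarded"` makes Keycloak trust X-Forwarded-* from any peer that reaches port 8443, so the `aws_security_group.ecs-task-keycloak` ingress (only partly visible in this diff) should admit the ALB security group alone rather than a CIDR; a one-line comment next to the variable stating that assumption would document the trust boundary.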
5 changes: 0 additions & 5 deletions ecs-cluster/terraform.tf
@@ -1,8 +1,3 @@
terraform {
backend "s3" {
}
}

provider "aws" {
region = var.region

24 changes: 24 additions & 0 deletions ecs-cluster/variables.tf
Expand Up @@ -22,6 +22,24 @@ variable "lb-cidr-blocks-in" {
description = "CIDR blocks to allow access to the load balancer"
}

variable "vpc-id" {
type = string
default = ""
description = "VPC ID, if empty creates a new VPC"
}

variable "public-subnets" {
type = list(string)
default = []
description = "Public subnet IDs, must be defined if vpc-id is provided"
}

variable "private-subnets" {
type = list(string)
default = []
description = "Private subnet IDs, must be defined if vpc-id is provided"
}

variable "db-name" {
type = string
default = "keycloak"
Expand Down Expand Up @@ -57,6 +75,12 @@ variable "keycloak-hostname" {
description = "Keycloak hostname, if empty uses the load-balancer hostname"
}

variable "keycloak-loglevel" {
type = string
default = "INFO"
description = "Keycloak log-level e.g. DEBUG."
}

variable "desired-count" {
type = number
description = "Number of Keycloak containers to run, set to 0 for DB maintenance"
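Review bot: The new `vpc-id`, `public-subnets` and `private-subnets` variables document a constraint ("must be defined if vpc-id is provided") that nothing enforces, so a caller who sets only `vpc-id` gets a plan that fails late with empty subnet lists rather than a clear error. A `validation` block cannot reference another variable in Terraform releases before 1.9, but `vpc-id` can at least be shape-checked in place: `validation { condition = var.vpc-id == "" || can(regex("^vpc-", var.vpc-id)) error_message = "vpc-id must be empty or an AWS VPC id" }`, with the cross-variable check placed as a `precondition` on the resources that consume the subnet locals. For `keycloak-loglevel`, the description could add that DEBUG output may include request details and is meant for troubleshooting, not as a standing setting.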
8 changes: 8 additions & 0 deletions ecs-cluster/vpc.tf
Expand Up @@ -3,6 +3,7 @@ data "aws_availability_zones" "available" {}
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.2.0"
count = var.vpc-id == "" ? 1 : 0

name = "${var.name}-vpc"
cidr = "10.199.0.0/16"
Expand All @@ -18,3 +19,10 @@ module "vpc" {
manage_default_network_acl = false
map_public_ip_on_launch = true
}

# Backwards compatibility with existing deployments
# https://developer.hashicorp.com/terraform/language/modules/develop/refactoring#enabling-count-or-for_each-for-a-resource
moved {
from = module.vpc
to = module.vpc[0]
}
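Review bot: `count = var.vpc-id == "" ? 1 : 0` together with the `moved` block covers the fresh-to-indexed transition, but it also means that setting `vpc-id` on an already-applied stack drops the module to zero instances and, because the ALB and the RDS subnet group consume its subnets through the locals in keycloak.tf, presumably forces those dependents — including the database instance — to be replaced. The comment above `moved` only mentions backwards compatibility; it should state the one-way nature of the switch, e.g. `# Setting vpc-id on an existing deployment destroys this module's VPC and replaces everything that consumed its subnets; intended for new stacks only.` A `lifecycle { prevent_destroy = true }` on the database resource, or a `precondition` on the module count, would turn that scenario into a plan-time error instead of a destructive apply.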