From 7c7222c1aa31ef218b3df4d17f476567b4a7d019 Mon Sep 17 00:00:00 2001
From: Wojciech Galanciak
Date: Wed, 9 Jul 2025 16:39:26 +0200
Subject: [PATCH 1/2] initial config
---
compose/.gitignore | 6 +++
compose/compose.keycloak.yaml | 69 +++++++++++++++++++++++++++++++++++
compose/cthq.properties | 29 +++++++++------
3 files changed, 93 insertions(+), 11 deletions(-)
create mode 100644 compose/.gitignore
create mode 100644 compose/compose.keycloak.yaml
diff --git a/compose/.gitignore b/compose/.gitignore
new file mode 100644
index 0000000..84f6e10
--- /dev/null
+++ b/compose/.gitignore
@@ -0,0 +1,6 @@
+data/
+nginx/log/
+nginx/ssl/*.key
+nginx/ssl/*.pem
+nginx/ssl/*.crt
+.env
\ No newline at end of file
diff --git a/compose/compose.keycloak.yaml b/compose/compose.keycloak.yaml
new file mode 100644
index 0000000..feb1029
--- /dev/null
+++ b/compose/compose.keycloak.yaml
@@ -0,0 +1,69 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ mysql-shared:
+ image: mysql:8.0
+ container_name: mysql-shared
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: keycloak
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ mysql-shared:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: mysql-shared
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ ports:
+ - "5999:8080"
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
+ interval: 10s
+ timeout: 10s
+ retries: 20
+
+volumes:
+ mysql_data:
\ No newline at end of file
diff --git a/compose/cthq.properties b/compose/cthq.properties
index 8b8c254..c8c481a 100644
--- a/compose/cthq.properties
+++ b/compose/cthq.properties
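Review bot: `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` makes Keycloak connect as the MySQL root account whenever the variable is unset, which only works because `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` are both `${KEYCLOAK_DB_PASSWORD}`; the dedicated `MYSQL_USER: keycloak` is created for exactly this purpose, so the default should be `${KEYCLOAK_DB_USERNAME:-keycloak}` and the root password should come from its own variable. `ports: - "5999:8080"` publishes Keycloak's plain-HTTP listener (`KC_HTTP_ENABLED: "true"`, `KC_HOSTNAME_STRICT: "false"`) on every host interface, so the admin console and token endpoints are reachable without TLS from anything that can reach the host; bind it to loopback (`"127.0.0.1:5999:8080"`) until a TLS-terminating proxy is in front. `image: quay.io/keycloak/keycloak:latest` is unpinned, so a later pull can move to a major release whose option names differ (the `KEYCLOAK_ADMIN*` bootstrap variables, for instance, have been renamed in newer releases — confirm for the version in use); pin a tag or digest.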
@@ -6,19 +6,26 @@ hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment # If you want to run with multiple SSO providers, add their names separated with commas -hq.sso.tenants=github +# hq.sso.tenants=github # GitHub SSO -hq.sso.github.provider=github -hq.sso.github.label=GitHub -hq.sso.github.client.id= -hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -hq.sso.github.auth.uri=https://github.com/login/oauth/authorize -hq.sso.github.token.uri=https://github.com/login/oauth/access_token -hq.sso.github.info.uri=https://api.github.com/user -hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks -hq.sso.github.logout.uri=https://github.com/logout +# hq.sso.github.provider=github +# hq.sso.github.label=GitHub +# hq.sso.github.client.id=Iv1.45b9336a78ce2476 +# hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371 +# hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.github.auth.uri=https://github.com/login/oauth/authorize +# hq.sso.github.token.uri=https://github.com/login/oauth/access_token +# hq.sso.github.info.uri=https://api.github.com/user +# hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks +# hq.sso.github.logout.uri=https://github.com/logout + +hq.sso.provider=keycloak +hq.sso.client.id=codetogether +hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64 +hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +hq.sso.client.authentication.method=client_secret_post # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA From 16bcea2bc8de9a630446228f6877812089e2ca73 Mon Sep 17 00:00:00 2001 
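Review bot: `hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64` commits a live-looking Keycloak client secret in plaintext, and the commented-out GitHub block carries `hq.sso.github.client.id=Iv1.45b9336a78ce2476` and `hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371`; a `#` prefix does not keep a credential out of the repository history. Any of these values that has been pushed should be treated as disclosed and rotated in Keycloak and GitHub, and the properties should read them from the environment the way `hq.collab.secret=${INTEL_SECRET}` in the same file already does, e.g. `hq.sso.client.secret=${KEYCLOAK_CLIENT_SECRET}`. `hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether` is a plain-HTTP issuer on the internal bridge network, which is acceptable only because the back-channel traffic never leaves that network; with `KC_HOSTNAME` later fixed to the public FQDN, Keycloak presumably issues tokens whose `iss` is the `https://` public URL, so a client library that validates the issuer against this internal URL will likely reject them — confirm how CTHQ validates the issuer.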
From: Ignacio Moreno
Date: Wed, 9 Jul 2025 13:08:14 -0600
Subject: [PATCH 2/2] Docker compose example to run keycloak
---
compose/.gitignore | 4 ++
compose/keycloak/.env-template | 9 ++++
compose/{ => keycloak}/compose.keycloak.yaml | 48 +++++++++++++----
compose/keycloak/nginx/log/placeholder.txt | 0
compose/keycloak/nginx/nginx.conf.template | 57 ++++++++++++++++++++
compose/keycloak/nginx/ssl/placeholder.txt | 0
6 files changed, 107 insertions(+), 11 deletions(-)
create mode 100644 compose/keycloak/.env-template
rename compose/{ => keycloak}/compose.keycloak.yaml (60%)
create mode 100644 compose/keycloak/nginx/log/placeholder.txt
create mode 100644 compose/keycloak/nginx/nginx.conf.template
create mode 100644 compose/keycloak/nginx/ssl/placeholder.txt
diff --git a/compose/.gitignore b/compose/.gitignore
index 84f6e10..cdb441f 100644
--- a/compose/.gitignore
+++ b/compose/.gitignore
@@ -3,4 +3,8 @@ nginx/log/
 nginx/ssl/*.key
 nginx/ssl/*.pem
 nginx/ssl/*.crt
+keycloak/nginx/log/*.log
+keycloak/nginx/ssl/*.key
+keycloak/nginx/ssl/*.pem
+keycloak/nginx/ssl/*.crt
 .env
\ No newline at end of file
diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template
new file mode 100644
index 0000000..5127bae
--- /dev/null
+++ b/compose/keycloak/.env-template
@@ -0,0 +1,9 @@
+KEYCLOAK_FQDN=keycloak.example.com
+SSL_KEYCLOAK_CERT=ssl-keycloak.crt
+SSL_KEYCLOAK_KEY=ssl-keycloak.key
+
+KEYCLOAK_DB_USERNAME=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+
+KEYCLOAK_ADMIN_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin
\ No newline at end of file
diff --git a/compose/compose.keycloak.yaml b/compose/keycloak/compose.keycloak.yaml
similarity index 60%
rename from compose/compose.keycloak.yaml
rename to compose/keycloak/compose.keycloak.yaml
index feb1029..f842905 100644
--- a/compose/compose.keycloak.yaml
+++ b/compose/keycloak/compose.keycloak.yaml
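Review bot: `KEYCLOAK_DB_PASSWORD=keycloak` and `KEYCLOAK_ADMIN_PASSWORD=keycloak` ship working credentials in the template, and the compose file's header only tells the user to rename `.env-template` to `.env`, so a deployment that skips the "set the appropriate values" step exposes the Keycloak admin console on 443 with the password `keycloak`. Leave the two password entries empty (`KEYCLOAK_ADMIN_PASSWORD=`) and have the compose references fail on an empty value (`${KEYCLOAK_ADMIN_PASSWORD:?set in .env}`), or at least use an unmistakable placeholder. `.env` is ignored by the adjacent `.gitignore` hunk but `.env-template` is tracked, so values typed into the template end up in history; a comment at the top of the template saying so would help.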
@@ -2,16 +2,16 @@ # Set the appropriate values once renamed services: # Relational database for Keycloak (optional) - mysql-shared: + codetogether-mysql: image: mysql:8.0 - container_name: mysql-shared + container_name: codetogether-mysql restart: unless-stopped env_file: - .env environment: MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD} MYSQL_DATABASE: keycloak - MYSQL_USER: keycloak + MYSQL_USER: ${KEYCLOAK_DB_USERNAME} MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD} volumes: - mysql_data:/var/lib/mysql @@ -22,6 +22,25 @@ services: interval: 10s timeout: 10s retries: 30 + # Nginx reverse proxy for Keycloak (optional) + codetogether-keycloak-nginx: + image: nginx:latest + container_name: codetogether-keycloak-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx + ports: + - "443:443" + volumes: + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro + - ./nginx/ssl:/etc/nginx/ssl + - ./nginx/log:/var/log/nginx + networks: + - codetogethernet + depends_on: + codetogether-keycloak: + condition: service_healthy # Keycloak service (optional) codetogether-keycloak: @@ -30,7 +49,7 @@ services: env_file: - .env depends_on: - mysql-shared: + codetogether-mysql: condition: service_healthy command: - "start" @@ -43,7 +62,7 @@ services: KC_DB: mysql KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root} KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD} - KC_DB_URL_HOST: mysql-shared + KC_DB_URL_HOST: codetogether-mysql # Feature flags & observability KC_FEATURES: token-exchange 
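Review bot: In the `codetogether-keycloak-nginx` hunk the certificate directory is mounted read-write (`- ./nginx/ssl:/etc/nginx/ssl`) while the template is mounted `:ro`; nginx never needs to write its private key, so use `- ./nginx/ssl:/etc/nginx/ssl:ro`. `image: nginx:latest` is unpinned, as is `quay.io/keycloak/keycloak:latest` elsewhere in the file, so a later pull can change the proxy or Keycloak major version; pin tags or digests. In the first hunk `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` still hands the application user's password to root, and `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` in the fourth hunk still defaults to root rather than the `keycloak` user the template now sets; a separate root-password variable and a `:-keycloak` default would make the split between the two accounts meaningful.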
@@ -52,18 +71,25 @@ services: # Reverse‑proxy / HTTP KC_HTTP_ENABLED: "true" + KC_PROXY: edge KC_PROXY_HEADERS: xforwarded KC_HOSTNAME_STRICT: "false" KC_HOSTNAME_STRICT_HTTPS: "false" - ports: - - "5999:8080" + KC_HOSTNAME: ${KEYCLOAK_FQDN} + KC_FRONTEND_URL: https://${KEYCLOAK_FQDN} + KC_HTTP_PORT: 8080 networks: - codetogethernet healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"] + test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] interval: 10s - timeout: 10s - retries: 20 + timeout: 5s + retries: 5 + start_period: 30s volumes: - mysql_data: \ No newline at end of file + mysql_data: + +networks: + codetogethernet: + driver: bridge \ No newline at end of file diff --git a/compose/keycloak/nginx/log/placeholder.txt b/compose/keycloak/nginx/log/placeholder.txt new file mode 100644 index 0000000..e69de29 diff --git a/compose/keycloak/nginx/nginx.conf.template b/compose/keycloak/nginx/nginx.conf.template new file mode 100644 index 0000000..e48b298 --- /dev/null +++ b/compose/keycloak/nginx/nginx.conf.template 
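Review bot: The new healthcheck `echo > /dev/tcp/localhost/8080 || exit 1` only proves that the HTTP port accepts a connection, so it cannot tell a listening socket from a server whose database check is failing, and the nginx container's `service_healthy` gate becomes a port check; `KC_HEALTH_ENABLED` is still `"true"`, so a bash-only request to the ready endpoint (served on the management port in recent releases, which the unpinned `latest` image presumably is — confirm) keeps the dependency meaningful; the `curl` probe was presumably dropped because the image lacks curl, and that reason is worth a comment. `KC_PROXY: edge` is, as far as I recall, the option that the already-present `KC_PROXY_HEADERS: xforwarded` superseded, and `KC_FRONTEND_URL` does not look like a Quarkus-distribution option; with `:latest` either may be ignored or rejected, so verify against the running version and keep only what it honours. With `KC_HOSTNAME` now fixed to `${KEYCLOAK_FQDN}` and the direct `5999:8080` publish removed, `KC_HOSTNAME_STRICT: "false"` no longer serves a purpose; `KC_HOSTNAME_STRICT: "true"` stops request headers from influencing the URLs Keycloak generates.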
@@ -0,0 +1,57 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
diff --git a/compose/keycloak/nginx/ssl/placeholder.txt b/compose/keycloak/nginx/ssl/placeholder.txt
new file mode 100644
index 0000000..e69de29
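Review bot: The `if ($http_x_real_ip != '')` and `if ($http_x_forwarded_for != '')` blocks copy whatever `X-Real-IP`/`X-Forwarded-For` the client sent straight into the headers that Keycloak trusts through `KC_PROXY_HEADERS: xforwarded`, so any caller can choose the source address recorded in Keycloak's login events, brute-force detection and audit logs. Unless another trusted proxy sits in front of this one, drop the `set`/`if` block and use `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (or name the trusted upstream with `set_real_ip_from` and the realip module). `ssl_protocols TLSv1.2;` should also permit TLS 1.3 (`ssl_protocols TLSv1.2 TLSv1.3;`), and the `DHE-*` suites in `ssl_ciphers` are, I believe, only negotiable when `ssl_dhparam` is configured, which is commented out — either supply the parameters or drop those suites; since this is the only TLS endpoint, `add_header Strict-Transport-Security "max-age=63072000" always;` belongs here too. The `# create the passthrough to the CodeTogether Intel container` and `# setup the backend to service the HQ requests` comments were carried over from another config and now describe a Keycloak upstream, so reword them to `# proxy to the Keycloak container`.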