Update rendered example and fix unclosed parenthesis

2026-01-21 21:39:20 +01:00
parent b125132f9c
commit 657991d73d
5 changed files with 113 additions and 98 deletions


@@ -1,13 +1,14 @@
FROM danielberteaud/java:21-25.9-1 AS builder
FROM danielberteaud/java:21-26.1-2 AS builder
ARG KC_VERSION=26.3.5 \
ARG KC_VERSION=26.4.7 \
KC_EXPORTER_VERSION=7.0.0
ENV KC_HEALTH_ENABLED=true \
KC_METRICS_ENABLED=true \
KC_DB=postgres \
KC_HOSTNAME_STRICT=false \
NODE_NAME=keycloak
NODE_NAME=keycloak \
KC_HTTP_MANAGEMENT_HEALTH_ENABLED=false
USER root
@@ -44,8 +45,13 @@ COPY root/opt/keycloak/conf/cache-ispn.xml /opt/keycloak/conf
RUN set -euxo pipefail &&\
/opt/keycloak/bin/kc.sh build
FROM danielberteaud/java:21-25.9-1
LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"
FROM danielberteaud/java:21-26.1-2
LABEL org.opencontainers.image.authors="Daniel Berteaud <dbd@ehtrace.com>"
LABEL org.opencontainers.image.title="keycloak"
LABEL org.opencontainers.image.vendor="Daniel Berteaud <dbd@ehtrace.com>"
LABEL org.opencontainers.image.version="26.4.7"
ENV KC_HEALTH_ENABLED=true \
KC_METRICS_ENABLED=true \
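Review bot: The Keycloak version is now maintained in two places, `ARG KC_VERSION=26.4.7` in the builder stage and the literal `LABEL org.opencontainers.image.version="26.4.7"` in the runtime stage, so the next bump can leave the label out of sync with what is actually built. Declaring `ARG KC_VERSION=26.4.7` once before the first FROM, re-declaring a bare `ARG KC_VERSION` in the runtime stage and writing `LABEL org.opencontainers.image.version="${KC_VERSION}"` keeps a single source of truth. The same duplication is in the second, identical Dockerfile section of this commit (L164–L189).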


@@ -70,14 +70,12 @@ job "keycloak" {
}
}
sidecar_task {
logs {
disabled = false
}
config {
# GRPC Socket is set as a relative path pointing on alloc/tmp/consul_grpc.sock
# So ensure the work_dir is always /
work_dir = "/"
cap_add = ["net_bind_service", "chown", "setgid", "setuid"]
cap_drop = ["all"]
@@ -88,7 +86,8 @@ job "keycloak" {
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
"--disable-hot-restart",
"--file-flush-interval-msec", "100"
]
}
@@ -102,34 +101,24 @@ job "keycloak" {
check {
name = "health"
type = "script"
command = "curl"
args = [
"-k",
"--head",
"-fsS",
"https://127.0.0.1:9000/health"
]
interval = "30s"
timeout = "5s"
name = "health"
type = "http"
path = "/health"
expose = true
interval = "20s"
timeout = "5s"
on_update = "ignore"
task = "keycloak"
}
check {
name = "ready"
type = "script"
command = "curl"
args = [
"-k",
"--head",
"-fsS",
"https://127.0.0.1:9000/health/ready"
]
interval = "30s"
name = "ready"
type = "http"
path = "/health"
expose = true
interval = "20s"
timeout = "5s"
task = "keycloak"
}
tags = [
@@ -138,15 +127,18 @@ job "keycloak" {
"traefik.http.services.keycloak.loadbalancer.sticky.cookie=true",
"traefik.http.services.keycloak.loadbalancer.sticky.cookie.httponly=true",
"traefik.http.routers.keycloak.entrypoints=https",
"traefik.http.routers.keycloak.rule=Host(`id.example.org`) && (PathPrefix(`/js/`) || PathPrefix(`/realms/`) || PathPrefix(`/resources/`) || Path(`/robots.txt`))",
"traefik.http.routers.keycloak.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-relaxed@file",
"traefik.http.routers.keycloak.rule=Host(`https://id.example.org`) && PathRegexp(`^/((js|realms|resources)/.+|robots\\.txt$)`)",
"traefik.http.routers.keycloak.middlewares=compression@file,inflight-std@file,rate-limit-std@file,csp-relaxed@file,hsts@file,security-headers@file,forward-proto@file",
"traefik.enable=true",
"traefik.http.services.keycloak.loadbalancer.sticky=true",
"traefik.http.services.keycloak.loadbalancer.sticky.cookie=true",
"traefik.http.services.keycloak.loadbalancer.sticky.cookie.httponly=true",
"traefik.http.routers.keycloak-admin.entrypoints=https",
"traefik.http.routers.keycloak-admin.priority=250",
"traefik.http.routers.keycloak-admin.rule=Host(`id.example.org`) && PathPrefix(`/admin`)",
"traefik.http.routers.keycloak-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-relaxed@file",
"traefik.http.routers.keycloak-admin.middlewares=compression@file,inflight-std@file,rate-limit-std@file,csp-relaxed@file,hsts@file,security-headers@file,forward-proto@file",
]
}
@@ -160,9 +152,13 @@ job "keycloak" {
user = "1053:1053"
config {
image = "danielberteaud/wait-for:25.9-1"
image = "danielberteaud/wait-for:26.1-2"
cap_drop = [
"all",
]
readonly_rootfs = true
pids_limit = 20
pids_limit = 20
}
@@ -195,7 +191,7 @@ job "keycloak" {
driver = "docker"
config {
image = "danielberteaud/keycloak:26.3.5-1"
image = "danielberteaud/keycloak:26.4.7-4"
pids_limit = 1024
# Keycloak tries to write in different directories, making it hard to use a readonly rootfs
#readonly_rootfs = true
@@ -211,12 +207,15 @@ job "keycloak" {
env {
KC_HTTP_ENABLED = "true"
KC_HTTP_HOST = "127.0.0.1"
KC_PROXY_HEADERS = "xforwarded"
KC_DB = "postgres"
NODE_NAME = "kc-${NOMAD_ALLOC_INDEX}"
JAVA_OPTS_APPEND = "-Djgroups.external_addr=${NOMAD_HOST_IP_ispn} -Djgroups.bind.port=${NOMAD_ALLOC_PORT_ispn}"
KC_HTTP_ENABLED = "true"
KC_HTTP_HOST = "127.0.0.1"
KC_PROXY_HEADERS = "xforwarded"
KC_HOSTNAME = "https://id.example.org"
KC_HTTP_MANAGEMENT_SCHEME = "http"
KC_HTTP_MANAGEMENT_HEALTH_ENABLED = "false"
KC_DB = "postgres"
NODE_NAME = "kc-${NOMAD_ALLOC_INDEX}"
JAVA_OPTS_APPEND = "-Djgroups.external_addr=${NOMAD_HOST_IP_ispn} -Djgroups.bind.port=${NOMAD_ALLOC_PORT_ispn}"
}
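Review bot: The rewritten `ready` check probes `path = "/health"`, the same endpoint as the `health` check just above it, so readiness and liveness are no longer told apart; the removed script check hit `/health/ready`, and the new one should be `path = "/health/ready"`. With `KC_HTTP_MANAGEMENT_HEALTH_ENABLED` set to false the readiness endpoint should be served on the main listener alongside `/health`, so the `expose = true` route works unchanged. The identical regression is in the second job file of this commit (the `ready` check at L250).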


@@ -1,13 +1,14 @@
FROM danielberteaud/java:21-25.9-1 AS builder
FROM danielberteaud/java:21-26.1-2 AS builder
ARG KC_VERSION=26.3.5 \
ARG KC_VERSION=26.4.7 \
KC_EXPORTER_VERSION=7.0.0
ENV KC_HEALTH_ENABLED=true \
KC_METRICS_ENABLED=true \
KC_DB=postgres \
KC_HOSTNAME_STRICT=false \
NODE_NAME=keycloak
NODE_NAME=keycloak \
KC_HTTP_MANAGEMENT_HEALTH_ENABLED=false
USER root
@@ -44,8 +45,13 @@ COPY root/opt/keycloak/conf/cache-ispn.xml /opt/keycloak/conf
RUN set -euxo pipefail &&\
/opt/keycloak/bin/kc.sh build
FROM danielberteaud/java:21-25.9-1
LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"
FROM danielberteaud/java:21-26.1-2
LABEL org.opencontainers.image.authors="Daniel Berteaud <dbd@ehtrace.com>"
LABEL org.opencontainers.image.title="keycloak"
LABEL org.opencontainers.image.vendor="Daniel Berteaud <dbd@ehtrace.com>"
LABEL org.opencontainers.image.version="26.4.7"
ENV KC_HEALTH_ENABLED=true \
KC_METRICS_ENABLED=true \


@@ -77,14 +77,12 @@ job "keycloak" {
}
}
sidecar_task {
logs {
disabled = false
}
config {
# GRPC Socket is set as a relative path pointing on alloc/tmp/consul_grpc.sock
# So ensure the work_dir is always /
work_dir = "/"
cap_add = ["net_bind_service", "chown", "setgid", "setuid"]
cap_drop = ["all"]
@@ -95,7 +93,8 @@ job "keycloak" {
"${meta.connect.log_level}",
"--concurrency",
"${meta.connect.proxy_concurrency}",
"--disable-hot-restart"
"--disable-hot-restart",
"--file-flush-interval-msec", "100"
]
}
@@ -109,34 +108,24 @@ job "keycloak" {
check {
name = "health"
type = "script"
command = "curl"
args = [
"-k",
"--head",
"-fsS",
"https://127.0.0.1:9000/health"
]
interval = "30s"
timeout = "5s"
name = "health"
type = "http"
path = "/health"
expose = true
interval = "20s"
timeout = "5s"
on_update = "ignore"
task = "keycloak"
}
check {
name = "ready"
type = "script"
command = "curl"
args = [
"-k",
"--head",
"-fsS",
"https://127.0.0.1:9000/health/ready"
]
interval = "30s"
name = "ready"
type = "http"
path = "/health"
expose = true
interval = "20s"
timeout = "5s"
task = "keycloak"
}
tags = [
@@ -145,15 +134,18 @@ job "keycloak" {
"traefik.http.services.keycloak.loadbalancer.sticky.cookie=true",
"traefik.http.services.keycloak.loadbalancer.sticky.cookie.httponly=true",
"traefik.http.routers.keycloak.entrypoints=https",
"traefik.http.routers.keycloak.rule=Host(`id.example.org`) && (PathPrefix(`/js/`) || PathPrefix(`/realms/`) || PathPrefix(`/resources/`) || Path(`/robots.txt`))",
"traefik.http.routers.keycloak.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-relaxed@file",
"traefik.http.routers.keycloak.rule=Host(`https://id.example.org`) && PathRegexp(`^/((js|realms|resources)/.+|robots\\.txt$)`)",
"traefik.http.routers.keycloak.middlewares=compression@file,inflight-std@file,rate-limit-std@file,csp-relaxed@file,hsts@file,security-headers@file,forward-proto@file",
"traefik.enable=true",
"traefik.http.services.keycloak.loadbalancer.sticky=true",
"traefik.http.services.keycloak.loadbalancer.sticky.cookie=true",
"traefik.http.services.keycloak.loadbalancer.sticky.cookie.httponly=true",
"traefik.http.routers.keycloak-admin.entrypoints=https",
"traefik.http.routers.keycloak-admin.priority=250",
"traefik.http.routers.keycloak-admin.rule=Host(`id.example.org`) && PathPrefix(`/admin`)",
"traefik.http.routers.keycloak-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-relaxed@file",
"traefik.http.routers.keycloak-admin.middlewares=compression@file,inflight-std@file,rate-limit-std@file,csp-relaxed@file,hsts@file,security-headers@file,forward-proto@file",
]
}
@@ -167,9 +159,13 @@ job "keycloak" {
user = "1053:1053"
config {
image = "danielberteaud/wait-for:25.9-1"
image = "danielberteaud/wait-for:26.1-2"
cap_drop = [
"all",
]
readonly_rootfs = true
pids_limit = 20
pids_limit = 20
}
@@ -198,13 +194,13 @@ job "keycloak" {
driver = "docker"
user = "8995:8995"
# Reduce Docker logs collection (huge) overhead
logs {
disabled = true
}
config {
image = "danielberteaud/nginx:25.9-1"
image = "danielberteaud/nginx:26.1-3"
cap_drop = [
"all",
]
readonly_rootfs = true
volumes = ["local/nginx.conf:/etc/nginx/conf.d/default.conf:ro"]
pids_limit = 100
@@ -270,11 +266,16 @@ _EOT
return 405;
}
location /envoy {
set $delimeter "";
if ($is_args) {
set $delimeter "&";
}
set $args "$args${delimeter}histogram_buckets=summary";
proxy_pass http://127.0.0.1:7462/metrics;
proxy_http_version 1.1;
}
location /metrics {
proxy_pass https://127.0.0.1:9000/metrics;
proxy_pass http://127.0.0.1:9000/metrics;
}
}
_EOT
@@ -296,7 +297,7 @@ _EOT
driver = "docker"
config {
image = "danielberteaud/keycloak:26.3.5-1"
image = "danielberteaud/keycloak:26.4.7-4"
pids_limit = 1024
# Keycloak tries to write in different directories, making it hard to use a readonly rootfs
#readonly_rootfs = true
@@ -312,12 +313,15 @@ _EOT
env {
KC_HTTP_ENABLED = "true"
KC_HTTP_HOST = "127.0.0.1"
KC_PROXY_HEADERS = "xforwarded"
KC_DB = "postgres"
NODE_NAME = "kc-${NOMAD_ALLOC_INDEX}"
JAVA_OPTS_APPEND = "-Djgroups.external_addr=${NOMAD_HOST_IP_ispn} -Djgroups.bind.port=${NOMAD_ALLOC_PORT_ispn}"
KC_HTTP_ENABLED = "true"
KC_HTTP_HOST = "127.0.0.1"
KC_PROXY_HEADERS = "xforwarded"
KC_HOSTNAME = "https://id.example.org"
KC_HTTP_MANAGEMENT_SCHEME = "http"
KC_HTTP_MANAGEMENT_HEALTH_ENABLED = "false"
KC_DB = "postgres"
NODE_NAME = "kc-${NOMAD_ALLOC_INDEX}"
JAVA_OPTS_APPEND = "-Djgroups.external_addr=${NOMAD_HOST_IP_ispn} -Djgroups.bind.port=${NOMAD_ALLOC_PORT_ispn}"
}


@@ -58,7 +58,7 @@ keycloak:
# Traefik settings for the user forms and API
traefik:
rule: >-
Host(`[[ (urlParse .keycloak.public_url ]]`) &&
Host(`[[ urlParse .keycloak.public_url ]]`) &&
PathRegexp(`^[[ if not (regexp.Match "^/?$" (urlParse .keycloak.public_url).Path) ]][[ (urlParse .keycloak.public_url).Path ]][[ end ]]/((js|realms|resources)/.+|robots\\.txt$)`)
sticky: true
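Review bot: The corrected `Host` line prints the whole parsed URL rather than its host, which is why the rendered examples in the two job files now read Host(`https://id.example.org`) (L110 and L263); Traefik's Host matcher compares against the request's Host header, which never carries a scheme, so the user-facing router will not match any request. The part missing from the original expression was most likely the field selector, consistent with the `.Path` access on the next line: `Host(`[[ (urlParse .keycloak.public_url).Host ]]`) &&`. If `public_url` may carry an explicit port, `.Hostname` keeps the port out of the matcher.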