From e0a9851464ccad03c8a5315edd2fe3a618b8b103 Mon Sep 17 00:00:00 2001 From: Bitnami Bot Date: Thu, 7 Aug 2025 20:08:08 +0200 Subject: [PATCH] [bitnami/keycloak] Release 26.3.2-debian-12-r2 (#84959) Signed-off-by: Bitnami Bot --- bitnami/keycloak/26/debian-12/Dockerfile | 4 +- .../opt/bitnami/.bitnami_components.json | 2 +- .../opt/bitnami/scripts/keycloak-env.sh | 221 +++++++------- .../bitnami/scripts/keycloak/entrypoint.sh | 5 +- .../bitnami/scripts/keycloak/postunpack.sh | 7 +- .../opt/bitnami/scripts/keycloak/run.sh | 20 +- .../opt/bitnami/scripts/keycloak/setup.sh | 8 +- .../rootfs/opt/bitnami/scripts/libkeycloak.sh | 279 ++++-------------- bitnami/keycloak/README.md | 154 +++++----- 9 files changed, 260 insertions(+), 440 deletions(-) diff --git a/bitnami/keycloak/26/debian-12/Dockerfile b/bitnami/keycloak/26/debian-12/Dockerfile index 3ce1db629357..23cb0199145f 100644 --- a/bitnami/keycloak/26/debian-12/Dockerfile +++ b/bitnami/keycloak/26/debian-12/Dockerfile @@ -9,7 +9,7 @@ ARG TARGETARCH LABEL com.vmware.cp.artifact.flavor="sha256:c50c90cfd9d12b445b011e6ad529f1ad3daea45c26d20b00732fae3cd71f6a83" \ org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \ - org.opencontainers.image.created="2025-08-07T14:05:13Z" \ + org.opencontainers.image.created="2025-08-07T17:34:44Z" \ org.opencontainers.image.description="Application packaged by Broadcom, Inc." \ org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/keycloak/README.md" \ org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/keycloak" \ 
@@ -32,7 +32,7 @@ RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \ COMPONENTS=( \ "wait-for-port-1.0.9-2-linux-${OS_ARCH}-debian-12" \ "jre-21.0.8-12-0-linux-${OS_ARCH}-debian-12" \ - "keycloak-26.3.2-0-linux-${OS_ARCH}-debian-12" \ + "keycloak-26.3.2-1-linux-${OS_ARCH}-debian-12" \ ) ; \ for COMPONENT in "${COMPONENTS[@]}"; do \ if [ ! -f "${COMPONENT}.tar.gz" ]; then \ diff --git a/bitnami/keycloak/26/debian-12/prebuildfs/opt/bitnami/.bitnami_components.json b/bitnami/keycloak/26/debian-12/prebuildfs/opt/bitnami/.bitnami_components.json index cd15a3ecef5d..83ca806372bf 100644 --- a/bitnami/keycloak/26/debian-12/prebuildfs/opt/bitnami/.bitnami_components.json +++ b/bitnami/keycloak/26/debian-12/prebuildfs/opt/bitnami/.bitnami_components.json @@ -9,7 +9,7 @@ "arch": "amd64", "distro": "debian-12", "type": "NAMI", - "version": "26.3.2-0" + "version": "26.3.2-1" }, "wait-for-port": { "arch": "amd64", diff --git a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak-env.sh b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak-env.sh index a0383b5d1a45..5201fc298157 100644 --- a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak-env.sh +++ b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak-env.sh 
@@ -26,73 +26,68 @@ export BITNAMI_DEBUG="${BITNAMI_DEBUG:-false}"
 keycloak_env_vars=(
 KEYCLOAK_MOUNTED_CONF_DIR
 KC_RUN_IN_CONTAINER
- KEYCLOAK_ADMIN
- KEYCLOAK_ADMIN_PASSWORD
- KEYCLOAK_HTTP_RELATIVE_PATH
- KEYCLOAK_HTTP_PORT
- KEYCLOAK_HTTPS_PORT
- KEYCLOAK_BIND_ADDRESS
- KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD
- KEYCLOAK_HOSTNAME
- KEYCLOAK_HOSTNAME_ADMIN
- KEYCLOAK_HOSTNAME_STRICT
- KEYCLOAK_INIT_MAX_RETRIES
- KEYCLOAK_CACHE_TYPE
- KEYCLOAK_CACHE_STACK
- KEYCLOAK_CACHE_CONFIG_FILE
- KEYCLOAK_EXTRA_ARGS
- KEYCLOAK_ENABLE_STATISTICS
- KEYCLOAK_ENABLE_HEALTH_ENDPOINTS
- KEYCLOAK_ENABLE_HTTPS
- KEYCLOAK_HTTPS_TRUST_STORE_FILE
- KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD
- KEYCLOAK_HTTPS_KEY_STORE_FILE
- KEYCLOAK_HTTPS_KEY_STORE_PASSWORD
- KEYCLOAK_HTTPS_USE_PEM
- KEYCLOAK_HTTPS_CERTIFICATE_FILE
- KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE
- KEYCLOAK_SPI_TRUSTSTORE_FILE
- KEYCLOAK_SPI_TRUSTSTORE_PASSWORD
- KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY
- KEYCLOAK_LOG_LEVEL
- KEYCLOAK_LOG_OUTPUT
- KEYCLOAK_ROOT_LOG_LEVEL
- KEYCLOAK_PROXY_HEADERS
 KEYCLOAK_PRODUCTION
+ KEYCLOAK_EXTRA_ARGS
 KEYCLOAK_EXTRA_ARGS_PREPENDED
- KEYCLOAK_DATABASE_VENDOR
- KEYCLOAK_DATABASE_HOST
- KEYCLOAK_DATABASE_PORT
- KEYCLOAK_DATABASE_USER
- KEYCLOAK_DATABASE_NAME
- KEYCLOAK_DATABASE_PASSWORD
- KEYCLOAK_DATABASE_SCHEMA
- KEYCLOAK_JDBC_PARAMS
- KEYCLOAK_JDBC_DRIVER
- KEYCLOAK_DAEMON_USER
- KEYCLOAK_DAEMON_GROUP
- KEYCLOAK_ADMIN_USER
+ KC_HTTP_MANAGEMENT_PORT
+ KEYCLOAK_ENABLE_HTTPS
+ KEYCLOAK_HTTPS_USE_PEM
+ KC_BOOTSTRAP_ADMIN_USERNAME
 KC_BOOTSTRAP_ADMIN_PASSWORD
+ KC_HTTP_PORT
+ KC_HTTPS_PORT
+ KC_HTTP_RELATIVE_PATH
+ KC_LOG_LEVEL
+ KC_LOG_CONSOLE_OUTPUT
+ KC_METRICS_ENABLED
+ KC_HEALTH_ENABLED
+ KC_CACHE
+ KC_CACHE_STACK
+ KC_CACHE_CONFIG_FILE
 KC_HOSTNAME
 KC_HOSTNAME_ADMIN
 KC_HOSTNAME_STRICT
- KC_HEALTH_ENABLED
 KC_HTTPS_TRUST_STORE_FILE
 KC_HTTPS_TRUST_STORE_PASSWORD
 KC_HTTPS_KEY_STORE_FILE
 KC_HTTPS_KEY_STORE_PASSWORD
 KC_HTTPS_CERTIFICATE_FILE
 KC_HTTPS_CERTIFICATE_KEY_FILE
- 
KC_SPI_TRUSTSTORE_FILE_FILE
- KC_SPI_TRUSTSTORE_PASSWORD
- KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY
- DB_ADDR
- DB_PORT
- DB_USER
- DB_DATABASE
- DB_PASSWORD
- DB_SCHEMA
- JDBC_PARAMS
+ KC_DB
+ KEYCLOAK_DATABASE_HOST
+ KEYCLOAK_DATABASE_PORT
+ KEYCLOAK_DATABASE_NAME
+ KEYCLOAK_JDBC_PARAMS
+ KEYCLOAK_JDBC_DRIVER
+ KC_DB_USERNAME
+ KC_DB_PASSWORD
+ KC_DB_SCHEMA
+ KEYCLOAK_INIT_MAX_RETRIES
+ KEYCLOAK_DAEMON_USER
+ KEYCLOAK_DAEMON_GROUP
+ KEYCLOAK_HTTP_PORT
+ KEYCLOAK_HTTPS_PORT
+ KEYCLOAK_HTTP_RELATIVE_PATH
+ KEYCLOAK_LOG_LEVEL
+ KEYCLOAK_LOG_OUTPUT
+ KEYCLOAK_ENABLE_STATISTICS
+ KEYCLOAK_ENABLE_HEALTH_ENDPOINTS
+ KEYCLOAK_CACHE_TYPE
+ KEYCLOAK_CACHE_STACK
+ KEYCLOAK_CACHE_CONFIG_FILE
+ KEYCLOAK_HOSTNAME
+ KEYCLOAK_HOSTNAME_ADMIN
+ KEYCLOAK_HOSTNAME_STRICT
+ KEYCLOAK_HTTPS_TRUST_STORE_FILE
+ KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD
+ KEYCLOAK_HTTPS_KEY_STORE_FILE
+ KEYCLOAK_HTTPS_KEY_STORE_PASSWORD
+ KEYCLOAK_HTTPS_CERTIFICATE_FILE
+ KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE
+ KEYCLOAK_DATABASE_VENDOR
+ KEYCLOAK_DATABASE_USER
+ KEYCLOAK_DATABASE_PASSWORD
+ KEYCLOAK_DATABASE_SCHEMA
 )
 for env_var in "${keycloak_env_vars[@]}"; do
 file_env_var="${env_var}_FILE"
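Review bot: The list drops KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_USER, KEYCLOAK_ADMIN_PASSWORD and KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD, while every other legacy KEYCLOAK_* name (KEYCLOAK_HTTP_PORT, KEYCLOAK_DATABASE_USER, KEYCLOAK_DATABASE_PASSWORD, …) is kept so that its `_FILE` variant and the `KC_X="${KC_X:-"${KEYCLOAK_X:-}"}"` fallback in the next hunk keep working; that next hunk adds no such fallback for KC_BOOTSTRAP_ADMIN_USERNAME or KC_BOOTSTRAP_ADMIN_PASSWORD either. A deployment that still passes its admin credentials under the old names therefore ends up with username `user` and an empty bootstrap password, with nothing logged. Dropping the hard-coded `bitnami` default password is the right call, but the legacy names should either be chained, `KC_BOOTSTRAP_ADMIN_USERNAME="${KC_BOOTSTRAP_ADMIN_USERNAME:-"${KEYCLOAK_ADMIN:-}"}"` and `KC_BOOTSTRAP_ADMIN_PASSWORD="${KC_BOOTSTRAP_ADMIN_PASSWORD:-"${KEYCLOAK_ADMIN_PASSWORD:-"${KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD:-}"}"}"` (and re-listed here so `_FILE` still applies), or rejected explicitly in keycloak_validate when set, so that the break is loud rather than silent. What Keycloak itself does with a bootstrap username and no password is outside this diff.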
@@ -116,85 +111,79 @@ export KEYCLOAK_PROVIDERS_DIR="$KEYCLOAK_BASE_DIR/providers"
 export KEYCLOAK_LOG_DIR="$KEYCLOAK_PROVIDERS_DIR/log"
 export KEYCLOAK_TMP_DIR="$KEYCLOAK_PROVIDERS_DIR/tmp"
 export KEYCLOAK_DOMAIN_TMP_DIR="$KEYCLOAK_BASE_DIR/domain/tmp"
-export WILDFLY_BASE_DIR="/opt/bitnami/wildfly"
 export KEYCLOAK_VOLUME_DIR="/bitnami/keycloak"
 export KEYCLOAK_CONF_DIR="$KEYCLOAK_BASE_DIR/conf"
 export KEYCLOAK_DEFAULT_CONF_DIR="$KEYCLOAK_BASE_DIR/conf.default"
 export KEYCLOAK_MOUNTED_CONF_DIR="${KEYCLOAK_MOUNTED_CONF_DIR:-${KEYCLOAK_VOLUME_DIR}/conf}"
 export KEYCLOAK_INITSCRIPTS_DIR="/docker-entrypoint-initdb.d"
 export KEYCLOAK_CONF_FILE="keycloak.conf"
-export KEYCLOAK_DEFAULT_CONF_FILE="keycloak.conf"
 # Keycloak kc.sh context
 export KC_RUN_IN_CONTAINER="${KC_RUN_IN_CONTAINER:-true}"
 # Keycloak configuration
-KEYCLOAK_ADMIN="${KEYCLOAK_ADMIN:-"${KEYCLOAK_ADMIN_USER:-}"}"
-export KEYCLOAK_ADMIN="${KEYCLOAK_ADMIN:-user}"
-export KEYCLOAK_ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-bitnami}"
-export KEYCLOAK_HTTP_RELATIVE_PATH="${KEYCLOAK_HTTP_RELATIVE_PATH:-/}"
-export KEYCLOAK_HTTP_PORT="${KEYCLOAK_HTTP_PORT:-8080}"
-export KEYCLOAK_HTTPS_PORT="${KEYCLOAK_HTTPS_PORT:-8443}"
-export KEYCLOAK_BIND_ADDRESS="${KEYCLOAK_BIND_ADDRESS:-$(hostname --fqdn)}"
-KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD="${KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD:-"${KC_BOOTSTRAP_ADMIN_PASSWORD:-}"}"
-export KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD="${KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD:-}"
-export KC_BOOTSTRAP_ADMIN_PASSWORD="$KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD"
-KEYCLOAK_HOSTNAME="${KEYCLOAK_HOSTNAME:-"${KC_HOSTNAME:-}"}"
-export KEYCLOAK_HOSTNAME="${KEYCLOAK_HOSTNAME:-}"
-KEYCLOAK_HOSTNAME_ADMIN="${KEYCLOAK_HOSTNAME_ADMIN:-"${KC_HOSTNAME_ADMIN:-}"}"
-export KEYCLOAK_HOSTNAME_ADMIN="${KEYCLOAK_HOSTNAME_ADMIN:-}"
-KEYCLOAK_HOSTNAME_STRICT="${KEYCLOAK_HOSTNAME_STRICT:-"${KC_HOSTNAME_STRICT:-}"}"
-export KEYCLOAK_HOSTNAME_STRICT="${KEYCLOAK_HOSTNAME_STRICT:-false}"
-export 
KEYCLOAK_INIT_MAX_RETRIES="${KEYCLOAK_INIT_MAX_RETRIES:-10}"
-export KEYCLOAK_CACHE_TYPE="${KEYCLOAK_CACHE_TYPE:-ispn}"
-export KEYCLOAK_CACHE_STACK="${KEYCLOAK_CACHE_STACK:-}"
-export KEYCLOAK_CACHE_CONFIG_FILE="${KEYCLOAK_CACHE_CONFIG_FILE:-}"
-export KEYCLOAK_EXTRA_ARGS="${KEYCLOAK_EXTRA_ARGS:-}"
-export KEYCLOAK_ENABLE_STATISTICS="${KEYCLOAK_ENABLE_STATISTICS:-false}"
-KEYCLOAK_ENABLE_HEALTH_ENDPOINTS="${KEYCLOAK_ENABLE_HEALTH_ENDPOINTS:-"${KC_HEALTH_ENABLED:-}"}"
-export KEYCLOAK_ENABLE_HEALTH_ENDPOINTS="${KEYCLOAK_ENABLE_HEALTH_ENDPOINTS:-false}"
-export KEYCLOAK_ENABLE_HTTPS="${KEYCLOAK_ENABLE_HTTPS:-false}"
-KEYCLOAK_HTTPS_TRUST_STORE_FILE="${KEYCLOAK_HTTPS_TRUST_STORE_FILE:-"${KC_HTTPS_TRUST_STORE_FILE:-}"}"
-export KEYCLOAK_HTTPS_TRUST_STORE_FILE="${KEYCLOAK_HTTPS_TRUST_STORE_FILE:-}"
-KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD="${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD:-"${KC_HTTPS_TRUST_STORE_PASSWORD:-}"}"
-export KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD="${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD:-}"
-KEYCLOAK_HTTPS_KEY_STORE_FILE="${KEYCLOAK_HTTPS_KEY_STORE_FILE:-"${KC_HTTPS_KEY_STORE_FILE:-}"}"
-export KEYCLOAK_HTTPS_KEY_STORE_FILE="${KEYCLOAK_HTTPS_KEY_STORE_FILE:-}"
-KEYCLOAK_HTTPS_KEY_STORE_PASSWORD="${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD:-"${KC_HTTPS_KEY_STORE_PASSWORD:-}"}"
-export KEYCLOAK_HTTPS_KEY_STORE_PASSWORD="${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD:-}"
-export KEYCLOAK_HTTPS_USE_PEM="${KEYCLOAK_HTTPS_USE_PEM:-false}"
-KEYCLOAK_HTTPS_CERTIFICATE_FILE="${KEYCLOAK_HTTPS_CERTIFICATE_FILE:-"${KC_HTTPS_CERTIFICATE_FILE:-}"}"
-export KEYCLOAK_HTTPS_CERTIFICATE_FILE="${KEYCLOAK_HTTPS_CERTIFICATE_FILE:-}"
-KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE="${KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE:-"${KC_HTTPS_CERTIFICATE_KEY_FILE:-}"}"
-export KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE="${KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE:-}"
-KEYCLOAK_SPI_TRUSTSTORE_FILE="${KEYCLOAK_SPI_TRUSTSTORE_FILE:-"${KC_SPI_TRUSTSTORE_FILE_FILE:-}"}"
-export KEYCLOAK_SPI_TRUSTSTORE_FILE="${KEYCLOAK_SPI_TRUSTSTORE_FILE:-}"
-KEYCLOAK_SPI_TRUSTSTORE_PASSWORD="${KEYCLOAK_SPI_TRUSTSTORE_PASSWORD:-"${KC_SPI_TRUSTSTORE_PASSWORD:-}"}"
-export KEYCLOAK_SPI_TRUSTSTORE_PASSWORD="${KEYCLOAK_SPI_TRUSTSTORE_PASSWORD:-}"
-KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY="${KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY:-"${KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY:-}"}"
-export KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY="${KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY:-}"
-export KEYCLOAK_LOG_LEVEL="${KEYCLOAK_LOG_LEVEL:-info}"
-export KEYCLOAK_LOG_OUTPUT="${KEYCLOAK_LOG_OUTPUT:-default}"
-export KEYCLOAK_ROOT_LOG_LEVEL="${KEYCLOAK_ROOT_LOG_LEVEL:-INFO}"
-export KEYCLOAK_PROXY_HEADERS="${KEYCLOAK_PROXY_HEADERS:-}"
 export KEYCLOAK_PRODUCTION="${KEYCLOAK_PRODUCTION:-false}"
+export KEYCLOAK_EXTRA_ARGS="${KEYCLOAK_EXTRA_ARGS:-}"
 export KEYCLOAK_EXTRA_ARGS_PREPENDED="${KEYCLOAK_EXTRA_ARGS_PREPENDED:-}"
-export KEYCLOAK_DATABASE_VENDOR="${KEYCLOAK_DATABASE_VENDOR:-postgresql}"
-KEYCLOAK_DATABASE_HOST="${KEYCLOAK_DATABASE_HOST:-"${DB_ADDR:-}"}"
+export KC_HTTP_MANAGEMENT_PORT="${KC_HTTP_MANAGEMENT_PORT:-9000}"
+export KEYCLOAK_ENABLE_HTTPS="${KEYCLOAK_ENABLE_HTTPS:-false}"
+export KEYCLOAK_HTTPS_USE_PEM="${KEYCLOAK_HTTPS_USE_PEM:-false}"
+export KC_BOOTSTRAP_ADMIN_USERNAME="${KC_BOOTSTRAP_ADMIN_USERNAME:-user}"
+export KC_BOOTSTRAP_ADMIN_PASSWORD="${KC_BOOTSTRAP_ADMIN_PASSWORD:-}"
+KC_HTTP_PORT="${KC_HTTP_PORT:-"${KEYCLOAK_HTTP_PORT:-}"}"
+export KC_HTTP_PORT="${KC_HTTP_PORT:-8080}"
+KC_HTTPS_PORT="${KC_HTTPS_PORT:-"${KEYCLOAK_HTTPS_PORT:-}"}"
+export KC_HTTPS_PORT="${KC_HTTPS_PORT:-8443}"
+KC_HTTP_RELATIVE_PATH="${KC_HTTP_RELATIVE_PATH:-"${KEYCLOAK_HTTP_RELATIVE_PATH:-}"}"
+export KC_HTTP_RELATIVE_PATH="${KC_HTTP_RELATIVE_PATH:-}"
+KC_LOG_LEVEL="${KC_LOG_LEVEL:-"${KEYCLOAK_LOG_LEVEL:-}"}"
+export KC_LOG_LEVEL="${KC_LOG_LEVEL:-info}"
+KC_LOG_CONSOLE_OUTPUT="${KC_LOG_CONSOLE_OUTPUT:-"${KEYCLOAK_LOG_OUTPUT:-}"}"
+export 
KC_LOG_CONSOLE_OUTPUT="${KC_LOG_CONSOLE_OUTPUT:-default}"
+KC_METRICS_ENABLED="${KC_METRICS_ENABLED:-"${KEYCLOAK_ENABLE_STATISTICS:-}"}"
+export KC_METRICS_ENABLED="${KC_METRICS_ENABLED:-false}"
+KC_HEALTH_ENABLED="${KC_HEALTH_ENABLED:-"${KEYCLOAK_ENABLE_HEALTH_ENDPOINTS:-}"}"
+export KC_HEALTH_ENABLED="${KC_HEALTH_ENABLED:-false}"
+KC_CACHE="${KC_CACHE:-"${KEYCLOAK_CACHE_TYPE:-}"}"
+export KC_CACHE="${KC_CACHE:-}"
+KC_CACHE_STACK="${KC_CACHE_STACK:-"${KEYCLOAK_CACHE_STACK:-}"}"
+export KC_CACHE_STACK="${KC_CACHE_STACK:-}"
+KC_CACHE_CONFIG_FILE="${KC_CACHE_CONFIG_FILE:-"${KEYCLOAK_CACHE_CONFIG_FILE:-}"}"
+export KC_CACHE_CONFIG_FILE="${KC_CACHE_CONFIG_FILE:-}"
+KC_HOSTNAME="${KC_HOSTNAME:-"${KEYCLOAK_HOSTNAME:-}"}"
+export KC_HOSTNAME="${KC_HOSTNAME:-}"
+KC_HOSTNAME_ADMIN="${KC_HOSTNAME_ADMIN:-"${KEYCLOAK_HOSTNAME_ADMIN:-}"}"
+export KC_HOSTNAME_ADMIN="${KC_HOSTNAME_ADMIN:-}"
+KC_HOSTNAME_STRICT="${KC_HOSTNAME_STRICT:-"${KEYCLOAK_HOSTNAME_STRICT:-}"}"
+export KC_HOSTNAME_STRICT="${KC_HOSTNAME_STRICT:-false}"
+KC_HTTPS_TRUST_STORE_FILE="${KC_HTTPS_TRUST_STORE_FILE:-"${KEYCLOAK_HTTPS_TRUST_STORE_FILE:-}"}"
+export KC_HTTPS_TRUST_STORE_FILE="${KC_HTTPS_TRUST_STORE_FILE:-}"
+KC_HTTPS_TRUST_STORE_PASSWORD="${KC_HTTPS_TRUST_STORE_PASSWORD:-"${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD:-}"}"
+export KC_HTTPS_TRUST_STORE_PASSWORD="${KC_HTTPS_TRUST_STORE_PASSWORD:-}"
+KC_HTTPS_KEY_STORE_FILE="${KC_HTTPS_KEY_STORE_FILE:-"${KEYCLOAK_HTTPS_KEY_STORE_FILE:-}"}"
+export KC_HTTPS_KEY_STORE_FILE="${KC_HTTPS_KEY_STORE_FILE:-}"
+KC_HTTPS_KEY_STORE_PASSWORD="${KC_HTTPS_KEY_STORE_PASSWORD:-"${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD:-}"}"
+export KC_HTTPS_KEY_STORE_PASSWORD="${KC_HTTPS_KEY_STORE_PASSWORD:-}"
+KC_HTTPS_CERTIFICATE_FILE="${KC_HTTPS_CERTIFICATE_FILE:-"${KEYCLOAK_HTTPS_CERTIFICATE_FILE:-}"}"
+export KC_HTTPS_CERTIFICATE_FILE="${KC_HTTPS_CERTIFICATE_FILE:-}"
+KC_HTTPS_CERTIFICATE_KEY_FILE="${KC_HTTPS_CERTIFICATE_KEY_FILE:-"${KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE:-}"}"
+export 
KC_HTTPS_CERTIFICATE_KEY_FILE="${KC_HTTPS_CERTIFICATE_KEY_FILE:-}"
+
+# Keycloak database configuration
+KC_DB="${KC_DB:-"${KEYCLOAK_DATABASE_VENDOR:-}"}"
+export KC_DB="${KC_DB:-postgres}"
 export KEYCLOAK_DATABASE_HOST="${KEYCLOAK_DATABASE_HOST:-postgresql}"
-KEYCLOAK_DATABASE_PORT="${KEYCLOAK_DATABASE_PORT:-"${DB_PORT:-}"}"
 export KEYCLOAK_DATABASE_PORT="${KEYCLOAK_DATABASE_PORT:-5432}"
-KEYCLOAK_DATABASE_USER="${KEYCLOAK_DATABASE_USER:-"${DB_USER:-}"}"
-export KEYCLOAK_DATABASE_USER="${KEYCLOAK_DATABASE_USER:-bn_keycloak}"
-KEYCLOAK_DATABASE_NAME="${KEYCLOAK_DATABASE_NAME:-"${DB_DATABASE:-}"}"
 export KEYCLOAK_DATABASE_NAME="${KEYCLOAK_DATABASE_NAME:-bitnami_keycloak}"
-KEYCLOAK_DATABASE_PASSWORD="${KEYCLOAK_DATABASE_PASSWORD:-"${DB_PASSWORD:-}"}"
-export KEYCLOAK_DATABASE_PASSWORD="${KEYCLOAK_DATABASE_PASSWORD:-}"
-KEYCLOAK_DATABASE_SCHEMA="${KEYCLOAK_DATABASE_SCHEMA:-"${DB_SCHEMA:-}"}"
-export KEYCLOAK_DATABASE_SCHEMA="${KEYCLOAK_DATABASE_SCHEMA:-public}"
-KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-"${JDBC_PARAMS:-}"}"
 export KEYCLOAK_JDBC_PARAMS="${KEYCLOAK_JDBC_PARAMS:-}"
 export KEYCLOAK_JDBC_DRIVER="${KEYCLOAK_JDBC_DRIVER:-postgresql}"
+KC_DB_USERNAME="${KC_DB_USERNAME:-"${KEYCLOAK_DATABASE_USER:-}"}"
+export KC_DB_USERNAME="${KC_DB_USERNAME:-bn_keycloak}"
+KC_DB_PASSWORD="${KC_DB_PASSWORD:-"${KEYCLOAK_DATABASE_PASSWORD:-}"}"
+export KC_DB_PASSWORD="${KC_DB_PASSWORD:-}"
+KC_DB_SCHEMA="${KC_DB_SCHEMA:-"${KEYCLOAK_DATABASE_SCHEMA:-}"}"
+export KC_DB_SCHEMA="${KC_DB_SCHEMA:-public}"
+export KEYCLOAK_INIT_MAX_RETRIES="${KEYCLOAK_INIT_MAX_RETRIES:-10}"
 # System users (when running with a privileged user)
 export KEYCLOAK_DAEMON_USER="${KEYCLOAK_DAEMON_USER:-keycloak}"
diff --git a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/entrypoint.sh b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/entrypoint.sh
index 188dab62ae48..b847d4a8e3d3 100755
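Review bot: `KC_DB="${KC_DB:-"${KEYCLOAK_DATABASE_VENDOR:-}"}"` copies the legacy vendor string into KC_DB verbatim, but the legacy value was `postgresql` (its old default, and the string the removed libkeycloak.sh code translated to `postgres` before writing `db`), so a compose file that sets KEYCLOAK_DATABASE_VENDOR=postgresql explicitly now exports `KC_DB=postgresql`. In the libkeycloak.sh hunks below that value fails both `[[ "$KC_DB" = "postgres" ]]` checks, so no db-url is written and the database wait is skipped, and Keycloak is handed a vendor name the old code deliberately did not pass through. A one-line translation between the two assignments keeps the fallback honest: `if [[ "$KC_DB" == "postgresql" ]]; then KC_DB="postgres"; fi`.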
--- a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/entrypoint.sh
+++ b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/entrypoint.sh
@@ -11,17 +11,16 @@ set -o pipefail
 # Load libraries
 . /opt/bitnami/scripts/libbitnami.sh
-. /opt/bitnami/scripts/liblog.sh
 . /opt/bitnami/scripts/libkeycloak.sh
-# Load keycloak environment variables
+# Load Keycloak environment variables
 . /opt/bitnami/scripts/keycloak-env.sh
 print_welcome_page
 # We add the copy from default config in the entrypoint to not break users
 # bypassing the setup.sh logic. If the file already exists do not overwrite (in
-# case someone mounts a configuration file in /opt/bitnami/postgresql/conf)
+# case someone mounts a configuration file in /opt/bitnami/keycloak/conf)
 debug "Copying files from $KEYCLOAK_DEFAULT_CONF_DIR to $KEYCLOAK_CONF_DIR"
 cp -nr "$KEYCLOAK_DEFAULT_CONF_DIR"/. "$KEYCLOAK_CONF_DIR"
diff --git a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/postunpack.sh b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/postunpack.sh
index e0ff5adfc4b7..9c2bc57c0346 100755
--- a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/postunpack.sh
+++ b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/postunpack.sh
@@ -11,16 +11,13 @@ set -o pipefail
 # Load libraries
 . /opt/bitnami/scripts/libkeycloak.sh
-. /opt/bitnami/scripts/libfs.sh
-. /opt/bitnami/scripts/libos.sh
-# Load keycloak environment variables
+# Load Keycloak environment variables
 . /opt/bitnami/scripts/keycloak-env.sh
-ensure_user_exists "$KEYCLOAK_ADMIN"
 ensure_user_exists "$KEYCLOAK_DAEMON_USER" --group "$KEYCLOAK_DAEMON_GROUP"
-for dir in "$KEYCLOAK_LOG_DIR" "$KEYCLOAK_TMP_DIR" "$KEYCLOAK_VOLUME_DIR" "$KEYCLOAK_CONF_DIR" "$KEYCLOAK_DEFAULT_CONF_DIR" "$KEYCLOAK_INITSCRIPTS_DIR" "${KEYCLOAK_BASE_DIR}/.installation" "${KEYCLOAK_BASE_DIR}/data" "${KEYCLOAK_BASE_DIR}/lib" "$KEYCLOAK_BASE_DIR" "$KEYCLOAK_PROVIDERS_DIR"; do
+for dir in "$KEYCLOAK_BASE_DIR" "$KEYCLOAK_PROVIDERS_DIR" "$KEYCLOAK_LOG_DIR" "$KEYCLOAK_TMP_DIR" "$KEYCLOAK_CONF_DIR" "$KEYCLOAK_DEFAULT_CONF_DIR" "${KEYCLOAK_BASE_DIR}/.installation" "${KEYCLOAK_BASE_DIR}/data" "${KEYCLOAK_BASE_DIR}/lib" "$KEYCLOAK_VOLUME_DIR" "$KEYCLOAK_INITSCRIPTS_DIR"; do
 ensure_dir_exists "$dir"
 chmod -R g+rwX "$dir"
 chown -R "$KEYCLOAK_DAEMON_USER" "$dir"
diff --git a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/run.sh b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/run.sh
index a5f49d9068dc..30eba8c47d92 100755
--- a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/run.sh
+++ b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/run.sh
@@ -10,35 +10,25 @@ set -o pipefail
 # set -o xtrace # Uncomment this line for debugging purposes
 # Load libraries
-. /opt/bitnami/scripts/liblog.sh
 . /opt/bitnami/scripts/libkeycloak.sh
-. /opt/bitnami/scripts/libos.sh
-# Load keycloak environment variables
+# Load Keycloak environment variables
 . /opt/bitnami/scripts/keycloak-env.sh
-info "** Starting keycloak **"
-# Use only basename
-conf_file="${KEYCLOAK_CONF_DIR}/${KEYCLOAK_CONF_FILE}"
-
-is_boolean_yes "$KEYCLOAK_PRODUCTION" && start_param="start" || start_param="start-dev"
-
-start_command=("${KEYCLOAK_BIN_DIR}/kc.sh" "-cf" "$conf_file")
-
+start_command=("${KEYCLOAK_BIN_DIR}/kc.sh" "-cf" "${KEYCLOAK_CONF_DIR}/${KEYCLOAK_CONF_FILE}")
 # Prepend extra args
 if [[ -n "$KEYCLOAK_EXTRA_ARGS_PREPENDED" ]]; then
 read -r -a extra_args_prepended <<<"$KEYCLOAK_EXTRA_ARGS_PREPENDED"
 start_command+=("${extra_args_prepended[@]}")
 fi
-
-start_command+=("$start_param")
-
-# Add extra args
+is_boolean_yes "$KEYCLOAK_PRODUCTION" && start_command+=("start") || start_command+=("start-dev")
+# Append extra args
 if [[ -n "$KEYCLOAK_EXTRA_ARGS" ]]; then
 read -r -a extra_args <<<"$KEYCLOAK_EXTRA_ARGS"
 start_command+=("${extra_args[@]}")
 fi
+info "** Starting Keycloak **"
 if am_i_root; then
 exec_as_user "$KEYCLOAK_DAEMON_USER" /bin/bash -c "${start_command[*]}"
 else
diff --git a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/setup.sh b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/setup.sh
index 805b1cbb8908..801a7274603e 100755
--- a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/setup.sh
+++ b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/keycloak/setup.sh
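Review bot: `is_boolean_yes "$KEYCLOAK_PRODUCTION" && start_command+=("start") || start_command+=("start-dev")` is the `a && b || c` idiom, which only behaves as an if/else here because an array append cannot fail; spelling it out states the intent and survives a later edit of the middle command: `if is_boolean_yes "$KEYCLOAK_PRODUCTION"; then start_command+=("start"); else start_command+=("start-dev"); fi`. The root branch below still hands the array to `/bin/bash -c "${start_command[*]}"`, so the carefully built argument array is flattened and re-split by a second shell; that line is unchanged by this commit, but a comment on it noting that extra args containing whitespace or shell metacharacters will not be preserved would save the next reader a surprise.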
@@ -12,17 +12,17 @@ set -o pipefail
 # Load libraries
 . /opt/bitnami/scripts/libkeycloak.sh
-# Load keycloak environment variables
+# Load Keycloak environment variables
 . /opt/bitnami/scripts/keycloak-env.sh
-# Ensure keycloak environment variables are valid
+# Ensure Keycloak environment variables are valid
 keycloak_validate
 # Ensure 'daemon' user exists when running as 'root'
 am_i_root && ensure_user_exists "$KEYCLOAK_DAEMON_USER" --group "$KEYCLOAK_DAEMON_GROUP"
-# Ensure keycloak is initialized
+# Ensure Keycloak is initialized
 keycloak_initialize
-# keycloak init scripts
+# Keycloak init scripts
 keycloak_custom_init_scripts
diff --git a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/libkeycloak.sh b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/libkeycloak.sh
index a087a5ac7850..68e0b65c7c9f 100644
--- a/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/libkeycloak.sh
+++ b/bitnami/keycloak/26/debian-12/rootfs/opt/bitnami/scripts/libkeycloak.sh
@@ -9,22 +9,21 @@
 # Load Generic Libraries
 . /opt/bitnami/scripts/libfs.sh
 . /opt/bitnami/scripts/liblog.sh
-. /opt/bitnami/scripts/libnet.sh
 . /opt/bitnami/scripts/libos.sh
 . /opt/bitnami/scripts/libfile.sh
 . /opt/bitnami/scripts/libvalidations.sh
 ########################
-# Validate settings in KEYCLOAK_* env. variables
+# Validate settings in KEYCLOAK_*,KC_* env. variables
 # Globals:
-# KEYCLOAK_*
+# KEYCLOAK_*,KC_*
 # Arguments:
 # None
 # Returns:
 # None
 #########################
 keycloak_validate() {
- info "Validating settings in KEYCLOAK_* env vars..."
+ info "Validating settings in KEYCLOAK_*,KC_* env vars..."
 local error_code=0
 # Auxiliary functions
@@ -32,7 +31,11 @@ keycloak_validate() {
 error "$1"
 error_code=1
 }
-
+ check_true_false_value() {
+ if ! is_true_false_value "${!1}"; then
+ print_validation_error "The allowed values for $1 are [true, false]"
+ fi
+ }
 check_allowed_port() {
 local port_var="${1:?missing port variable}"
 local -a validate_port_args=()
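Review bot: `check_true_false_value` is introduced here but, in the following hunk, it is invoked only for KEYCLOAK_ENABLE_HTTPS, whereas the loop it replaces also validated KEYCLOAK_ENABLE_STATISTICS and KEYCLOAK_ENABLE_HEALTH_ENDPOINTS; their KC_* successors (KC_METRICS_ENABLED, KC_HEALTH_ENABLED) and the other booleans this image defaults to `false` in keycloak-env.sh (KEYCLOAK_HTTPS_USE_PEM, KEYCLOAK_PRODUCTION, KC_HOSTNAME_STRICT) now reach Keycloak unvalidated. One loop restores the coverage: `for var in KEYCLOAK_ENABLE_HTTPS KEYCLOAK_HTTPS_USE_PEM KEYCLOAK_PRODUCTION KC_METRICS_ENABLED KC_HEALTH_ENABLED KC_HOSTNAME_STRICT; do check_true_false_value "$var"; done`. The helper's `"${!1}"` indirection expects an exported name; a short comment such as `# $1 - name of an exported variable expected to hold true/false` would document that contract. keycloak_validate's body continues past the end of this hunk.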
@@ -42,54 +45,48 @@ keycloak_validate() {
 print_validation_error "An invalid port was specified in the environment variable ${port_var}: ${err}."
 fi
 }
+ check_conflicting_ports() {
+ local -r total="$#"
+ for i in $(seq 1 "$((total - 1))"); do
+ for j in $(seq "$((i + 1))" "$total"); do
+ if (("${!i}" == "${!j}")); then
+ print_validation_error "${!i} and ${!j} are bound to the same port"
+ fi
+ done
+ done
+ }
- if ! is_empty_value "$KEYCLOAK_PROXY_HEADERS" && ! [[ "$KEYCLOAK_PROXY_HEADERS" =~ ^(forwarded|xforwarded)$ ]]; then
- print_validation_error "The value of KEYCLOAK_PROXY_HEADERS should be either empty, 'forwarded' or 'xforwarded'"
- fi
-
+ check_true_false_value KEYCLOAK_ENABLE_HTTPS
 if is_boolean_yes "$KEYCLOAK_ENABLE_HTTPS"; then
 if is_boolean_yes "$KEYCLOAK_HTTPS_USE_PEM"; then
- if is_empty_value "$KEYCLOAK_HTTPS_CERTIFICATE_FILE"; then
- print_validation_error "Path to the TLS certificate not defined. Please set the KEYCLOAK_HTTPS_CERTIFICATE_FILE variable to the mounted PEM certificate"
+ if is_empty_value "$KC_HTTPS_CERTIFICATE_FILE"; then
+ print_validation_error "Path to the TLS certificate not defined. Please set the KC_HTTPS_CERTIFICATE_FILE variable to the mounted PEM certificate"
 fi
- if is_empty_value "$KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE"; then
- print_validation_error "Path to the TLS key not defined. Please set the KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE variable to the mounted PEM key"
+ if is_empty_value "$KC_HTTPS_CERTIFICATE_KEY_FILE"; then
+ print_validation_error "Path to the TLS key not defined. Please set the KC_HTTPS_CERTIFICATE_KEY_FILE variable to the mounted PEM key"
 fi
 else
- if is_empty_value "$KEYCLOAK_HTTPS_TRUST_STORE_FILE"; then
- print_validation_error "Path to the TLS truststore file not defined. Please set the KEYCLOAK_HTTPS_TRUST_STORE_FILE variable to the mounted truststore"
+ if is_empty_value "$KC_HTTPS_TRUST_STORE_FILE"; then
+ print_validation_error "Path to the TLS truststore file not defined. 
Please set the KC_HTTPS_TRUST_STORE_FILE variable to the mounted truststore"
 fi
- if is_empty_value "$KEYCLOAK_HTTPS_KEY_STORE_FILE"; then
- print_validation_error "Path to the TLS keystore file not defined. Please set the KEYCLOAK_HTTPS_KEY_STORE_FILE variable to the mounted keystore"
+ if is_empty_value "$KC_HTTPS_KEY_STORE_FILE"; then
+ print_validation_error "Path to the TLS keystore file not defined. Please set the KC_HTTPS_KEY_STORE_FILE variable to the mounted keystore"
 fi
 fi
 fi
- if ! validate_ip "${KEYCLOAK_BIND_ADDRESS}"; then
- if ! is_hostname_resolved "${KEYCLOAK_BIND_ADDRESS}"; then
- print_validation_error print_validation_error "The value for KEYCLOAK_BIND_ADDRESS ($KEYCLOAK_BIND_ADDRESS) should be an IPv4 or IPv6 address, or it must be a resolvable hostname"
- fi
- fi
-
- if [[ "$KEYCLOAK_HTTP_PORT" -eq "$KEYCLOAK_HTTPS_PORT" ]]; then
- print_validation_error "KEYCLOAK_HTTP_PORT and KEYCLOAK_HTTPS_PORT are bound to the same port!"
- fi
- check_allowed_port KEYCLOAK_HTTP_PORT
- check_allowed_port KEYCLOAK_HTTPS_PORT
-
- for var in KEYCLOAK_ENABLE_HTTPS KEYCLOAK_ENABLE_STATISTICS KEYCLOAK_ENABLE_HEALTH_ENDPOINTS; do
- if ! is_true_false_value "${!var}"; then
- print_validation_error "The allowed values for $var are [true, false]"
- fi
+ check_conflicting_ports KC_HTTP_PORT KC_HTTPS_PORT KC_HTTP_MANAGEMENT_PORT
+ for var in KC_HTTP_PORT KC_HTTPS_PORT KC_HTTP_MANAGEMENT_PORT; do
+ check_allowed_port "$var"
 done
 [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
 ########################
-# Add or modify an entry in the Discourse configuration file
+# Add or modify an entry in the Keycloak configuration file
 # Globals:
-# KEYCLOAK_*
+# KEYCLOAK_CONF_*
 # Arguments:
 # $1 - Variable name
 # $2 - Value to assign to the variable
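Review bot: `check_conflicting_ports` runs before the `check_allowed_port` loop, and its `(("${!i}" == "${!j}"))` test works only because bash's arithmetic evaluation resolves the variable *names* in `$1..$n` to their values a second time; that same evaluation treats a malformed port value (anything that is not a plain integer) as an arithmetic expression, so an invalid KC_HTTP_PORT is evaluated, and possibly misreported as a conflict, before the validator that should reject it ever runs. Validate first, then compare the two values as strings via an explicit indirection, as below; the `for ((...))` form also drops the `seq` subshells. The rewritten helper keeps the same call signature, so the two call sites only swap order. keycloak_validate starts above this hunk and the nested helpers are defined inside it.

```shell
    check_conflicting_ports() {
        local -r total="$#"
        local i j name_i name_j
        for ((i = 1; i < total; i++)); do
            for ((j = i + 1; j <= total; j++)); do
                name_i="${!i}"
                name_j="${!j}"
                # Compare the two variables' values as strings: no arithmetic evaluation of raw input
                if [[ "${!name_i}" == "${!name_j}" ]]; then
                    print_validation_error "${name_i} and ${name_j} are bound to the same port"
                fi
            done
        done
    }
    # … unchanged: check_true_false_value KEYCLOAK_ENABLE_HTTPS and the HTTPS file checks …
    # Reject malformed values before anything compares them
    for var in KC_HTTP_PORT KC_HTTPS_PORT KC_HTTP_MANAGEMENT_PORT; do
        check_allowed_port "$var"
    done
    check_conflicting_ports KC_HTTP_PORT KC_HTTPS_PORT KC_HTTP_MANAGEMENT_PORT
```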
@@ -99,12 +96,7 @@ keycloak_validate() {
 keycloak_conf_set() {
 local -r key="${1:?key missing}"
 local -r value="${2:-}"
- # Redact sensitive values before outputting to debug log
- local redacted_value="${value}"
- if [[ "${key}" =~ ^(db|https-key-store|https-trust-store|spi-truststore-file)-password$ ]]; then
- redacted_value="_redacted_"
- fi
- debug "Setting ${key} to '${redacted_value}' in Keycloak configuration"
+ # Sanitize key (sed does not support fixed string substitutions)
 local sanitized_pattern
 sanitized_pattern="^\s*(#\s*)?$(sed 's/[]\[^$.*/]/\\&/g' <<<"$key")\s*=\s*(.*)"
@@ -121,7 +113,7 @@ keycloak_conf_set() {
 ########################
 # Configure database settings
 # Globals:
-# KEYCLOAK_*
+# KEYCLOAK_*,KC_DB_*
 # Arguments:
 # None
 # Returns:
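Review bot: With the debug line gone, keycloak_conf_set leaves no trace of which keys it rewrote in keycloak.conf, which makes a bad `db-url` harder to diagnose at init time; a key-only message keeps that observability without ever printing a value: `debug "Setting ${key} in Keycloak configuration"`. Should a value ever be logged here again, the redaction the commit removes (the `db`, `https-key-store`, `https-trust-store` and `spi-truststore-file` password keys) needs to come back with it, since this remains the generic setter any future caller will use. keycloak_conf_set's body continues past the end of this hunk.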
@@ -132,163 +124,18 @@ keycloak_configure_database() {
 jdbc_params="$(echo "$KEYCLOAK_JDBC_PARAMS" | sed -E '/^$|^\&.+$/!s/^/\&/;s/\&/\\&/g')"
 info "Configuring database settings"
- if [[ "${KEYCLOAK_DATABASE_VENDOR}" == "postgresql" ]]; then
- keycloak_conf_set "db" "postgres"
- keycloak_conf_set "db-username" "$KEYCLOAK_DATABASE_USER"
- keycloak_conf_set "db-password" "$KEYCLOAK_DATABASE_PASSWORD"
- keycloak_conf_set "db-url" "jdbc:${KEYCLOAK_JDBC_DRIVER}://${KEYCLOAK_DATABASE_HOST}:${KEYCLOAK_DATABASE_PORT}/${KEYCLOAK_DATABASE_NAME}?currentSchema=${KEYCLOAK_DATABASE_SCHEMA}${jdbc_params}"
- else
- keycloak_conf_set "db" "$KEYCLOAK_DATABASE_VENDOR"
+ if [[ "$KC_DB" = "postgres" ]]; then
+ # Backwards compatibility with old environment variables
+ if [[ -z "${KC_DB_URL:-}" ]]; then
+ keycloak_conf_set "db-url" "jdbc:${KEYCLOAK_JDBC_DRIVER}://${KEYCLOAK_DATABASE_HOST}:${KEYCLOAK_DATABASE_PORT}/${KEYCLOAK_DATABASE_NAME}?currentSchema=${KC_DB_SCHEMA}${jdbc_params}"
+ fi
 fi
 }
-########################
-# Configure cluster caching
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_cache() {
- info "Configuring cache count"
- ! is_empty_value "$KEYCLOAK_CACHE_STACK" && keycloak_conf_set "cache-stack" "${KEYCLOAK_CACHE_STACK}"
- ! 
is_empty_value "$KEYCLOAK_CACHE_CONFIG_FILE" && keycloak_conf_set "cache-config-file" "${KEYCLOAK_CACHE_CONFIG_FILE}"
- keycloak_conf_set "cache" "$KEYCLOAK_CACHE_TYPE"
-}
-
-########################
-# Enable statistics
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_metrics() {
- info "Enabling statistics"
- keycloak_conf_set "metrics-enabled" "$KEYCLOAK_ENABLE_STATISTICS"
-}
-
-########################
-# Enable health endpoints
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_health_endpoints() {
- info "Enabling health endpoints"
- keycloak_conf_set "health-enabled" "$KEYCLOAK_ENABLE_HEALTH_ENDPOINTS"
-}
-
-########################
-# Configure hostname
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_hostname() {
- info "Configuring hostname settings"
- ! is_empty_value "$KEYCLOAK_HOSTNAME" && keycloak_conf_set "hostname" "${KEYCLOAK_HOSTNAME}"
- ! 
is_empty_value "$KEYCLOAK_HOSTNAME_ADMIN" && keycloak_conf_set "hostname-admin" "${KEYCLOAK_HOSTNAME_ADMIN}"
- keycloak_conf_set "hostname-strict" "${KEYCLOAK_HOSTNAME_STRICT}"
-}
-
-########################
-# Configure http
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_http() {
- info "Configuring http settings"
- keycloak_conf_set "http-enabled" "true"
- keycloak_conf_set "http-relative-path" "${KEYCLOAK_HTTP_RELATIVE_PATH}"
- keycloak_conf_set "http-port" "${KEYCLOAK_HTTP_PORT}"
- keycloak_conf_set "https-port" "${KEYCLOAK_HTTPS_PORT}"
-}
-
-########################
-# Configure logging settings
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_loglevel() {
- info "Configuring log level"
- keycloak_conf_set "log-level" "${KEYCLOAK_LOG_LEVEL}"
- keycloak_conf_set "log-console-output" "${KEYCLOAK_LOG_OUTPUT}"
-}
-
-########################
-# Configure proxy settings using JBoss CLI
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# None
-# Returns:
-# None
-#########################
-keycloak_configure_proxy() {
- info "Configuring proxy"
- keycloak_conf_set "proxy-headers" "${KEYCLOAK_PROXY_HEADERS}"
-}
-
-########################
-# Configure HTTPS settings
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# Returns:
-# None
-#########################
-keycloak_configure_https() {
- info "Configuring Keycloak HTTPS settings"
- if is_boolean_yes "$KEYCLOAK_HTTPS_USE_PEM"; then
- keycloak_conf_set "https-certificate-file" "${KEYCLOAK_HTTPS_CERTIFICATE_FILE}"
- keycloak_conf_set "https-certificate-key-file" "${KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE}"
- else
- ! is_empty_value "$KEYCLOAK_HTTPS_KEY_STORE_PASSWORD" && keycloak_conf_set "https-key-store-password" "${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD}"
- ! 
is_empty_value "$KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD" && keycloak_conf_set "https-trust-store-password" "${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD}"
- keycloak_conf_set "https-key-store-file" "${KEYCLOAK_HTTPS_KEY_STORE_FILE}"
- keycloak_conf_set "https-trust-store-file" "${KEYCLOAK_HTTPS_TRUST_STORE_FILE}"
- fi
-}
-
-########################
-# Configure SPI TLS settings
-# Globals:
-# KEYCLOAK_*
-# Arguments:
-# Returns:
-# None
-#########################
-keycloak_configure_spi_tls() {
- info "Configuring Keycloak SPI TLS settings"
- ! is_empty_value "$KEYCLOAK_SPI_TRUSTSTORE_PASSWORD" && keycloak_conf_set "spi-truststore-file-password" "${KEYCLOAK_SPI_TRUSTSTORE_PASSWORD}"
- ! is_empty_value "$KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY" && keycloak_conf_set "spi-truststore-file-hostname-verification-policy" "${KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY}"
- keycloak_conf_set "spi-truststore-file-file" "${KEYCLOAK_SPI_TRUSTSTORE_FILE}"
-
-}
-
 ########################
 # Initialize keycloak installation
 # Globals:
-# KEYCLOAK_*
+# KEYCLOAK_*,KC_*
 # Arguments:
 # None
 # Returns:
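Review bot: The removed keycloak_configure_http wrote `http-enabled=true` to keycloak.conf on every start, and nothing in the new code sets that option or exports a `KC_HTTP_ENABLED` default in keycloak-env.sh; unless the README change (not in this excerpt) covers it, deployments that run `start` (KEYCLOAK_PRODUCTION=true) with plain HTTP behind a TLS-terminating proxy now depend on Keycloak's own default for that option, so the intended behaviour should be decided and documented explicitly rather than left implicit. In keycloak_configure_database, when KC_DB_URL is set the KEYCLOAK_DATABASE_HOST, KEYCLOAK_DATABASE_PORT, KEYCLOAK_DATABASE_NAME, KEYCLOAK_JDBC_DRIVER and KEYCLOAK_JDBC_PARAMS values are ignored without a word; an `else` branch with `debug "KC_DB_URL is set; ignoring KEYCLOAK_DATABASE_HOST, KEYCLOAK_DATABASE_PORT, KEYCLOAK_DATABASE_NAME, KEYCLOAK_JDBC_DRIVER and KEYCLOAK_JDBC_PARAMS"` would make that visible. KC_DB_URL is also the one KC_DB_* name missing from keycloak_env_vars in the first keycloak-env.sh hunk, so `KC_DB_URL_FILE` is not honoured even though a JDBC URL can carry connection parameters one would rather keep in a file. keycloak_configure_database's signature sits above this hunk.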
@@ -296,40 +143,40 @@ keycloak_configure_spi_tls() {
 #########################
 keycloak_initialize() {
 # Clean to avoid issues when running docker restart
- if [[ "${KEYCLOAK_DATABASE_VENDOR}" == "postgresql" ]]; then
+ if [[ "$KC_DB" = "postgres" ]]; then
+ local db_host db_port
+ if [[ -z "${KC_DB_URL:-}" ]]; then
+ db_host="$KEYCLOAK_DATABASE_HOST"
+ db_port="$KEYCLOAK_DATABASE_PORT"
+ else
+ # Extract host and port from KC_DB_URL
+ db_host="$(echo "$KC_DB_URL" | sed -E 's/.*\/\/([^:]+):([0-9]+).*/\1/')"
+ db_port="$(echo "$KC_DB_URL" | sed -E 's/.*\/\/[^:]+:([0-9]+).*/\1/')"
+ fi
 # Wait for database
- info "Trying to connect to PostgreSQL server $KEYCLOAK_DATABASE_HOST..."
- if ! retry_while "wait-for-port --host $KEYCLOAK_DATABASE_HOST --timeout 10 $KEYCLOAK_DATABASE_PORT" "$KEYCLOAK_INIT_MAX_RETRIES"; then
- error "Unable to connect to host $KEYCLOAK_DATABASE_HOST"
+ info "Trying to connect to PostgreSQL server $db_host..."
+ if ! retry_while "wait-for-port --host $db_host --timeout 10 $db_port" "$KEYCLOAK_INIT_MAX_RETRIES"; then
+ error "Unable to connect to host $db_host"
 exit 1
 else
- info "Found PostgreSQL server listening at $KEYCLOAK_DATABASE_HOST:$KEYCLOAK_DATABASE_PORT"
- fi
-
- if ! is_dir_empty "$KEYCLOAK_MOUNTED_CONF_DIR"; then
- cp -Lr "$KEYCLOAK_MOUNTED_CONF_DIR"/* "$KEYCLOAK_CONF_DIR"
- # Add new line to the end of the file to avoid issues when mounting
- # config files with no new line at the end
- echo >> "${KEYCLOAK_CONF_DIR}/${KEYCLOAK_CONF_FILE}"
+ info "Found PostgreSQL server listening at $db_host:$db_port"
 fi
 fi
+ if ! is_dir_empty "$KEYCLOAK_MOUNTED_CONF_DIR"; then
+ cp -Lr "$KEYCLOAK_MOUNTED_CONF_DIR"/* "$KEYCLOAK_CONF_DIR"
+ # Add new line to the end of the file to avoid issues when mounting
+ # config files with no new line at the end
+ echo >> "${KEYCLOAK_CONF_DIR}/${KEYCLOAK_CONF_FILE}"
+ fi
+
 keycloak_configure_database
- keycloak_configure_metrics
- keycloak_configure_health_endpoints
- keycloak_configure_http
- keycloak_configure_hostname
- keycloak_configure_cache
- keycloak_configure_loglevel
- ! is_empty_value "$KEYCLOAK_PROXY_HEADERS" && keycloak_configure_proxy
- is_boolean_yes "$KEYCLOAK_ENABLE_HTTPS" && keycloak_configure_https
- ! is_empty_value "$KEYCLOAK_SPI_TRUSTSTORE_FILE" && keycloak_configure_spi_tls
 true
 }
 
 ########################
 # Run custom initialization scripts
 # Globals:
-# KEYCLOAK_*
+# KEYCLOAK_INITSCRIPTS_DIR,KEYCLOAK_VOLUME_DIR
 # Arguments:
 # None
 # Returns:
@@ -355,6 +202,6 @@ keycloak_custom_init_scripts() {
 esac
 done <$tmp_file
 rm -f "$tmp_file"
- touch "$KEYCLOAK_VOLUME_DIR"/.user_scripts_initialized
+ touch "${KEYCLOAK_VOLUME_DIR}/.user_scripts_initialized"
 fi
 }
diff --git a/bitnami/keycloak/README.md b/bitnami/keycloak/README.md
index 782bd353f284..4d07119579dc 100644
--- a/bitnami/keycloak/README.md
+++ b/bitnami/keycloak/README.md
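Review bot: The KC_DB_URL host/port extraction at the top of keycloak_initialize has no failure path: when the URL carries no explicit `host:port` (default port, an IPv6 literal, or any form the pattern does not expect) both `sed` substitutions return the whole URL unchanged, so `db_host` and `db_port` become the full JDBC URL. That value is then interpolated into the `retry_while "wait-for-port --host $db_host --timeout 10 $db_port"` command string — retry_while appears to evaluate that string, so `?`, `&` or spaces in the URL are word-split and interpreted by the shell — and it is also printed verbatim in the `info`/`error` lines, which would expose any credentials embedded in the URL's query parameters. A bash regex with an explicit fallback to `KEYCLOAK_DATABASE_HOST`/`KEYCLOAK_DATABASE_PORT` keeps the wait meaningful when extraction fails and drops the two `echo | sed` subshells. The rest of the function (wait loop, mounted conf copy, `keycloak_configure_database`) is unchanged.

```shell
    if [[ "$KC_DB" = "postgres" ]]; then
        local db_host db_port
        # Use the host:port from KC_DB_URL only when both can be recovered; otherwise
        # (URL unset, default port, IPv6 literal, ...) fall back to KEYCLOAK_DATABASE_*
        if [[ -n "${KC_DB_URL:-}" && "$KC_DB_URL" =~ //([^:/?]+):([0-9]+) ]]; then
            db_host="${BASH_REMATCH[1]}"
            db_port="${BASH_REMATCH[2]}"
        else
            db_host="$KEYCLOAK_DATABASE_HOST"
            db_port="$KEYCLOAK_DATABASE_PORT"
        fi
        # … unchanged: wait-for-port retry loop …
```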
@@ -81,75 +81,67 @@ docker build -t bitnami/APP:latest . #### Customizable environment variables -| Name | Description | Default Value | -|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|-------------------------------| -| `KEYCLOAK_MOUNTED_CONF_DIR` | Directory for including custom configuration files (that override the default generated ones) | `${KEYCLOAK_VOLUME_DIR}/conf` | -| `KC_RUN_IN_CONTAINER` | Keycloak kc.sh context | `true` | -| `KEYCLOAK_ADMIN` | Keycloak administrator user | `user` | -| `KEYCLOAK_ADMIN_PASSWORD` | Keycloak administrator password | `bitnami` | -| `KEYCLOAK_HTTP_RELATIVE_PATH` | Set the path relative to "/" for serving resources. | `/` | -| `KEYCLOAK_HTTP_PORT` | HTTP port | `8080` | -| `KEYCLOAK_HTTPS_PORT` | HTTPS port | `8443` | -| `KEYCLOAK_BIND_ADDRESS` | Bind address | `$(hostname --fqdn)` | -| `KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD` | Keycloak initial admin password | `nil` | -| `KEYCLOAK_HOSTNAME` | Keycloak hostname | `nil` | -| `KEYCLOAK_HOSTNAME_ADMIN` | Keycloak admin hostname | `nil` | -| `KEYCLOAK_HOSTNAME_STRICT` | Disables dynamically resolving the hostname from request headers | `false` | -| `KEYCLOAK_INIT_MAX_RETRIES` | Maximum retries for checking that the database works | `10` | -| `KEYCLOAK_CACHE_TYPE` | Defines the cache mechanism for high-availability. 
| `ispn` | -| `KEYCLOAK_CACHE_STACK` | Apply a specific cache stack | `nil` | -| `KEYCLOAK_CACHE_CONFIG_FILE` | Path to the cache config file | `nil` | -| `KEYCLOAK_EXTRA_ARGS` | Add extra startup parameters to keycloak | `nil` | -| `KEYCLOAK_ENABLE_STATISTICS` | Enable metrics for the database | `false` | -| `KEYCLOAK_ENABLE_HEALTH_ENDPOINTS` | Enable health endpoints | `false` | -| `KEYCLOAK_ENABLE_HTTPS` | Enable SSL certificates | `false` | -| `KEYCLOAK_HTTPS_TRUST_STORE_FILE` | Path to the SSL truststore file | `nil` | -| `KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD` | Password for decrypting the truststore file | `nil` | -| `KEYCLOAK_HTTPS_KEY_STORE_FILE` | Path to the SSL keystore file | `nil` | -| `KEYCLOAK_HTTPS_KEY_STORE_PASSWORD` | Password for decrypting the keystore file | `nil` | -| `KEYCLOAK_HTTPS_USE_PEM` | Set to true to configure HTTPS using PEM certificates | `false` | -| `KEYCLOAK_HTTPS_CERTIFICATE_FILE` | Path to the PEM certificate file | `nil` | -| `KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE` | Path to the PEM key file | `nil` | -| `KEYCLOAK_SPI_TRUSTSTORE_FILE` | Path to the Keycloak SPI truststore file | `nil` | -| `KEYCLOAK_SPI_TRUSTSTORE_PASSWORD` | Password for decrypting the SPI truststore file | `nil` | -| `KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY` | Hostqname verification policy for SPI connection over HTTPS/TLS | `nil` | -| `KEYCLOAK_LOG_LEVEL` | Keycloak log level | `info` | -| `KEYCLOAK_LOG_OUTPUT` | Keycloak log output | `default` | -| `KEYCLOAK_ROOT_LOG_LEVEL` | Keycloak root log level | `INFO` | -| `KEYCLOAK_PROXY_HEADERS` | Keycloak reverse proxy headers | `nil` | -| `KEYCLOAK_PRODUCTION` | Run in production mode | `false` | -| `KEYCLOAK_EXTRA_ARGS_PREPENDED` | Run with flags which are applied directly to keycloak executable | `nil` | -| `KEYCLOAK_DATABASE_VENDOR` | Database vendor | `postgresql` | -| `KEYCLOAK_DATABASE_HOST` | Database backend hostname | `postgresql` | -| `KEYCLOAK_DATABASE_PORT` | Database backend port | 
`5432` | -| `KEYCLOAK_DATABASE_USER` | Database backend username | `bn_keycloak` | -| `KEYCLOAK_DATABASE_NAME` | Database name | `bitnami_keycloak` | -| `KEYCLOAK_DATABASE_PASSWORD` | Database backend password | `nil` | -| `KEYCLOAK_DATABASE_SCHEMA` | PostgreSQL database schema | `public` | -| `KEYCLOAK_JDBC_PARAMS` | Extra JDBC connection parameters for the database (e.g.: `sslmode=verify-full&connectTimeout=30000`\) | `nil` | -| `KEYCLOAK_JDBC_DRIVER` | JDBC driver to set in the connection string for the database | `postgresql` | -| `KEYCLOAK_DAEMON_USER` | Keycloak daemon user when running as root | `keycloak` | -| `KEYCLOAK_DAEMON_GROUP` | Keycloak daemon group when running as root | `keycloak` | +| Name | Description | Default Value | +|---------------------------------|----------------------------------------------------------------------------------------------------|-------------------------------| +| `KEYCLOAK_MOUNTED_CONF_DIR` | Directory for including custom configuration files (that override the default generated ones) | `${KEYCLOAK_VOLUME_DIR}/conf` | +| `KC_RUN_IN_CONTAINER` | Keycloak kc.sh context | `true` | +| `KEYCLOAK_PRODUCTION` | Run in production mode. | `false` | +| `KEYCLOAK_EXTRA_ARGS` | Append extra arguments to Keycloak start command. | `nil` | +| `KEYCLOAK_EXTRA_ARGS_PREPENDED` | Prepend extra arguments to Keycloak start command. | `nil` | +| `KC_HTTP_MANAGEMENT_PORT` | Management interface port. | `9000` | +| `KEYCLOAK_ENABLE_HTTPS` | Enable SSL certificates | `false` | +| `KEYCLOAK_HTTPS_USE_PEM` | Set to true to configure HTTPS using PEM certificates | `false` | +| `KC_BOOTSTRAP_ADMIN_USERNAME` | Bootstrap admin username | `user` | +| `KC_BOOTSTRAP_ADMIN_PASSWORD` | Bootstrap admin password | `nil` | +| `KC_HTTP_PORT` | HTTP port | `8080` | +| `KC_HTTPS_PORT` | HTTPS port | `8443` | +| `KC_HTTP_RELATIVE_PATH` | Set the path relative to "/" for serving resources. 
| `nil` | +| `KC_LOG_LEVEL` | Keycloak log level | `info` | +| `KC_LOG_CONSOLE_OUTPUT` | Keycloak log output | `default` | +| `KC_METRICS_ENABLED` | Enable metrics. | `false` | +| `KC_HEALTH_ENABLED` | Enable health check endpoints. | `false` | +| `KC_CACHE` | Cache mechanism for high-availability. | `nil` | +| `KC_CACHE_STACK` | Default stack to use for cluster communication and node discovery. | `nil` | +| `KC_CACHE_CONFIG_FILE` | Path to the file from which cache configuration should be loaded from. | `nil` | +| `KC_HOSTNAME` | Keycloak hostname | `nil` | +| `KC_HOSTNAME_ADMIN` | Keycloak admin hostname | `nil` | +| `KC_HOSTNAME_STRICT` | Disables dynamically resolving the hostname from request headers | `false` | +| `KC_HTTPS_TRUST_STORE_FILE` | Path to the SSL truststore file | `nil` | +| `KC_HTTPS_TRUST_STORE_PASSWORD` | Password for decrypting the truststore file | `nil` | +| `KC_HTTPS_KEY_STORE_FILE` | Path to the SSL keystore file | `nil` | +| `KC_HTTPS_KEY_STORE_PASSWORD` | Password for decrypting the keystore file | `nil` | +| `KC_HTTPS_CERTIFICATE_FILE` | Path to the PEM certificate file | `nil` | +| `KC_HTTPS_CERTIFICATE_KEY_FILE` | Path to the PEM key file | `nil` | +| `KC_DB` | Database vendor | `postgres` | +| `KEYCLOAK_DATABASE_HOST` | Database hostname | `postgresql` | +| `KEYCLOAK_DATABASE_PORT` | Database port | `5432` | +| `KEYCLOAK_DATABASE_NAME` | Database name | `bitnami_keycloak` | +| `KEYCLOAK_JDBC_PARAMS` | Extra JDBC connection parameters for the database (e.g.: sslmode=verify-full&connectTimeout=30000) | `nil` | +| `KEYCLOAK_JDBC_DRIVER` | JDBC driver to set in the connection string for the database | `postgresql` | +| `KC_DB_USERNAME` | Database username | `bn_keycloak` | +| `KC_DB_PASSWORD` | Database password | `nil` | +| `KC_DB_SCHEMA` | PostgreSQL database schema | `public` | +| `KEYCLOAK_INIT_MAX_RETRIES` | Maximum retries for checking that the database works | `10` | +| `KEYCLOAK_DAEMON_USER` | Keycloak daemon user when running 
as root | `keycloak` | +| `KEYCLOAK_DAEMON_GROUP` | Keycloak daemon group when running as root | `keycloak` | #### Read-only environment variables -| Name | Description | Value | -|------------------------------|---------------------------------------------------------|-----------------------------------| -| `BITNAMI_VOLUME_DIR` | Directory where to mount volumes. | `/bitnami` | -| `JAVA_HOME` | Java installation directory | `/opt/bitnami/java` | -| `KEYCLOAK_BASE_DIR` | Keycloak base directory | `/opt/bitnami/keycloak` | -| `KEYCLOAK_BIN_DIR` | Keycloak bin directory | `$KEYCLOAK_BASE_DIR/bin` | -| `KEYCLOAK_PROVIDERS_DIR` | Keycloak Wildfly extensions directory | `$KEYCLOAK_BASE_DIR/providers` | -| `KEYCLOAK_LOG_DIR` | Keycloak bin directory | `$KEYCLOAK_PROVIDERS_DIR/log` | -| `KEYCLOAK_TMP_DIR` | Keycloak tmp directory | `$KEYCLOAK_PROVIDERS_DIR/tmp` | -| `KEYCLOAK_DOMAIN_TMP_DIR` | Keycloak tmp directory | `$KEYCLOAK_BASE_DIR/domain/tmp` | -| `WILDFLY_BASE_DIR` | Wildfly base directory | `/opt/bitnami/wildfly` | -| `KEYCLOAK_VOLUME_DIR` | Path to keycloak mount directory | `/bitnami/keycloak` | -| `KEYCLOAK_CONF_DIR` | Keycloak configuration directory | `$KEYCLOAK_BASE_DIR/conf` | -| `KEYCLOAK_DEFAULT_CONF_DIR` | Keycloak default configuration directory | `$KEYCLOAK_BASE_DIR/conf.default` | -| `KEYCLOAK_INITSCRIPTS_DIR` | Path to keycloak init scripts directory | `/docker-entrypoint-initdb.d` | -| `KEYCLOAK_CONF_FILE` | Name of the keycloak configuration file (relative path) | `keycloak.conf` | -| `KEYCLOAK_DEFAULT_CONF_FILE` | Name of the keycloak configuration file (relative path) | `keycloak.conf` | +| Name | Description | Value | +|-----------------------------|---------------------------------------------------------|-----------------------------------| +| `BITNAMI_VOLUME_DIR` | Directory where to mount volumes. 
| `/bitnami` | +| `JAVA_HOME` | Java installation directory | `/opt/bitnami/java` | +| `KEYCLOAK_BASE_DIR` | Keycloak base directory | `/opt/bitnami/keycloak` | +| `KEYCLOAK_BIN_DIR` | Keycloak bin directory | `$KEYCLOAK_BASE_DIR/bin` | +| `KEYCLOAK_PROVIDERS_DIR` | Keycloak providers (extensions) directory | `$KEYCLOAK_BASE_DIR/providers` | +| `KEYCLOAK_LOG_DIR` | Keycloak bin directory | `$KEYCLOAK_PROVIDERS_DIR/log` | +| `KEYCLOAK_TMP_DIR` | Keycloak tmp directory | `$KEYCLOAK_PROVIDERS_DIR/tmp` | +| `KEYCLOAK_DOMAIN_TMP_DIR` | Keycloak tmp directory | `$KEYCLOAK_BASE_DIR/domain/tmp` | +| `KEYCLOAK_VOLUME_DIR` | Path to keycloak mount directory | `/bitnami/keycloak` | +| `KEYCLOAK_CONF_DIR` | Keycloak configuration directory | `$KEYCLOAK_BASE_DIR/conf` | +| `KEYCLOAK_DEFAULT_CONF_DIR` | Keycloak default configuration directory | `$KEYCLOAK_BASE_DIR/conf.default` | +| `KEYCLOAK_INITSCRIPTS_DIR` | Path to keycloak init scripts directory | `/docker-entrypoint-initdb.d` | +| `KEYCLOAK_CONF_FILE` | Name of the keycloak configuration file (relative path) | `keycloak.conf` | ### Extra arguments to Keycloak startup 
@@ -210,14 +202,6 @@ Apart from that, the following environment variables must be set: - `KEYCLOAK_HTTPS_CERTIFICATE_FILE`: Path to the PEM certificate file (e.g. `/opt/bitnami/keycloak/certs/tls.crt`). No defaults. - `KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE`: Path to the PEM key file (e.g. `/opt/bitnami/keycloak/certs/tls.key`). No defaults. -### SPI TLS truststore - -The Bitnami Keycloak Docker image supports configuring a truststore for HTTP/TLS connection with Keycloak SPIs. - -- `KEYCLOAK_SPI_TRUSTSTORE_FILE`: Path to the Keycloak SPI truststore file (e.g. `/opt/bitnami/keycloak/certs-spi/truststore.jks`). No defaults. -- `KEYCLOAK_SPI_TRUSTSTORE_PASSWORD`: Password for decrypting the SPI truststore file. No defaults. -- `KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY`: Hostname verification policy for SPI connection over HTTPS/TLS - ### Adding custom themes In order to add new themes to Keycloak, you can mount them to the `/opt/bitnami/keycloak/themes` folder. The example below mounts a new theme. 
@@ -248,14 +232,14 @@ volumes: driver: local ``` -### Enabling statistics +### Enabling metrics -The Bitnami Keycloak container can activate different set of statistics (database, jgroups and http) by setting the environment variable `KEYCLOAK_ENABLE_STATISTICS=true`. +The Bitnami Keycloak container can activate different set of metrics (database, jgroups and http) by setting the environment variable `KC_METRICS_ENABLED=true`. See [the official documentation](https://www.keycloak.org/observability/configuration-metrics) for more information about these metrics. ### Enabling health endpoints -The Bitnami Keycloak container can activate several endpoints providing information about the health of Keycloak, by setting the environment variable `KEYCLOAK_ENABLE_HEALTH_ENDPOINTS=true`. -See [the official documentation](https://www.keycloak.org/server/health) for more information about these endpoints. +The Bitnami Keycloak container can activate several endpoints providing information about the health of Keycloak, by setting the environment variable `KC_HEALTH_ENABLED=true`. +See [the official documentation](https://www.keycloak.org/observability/health) for more information about these endpoints. ### Full configuration 
@@ -280,6 +264,20 @@ After that, your changes will be taken into account in the server's behaviour. ## Notable Changes +### 26.3.2-debian-12-r1 + +The following environment variables have been deprecated. Instead rely on the native `KC_*` equivalent environment variables: + +- `KEYCLOAK_CACHE_TYPE`, `KEYCLOAK_CACHE_STACK` and `KEYCLOAK_CACHE_CONFIG_FILE` +- `KEYCLOAK_ENABLE_STATISTICS` and `KEYCLOAK_ENABLE_HEALTH_ENDPOINTS` +- `KEYCLOAK_LOG_LEVEL` and `KEYCLOAK_LOG_OUTPUT` +- `KEYCLOAK_HOSTNAME`, `KEYCLOAK_HOSTNAME_ADMIN` and `KEYCLOAK_HOSTNAME_STRICT` +- `KEYCLOAK_PROXY_HEADERS` +- `KEYCLOAK_ADMIN_USER` and `KEYCLOAK_BOOTSTRAP_ADMIN_PASSWORD` + +The [https://github.com/aerogear/keycloak-metrics-spi](https://github.com/aerogear/keycloak-metrics-spi) provider is no longer shipped by default in the container image. +Also, support for deprecated SPI truststore was removed. + ### 19-debian-11-r4 - TLS environment variables have been renamed to match upstream.