-
Notifications
You must be signed in to change notification settings - Fork 0
/
docker-compose.yaml
64 lines (54 loc) · 2.21 KB
/
docker-compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
services:
envoy:
image: envoyproxy/envoy:v1.31.0
command: ["envoy", "-c", "/input/src/test/resources/integration-test/envoy-xfcc.yaml"]
volumes:
- ./:/input:ro
ports:
- "8443:8443"
keycloak:
image: quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
#
# Notes:
#
# - Kecyloak 22 does not support
# --spi-x509cert-lookup-envoy-cert-path-verify='[[ "CN=envoy-client" ]]'
# The parameter must be quoted as follows::
# --spi-x509cert-lookup-envoy-cert-path-verify='[[\"CN=authorized-client\"]]'
#
# This is possibly related to https://github.com/keycloak/keycloak/pull/22585
#
# - Keycloak 22 does not support PEM format for
# --https-trust-store-file=/input/target/certs/client-ca.pem
# even though following guide indicated it should work
# https://www.keycloak.org/nightly/server/mutual-tls#_using_a_dedicated_truststore_for_mtls
#
# Keycloak 26 and newer suppport also following
# --truststore-paths=/input/target/certs/client-ca.pem
#
entrypoint: /bin/bash
command:
- -cxe
- |
/opt/keycloak/bin/kc.sh import --file /input/src/test/resources/integration-test/keycloak-realm.json
/opt/keycloak/bin/kc.sh start \
--https-certificate-file=/input/target/certs/keycloak.pem \
--https-certificate-key-file=/input/target/certs/keycloak-key.pem \
--https-trust-store-file=/input/target/certs/client-ca-truststore.p12 \
--https-trust-store-password=password \
--https-client-auth=request \
--spi-x509cert-lookup-provider=envoy \
--spi-x509cert-lookup-envoy-cert-path-verify='[[ "CN=envoy-client" ]]' \
--log-level=INFO,io.github.nordix.keycloak.services.x509:debug
environment:
- KC_BOOTSTRAP_ADMIN_USERNAME=admin
- KC_BOOTSTRAP_ADMIN_PASSWORD=admin
- KC_HOSTNAME=https://keycloak.127.0.0.1.nip.io:8443
- KC_HTTP_ENABLED=true
volumes:
- ./:/input:ro
- ${EXTENSION_JAR_PATH}:/opt/keycloak/providers/keycloak-client-cert-lookup-for-envoy.jar:ro
# Expose Keycloak's HTTPS port to allow test suite to do direct requests.
ports:
- "10080:8080"
- "10443:8443"