keycloak-quickstarts/proxy/haproxy/reencrypt/docker-compose.yaml at main · keycloak/keycloak-quickstarts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
services:
  postgres:
    image: mirror.gcr.io/postgres:18
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak
    networks:
      - backend
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak"]
      interval: 5s
      timeout: 5s
      retries: 5

  keycloak1:
    image: quay.io/keycloak/keycloak:26.6
    command: start
    environment:
      # DB
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: keycloak
      # Metrics / Health
      KC_METRICS_ENABLED: "true"
      KC_EVENT_METRICS_USER_ENABLED: "true"
      KC_EVENT_METRICS_USER_TAGS: "realm,idp,clientId"
      KC_HEALTH_ENABLED: "true"
      # Hostname / HTTPS
      KC_PROXY_HEADERS: forwarded
      KC_HOSTNAME: "${KC_HOST}"
      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/cert.pem
      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/key.pem
      KC_HTTPS_CLIENT_AUTH: required
      KC_HTTPS_TRUST_STORE_FILE: /opt/keycloak/conf/https-truststore/haproxy-internal-cert.pem
      KC_HTTPS_MANAGEMENT_CLIENT_AUTH: none
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin
      # Enable the access log to see as requests arrive on at Keycloak
      KC_HTTP_ACCESS_LOG_ENABLED: "true"
      # Misc
      KC_SHUTDOWN_DELAY: 30s
      KC_SHUTDOWN_TIMEOUT: 30s
      KC_SPI_CACHE_EMBEDDED__DEFAULT__NODE_NAME: keycloak1
    volumes:
      - source: ./certs/keycloak1
        target: /opt/keycloak/certs
        type: bind
        read_only: true
        bind:
          selinux: z
      - source: ./certs/haproxy-internal/cert.pem
        target: /opt/keycloak/conf/https-truststore/haproxy-internal-cert.pem
        type: bind
        read_only: true
        bind:
          selinux: z

    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - backend

  keycloak2:
    image: quay.io/keycloak/keycloak:26.6
    command: start
    environment:
      # DB
      KC_DB: postgres
      KC_DB_URL_HOST: postgres
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: keycloak
      # Metrics / Health
      KC_METRICS_ENABLED: "true"
      KC_EVENT_METRICS_USER_ENABLED: "true"
      KC_EVENT_METRICS_USER_TAGS: "realm,idp,clientId"
      KC_HEALTH_ENABLED: "true"
      # Hostname / HTTPS
      KC_PROXY_HEADERS: forwarded
      KC_HOSTNAME: "${KC_HOST}"
      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/certs/cert.pem
      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/certs/key.pem
      KC_HTTPS_CLIENT_AUTH: required
      KC_HTTPS_TRUST_STORE_FILE: /opt/keycloak/conf/https-truststore/haproxy-internal-cert.pem
      KC_HTTPS_MANAGEMENT_CLIENT_AUTH: none
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin
      # Enable the access log to see as requests arrive on at Keycloak
      KC_HTTP_ACCESS_LOG_ENABLED: "true"
      # Misc
      KC_SHUTDOWN_DELAY: 30s
      KC_SHUTDOWN_TIMEOUT: 30s
      KC_SPI_CACHE_EMBEDDED__DEFAULT__NODE_NAME: keycloak2
    volumes:
      - source: ./certs/keycloak2
        target: /opt/keycloak/certs
        type: bind
        read_only: true
        bind:
          selinux: z
      - source: ./certs/haproxy-internal/cert.pem
        target: /opt/keycloak/conf/https-truststore/haproxy-internal-cert.pem
        type: bind
        read_only: true
        bind:
          selinux: z
    depends_on:
      postgres:
        condition: service_healthy
    networks:
      - backend

  haproxy:
    image: mirror.gcr.io/haproxy:3.3
    volumes:
      - source: ./haproxy.cfg
        target: /usr/local/etc/haproxy/haproxy.cfg
        type: bind
        read_only: true
        bind:
          selinux: z
      - source: ./certs/haproxy-external/combined.pem
        target: /mnt/certs/haproxy-external.pem
        type: bind
        read_only: true
        bind:
          selinux: z
      - source: ./certs/haproxy-internal/combined.pem
        target: /mnt/certs/haproxy-internal.pem
        type: bind
        read_only: true
        bind:
          selinux: z
      - source: ./certs/keycloak1/cert.pem
        target: /mnt/certs/keycloak1-cert.pem
        type: bind
        read_only: true
        bind:
          selinux: z
      - source: ./certs/keycloak2/cert.pem
        target: /mnt/certs/keycloak2-cert.pem
        type: bind
        read_only: true
        bind:
          selinux: z
    ports:
      - "8443:8443"
      - "8404:8404"
    depends_on:
      - keycloak1
      - keycloak2
    networks:
      - frontend
      - backend

networks:
  frontend:
  backend:
    internal: true