Merge branch 'add-keycloak-to-compose-environment' into 'main'

Add keycloak to docker-compose environment See merge request gaia-x/data-infrastructure-federation-services/tsa/workspace!4

Merge branch 'add-keycloak-to-compose-environment' into 'main'
22687684 · Yordan Kinkov · 628bcfac · c2479646 · 22687684 · 22687684
Commit 22687684 authored 2 years ago by Yordan Kinkov
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ with environment variables which will be injected in its container.
 ## Prerequisites
-* Install [docker](https://docs.docker.com/engine/install/) and [docker-compose](https://docs.docker.com/compose/install/).
+* Install [docker](https://docs.docker.com/engine/install/) and [docker-compose version 1.27+](https://docs.docker.com/compose/install/).
 * [Install Go](https://golang.org/doc/install) and set the
  [`$GOPATH` variable](https://github.com/golang/go/wiki/SettingGOPATH).
@@ -126,6 +126,23 @@ the `root` token.
 > Warning: Never use Vault DEV mode in production!
+### Keycloak
+Keycloak is used for service-to-service authentication. Keycloak server runs in development mode and contains
+preconfigured `client_id` and `client_secret` for every service. It is available at `localhost:8500` on the host machine or
+at `http://keycloak:8080` inside the docker-compose network.
+Example request for JWT token acquire:
+```shell
+curl --location --request POST 'localhost:8500/realms/workspace/protocol/openid-connect/token' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'client_id=workspace' \
+--data-urlencode 'grant_type=client_credentials' \
+--data-urlencode 'client_secret=79bdTGYCKLz9wYSY61vpQF5d4CyZBpsZ'
+```
+Example JWKS URL for acquiring public keys for validating tokens: `localhost:8500/realms/workspace/protocol/openid-connect/certs`
 ### License
 [Apache 2.0 license](LICENSE)
--- a/docker-compose.yml
+++ b/docker-compose.yml
-version: '3.4'
+version: '3.8'
 services:
  nginx:
@@ -28,10 +28,16 @@ services:
    ports:
      - "8081:8080"
    depends_on:
-      - mongo
+      mongo:
-      - cache
+        condition: service_started
-      - task
+      cache:
-      - signer
+        condition: service_started
+      task:
+        condition: service_started
+      signer:
+        condition: service_started
+      keycloak:
+        condition: service_healthy
  task:
    container_name: task
@@ -45,8 +51,12 @@ services:
    ports:
      - "8082:8080"
    depends_on:
-      - mongo
+      mongo:
-      - cache
+        condition: service_started
+      cache:
+        condition: service_started
+      keycloak:
+        condition: service_healthy
  cache:
    container_name: cache
@@ -60,8 +70,12 @@ services:
    ports:
      - "8083:8080"
    depends_on:
-      - redis
+      redis:
-      - nats
+        condition: service_started
+      nats:
+        condition: service_started
+      keycloak:
+        condition: service_healthy
  infohub:
    container_name: infohub
@@ -75,9 +89,14 @@ services:
    ports:
      - "8084:8080"
    depends_on:
-      - mongo
+      mongo:
-      - policy
+        condition: service_started
-      - signer
+      policy:
+        condition: service_started
+      signer:
+        condition: service_started
+      keycloak:
+        condition: service_healthy
  signer:
    container_name: signer
@@ -92,8 +111,12 @@ services:
      - "8085:8080"
      - "2112:2112"
    depends_on:
-      - vault
+      vault:
-      - vault-init
+        condition: service_started
+      vault-init:
+        condition: service_started
+      keycloak:
+        condition: service_healthy
  didresolver:
    container_name: didresolver
@@ -181,3 +204,24 @@ services:
      - "8222:8222"
      - "6222:6222"
      - "4222:4222"
+  keycloak:
+    container_name: keycloak
+    image: quay.io/keycloak/keycloak:18.0.0
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    command:
+      - start-dev
+      - --import-realm
+      - --health-enabled=true
+    volumes:
+      - ./keycloak/config.json:/opt/keycloak/data/import/config.json
+    healthcheck:
+      test: [ "CMD-SHELL", "curl -f localhost:8080/health || exit 1" ]
+      interval: 3s
+      timeout: 2s
+      retries: 10
+      start_period: 5s
+    ports:
+      - "8500:8080"
--- a/env/cache.env
+++ b/env/cache.env
@@ -10,6 +10,9 @@ REDIS_PASS=""
 REDIS_DB=0
 REDIS_EXPIRATION="1h"
 NATS_ADDR="nats:4222"
-AUTH_ENABLED="true"
+AUTH_ENABLED="false"
-AUTH_JWK_URL="http://jwks:8080/key"
+AUTH_JWK_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/certs"
 AUTH_REFRESH_INTERVAL="1h"
+OAUTH_CLIENT_ID="workspace"
+OAUTH_CLIENT_SECRET="79bdTGYCKLz9wYSY61vpQF5d4CyZBpsZ"
+OAUTH_TOKEN_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/token"
--- a/env/infohub.env
+++ b/env/infohub.env
@@ -11,3 +11,9 @@ CACHE_ADDR="http://cache:8080"
 POLICY_ADDR="http://policy:8080"
 SIGNER_ADDR="http://signer:8080"
 ISSUER_URI="did:web:17a1-2a00-4802-2c0-9295-59ff-6a60-b735-32ea.eu.ngrok.io:policy:policy:example:returnDID:1.0:evaluation"
+AUTH_ENABLED="false"
+AUTH_JWK_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/certs"
+AUTH_REFRESH_INTERVAL="1h"
+OAUTH_CLIENT_ID="workspace"
+OAUTH_CLIENT_SECRET="79bdTGYCKLz9wYSY61vpQF5d4CyZBpsZ"
+OAUTH_TOKEN_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/token"
--- a/env/policy.env
+++ b/env/policy.env
@@ -14,3 +14,9 @@ TASK_ADDR="http://task:8080"
 SIGNER_ADDR="http://signer:8080"
 DID_RESOLVER_ADDR="http://didresolver:8080"
 OCM_ADDR="https://gaiax.vereign.com/ocm"
+AUTH_ENABLED="false"
+AUTH_JWK_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/certs"
+AUTH_REFRESH_INTERVAL="1h"
+OAUTH_CLIENT_ID="workspace"
+OAUTH_CLIENT_SECRET="79bdTGYCKLz9wYSY61vpQF5d4CyZBpsZ"
+OAUTH_TOKEN_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/token"
--- a/env/signer.env
+++ b/env/signer.env
@@ -9,3 +9,6 @@ VAULT_TOKEN=root
 VAULT_SIGNING_KEY="key1"
 VAULT_SUPPORTED_KEYS="ed25519,ecdsa-p256,ecdsa-p384,ecdsa-p521"
 CREDENTIAL_ISSUER="did:web:17a1-2a00-4802-2c0-9295-59ff-6a60-b735-32ea.eu.ngrok.io:policy:policy:example:returnDID:1.0:evaluation"
+AUTH_ENABLED="false"
+AUTH_JWK_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/certs"
+AUTH_REFRESH_INTERVAL="1h"
\ No newline at end of file
--- a/env/task.env
+++ b/env/task.env
@@ -9,4 +9,9 @@ MONGO_USER="root"
 MONGO_PASS="root"
 POLICY_ADDR="http://policy:8080"
 CACHE_ADDR="http://cache:8080"
+AUTH_ENABLED="false"
+AUTH_JWK_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/certs"
+AUTH_REFRESH_INTERVAL="1h"
+OAUTH_CLIENT_ID="workspace"
+OAUTH_CLIENT_SECRET="79bdTGYCKLz9wYSY61vpQF5d4CyZBpsZ"
+OAUTH_TOKEN_URL="http://keycloak:8080/realms/workspace/protocol/openid-connect/token"
--- a/keycloak/config.json
+++ b/keycloak/config.json