Keycloak and Docker

* Added Keycloak to the infrastructure yaml which uses a h2 not to complicate the installation. * Updated the docker-compose docs. * Move Cloud Flow image to the infrastructure yaml. Change-Id: I2a69ca91c1638e5fd070c77ca63c8d5586887231 Signed-off-by: Vitalii Solodilov <mcdkr@yandex.ru>
2018-07-16 23:32:09 +04:00 · 2018-07-16 23:32:09 +04:00 · 214828ace2
parent 443cd6fc11
commit 214828ace2
8 changed files with 101 additions and 46 deletions
--- a/tools/docker/DOCKER_README.rst
+++ b/tools/docker/DOCKER_README.rst
@ -118,10 +118,49 @@ or PostgreSQL::
    -e RUN_TESTS=true mistral


+Keycloak integration
+--------------------
+
+If you set AUTH_ENABLE to True value in the mistral.env file then Mistral will
+enable Keycloak integration by default. Keycloak will be deployed with
+mistral/mistral credentials. You should uncomment the volume line in the
+`infrastructure.yaml` for the CloudFlow.
+
+Next step you login in the administrative console using the
+http://localhost:8080/auth/admin URL. Create a oauth client, you can
+specify only a name, for example mistral.
+
+Specify valid redirect URL: http://localhost:8000/* and turn on the
+"Implicit Flow Enabled" in the your client page. Save your changes.
+
+Add the following line to your /etc/hosts file::
+
+  127.0.0.1   keycloak
+
+Export the following environments variable for mistral cli::
+
+  export MISTRAL_AUTH_TYPE=keycloak-oidc
+  export OS_AUTH_URL=http://keycloak:8080/auth
+  export OS_TENANT_NAME=master
+  export OS_USERNAME=mistral
+  export OS_PASSWORD=mistral
+  export OS_MISTRAL_URL=http://localhost:8989/v2
+  export OPENID_CLIENT_ID=mistral
+  export OPENID_CLIENT_SECRET=
+  export MISTRALCLIENT_INSECURE=True
+
+Check your configuration::
+
+  mistral workflow-list
+
+Or open a cloud flow page in a browser::
+
+  http://localhost:8000
+
+
 Using Mistral Client
 --------------------

 The Mistral API will be accessible from the host machine on the default
 port 8989. Install `python-mistralclient` on the host machine to
-execute mistral commands.
-
+execute mistral commands.
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@ -36,7 +36,10 @@ ENV MISTRAL_DIR="/opt/stack/mistral" \
    RUN_TESTS="false" \
    DEBIAN_FRONTEND="noninteractive" \
    MISTRAL_SERVER="all" \
-    LOG_DEBUG="false"
+    LOG_DEBUG="false" \
+    AUTH_URL="http://keycloak:8080/auth" \
+    AUTH_ENABLE="false" \
+    AUTH_TYPE="keycloak-oidc"

 # We install dependencies separatly for a caching purpose
 COPY requirements.txt "${MISTRAL_DIR}/"
--- a/tools/docker/docker-compose/auth.json
+++ b/tools/docker/docker-compose/auth.json
@ -0,0 +1,8 @@
+{
+  "_type": "openid-connect",
+  "issuer": "http://keycloak:8080/auth/realms/master",
+  "loginUrl": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/auth",
+  "logoutUrl": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/logout",
+  "requireHttps": false,
+  "clientId": "mistral"
+}
--- a/tools/docker/docker-compose/infrastructure.yaml
+++ b/tools/docker/docker-compose/infrastructure.yaml
@ -43,6 +43,30 @@ services:
      - MYSQL_USER=mistral
      - MYSQL_PASSWORD=mistral

+  keycloak:
+    image: jboss/keycloak:4.1.0.Final
+    ports:
+      - "8080:8080"
+    networks:
+      - identity-provider
+    environment:
+      DB_VENDOR: h2
+      KEYCLOAK_USER: mistral
+      KEYCLOAK_PASSWORD: mistral
+
+  cloud-flow:
+    image: mcdoker18/cloud-flow:0.5.0
+    restart: always
+    networks:
+      - cloud-flow
+    ports:
+      - "8000:8000"
+    # TODO: make a Keycloak environment variables for CloudFlow
+    # volumes:
+    #   - "./auth.json:/opt/CloudFlow/dist/assets/auth.json"
+    environment:
+      - CF_MISTRAL_URL=http://mistral:8989
+
 volumes:
  postgresql:
  rabbitmq:
@ -50,4 +74,6 @@ volumes:

 networks:
  database:
-  message-broker:
+  message-broker:
+  identity-provider:
+  cloud-flow:
--- a/tools/docker/docker-compose/mistral-multi-node.yaml
+++ b/tools/docker/docker-compose/mistral-multi-node.yaml
@ -10,9 +10,12 @@ services:
    ports:
      - "8989:8989"
    networks:
-      - database
-      - message-broker
-      - mistral
+      database:
+      message-broker:
+      identity-provider:
+      cloud-flow:
+        aliases:
+         - mistral
    env_file:
     - mistral.env
 #    volumes:
@ -30,6 +33,7 @@ services:
    restart: always
    networks:
      - database
+      - identity-provider
      - message-broker
    env_file:
     - mistral.env
@ -47,6 +51,7 @@ services:
    restart: always
    networks:
      - message-broker
+      - identity-provider
    env_file:
     - mistral.env
 #    volumes:
@ -64,6 +69,7 @@ services:
    networks:
      - database
      - message-broker
+      - identity-provider
    env_file:
     - mistral.env
 #    volumes:
@ -81,26 +87,10 @@ services:
    networks:
      - database
      - message-broker
+      - identity-provider
    env_file:
     - mistral.env
 #    volumes:
 #      - "/path/to/mistral.conf:/etc/mistral/mistral.conf"
    environment:
      - MISTRAL_SERVER=notifier
-
-  cloud-flow:
-    image: mcdoker18/cloud-flow:0.5.0
-    restart: always
-    networks:
-      - mistral
-    ports:
-      - "8000:8000"
-    networks:
-      - mistral
-    environment:
-      - CF_MISTRAL_URL=http://mistral-api:8989
-
-networks:
-  database:
-  message-broker:
-  mistral:
--- a/tools/docker/docker-compose/mistral-single-node.yaml
+++ b/tools/docker/docker-compose/mistral-single-node.yaml
@ -12,28 +12,11 @@ services:
    networks:
      - database
      - message-broker
-      - mistral
+      - identity-provider
+      - cloud-flow
    env_file:
     - mistral.env
 #    volumes:
 #      - "/path/to/mistral.conf:/etc/mistral/mistral.conf"
    environment:
-      - UPGRADE_DB=true
-
-  cloud-flow:
-    image: mcdoker18/cloud-flow:0.5.0
-    restart: always
-    networks:
-      - mistral
-    ports:
-      - "8000:8000"
-    networks:
-      - mistral
-    environment:
-      - CF_MISTRAL_URL=http://mistral:8989
-
-
-networks:
-  database:
-  message-broker:
-  mistral:
+      - UPGRADE_DB=true
--- a/tools/docker/docker-compose/mistral.env
+++ b/tools/docker/docker-compose/mistral.env
@ -1,3 +1,4 @@
 MESSAGE_BROKER_URL=rabbit://mistral:mistral@rabbitmq:5672/mistral
 #DATABASE_URL=postgresql+psycopg2://mistral:mistral@postgresql:5432/mistral
-DATABASE_URL=mysql+pymysql://mistral:mistral@mysql:3306/mistral
+DATABASE_URL=mysql+pymysql://mistral:mistral@mysql:3306/mistral
+AUTH_ENABLE=false
--- a/tools/docker/start.sh
+++ b/tools/docker/start.sh
@ -10,7 +10,12 @@ if [ ! -f ${CONFIG_FILE} ]; then

    ${INI_SET} DEFAULT js_implementation py_mini_racer
    ${INI_SET} oslo_policy policy_file "${MISTRAL_DIR}/etc/policy.json"
-    ${INI_SET} pecan auth_enable false
+
+    ${INI_SET} DEFAULT auth_type ${AUTH_TYPE}
+    ${INI_SET} pecan auth_enable ${AUTH_ENABLE}
+    ${INI_SET} keycloak_oidc auth_url ${AUTH_URL}
+    ${INI_SET} keycloak_oidc insecure true
+
    ${INI_SET} DEFAULT transport_url "${MESSAGE_BROKER_URL}"
    ${INI_SET} database connection "${DATABASE_URL}"
    ${INI_SET} DEFAULT debug "${LOG_DEBUG}"