VIAE IT

Reputation: 113

Using keycloak as gitlab-ci service

I am trying to run my integration tests in gitlab-ci versus a keycloak instance started via a service. gitlab-ci yaml configuration can be found over here: https://gitlab.com/viae-modules/viae-modules/-/blob/master/.gitlab-ci.yml

services:
  - docker:dind
  - name: mongo:latest
    alias: mongodb
  - name: jboss/keycloak:10.0.1
    alias: sso
    command: ["-b", "0.0.0.0"]

Now I can't connect to this instance. I added some curl commands to validate the connection, but there I see something strange happening:

Going to http://sso:8080 gives the following (Keycloak) response:

 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
     <meta http-equiv="refresh" content="0; url=/auth/" />
     <meta name="robots" content="noindex, nofollow">
     <script type="text/javascript">
         window.location.href = "/auth/"
     </script>
 </head>
 <body>
     If you are not redirected automatically, follow this <a href='/auth'>link</a>.
 </body>
 </html>

which means that keycloak is up and running. Then, connecting to http://sso:8080/auth gives a 404...

I would expect that this was due to not binding to 0.0.0.0, but I did this in the service configuration.

I assume this has something to do with the gitlab configuration/runner as the following image is responding in a dockerized environment (i.e. not related to docker options/configurations of the base image):

FROM jboss/keycloak:10.0.1
EXPOSE 8080

COPY themes /opt/jboss/keycloak/themes

#Database
ENV DB_VENDOR=xxx
ENV DB_DATABASE=xxx
ENV DB_ADDR=xxx
ENV DB_PORT=xxx

#Admin user
ENV KEYCLOAK_USER=xxx
ENV KEYCLOAK_PASSWORD=xxx

Does anyone have a clue what I did wrong?

Upvotes: 4

Views: 2406

Answers (2)

bjlevine

Reputation: 984

For any who run into this in the future, here's what I found:

I was able to make this work using a Keycloak 12.0.4 image. A couple of things:

  1. You need to set the admin user/password like so:

    variables:
      KEYCLOAK_USER: some_user_name
      KEYCLOAK_PASSWORD: some_password

These will be passed down to the Keycloak container as environment variables. Without this, no admin user will be created.

  2. I don't think the health test used to determine when Keycloak is up tests that all services are actually available, and so the default URL (e.g. http://server:8080/) will respond "OK" before all of the services have started. I found that it takes quite a while for the Keycloak server to fully boot. In my case, I was importing a realm file so it took even longer than usual. So I added a "sleep 120" in my script prior to running anything that would hit the Keycloak server. You could also imagine writing a "wait_for_it" script that hits the admin endpoint in a timed loop waiting for it to return something reasonable. I'll probably work on that next.

  3. Change the bind mask to all by adding command: ["-b 0.0.0.0"] to make it:

    services:
        - name: jboss/keycloak:11.0.0
          alias: keycloak
          command: ["-b 0.0.0.0"]

which will allow traffic from all.

Upvotes: 1

VIAE IT

Reputation: 113

I was not able to fix this, but I was able to find a workaround:

I created a base image which contains GraalVM and a standalone keycloak server: https://gitlab.com/viae-modules/viae-modules/-/blob/master/modules/docker-base-images/graalvm-keycloak-dockerfile

FROM centos:7
RUN mkdir /home/viae
RUN mkdir /home/viae/keycloak
WORKDIR /home/viae

COPY config/start_keycloak.sh /home/viae/start_keycloak.sh

RUN yum install -y wget zip unzip git
RUN wget -q https://downloads.jboss.org/keycloak/10.0.1/keycloak-10.0.1.zip
RUN unzip -q keycloak-10.0.1.zip
RUN mv /home/viae/keycloak-10.0.1/* /home/viae/keycloak

RUN wget -q https://github.com/graalvm/graalvm-ce-builds/releases/download/vm-20.1.0/graalvm-ce-java11-linux-amd64-20.1.0.tar.gz
RUN tar -zxf graalvm-ce-java11-linux-amd64-20.1.0.tar.gz

ENV PATH="/home/viae/graalvm-ce-java11-20.1.0/bin:${PATH}"
ENV JAVA_HOME="/home/viae/graalvm-ce-java11-20.1.0"

RUN /home/viae/keycloak/bin/add-user-keycloak.sh -r master -u admin -p admin

I can then use this embedded keycloak in my CI scripts: https://gitlab.com/viae-modules/viae-modules/-/blob/master/.gitlab-ci.yml (Be careful: keycloak should still be started from within the script ==> provide some time to give keycloak the time to start up.)

image: docker:stable

before_script:
  - export GRADLE_USER_HOME=`pwd`/.gradle
  - chmod a+rx `pwd`/gradlew

services:
  - docker:dind
  - name: mongo:latest
    alias: mongodb
...

.java-base-config:
  image: registry.gitlab.com/viae-modules/viae-modules/viae-graalvm-keycloak/viae-graalvm-keycloak:0.0.2
  ...

.execute-tests-template:
  extends: .java-base-config
  ...

test-viae-oauth2.0-validator:
  extends: .execute-tests-template
  stage: test
  script:
    - date
    - /home/viae/keycloak/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 &
    - sleep 30
    - date
    - curl http://localhost:8080
    - curl http://localhost:8080/auth
    - curl http://localhost:8080/auth/realms/master
    - curl http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
    - MICRONAUT_ENVIRONMENTS=ci ./gradlew --no-daemon :modules:viae-oauth2.0-validator:jacocoTestReport -Pmicronaut.environments=ci

Upvotes: 1
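
The timed wait loop suggested in the first answer, as a replacement for the fixed `sleep 120` / `sleep 30` used in the two answers. This is an added example, not code from either poster. It assumes `curl` is present in the job image and uses the `/auth/realms/master` endpoint from the second answer's script as the readiness signal; the function names and the `KEYCLOAK_URL` / `KEYCLOAK_TIMEOUT` variables are hypothetical.

```shell
#!/bin/sh
# Added example: poll Keycloak until a realm endpoint answers, instead of a fixed sleep.

# probe URL: succeed only on an HTTP 2xx answer from URL.
# -f turns 4xx/5xx (such as a 404 on /auth while Keycloak is still booting) into a failure.
probe() {
    curl -fsS -o /dev/null --max-time 5 "$1" 2>/dev/null
}

# wait_for_keycloak BASE_URL [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 as soon as the master realm endpoint responds, 1 on timeout.
# INTERVAL_SECONDS must be at least 1, otherwise the timeout never elapses.
wait_for_keycloak() {
    base_url=${1%/}                       # drop one trailing slash, if any
    timeout=${2:-180}
    interval=${3:-5}
    url="$base_url/auth/realms/master"    # endpoint taken from the second answer
    waited=0
    while [ "$waited" -le "$timeout" ]; do
        if probe "$url"; then
            echo "Keycloak ready after ${waited}s: $url"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "Keycloak not ready after ${timeout}s: $url" >&2
    return 1
}

# In a CI job (hypothetical variables): KEYCLOAK_URL=http://sso:8080 sh wait_for_keycloak.sh
# A timeout makes the script exit non-zero, so the job fails instead of testing a half-started server.
if [ -n "${KEYCLOAK_URL:-}" ]; then
    wait_for_keycloak "$KEYCLOAK_URL" "${KEYCLOAK_TIMEOUT:-180}"
fi
```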
