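# Build stage: fetch and unpack the Keycloak distribution, then let ubi-null.sh
# produce a trimmed rootfs under /tmp/null that the runtime stage copies in.
# NOTE(review): the base image is untagged and therefore floats to whatever
# "latest" ubi9 is at build time; pin a tag or digest for reproducible builds.
FROM registry.access.redhat.com/ubi9 AS ubi-micro-build

# Version used in the default distribution URL below. 999.0.0-SNAPSHOT is the
# development placeholder; release builds are expected to override KEYCLOAK_DIST.
ENV KEYCLOAK_VERSION=999.0.0-SNAPSHOT
# Either a remote release URL (default) or a local tar archive from the build context.
ARG KEYCLOAK_DIST=https://github.com/keycloak/keycloak/releases/download/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz

# tar/gzip are only needed to unpack the distribution; this stage is discarded,
# so the cache cleanup merely keeps the intermediate layer small.
RUN dnf install -y tar gzip && dnf clean all

# ADD auto-extracts a *local* tar archive but only downloads a *remote* URL.
# NOTE(review): a remote KEYCLOAK_DIST is fetched without integrity verification
# (no digest is available here); when the URL is fixed, BuildKit's
# `ADD --checksum=sha256:<expected-digest>` or a checksum-verified download in a
# RUN step would pin the artifact. <expected-digest> is a placeholder.
ADD $KEYCLOAK_DIST /tmp/keycloak/

# The next step makes it uniform for local development and upstream built.
# If it is a local tar archive then it was already unpacked by ADD (so no
# keycloak-*.tar.gz remains); if it came from remote it still needs extracting.
# Only the "no archive present" case is skipped: unlike a blanket `|| true`,
# a corrupt or truncated archive now fails the build instead of leaving a
# partially extracted tree for the following `mv` to ship.
RUN set -e; \
    for archive in /tmp/keycloak/keycloak-*.tar.gz; do \
      [ -e "$archive" ] || continue; \
      tar -xvf "$archive" -C /tmp/keycloak; \
      rm "$archive"; \
    done

RUN mv /tmp/keycloak/keycloak-* /opt/keycloak && mkdir -p /opt/keycloak/data
# Group-writable so the server can run under an arbitrary UID that is a member
# of group 0 (the OpenShift restricted-SCC model); ownership is set by the
# runtime stage's COPY --chown.
RUN chmod -R g+rwX /opt/keycloak

# Plain local file: COPY is the explicit instruction for it (ADD adds nothing here).
COPY ubi-null.sh /tmp/
# Produces the trimmed rootfs under /tmp/null/rootfs that the runtime stage
# copies over ubi9-micro; the arguments are presumably the RPMs to keep/install
# in that rootfs — see the script for the exact allow/disallow handling.
RUN bash /tmp/ubi-null.sh java-17-openjdk-headless glibc-langpack-en findutils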
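# Runtime stage: ubi9-micro plus the trimmed rootfs and the server from the
# build stage. No package manager or build tooling is present here.
# NOTE(review): the base image is untagged and floats; pin a tag or digest for
# reproducible builds.
FROM registry.access.redhat.com/ubi9-micro

ENV LANG=en_US.UTF-8

# Flag for determining app is running in container
ENV KC_RUN_IN_CONTAINER=true

# OS content kept by ubi-null.sh (JDK and a handful of RPMs) layered over the micro base.
COPY --from=ubi-micro-build /tmp/null/rootfs/ /
# Owned by the keycloak UID with group 0, so any UID in the root group can write
# (e.g. /opt/keycloak/data) when the runtime assigns an arbitrary user id.
COPY --from=ubi-micro-build --chown=1000:0 /opt/keycloak /opt/keycloak

# The account is written straight into /etc/group and /etc/passwd (presumably
# because the micro image has no useradd/groupadd). "keycloak" is an alias for
# GID 0 (the root group); the user gets no login shell.
RUN echo "keycloak:x:0:root" >> /etc/group && \
    echo "keycloak:x:1000:0:keycloak user:/opt/keycloak:/sbin/nologin" >> /etc/passwd

# Numeric UID so runtimes that enforce runAsNonRoot can verify it without /etc/passwd.
USER 1000

# Documentation only (ports are not published by EXPOSE): HTTP, HTTPS and, on
# 9000, what is presumably the management interface (health/metrics).
EXPOSE 8080
EXPOSE 8443
EXPOSE 9000

# Exec form: kc.sh is PID 1 and receives SIGTERM from `docker stop` directly.
ENTRYPOINT [ "/opt/keycloak/bin/kc.sh" ]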
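# common labels
# KEYCLOAK_VERSION is a separate build-time ARG of this stage (the ENV set in
# the build stage does not carry over). It has no default on purpose: the
# value is supplied with --build-arg, and the version label is empty otherwise.
ARG KEYCLOAK_VERSION
ARG KEYCLOAK_URL="https://www.keycloak.org/"
ARG KEYCLOAK_TAGS="keycloak security identity"
ARG KEYCLOAK_MAINTAINER=${KEYCLOAK_URL}
ARG KEYCLOAK_VENDOR=${KEYCLOAK_MAINTAINER}

# The empty release/build-system labels are presumably placeholders filled in
# by downstream (productized) builds.
LABEL maintainer=${KEYCLOAK_MAINTAINER} \
      vendor=${KEYCLOAK_VENDOR} \
      version=${KEYCLOAK_VERSION} \
      url=${KEYCLOAK_URL} \
      io.openshift.tags=${KEYCLOAK_TAGS} \
      release="" \
      vcs-ref="" \
      com.redhat.build-host="" \
      com.redhat.component="" \
      com.redhat.license_terms=""

# server specific
ARG KEYCLOAK_SERVER_DISPLAY_NAME="Keycloak Server"
ARG KEYCLOAK_SERVER_IMAGE_NAME="keycloak"
ARG KEYCLOAK_SERVER_DESCRIPTION="${KEYCLOAK_SERVER_DISPLAY_NAME} Image"

LABEL name=${KEYCLOAK_SERVER_IMAGE_NAME} \
      description=${KEYCLOAK_SERVER_DESCRIPTION} \
      summary=${KEYCLOAK_SERVER_DESCRIPTION} \
      io.k8s.display-name=${KEYCLOAK_SERVER_DISPLAY_NAME} \
      io.k8s.description=${KEYCLOAK_SERVER_DESCRIPTION}

# oci
ARG KEYCLOAK_SOURCE="https://github.com/keycloak/keycloak"
ARG KEYCLOAK_DOCS=${KEYCLOAK_URL}documentation

# org.opencontainers.image.description previously referenced ${KEYCLOAK_DESCRIPTION},
# an ARG that is never declared, so the label expanded to an empty string;
# it now reuses the server description declared above.
LABEL org.opencontainers.image.title=${KEYCLOAK_SERVER_DISPLAY_NAME} \
      org.opencontainers.image.url=${KEYCLOAK_URL} \
      org.opencontainers.image.source=${KEYCLOAK_SOURCE} \
      org.opencontainers.image.description=${KEYCLOAK_SERVER_DESCRIPTION} \
      org.opencontainers.image.documentation=${KEYCLOAK_DOCS}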