Merge pull request #158 from Progress1/keycloak
Keycloak - merging work of dodancs (branch keycloak) to latest version
milankowww authored Sep 27, 2023
2 parents db973ef + c7977a9 commit 762714b
Showing 13 changed files with 2,618 additions and 35 deletions.
6 changes: 6 additions & 0 deletions docker/.env
Expand Up @@ -13,6 +13,7 @@ TZ=Europe/Bratislava

# Default passwords. CHANGE THESE FOR PRODUCTION!
POSTGRES_PASSWORD=supersecret
POSTGRES_KEYCLOAK_PASSWORD=supersecret
JWT_SECRET_KEY=supersecret
COLLECTOR_PRESENTER_PUBLISHER_API_KEY=supersecret

Expand All @@ -33,3 +34,8 @@ DB_MAX_CONNECTIONS=1000

# Ports
PRESENTER_PORT=5002

# Standalone Keycloak
KEYCLOAK_VERSION=16.1.1
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=supersecret
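Review bot: `KEYCLOAK_VERSION=16.1.1` in the second hunk is not consumed by anything else in this commit — docker/Dockerfile.keycloak hard-codes `FROM jboss/keycloak:15.0.2` and docker-compose-keycloak-serv.yml builds from that Dockerfile with no build `args:`, so the variable advertises a version that differs from the one that actually runs. Either drop it or thread it through, `ARG KEYCLOAK_VERSION` / `FROM jboss/keycloak:${KEYCLOAK_VERSION}` in the Dockerfile plus a matching `args:` entry in the compose `build:` block. The new `# Standalone Keycloak` stanza also repeats the `supersecret` default for `KEYCLOAK_PASSWORD` outside the block headed `CHANGE THESE FOR PRODUCTION!`; moving that line up under the warning, or repeating the comment, keeps the Keycloak admin credential covered by the same notice as the other defaults.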
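--- /dev/null
+++ b/docker/Dockerfile.keycloak
@@ -0,0 +1,6 @@
+FROM jboss/keycloak:15.0.2
+
+COPY ./src/keycloak/realm-export.json /opt/jboss/keycloak/realm-export.json
+
+COPY ./src/keycloak/disable-theme-cache.cli /opt/jboss/startup-scripts/disable-theme-cache.cli
+COPY ./src/keycloak/theme /opt/jboss/keycloak/themes/taranis-ng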
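Review bot: `COPY ./src/keycloak/realm-export.json` bakes the realm definition into the published image (`skcert/taranis-ng-keycloak` per the compose file), so whatever the export contains ships with every pull of that image; the compose files hand core a literal client secret for the `taranis-ng` client, which suggests the export carries the same secret, though the export itself is not in this view. Mounting the export at run time (a bind mount or compose secret at the path `KEYCLOAK_IMPORT` already points to) keeps realm credentials out of the image layers without changing the compose wiring. The base image is referenced by plain tag; `jboss/keycloak` stopped receiving updates after 16.1.1 when Keycloak moved to `quay.io/keycloak/keycloak`, so a one-line comment noting the reason for staying on 15.0.2 and a `@sha256:` digest pin would make the choice explicit and the build reproducible.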
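--- /dev/null
+++ b/docker/docker-compose-keycloak-serv.yml
@@ -0,0 +1,64 @@
+version: "3.9"
+
+services:
+  keycloak_db:
+    image: "postgres:${POSTGRES_TAG}"
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: "taranis-ng-keycloak"
+      POSTGRES_USER: "taranis-ng-keycloak"
+      POSTGRES_PASSWORD: "${POSTGRES_KEYCLOAK_PASSWORD}"
+    command: ["postgres", "-c", "shared_buffers=${DB_SHARED_BUFFERS}", "-c", "max_connections=${DB_MAX_CONNECTIONS}"]
+    volumes:
+      - "keycloak_db_data:/var/lib/postgresql/data"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  keycloak:
+    image: "skcert/taranis-ng-keycloak:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.keycloak
+    restart: unless-stopped
+    depends_on:
+      - keycloak_db
+    environment:
+      DB_VENDOR: postgres
+      DB_ADDR: keycloak_db
+      DB_PORT: 5432
+      DB_DATABASE: taranis-ng-keycloak
+      DB_USER: taranis-ng-keycloak
+      DB_PASSWORD: "${POSTGRES_KEYCLOAK_PASSWORD}"
+      KEYCLOAK_IMPORT: "/opt/jboss/keycloak/realm-export.json"
+      KEYCLOAK_FRONTEND_URL: "${TARANIS_NG_HTTPS_URI}/api/v1/keycloak/auth"
+      KEYCLOAK_USER: "${KEYCLOAK_USER}"
+      KEYCLOAK_PASSWORD: "${KEYCLOAK_PASSWORD}"
+      KEYCLOAK_DEFAULT_THEME: "taranis-ng"
+      PROXY_ADDRESS_FORWARDING: "false"
+      JAVA_OPTS: "-Dkeycloak.profile.feature.upload_scripts=enabled"
+    volumes:
+      - "keycloak_data:/opt/jboss/keycloak/standalone/data"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+    labels:
+      traefik.enable: "true"
+      traefik.http.services.taranis-keycloak.loadbalancer.server.port: "8080"
+      traefik.http.middlewares.taranis-keycloak-stripprefix.stripprefix.prefixes: "/api/v1/keycloak"
+
+      traefik.http.routers.taranis-keycloak-443.entrypoints: "websecure"
+      traefik.http.routers.taranis-keycloak-443.rule: "PathPrefix(`/api/v1/keycloak/auth`)"
+      traefik.http.routers.taranis-keycloak-443.tls: "true"
+      traefik.http.routers.taranis-keycloak-443.tls.domains[0].main: "${TARANIS_NG_HOSTNAME}"
+      traefik.http.routers.taranis-keycloak-443.middlewares: "taranis-keycloak-stripprefix"
+      traefik.http.routers.taranis-keycloak-443.service: "taranis-keycloak"
+
+volumes:
+  keycloak_db_data:
+  keycloak_data:
+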
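Review bot: `PROXY_ADDRESS_FORWARDING: "false"` on the keycloak service contradicts how it is deployed: the service exposes no `ports:` and is reached only through the Traefik router labels below it, so every request arrives from the proxy. With forwarding off, Keycloak records Traefik's container address as the client for every login, which collapses its per-IP brute-force detection and the client IP in its audit events; it should be `"true"`, with Traefik's trusted-proxy settings confirmed so the forwarded headers are only honoured from the proxy itself. `JAVA_OPTS: "-Dkeycloak.profile.feature.upload_scripts=enabled"` switches on a feature Keycloak deprecated because it lets realm administrators upload JavaScript that runs inside the server process; if the realm export only needs it for script-based mappers or authenticators during import, say so in a comment on that line (`# needed only for importing script mappers from realm-export.json`) and plan to deploy those scripts as a provider JAR instead. Also note `DB_PORT: 5432` is the only unquoted numeric value in this environment block; quoting it keeps the block consistent with the other files in the commit.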
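--- /dev/null
+++ b/docker/docker-compose-keycloak.yml
@@ -0,0 +1,289 @@
+version: "3.9"
+
+services:
+  redis:
+    image: "redis:${REDIS_TAG}"
+    restart: unless-stopped
+    environment:
+      TZ: "${TZ}"
+    volumes:
+      - "redis_conf:/usr/local/etc/redis"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  database:
+    image: "postgres:${POSTGRES_TAG}"
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: "taranis-ng"
+      POSTGRES_USER: "taranis-ng"
+      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
+      TZ: "${TZ}"
+      PGTZ: "${TZ}"
+    command: ["postgres", "-c", "shared_buffers=${DB_SHARED_BUFFERS}", "-c", "max_connections=${DB_MAX_CONNECTIONS}"]
+    volumes:
+      - "database_data:/var/lib/postgresql/data"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  core:
+    depends_on:
+      - "redis"
+      - "database"
+    restart: unless-stopped
+    image: "skcert/taranis-ng-core:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.core
+      args:
+        HTTP_PROXY: "${HTTP_PROXY}"
+        HTTPS_PROXY: "${HTTPS_PROXY}"
+        http_proxy: "${HTTP_PROXY}"
+        https_proxy: "${HTTPS_PROXY}"
+    environment:
+      REDIS_URL: "redis://redis"
+      DB_URL: "database"
+      DB_DATABASE: "taranis-ng"
+      DB_USER: "taranis-ng"
+      DB_PASSWORD: "${POSTGRES_PASSWORD}"
+      DB_POOL_SIZE: 100
+      DB_POOL_RECYCLE: 300
+      DB_POOL_TIMEOUT: 30
+
+      JWT_SECRET_KEY: "${JWT_SECRET_KEY}"
+      OPENID_LOGOUT_URL: "${TARANIS_NG_HTTPS_URI}/api/v1/keycloak/auth/realms/taranis-ng/protocol/openid-connect/logout?redirect_uri=GOTO_URL"
+      TARANIS_NG_KEYCLOAK_INTERNAL_URL: "http://keycloak:8080"
+      TARANIS_NG_KEYCLOAK_REALM: "taranis-ng"
+      TARANIS_NG_KEYCLOAK_CLIENT_ID: "taranis-ng"
+      TARANIS_NG_KEYCLOAK_CLIENT_SECRET: "supersecret"
+      TARANIS_NG_AUTHENTICATOR: "keycloak"
+      KEYCLOAK_USER_MANAGEMENT: "true"
+      KEYCLOAK_SERVER_URL: "http://keycloak:8080"
+      KEYCLOAK_ADMIN_USERNAME: "admin"
+      KEYCLOAK_ADMIN_PASSWORD: "supersecret"
+      KEYCLOAK_REALM_NAME: "taranis-ng"
+      KEYCLOAK_CLIENT_SECRET_KEY: "supersecret"
+      KEYCLOAK_VERIFY: "true"
+      WORKERS_PER_CORE: "1"
+
+      CVE_UPDATE_FILE: "${CVE_UPDATE_FILE}"
+      CPE_UPDATE_FILE: "${CPE_UPDATE_FILE}"
+
+      TZ: "${TZ}"
+      DEBUG: "true"
+      DEBUG_SQL: "false"
+      # to allow automatic initialisation of collectors/presenters/publishers
+      COLLECTOR_PRESENTER_PUBLISHER_API_KEY: "${COLLECTOR_PRESENTER_PUBLISHER_API_KEY}"
+    labels:
+      traefik.enable: "true"
+      traefik.http.services.taranis-api.loadbalancer.server.port: "80"
+
+      traefik.http.routers.taranis-api-443.entrypoints: "websecure"
+      traefik.http.routers.taranis-api-443.rule: "PathPrefix(`/api/`)"
+      traefik.http.routers.taranis-api-443.tls: "true"
+      traefik.http.routers.taranis-api-443.tls.domains[0].main: "${TARANIS_NG_HOSTNAME}"
+      traefik.http.routers.taranis-api-443.service: "taranis-api"
+
+      traefik.http.routers.taranis-sse-443.entrypoints: "websecure"
+      traefik.http.routers.taranis-sse-443.rule: "PathPrefix(`/sse`)"
+      traefik.http.routers.taranis-sse-443.tls: "true"
+      traefik.http.routers.taranis-sse-443.tls.domains[0].main: "${TARANIS_NG_HOSTNAME}"
+      traefik.http.routers.taranis-sse-443.service: "taranis-api"
+
+    volumes:
+      - "core_data:/data"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  bots:
+    depends_on:
+      core:
+        condition: service_healthy
+    image: "skcert/taranis-ng-bots:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.bots
+      args:
+        HTTP_PROXY: "${HTTP_PROXY}"
+        HTTPS_PROXY: "${HTTPS_PROXY}"
+        http_proxy: "${HTTP_PROXY}"
+        https_proxy: "${HTTPS_PROXY}"
+    environment:
+      API_KEY: "${COLLECTOR_PRESENTER_PUBLISHER_API_KEY}"
+      TARANIS_NG_CORE_URL: "http://core"
+      TARANIS_NG_CORE_SSE: "http://core/sse"
+      WORKERS_PER_CORE: "1"
+      TZ: "${TZ}"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  collectors:
+    depends_on:
+      core:
+        condition: service_healthy
+    restart: unless-stopped
+    image: "skcert/taranis-ng-collectors:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.collectors
+      args:
+        HTTP_PROXY: "${HTTP_PROXY}"
+        HTTPS_PROXY: "${HTTPS_PROXY}"
+        http_proxy: "${HTTP_PROXY}"
+        https_proxy: "${HTTPS_PROXY}"
+    environment:
+      TARANIS_NG_CORE_URL: "http://core"
+      API_KEY: "${COLLECTOR_PRESENTER_PUBLISHER_API_KEY}"
+      WORKERS_PER_CORE: "1"
+      DEBUG: "true"
+      TZ: "${TZ}"
+    volumes:
+      - "collector_storage:/app/storage"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  presenters:
+    depends_on:
+      core:
+        condition: service_healthy
+    restart: unless-stopped
+    image: "skcert/taranis-ng-presenters:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.presenters
+      args:
+        HTTP_PROXY: "${HTTP_PROXY}"
+        HTTPS_PROXY: "${HTTPS_PROXY}"
+        http_proxy: "${HTTP_PROXY}"
+        https_proxy: "${HTTPS_PROXY}"
+    environment:
+      TARANIS_NG_CORE_URL: "http://core"
+      API_KEY: "${COLLECTOR_PRESENTER_PUBLISHER_API_KEY}"
+      WORKERS_PER_CORE: "1"
+      TZ: "${TZ}"
+    ports:
+      - "${PRESENTER_PORT}:80"
+    volumes:
+      - "presenters_templates:/app/templates"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  publishers:
+    depends_on:
+      core:
+        condition: service_healthy
+    restart: unless-stopped
+    image: "skcert/taranis-ng-publishers:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.publishers
+      args:
+        HTTP_PROXY: "${HTTP_PROXY}"
+        HTTPS_PROXY: "${HTTPS_PROXY}"
+        http_proxy: "${HTTP_PROXY}"
+        https_proxy: "${HTTPS_PROXY}"
+    environment:
+      TARANIS_NG_CORE_URL: "http://core"
+      API_KEY: "${COLLECTOR_PRESENTER_PUBLISHER_API_KEY}"
+      WORKERS_PER_CORE: "1"
+      TZ: "${TZ}"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  gui:
+    depends_on:
+      - "core"
+    restart: unless-stopped
+    image: "skcert/taranis-ng-gui:${TARANIS_NG_TAG}"
+    build:
+      context: ..
+      dockerfile: ./docker/Dockerfile.gui
+      args:
+        HTTP_PROXY: "${HTTP_PROXY}"
+        HTTPS_PROXY: "${HTTPS_PROXY}"
+        http_proxy: "${HTTP_PROXY}"
+        https_proxy: "${HTTPS_PROXY}"
+    # ports:
+    #   - "8080:80"
+    environment:
+      NGINX_WORKERS: "4"
+      NGINX_CONNECTIONS: "16"
+      VUE_APP_TARANIS_NG_URL: "${TARANIS_NG_HTTPS_URI}"
+      VUE_APP_TARANIS_NG_CORE_API: "${TARANIS_NG_HTTPS_URI}/api/v1"
+      VUE_APP_TARANIS_NG_CORE_SSE: "${TARANIS_NG_HTTPS_URI}/sse"
+      VUE_APP_TARANIS_NG_LOCALE: en
+      VUE_APP_TARANIS_NG_LOGOUT_URL: "${TARANIS_NG_HTTPS_URI}/api/v1/auth/logout?gotoUrl=TARANIS_GUI_URI"
+      VUE_APP_TARANIS_NG_LOGIN_URL: "${TARANIS_NG_HTTPS_URI}/api/v1/keycloak/auth/realms/taranis-ng/protocol/openid-connect/auth?response_type=code&client_id=taranis-ng&redirect_uri=TARANIS_GUI_URI"
+      TZ: "${TZ}"
+    labels:
+      traefik.enable: "true"
+      traefik.http.services.taranis-gui.loadbalancer.server.port: "80"
+
+      traefik.http.middlewares.redirect-to-443.redirectscheme.scheme: "https"
+      traefik.http.middlewares.redirect-to-443.redirectscheme.port: "${TARANIS_NG_HTTPS_PORT}"
+
+      traefik.http.routers.taranis-gui-80.entrypoints: "web"
+      traefik.http.routers.taranis-gui-80.rule: "PathPrefix(`/`)"
+      traefik.http.routers.taranis-gui-80.middlewares: "redirect-to-443"
+
+      traefik.http.routers.taranis-gui-443.entrypoints: "websecure"
+      traefik.http.routers.taranis-gui-443.rule: "PathPrefix(`/`)"
+      traefik.http.routers.taranis-gui-443.tls: "true"
+      traefik.http.routers.taranis-gui-443.tls.domains[0].main: "${TARANIS_NG_HOSTNAME}"
+      traefik.http.routers.taranis-gui-443.service: "taranis-gui"
+
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+  traefik:
+    depends_on:
+      - "gui"
+      - "core"
+    restart: unless-stopped
+    image: "traefik:latest"
+    environment:
+      TZ: "${TZ}"
+    ports:
+      - "${TARANIS_NG_HTTP_PORT}:80"
+      - "${TARANIS_NG_HTTPS_PORT}:443"
+      - "${TRAEFIK_MANAGEMENT_PORT}:9090"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./traefik:/etc/traefik:ro"
+      - "./tls:/opt/certs"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "200k"
+        max-file: "10"
+
+volumes:
+  redis_conf:
+  database_data:
+  core_data:
+  presenters_templates:
+  collector_storage: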
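Review bot: bots, collectors, presenters and publishers each declare `depends_on: core: condition: service_healthy`, but the core service in this file defines no `healthcheck:` block; unless Dockerfile.core carries a HEALTHCHECK instruction (not visible here), compose will refuse to start those four services because the dependency can never report healthy. Add a `healthcheck:` to core that probes its API port, or fall back to the plain list form of `depends_on` that redis/database use. Separately, `TARANIS_NG_KEYCLOAK_CLIENT_SECRET`, `KEYCLOAK_ADMIN_PASSWORD` and `KEYCLOAK_CLIENT_SECRET_KEY` are literal `"supersecret"` strings in core's environment while every other credential in the file is read from .env, so changing the .env defaults as its own comment instructs silently breaks core's Keycloak login; `KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_PASSWORD}"` matches the value the standalone Keycloak is started with, and the two client secrets deserve a .env variable of their own. `DEBUG: "true"` on core and collectors and `image: "traefik:latest"` are further production-unsafe defaults that the .env warning does not cover; bots is also the only service without `restart: unless-stopped`, which reads like an omission rather than a choice.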
5 changes: 4 additions & 1 deletion src/core/README.md
Expand Up @@ -54,10 +54,13 @@ TARANIS_NG_AUTHENTICATOR: "keycloak"
KEYCLOAK_REALM_NAME: "taranis-ng"
KEYCLOAK_USER_MANAGEMENT: "false"
```
You can use and modify the existing `docker-compose-keycloak.yml` example in the repository.
# **LDAP authentication**
If you prefer to authenticate users with LDAP, you need to set environment variables similarly to this:
```
TARANIS_NG_AUTHENTICATOR: "ldap"
LDAP_SERVER: "ldaps://ldap.example.com"
LDAP_BASE_DN: "ou=people,dc=example,dc=com"
```
```