diff --git a/.env b/.env index bf06fc6..af2043a 100644 --- a/.env +++ b/.env @@ -4,6 +4,9 @@ ALFRESCO_LICENSE_DIR=~/alfresco/license PROXY_PROTOCOL=http PROXY_HOST=localhost PROXY_PORT=8080 +IDENTITY_SERVICE_PROTOCOL=http +IDENTITY_SERVICE_HOST=auth.example.org +IDENTITY_SERVICE_PORT=8080 ACS_TAG=7.4.1.1 ATE_AIO_TAG=4.0.0 @@ -11,3 +14,4 @@ AAMQ_TAG=latest POSTGRES_TAG=13 ASIE_TAG=2.0.8.2 APS_TAG=2.4.1 +AIS_TAG=1.8.0.1 diff --git a/docker-compose.yml b/docker-compose.yml index e468507..bd69567 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -103,13 +103,36 @@ services: POSTGRES_USER: alfresco POSTGRES_PASSWORD: alfresco command: postgres -c max_connections=300 -c log_min_messages=LOG - + + identity: + image: alfresco/alfresco-identity-service:${AIS_TAG} + user: jboss + environment: + KEYCLOAK_USER: admin + KEYCLOAK_PASSWORD: admin + KEYCLOAK_HOSTNAME: ${IDENTITY_SERVICE_HOST} + KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json + KEYCLOAK_STATISTICS: enabled + networks: + default: + aliases: + - "${IDENTITY_SERVICE_HOST}" + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost:8080/auth/realms/alfresco"] + interval: 10s + timeout: 10s + # Really long startup times on Windows + retries: 18 + volumes: + - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro + proxy: build: ./nginx-ingress - image: local/nginx-ingress:acs-aps + image: local/nginx-ingress:acs-aps-aims mem_limit: 256m ports: - 8080:8080 depends_on: - platform - activiti-app + - identity diff --git a/keycloak-alfresco-realm.json b/keycloak-alfresco-realm.json new file mode 100644 index 0000000..ffd05d2 --- /dev/null +++ b/keycloak-alfresco-realm.json @@ -0,0 +1,47 @@ +{ + "realm": "alfresco", + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "roles": { + "realm": [ { + "name": "user", + "description": "User privileges" + }, { + "name": "admin", + "description": "Administrator privileges" + } ] + }, + "clients": [ + { + "clientId": "alfresco", + "name": "Alfresco Products", + "enabled": true, + "alwaysDisplayInConsole": false, + "redirectUris": [ "*" ], + "standardFlowEnabled": true, + "implicitFlowEnabled": true, + "directAccessGrantsEnabled": false, + "publicClient": true, + "protocol": "openid-connect", + "attributes": { + "login_theme": "alfresco" + } + } + ], + "requiredCredentials": [ "password" ], + "users": [ + { + "username": "admin", + "email": "admin@app.activiti.com", + "enabled": true, + "credentials" : [ + { + "type" : "password", + "value" : "admin" + } + ], + "realmRoles": [ "user", "admin" ] + } + ] +} diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh index 6a05fcc..db2e93b 100644 --- a/nginx-ingress/entrypoint.sh +++ b/nginx-ingress/entrypoint.sh @@ -12,6 +12,10 @@ if [[ $APS_ADMIN_URL ]]; then sed -i s%http:\/\/activiti-admin:8080%"$APS_ADMIN_URL"%g /etc/nginx/nginx.conf fi +if [[ $AIMS_URL ]]; then + sed -i s%http:\/\/identity:8080%"$AIMS_URL"%g /etc/nginx/nginx.conf +fi + if [[ $ACCESS_LOG ]]; then sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf fi diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf index 1cbffbd..15be2a8 100644 --- a/nginx-ingress/nginx.conf +++ b/nginx-ingress/nginx.conf @@ -19,7 +19,10 @@ http { proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off; - proxy_buffering off; +# proxy_buffering off; + proxy_buffer_size 64k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -59,5 +62,12 @@ http { # If using external proxy / load balancer (for initial redirect if no trailing slash) absolute_redirect off; } + + location /auth/ { + proxy_pass http://identity:8080; + + # If using external proxy / load balancer (for initial redirect if no trailing slash) + absolute_redirect off; + } } }