diff --git a/ansible/roles/keycloak-deploy/templates/keycloak.conf b/ansible/roles/keycloak-deploy/templates/keycloak.conf
new file mode 100644
index 0000000000..fd9a511dd0
--- /dev/null
+++ b/ansible/roles/keycloak-deploy/templates/keycloak.conf
@@ -0,0 +1,58 @@
+# Basic settings for running in production. Change accordingly before deploying the server.
+
+# Database
+
+# The database vendor.
+db=postgres
+
+# The username of the database user.
+db-username={{keycloak_postgres_user}}
+
+# The password of the database user.
+db-password={{keycloak_postgres_password}}
+
+# The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.
+db-url=jdbc:postgresql://{{keycloak_postgres_host}}:5432/{{keycloak_postgres_database}}?sslmode=require
+
+# Observability
+
+# If the server should expose healthcheck endpoints.
+#health-enabled=true
+
+# If the server should expose metrics endpoints.
+#metrics-enabled=true
+
+# HTTP
+
+# The file path to a server certificate or certificate chain in PEM format.
+#https-certificate-file=${kc.home.dir}conf/server.crt.pem
+
+# The file path to a private key in PEM format.
+#https-certificate-key-file=${kc.home.dir}conf/server.key.pem
+
+# The proxy address forwarding mode if the server is behind a reverse proxy.
+#proxy=reencrypt
+
+# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
+#spi-sticky-session-encoder-infinispan-should-attach-route=false
+
+# Hostname for the Keycloak server.
+#hostname=http://localhost:8080
+
+#hostname-path=/auth
+
+#http-port=8081
+http-relative-path=/auth
+
+# Logs
+log=console,file
+# default log path
+log-file=data/log/keycloak.log
+log-level=INFO,com.arjuna:WARN,io.jaegertracing.Configuration:WARN,org.jboss.as.config:DEBUG,sun.rmi:WARN,org.keycloak:INFO
+log-console-color=true
+# Apart from default pattern, json pattern also available
+log-console-output=default
+log-file-output=default
+log-console-format='%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+log-file-format='%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n'
+
diff --git a/deploy/migrate-to-keycloak21.sh b/deploy/migrate-to-keycloak21.sh
new file mode 100644
index 0000000000..da438a7262
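Review bot: The `db-url` line requests `sslmode=require`, which encrypts the Postgres connection but does not check the server certificate, so Keycloak would still connect to an impostor presenting any certificate; where the database CA is available, `?sslmode=verify-full&sslrootcert=<path to CA bundle>` is the setting that actually authenticates the server. The `db-password` line renders the credential into the file in plaintext, so the template task should install it with a restrictive mode, or the value can be supplied through the `KC_DB_PASSWORD` environment variable instead and the line dropped. A short header comment stating that this file carries the database credential and must not be world-readable would help operators who copy it by hand, as the accompanying migration script does.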
--- /dev/null
+++ b/deploy/migrate-to-keycloak21.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo "Get the keycloak.conf template file"
+curl -sS https://raw.githubusercontent.com/project-sunbird/sunbird-devops/release-7.0.0/ansible/roles/keycloak-deploy/templates/keycloak.conf --output keycloak.conf
+
+echo "Get the current VM IP"
+ip="$(ifconfig | grep -A 1 'eth0' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
+
+echo "Replace ansible variables with postgres details"
+sed -i "s/{{keycloak_postgres_host}}/$PG_HOST/g" keycloak.conf
+sed -i "s/{{keycloak_postgres_database}}/${PG_DB}7/g" keycloak.conf
+sed -i "s/{{keycloak_postgres_user}}/$PG_USER/g" keycloak.conf
+sed -i "s/{{keycloak_postgres_password}}/$PGPASSWORD/g" keycloak.conf
+sed -i "s/{{ansible_default_ipv4.address}}/$ip/g" keycloak.conf
+sed -i "s/8080/8081/g" keycloak.conf
+sed -i "s/\"900\"/\"3600\"/g" keycloak.conf
+
+echo "Get vanilla keycloak package"
+wget -q https://github.com/keycloak/keycloak/releases/download/21.1.2/keycloak-21.1.2.tar.gz
+
+echo "Extract keycloak package"
+tar -xvzf keycloak-21.1.2.tar.gz
+
+echo "Copy keycloak.conf file to keycloak package"
+cp keycloak.conf keycloak-21.1.2/conf/
+
+echo "Backup the existing keycloak db"
+pg_dump -Fd -j 4 -h $PG_HOST -U $PG_USER -d $PG_DB -f ${PG_DB}
+
+echo "Create a new db for keycloak 21"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d postgres -c "CREATE DATABASE ${PG_DB}21"
+
+echo "Restore the existing keycloak 7 db to the new database"
+pg_restore -O -j 4 -h $PG_HOST -U $PG_USER -d ${PG_DB}21 ${PG_DB}
+
+echo "Clear the DB of duplicate values"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "delete from public.COMPOSITE_ROLE a using public.COMPOSITE_ROLE b where a=b and a.ctid < b.ctid"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "delete from public.REALM_EVENTS_LISTENERS a using public.REALM_EVENTS_LISTENERS b where a=b and a.ctid < b.ctid"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "delete from public.REDIRECT_URIS a using public.REDIRECT_URIS b where a=b and a.ctid < b.ctid"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "delete from public.WEB_ORIGINS a using public.WEB_ORIGINS b where a=b and a.ctid < b.ctid"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "truncate offline_user_session"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "truncate offline_client_session"
+psql -h $PG_HOST -U $PG_USER -p 5432 -d ${PG_DB}7 -c "truncate jgroupsping" || true
+
+echo "Migrate the DB to keycloak 21"
+cd keycloak-21.1.2
+bin/kc.sh start --spi-connections-jpa-legacy-migration-strategy=update -b=$ip -bprivate=$ip
\ No newline at end of file
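Review bot: The generated keycloak.conf points at database `${PG_DB}7` (the `sed ... {{keycloak_postgres_database}}` line) and the de-duplication and `truncate` statements also run against `${PG_DB}7`, but the dump is restored into `${PG_DB}21`, which nothing references afterwards; one of these names looks wrong, and as written the final `bin/kc.sh start` would migrate a database other than the one just restored. Separately, `sed -i "s/{{keycloak_postgres_password}}/$PGPASSWORD/g" keycloak.conf` places the database password on a command line readable by any local user through the process table, and a password containing `/`, `&` or `\` silently corrupts the sed expression; substituting the value from the environment inside the replacing tool, or leaving the placeholder out and setting `KC_DB_PASSWORD` for the server, avoids both. The keycloak-21.1.2 tarball fetched by `wget` is unpacked by `tar -xvzf` without any checksum comparison against the published digest, so a tampered download would be installed unnoticed. The `{{ansible_default_ipv4.address}}`, `8080` and `\"900\"` substitutions match nothing in the template as committed apart from a commented-out `#hostname` line, so they appear to be leftovers that could be removed or documented.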