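# syntax=docker/dockerfile:1
ARG ALPINE_VERSION=3.20.1
ARG KEYCLOAK_VERSION=25.0.6

# --- Stage 1: fetch provider JARs -------------------------------------------
# Throw-away stage that downloads the FOLIO Keycloak plugin and the Bouncy
# Castle FIPS JARs; only /tmp/keycloak-providers-jars is consumed downstream.
FROM alpine:$ALPINE_VERSION AS providers_jar_downloader
WORKDIR /tmp/keycloak-providers-jars

# FOLIO Keycloak plugin version to download
ARG KCPLUG_DETECT_FOLIO_USER_VERSION=1.0.0
# Bouncy Castle FIPS JAR versions to download
ARG BC_FIPS_VERSION=1.0.2.5
ARG BCTLS_FIPS_VERSION=1.0.19
ARG BCPKIX_FIPS_VERSION=1.0.7
ARG FOLIO_MAVEN_URL=https://repository.folio.org/repository/maven-releases
ARG BC_MAVEN_URL=https://repo1.maven.org/maven2/org/bouncycastle

# Optional SHA-256 pins for the downloaded JARs (hex digest, e.g.
# --build-arg BC_FIPS_SHA256=<sha256>). When set, the build fails on a
# mismatch; when left empty the JAR is accepted unverified, as before.
ARG KCPLUG_DETECT_FOLIO_USER_SHA256=
ARG BC_FIPS_SHA256=
ARG BCTLS_FIPS_SHA256=
ARG BCPKIX_FIPS_SHA256=

# Download and (optionally) verify the JARs. The previous `curl -O` had no -f,
# so an HTTP error page would have been saved under the .jar name and the
# failure only surfaced later, when Keycloak tried to load it.
RUN <<'EOF'
set -eu
apk upgrade --no-cache
apk add --no-cache curl

# fetch <url>: save the file under its URL basename.
#   -f    fail on HTTP errors instead of saving the error page as the .jar
#   -sS   quiet, but still report errors; -L follows redirects
#   --proto-redir '=https' refuses a redirect that would downgrade to plain HTTP
#   (the scheme of the initial URL is left to the *_MAVEN_URL build args)
fetch() {
  curl -fsSL --proto-redir '=https' --retry 3 -O "$1"
}
# verify <file> <sha256>: no-op when the digest is empty, otherwise fail on mismatch.
verify() {
  [ -z "$2" ] || echo "$2  $1" | sha256sum -c -
}

fetch "${FOLIO_MAVEN_URL}/org/folio/authentication/keycloak-detect-folio-user/${KCPLUG_DETECT_FOLIO_USER_VERSION}/keycloak-detect-folio-user-${KCPLUG_DETECT_FOLIO_USER_VERSION}.jar"
verify "keycloak-detect-folio-user-${KCPLUG_DETECT_FOLIO_USER_VERSION}.jar" "${KCPLUG_DETECT_FOLIO_USER_SHA256}"

fetch "${BC_MAVEN_URL}/bc-fips/${BC_FIPS_VERSION}/bc-fips-${BC_FIPS_VERSION}.jar"
verify "bc-fips-${BC_FIPS_VERSION}.jar" "${BC_FIPS_SHA256}"

fetch "${BC_MAVEN_URL}/bctls-fips/${BCTLS_FIPS_VERSION}/bctls-fips-${BCTLS_FIPS_VERSION}.jar"
verify "bctls-fips-${BCTLS_FIPS_VERSION}.jar" "${BCTLS_FIPS_SHA256}"

fetch "${BC_MAVEN_URL}/bcpkix-fips/${BCPKIX_FIPS_VERSION}/bcpkix-fips-${BCPKIX_FIPS_VERSION}.jar"
verify "bcpkix-fips-${BCPKIX_FIPS_VERSION}.jar" "${BCPKIX_FIPS_SHA256}"
EOF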
# --- Stage 2: Keycloak build ------------------------------------------------
# Runs `kc.sh build` once so the runtime image starts from a pre-optimized
# server. Every KC_* value below is a build-time option that `kc.sh build`
# bakes into /opt/keycloak; the final stage copies that tree as-is.
FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION AS builder
ENV KC_DB=postgres \
    KC_HEALTH_ENABLED=true \
    KC_METRICS_ENABLED=true \
    KC_FEATURES=scripts,token-exchange,admin-fine-grained-authz,fips \
    KC_FIPS_MODE=strict
# NOTE(review): `scripts` enables server-side scripts shipped in deployed JARs
# (folio-scripts.jar below), so the content of that JAR is part of the trusted
# code base — review it like any other provider. `fips` together with
# KC_FIPS_MODE=strict expects the Bouncy Castle FIPS JARs from the download
# stage to be present in providers/ at build time.

# Provider JARs: FOLIO plugin + Bouncy Castle FIPS from stage 1, plus the
# FOLIO script bundle from the build context.
COPY --chown=keycloak:keycloak --from=providers_jar_downloader /tmp/keycloak-providers-jars/ /opt/keycloak/providers/
COPY --chown=keycloak:keycloak libs/folio-scripts.jar /opt/keycloak/providers/
# Server configuration. Whatever is placed in conf/ ends up verbatim in the
# runtime image layers — keep credentials out of it and supply them at runtime.
COPY --chown=keycloak:keycloak conf/* /opt/keycloak/conf/
COPY --chown=keycloak:keycloak cache-ispn-jdbc.xml /opt/keycloak/conf/cache-ispn-jdbc.xml
RUN /opt/keycloak/bin/kc.sh build
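# --- Stage 3: runtime image -------------------------------------------------
FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION
# The whole pre-built install from the builder stage (providers, conf, build output).
COPY --from=builder --chown=keycloak:keycloak /opt/keycloak/ /opt/keycloak/
# FOLIO helper scripts. COPY creates /opt/keycloak/bin/folio itself, so no
# separate `RUN mkdir` layer is needed.
COPY --chown=keycloak:keycloak folio/configure-realms.sh /opt/keycloak/bin/folio/configure-realms.sh
COPY --chown=keycloak:keycloak folio/setup-admin-client.sh /opt/keycloak/bin/folio/setup-admin-client.sh
COPY --chown=keycloak:keycloak folio/start-fips.sh /opt/keycloak/bin/folio/start-fips.sh
# Custom login themes.
COPY --chown=keycloak:keycloak custom-theme /opt/keycloak/themes/custom-theme
COPY --chown=keycloak:keycloak custom-theme-sso-only /opt/keycloak/themes/custom-theme-sso-only
# Make the scripts read/execute-only (no write) for owner and group. The
# directory is chowned explicitly because COPY only guarantees ownership of
# the files it copies, not of parents it had to create. chmod needs root.
USER root
RUN chown keycloak:keycloak /opt/keycloak/bin/folio \
 && chmod -R 550 /opt/keycloak/bin/folio
# Drop privileges again. The numeric UID is used instead of the name so that
# runtimes enforcing runAsNonRoot (e.g. Kubernetes) can verify the user
# without consulting /etc/passwd. 1000 is the uid the upstream Keycloak image
# runs as and that `keycloak` resolves to there — confirm if the base changes.
USER 1000
# NOTE(review): start-fips.sh is not visible here; it should `exec` the
# server so Keycloak runs as PID 1 and receives SIGTERM on `docker stop`.
ENTRYPOINT ["/opt/keycloak/bin/folio/start-fips.sh"]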