
Keycloak构建


使用keycloak实现统一认证

官方文档默认用docker命令以开发者模式(start-dev)拉起,不适合生产部署

# Quick-start in dev mode: listener bound to loopback only, bootstrap admin
# credentials passed on the command line.
docker run \
  -p 127.0.0.1:8080:8080 \
  -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
  -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
  quay.io/keycloak/keycloak:26.5.0 \
  start-dev

生产部署需要额外的构建(build)步骤和配置,这里使用docker-compose部署

目录结构

root@linuxlab01:/data/keycloak# ll -a
total 24
drwxr-xr-x 3 root root 4096 Jan 5 08:21 ./
drwxr-xr-x 16 root root 4096 Jan 3 09:56 ../
drwx------ 19 999 root 4096 Jan 5 17:32 data/
-rw-r--r-- 1 root root 1130 Jan 5 08:27 docker-compose.yml
-rw-r--r-- 1 root root 522 Jan 5 08:20 Dockerfile
-rw-r--r-- 1 root root 73 Jan 5 08:20 .env

环境变量

.env
# Values substituted into docker-compose.yml via ${...}.
# Postgres password; the same value is handed to Keycloak as KC_DB_PASSWORD.
DB_PASSWORD=your_secure_db_password
# Bootstrap (temporary) admin account, mapped to KC_BOOTSTRAP_ADMIN_USERNAME/_PASSWORD.
ADMIN_USER=admin
# NOTE(review): sample value. The directory listing shows .env as mode 0644
# although it holds both secrets; restricting it to the owner (0600) is the usual fix.
ADMIN_PASSWORD=admin

镜像构建

Dockerfile
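# Pin the Keycloak release so the builder and runtime stages are guaranteed to
# be the same version and the build is reproducible (26.5.0 is the version the
# start-dev command uses). Override with --build-arg KEYCLOAK_VERSION=<ver>.
ARG KEYCLOAK_VERSION=26.5.0

# Stage 1: build-time configuration (kc.sh build bakes these options in)
FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} AS builder

# Expose the health and metrics endpoints
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Database vendor; must match the KC_DB_URL used at runtime
ENV KC_DB=postgres

WORKDIR /opt/keycloak
# Produce the optimized distribution. `start --optimized` at runtime skips
# the build phase and relies entirely on what is baked in here.
RUN /opt/keycloak/bin/kc.sh build

# Stage 2: production image carrying only the built distribution
FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Entrypoint; the compose `command` supplies "start --optimized"
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]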

docker-compose配置

docker-compose.yml
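services:
  # Optional: the database can instead run on a separate host; in that case
  # drop this service and point KC_DB_URL at the external instance.
  keycloak_db:
    image: postgres:17
    volumes:
      # Bind mount; ./data is created by the container (owned by the postgres uid)
      - ./data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak"]
      interval: 10s
      retries: 5
    networks:
      - keycloak_net
    # Same policy as the keycloak service; otherwise after a host reboot the
    # database stays down while keycloak is restarted and fails to connect.
    restart: always

  keycloak:
    build: .
    container_name: keycloak
    # --optimized skips the build phase, so every build-time option
    # (KC_DB, health, metrics) must already be baked in by the Dockerfile.
    command: start --optimized
    environment:
      KC_DB: postgres
      # Database connection; adjust host/port when the database is external
      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${DB_PASSWORD}
      # Public hostname (or IP) clients use to reach Keycloak
      KC_HOSTNAME: auth.example.com
      # Plain HTTP inside the container; TLS is terminated by the reverse proxy
      KC_HTTP_ENABLED: "true"
      # KC_PROXY is deprecated (since Keycloak 24); KC_PROXY_HEADERS makes
      # Keycloak honour the X-Forwarded-* headers set by the proxy in front
      KC_PROXY_HEADERS: xforwarded
      KC_BOOTSTRAP_ADMIN_USERNAME: ${ADMIN_USER}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${ADMIN_PASSWORD}
    depends_on:
      keycloak_db:
        condition: service_healthy
    ports:
      # Bound to loopback, like the start-dev command: with KC_HTTP_ENABLED the
      # listener is plaintext and is meant to be reached only via the proxy.
      # Use "8080:8080" only if the proxy runs on another host.
      - "127.0.0.1:8080:8080"
    networks:
      - keycloak_net
    restart: always

networks:
  keycloak_net:
    driver: bridge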