Add custom keycloak with healthcheck

scripts/iam/README.md

@@ -38,6 +38,17 @@ Open the administration interface at `http://localhost:8282/admin/master/console
 
 2. To provide better support for Docker environments, we have made updates to the Keycloak setup. One important change is the inclusion of persistent storage for the database using PostgreSQL. This ensures that any changes made to Keycloak configuration or data will be preserved even after restarting the Docker container.
 
+3. If you are using an M1-based Mac, you have to use [Docker Buildx](https://docs.docker.com/buildx/working-with-buildx/) instead of `docker build`. If you are building for x86-based systems use `--platform linux/amd64`, and for ARM-based systems use `--platform linux/arm64`. In the scripts, make sure to comment out `docker build`, `docker tag`, and `docker push` commands and add the following command instead once a custom image has been built, i.e. `geobeyond/keycloak:latest`. A custom `Dockerfile` is provided for the usage within the `docker-compose.custom.yml`.
+
+    ```shell
+    docker buildx build -t geobeyond/keycloak:latest --platform linux/amd64 --push -f ./keycloak/Dockerfile.custom .
+    ```
+
+    ```shell
+    # Start the custom composition
+    docker compose -f ./docker-compose.custom.yml up -d
+    ```
+
 ---
 
 ### Create a new realm

scripts/iam/docker-compose.custom.yml

@@ -0,0 +1,63 @@
+version: "3.9"
+services:
+  keycloak:
+    image: geobeyond/keycloak:22.0-custom
+    ports:
+      - 8282:8080
+    environment:
+      - CLIENT_SECRET=${CLIENT_SECRET} # predefined client secret
+      - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN} # default user name and password of keycloak admin
+      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
+      - KC_HOSTNAME=${KC_HOSTNAME} # to be changed in prodection
+      - KC_HEALTH_ENABLED=${KC_HEALTH_ENABLED}
+      - KC_METRICS_ENABLED=${KC_METRICS_ENABLED}
+      - KC_HOSTNAME_STRICT_HTTPS=${KC_HOSTNAME_STRICT_HTTPS}
+      - KC_HOSTNAME_STRICT=${KC_HOSTNAME_STRICT}
+      - KC_DB=${KC_DB} #db
+      - KC_DB_URL_HOST=${KC_DB_URL_HOST}
+      - KC_DB_URL_DATABASE=${POSTGRES_DB}
+      - KC_DB_USERNAME=${POSTGRES_USER}
+      - KC_DB_PASSWORD=${POSTGRES_PASSWORD}
+      - KC_OVERRIDE=${KC_OVERRIDE} # skip override of data if already exists
+    command: -v start --http-enabled=true --import-realm
+    volumes:
+      - ./keycloak/imports/pygeoapi-realm.json:/opt/keycloak/data/import/pygeoapi-realm.json
+    depends_on:
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null http://localhost:8080/ || exit 1"]
+      interval: 1m
+      timeout: 10s
+      retries: 3
+      start_period: 90s
+  postgres:
+    image: postgres:14.3
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=${POSTGRES_DB}
+      - POSTGRES_USER=${POSTGRES_USER}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
+      interval: 15s
+      timeout: 10s
+      retries: 3
+  opa:
+    image: openpolicyagent/opa:0.54.0
+    ports:
+      - 8383:8181
+    command:
+      - "run"
+      - "--server"
+      - "--log-level=debug"
+      - "/policy/auth.rego"
+    volumes:
+      - ./policy:/policy
+    depends_on:
+      keycloak:
+        condition: service_started
+
+volumes:
+  postgres_data:

scripts/iam/keycloak/imports/Dockerfile.custom

@@ -0,0 +1,6 @@
+FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
+RUN mkdir -p /mnt/rootfs
+RUN dnf install --installroot /mnt/rootfs curl --releasever 9 --setopt install_weak_deps=false --nodocs -y; dnf --installroot /mnt/rootfs clean all
+
+FROM quay.io/keycloak/keycloak:22.0
+COPY --from=ubi-micro-build /mnt/rootfs /