Streamline the passwords

Author: abbradar

docker-compose.yml

@@ -29,11 +29,10 @@ services:
       KC_LOG_LEVEL: info
       KC_METRICS_ENABLED: "true"
       KC_HEALTH_ENABLED: "true"
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD}"
 
       EXTERNAL_ORIGIN: "${EXTERNAL_ORIGIN:-http://localhost:9080}"
       ADMIN_EMAIL: "${ADMIN_EMAIL:[email protected]}"
+      ADMIN_PASSWORD: "${ADMIN_PASSWORD}"
     depends_on:
       - postgres
 

docker/Dockerfile.keycloak

@@ -1,8 +1,23 @@
+# Be sure to check https://github.com/keycloak/keycloak/blob/main/quarkus/container/Dockerfile
+# and bump the used UBI when bumping the image.
+# This is an ugly way to add jq and python3.
+
+FROM registry.access.redhat.com/ubi9 AS ubi
+
+RUN dnf install -y python3
+
 FROM keycloak/keycloak:25.0
 
+USER 0
+COPY --from=ubi /usr /tmp/usr
+RUN cp -arn /tmp/usr /
+RUN rm -rf /tmp/usr
+USER 1000
+
 COPY ./docker/keycloak-realm.json /etc/keycloak/realm.json
+COPY ./docker/keycloak-prepare-realm.py /usr/local/bin/keycloak-prepare-realm.py
 COPY ./docker/keycloak-entrypoint.sh /usr/local/bin/entrypoint.sh
 
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 
-CMD ["start", "--import-realm"]
+CMD ["start", "--import-realm"]

docker/keycloak-entrypoint.sh

@@ -13,10 +13,24 @@ if [ -z "$KC_HOSTNAME" ]; then
   fi
 fi
 
+if [ -z "$KEYCLOAK_ADMIN" ]; then
+  if [ -n "$ADMIN_EMAIL" ]; then
+    export KEYCLOAK_ADMIN="$ADMIN_EMAIL"
+  fi
+fi
+
+if [ -z "$KEYCLOAK_ADMIN_PASSWORD" ]; then
+  if [ -n "$ADMIN_PASSWORD" ]; then
+    export KEYCLOAK_ADMIN_PASSWORD="$ADMIN_PASSWORD"
+  fi
+fi
+
 mkdir -p /opt/keycloak/data/import
-sed /etc/keycloak/realm.json \
-  -e 's,{EXTERNAL_ORIGIN},'"$EXTERNAL_ORIGIN"',g' \
-  -e 's,{ADMIN_EMAIL},'"$ADMIN_EMAIL"',g' \
-  > /opt/keycloak/data/import/realm.json
+/usr/local/bin/keycloak-prepare-realm.py \
+  --external-origin "$EXTERNAL_ORIGIN" \
+  --admin-email "$ADMIN_EMAIL" \
+  --admin-password "$ADMIN_PASSWORD" \
+  </etc/keycloak/realm.json \
+  >/opt/keycloak/data/import/realm.json
 
 exec /opt/keycloak/bin/kc.sh "$@"

docker/keycloak-prepare-realm.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+
+import argparse
+import json
+import sys
+import hashlib
+import base64
+import os
+
+
+ITERATIONS = 180000
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--external-origin", type=str, required=True)
+    parser.add_argument("--admin-email", type=str, required=True)
+    parser.add_argument("--admin-password", type=str, required=True)
+    args = parser.parse_args()
+
+    realm = json.load(sys.stdin)
+    
+    # Replace admin email placeholder
+    for user in realm.get("users", []):
+        if user.get("id") == "admin":
+            user["username"] = args.admin_email
+            user["email"] = args.admin_email
+            
+            # Update password credentials
+            for credential in user.get("credentials", []):
+                if credential.get("type") == "password":
+                    # Generate a random salt
+                    salt = os.urandom(16)
+                    salt_b64 = base64.b64encode(salt).decode('utf-8')
+                    
+                    # Hash the password with the salt
+                    pwd_hash = hashlib.pbkdf2_hmac('sha256', args.admin_password.encode('utf-8'), salt, ITERATIONS)
+                    pwd_hash_b64 = base64.b64encode(pwd_hash).decode('utf-8')
+                    
+                    # Set credential data in Keycloak format
+                    credential["credentialData"] = json.dumps({"hashIterations": ITERATIONS, "algorithm": "pbkdf2-sha256"})
+                    credential["secretData"] = json.dumps({"salt": salt_b64, "value": pwd_hash_b64})
+    
+    # Replace EXTERNAL_ORIGIN placeholders in clients
+    for client in realm.get("clients", []):
+        # Update redirectUris
+        if "redirectUris" in client:
+            client["redirectUris"] = [uri.replace("{EXTERNAL_ORIGIN}", args.external_origin) 
+                                     for uri in client["redirectUris"]]
+        
+        # Update webOrigins
+        if "webOrigins" in client:
+            client["webOrigins"] = [origin.replace("{EXTERNAL_ORIGIN}", args.external_origin) 
+                                   for origin in client["webOrigins"]]
+    
+    # Output the modified realm configuration
+    json.dump(realm, sys.stdout, indent=2)
+
+
+if __name__ == "__main__":
+    main()

docker/keycloak-realm.json

@@ -88,12 +88,10 @@
           "id": "password",
           "type": "password",
           "userLabel": "My password",
-          "createdDate": 1726948946561,
           "secretData": "{\"value\":\"oRgPShutFloqamI75qmIrgwLErxpQQsBQTMzD0Rma8Q=\",\"salt\":\"1K/UNtNh0Ao7sO8iKZBpiQ==\",\"additionalParameters\":{}}",
           "credentialData": "{\"hashIterations\":5,\"algorithm\":\"argon2\",\"additionalParameters\":{\"hashLength\":[\"32\"],\"memory\":[\"7168\"],\"type\":[\"id\"],\"version\":[\"1.3\"],\"parallelism\":[\"1\"]}}"
         }
       ],
-      "requiredActions": ["UPDATE_PASSWORD"],
       "realmRoles": ["ozmadb-admin", "default-roles-ozma"]
     }
   ]

env.dev.example

@@ -1,2 +1,2 @@
 [email protected]
-KEYCLOAK_ADMIN_PASSWORD=admin
+ADMIN_PASSWORD=admin

env.production.example

@@ -1,6 +1,6 @@
 [email protected]
 # Set this to a secret password
-KEYCLOAK_ADMIN_PASSWORD=
+ADMIN_PASSWORD=
 # Replace example.com in the following two variables with your domain name
 CADDY_ADDRESS=example.com
 EXTERNAL_ORIGIN=https://example.com

render.yaml

@@ -72,10 +72,6 @@ services:
         value: 'true'
       - key: KC_HEALTH_ENABLED
         value: 'true'
-      - key: KEYCLOAK_ADMIN
-        value: admin
-      - key: KEYCLOAK_ADMIN_PASSWORD
-        generateValue: true
       - key: EXTERNAL_PROTOCOL
         value: https
       - key: EXTERNAL_HOSTPORT
@@ -85,6 +81,8 @@ services:
           envVarKey: DOMAIN
       - key: ADMIN_EMAIL
         sync: false
+      - key: ADMIN_PASSWORD
+        generateValue: true
 
   - name: ozmadb
     type: pserv