Fix/docker setup

README.md

@@ -128,9 +128,6 @@ only and should not be used in production.
 ```
 
 - run `docker compose up`
-- After Keycloak is up, open a second terminal window and run
-  `docker compose up keycloak-cli` to import a realm with all the users
-  and roles already set up.
 - To set up our CouchDB server open `http://127.0.0.1:5984/_utils/#/setup`
   and run the [Single Node Setup](https://docs.couchdb.org/en/stable/setup/single-node.html). This creates databases like **_users** and stops CouchDB from spamming our logs (Admin credentials from .env)
 - Create a database in CouchDB with the name specified in `CSAF_COUCHDB_DBNAME`

compose.yaml

@@ -4,7 +4,7 @@
 
 services:
   cms-couchdb:
-    image: couchdb:3.3
+    image: couchdb:3.4
     hostname: couchdb.csaf.internal
     #container_name: cms-couchdb
     restart: on-failure
@@ -16,13 +16,18 @@ services:
       - csaf-couchdb-data:/opt/couchdb/data
     ports:
       - "${CSAF_COUCHDB_PORT}:5984"
+    healthcheck:
+      test: ["CMD-SHELL", "curl http://127.0.0.1:5984/_up || exit 1"]
+      interval: 10s
+      timeout: 10s
+      retries: 10
     networks:
       default:
         aliases:
           - "couchdb.csaf.internal"
 
   keycloak-db:
-    image: postgres:14
+    image: postgres:17
     hostname: keycloak-db.csaf.internal
     #container_name: keycloak-db
     volumes:
@@ -35,31 +40,51 @@ services:
     restart: on-failure
     ports:
       - "${CSAF_KEYCLOAK_DATABASE_PORT}:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${CSAF_KEYCLOAK_DATABASE_USER}"]
+      interval: 10s
+      timeout: 10s
+      retries: 10
     networks:
       default:
         aliases:
           - "keycloak-db.csaf.internal"
 
   keycloak:
-    image: quay.io/keycloak/keycloak:20.0
+    image: quay.io/keycloak/keycloak:26.2
     hostname: keycloak.csaf.internal
     #container_name: keycloak
     env_file: .env
     environment:
       # https://www.keycloak.org/server/all-config
       KC_HEALTH_ENABLED: "true"
-      KC_METRICS_ENABLED: "true"
       KC_DB: postgres
+      KC_DB_SCHEMA: public
+
       KC_DB_URL_HOST: keycloak-db.csaf.internal
       KC_DB_URL_PORT: 5432
       KC_DB_URL_DATABASE: ${CSAF_KEYCLOAK_DATABASE_NAME}
+
       KC_DB_USERNAME: ${CSAF_KEYCLOAK_DATABASE_USER}
       KC_DB_PASSWORD: ${CSAF_KEYCLOAK_DATABASE_PASSWORD}
-      KC_DB_SCHEMA: public
+
       KEYCLOAK_ADMIN: ${CSAF_KEYCLOAK_ADMIN_USER}
       KEYCLOAK_ADMIN_PASSWORD: ${CSAF_KEYCLOAK_ADMIN_PASSWORD}
+
+      KEYCLOAK_EXTRA_ARGS: --import-realm
+    volumes:
+      - ./keycloak:/opt/bitnami/keycloak/data/import
+    healthcheck:
+        start_period: 120s
+        test:
+          ["CMD-SHELL", "timeout 1 bash -c 'cat < /dev/null > /dev/tcp/localhost/8080'", ]
+        interval: 10s
+        timeout: 10s
+        retries: 10
     depends_on:
-      - keycloak-db
+      keycloak-db:
+        condition: service_healthy
+        restart: true
     restart: on-failure
     ports:
       - "${CSAF_KEYCLOAK_PORT}:8080"
@@ -68,22 +93,6 @@ services:
       default:
         aliases:
           - "keycloak.csaf.internal"
-
-  # Run this manually to import the default keycloak config since 'depends_on' is currently broken.
-  keycloak-cli:
-    image: adorsys/keycloak-config-cli:latest-20.0.1
-    #container_name: keycloak-cli
-    profiles: [ "run_manually" ]
-    env_file: .env
-    environment:
-      KEYCLOAK_URL: "http://keycloak.csaf.internal:8080/"
-      KEYCLOAK_USER: ${CSAF_KEYCLOAK_ADMIN_USER}
-      KEYCLOAK_PASSWORD: ${CSAF_KEYCLOAK_ADMIN_PASSWORD}
-      IMPORT_FILES_LOCATIONS: "/config/csaf-realm.json"
-    volumes:
-      - ./keycloak:/config:z
-    depends_on:
-      - keycloak
 
   oauth2-proxy:
     image: bitnami/oauth2-proxy:7.4.0
@@ -95,7 +104,9 @@ services:
       # listening address and proxy target
       OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180"
       OAUTH2_PROXY_UPSTREAMS: "http://host.docker.internal:${CSAF_CMS_BACKEND_PORT}/api/v1/"
-
+
+      OAUTH2_PROXY_REVERSE_PROXY: "true"
+
       # Security related config
       OAUTH2_PROXY_COOKIE_SECURE: "false"
       OAUTH2_PROXY_COOKIE_HTTPONLY: "true"
@@ -108,9 +119,15 @@ services:
       OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "CSAF OIDC Provider"
       # You need to set your keycloak "Frontend URL", in our case "http://localhost:9000/auth/"
       # If you don't want to use autodiscovery, you have to set all urls by hand (login-url, oidc-jwks-url, redeem-url, ...)
+
+      OAUTH2_PROXY_SKIP_OIDC_DISCOVERY: "true"
       OAUTH2_PROXY_OIDC_ISSUER_URL: "http://keycloak.csaf.internal:8080/realms/${CSAF_REALM}"
+      OAUTH2_PROXY_LOGIN_URL: "http://localhost/realms/csaf/protocol/openid-connect/auth"
+      OAUTH2_PROXY_REDEEM_URL: "http://keycloak.csaf.internal:8080/realms/csaf/protocol/openid-connect/token"
+      OAUTH2_PROXY_OIDC_JWKS_URL: http://keycloak.csaf.internal:8080/realms/csaf/protocol/openid-connect/certs
       OAUTH2_PROXY_INSECURE_OIDC_SKIP_ISSUER_VERIFICATION: "true"
-      OAUTH2_PROXY_WHITELIST_DOMAINS: "localhost:4180,localhost:8080"
+
+      OAUTH2_PROXY_WHITELIST_DOMAINS: "localhost:4180,localhost:8080,localhost,locahost:80"
 
       # Client credentials
       OAUTH2_PROXY_CLIENT_ID: ${CSAF_CLIENT_ID}
@@ -131,7 +148,8 @@ services:
       - "host.docker.internal:host-gateway"
     restart: on-failure
     depends_on:
-      - keycloak
+      keycloak:
+        condition: service_healthy
     networks:
       default:
         aliases:
@@ -145,6 +163,11 @@ services:
     env_file: .env
     ports:
       - "$CSAF_VALIDATOR_PORT:8082"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -O /dev/null http://127.0.0.1:8082/api/v1/tests || exit 1"]
+      interval: 10s
+      timeout: 10s
+      retries: 10 
     networks:
       default:
         aliases:
@@ -157,25 +180,39 @@ services:
     hostname: secvisogram.csaf.internal
     volumes:
       - "./docker/secvisogram/appspecific:/usr/share/nginx/html/.well-known/appspecific"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -O /dev/null http://127.0.0.1 || exit 1"]
+      interval: 10s
+      timeout: 10s
+      retries: 10
     networks:
       default: 
         aliases:
           - "secvisogram.csaf.internal"        
 
 
   reverse-proxy:
-    image:  nginx:1.23-alpine
+    image:  nginx:1.27-alpine
     hostname: "reverseproxy.csaf.internal"
     restart: on-failure
     ports:
       - "80:80" 
     volumes:
       - "./docker/reverseproxy/nginx.conf:/etc/nginx/nginx.conf"
+    healthcheck:
+        test: ["CMD-SHELL", "wget -O /dev/null http://127.0.0.1 || exit 1"]
+        interval: 10s
+        timeout: 10s
+        retries: 10
     depends_on:
-      - secvisogram
-      - keycloak
-      - oauth2-proxy
-      - validator
+      secvisogram:
+        condition: service_healthy
+      keycloak: 
+        condition: service_healthy
+      oauth2-proxy:
+        condition: service_started
+      validator:
+        condition: service_healthy
 
 volumes:
   csaf-couchdb-data:

docker/secvisogram/Dockerfile

@@ -13,6 +13,6 @@ RUN apk add git; \
 # This build takes the production build from staging build
 #
 
-FROM nginx:1.23-alpine
+FROM nginx:1.27-alpine
 COPY --from=build /usr/src/secvisogram/app/dist /usr/share/nginx/html
 EXPOSE 80

keycloak/csaf-realm.json

@@ -4,6 +4,10 @@
       "adminUrl": "http://localhost",
       "bearerOnly": false,
       "clientAuthenticatorType": "client-secret",
+      "secret": {
+        "type": "password",
+        "value": "mDmZiwDL814MCTHJwySSiECRwcncIuHu"
+      },
       "clientId": "secvisogram",
       "consentRequired": false,
       "directAccessGrantsEnabled": false,