adorsys/keycloak-config-cli

BranchesTags

Repository files navigation

CIGitHub release (latest SemVer)GitHub All ReleasesDocker PullscodecovGitHub license

keycloak-config-cli is a Keycloak utility to ensure the desired configuration state for a realm based on a JSON/YAML file. The format of the JSON/YAML file based on the export realm format. Store and handle the configuration files inside git just like normal code. A Keycloak restart isn't required to apply the configuration.

The config files are based on the keycloak export files. You can use them to re-import your settings. But keep your files as small as possible. Remove all UUIDs and all stuff which is default set by keycloak.

moped.json is a full working example file you can consider. Other examples are located in the test resources.

keycloak-config-cli supports variable substitution of config files. This could be enabled by import.var-substitution.enabled=true (disabled by default).

Variables exposed by spring boot (through configtree or external configuration) can be accessed by $(property.name).

In additional, the string substitution support multiple prefixes for different approaches

Base64 Decoder:        $(base64Decoder:SGVsbG9Xb3JsZCE=)
Base64 Encoder:        $(base64Encoder:HelloWorld!)
Java Constant:         $(const:java.awt.event.KeyEvent.VK_ESCAPE)
Date:                  $(date:yyyy-MM-dd)
DNS:                   $(dns:address|apache.org)
Environment Variable:  $(env:USERNAME)
File Content:          $(file:UTF-8:src/test/resources/document.properties)
Java:                  $(java:version)
Localhost:             $(localhost:canonical-name)
Properties File:       $(properties:src/test/resources/document.properties::mykey)
Resource Bundle:       $(resourceBundle:org.example.testResourceBundleLookup:mykey)
Script:                $(script:javascript:3 + 4)
System Property:       $(sys:user.dir)
URL Decoder:           $(urlDecoder:Hello%20World%21)
URL Encoder:           $(urlEncoder:Hello World!)
URL Content (HTTP):    $(url:UTF-8:http://www.apache.org)
URL Content (HTTPS):   $(url:UTF-8:https://www.apache.org)
URL Content (File):    $(url:UTF-8:file:///$(sys:user.dir)/src/test/resources/document.properties)
XML XPath:             $(xml:src/test/resources/document.xml:/root/path/to/node)

to replace the values with java system properties or environment variables. Recursive variable replacement like $(file:UTF-8:$(env:KEYCLOAK_PASSWORD_FILE)) is enabled by default if import.var-substitution.enabled is set to true.

The variable substitution is running before the json parser gets executed. This allows json structures or complex values.

See Apache Common StringSubstitutor documentation for more information and advanced usage.

Note: Since variable substitution is a part of the keycloak-config-cli, it's done locally. This means, the environment variables need to be available where keycloak-config-cli is executed.

If import.var-substitution.prefix=${ and import.var-substitution.suffix=} (default in keycloak-config-cli 3.x) is set, then keycloak builtin variables like ${role_uma_authorization} needs to be escaped by $${role_uma_authorization}.

keycloak-config-cli supports logging in JSON format. To enable, set SPRING_PROFILES_ACTIVE=json-log.

CLI OptionENV VariableDescriptionDefault
--logging.level.rootLOGGING_LEVEL_ROOTdefine the root log levelinfo
--logging.level.keycloak-config-cliLOGGING_LEVEL_KEYCLOAKCONFIGCLIlog level of keycloak-config-cli componentsvalue of logging.level.root
--logging.level.httpLOGGING_LEVEL_HTTPlog level http requests between keycloak-config-cli and Keycloakvalue of logging.level.root
--logging.level.realm-configLOGGING_LEVEL_REALMCONFIGif set to trace, the realm config including sensitive information will be loggedvalue of logging.level.root

See: docs/FEATURES.md

Since keycloak-config-cli 4.0 will support the latest 4 releases of keycloak, if possible. There are some exceptions:

  • keycloak-config-cli will try the keep an extended support for RH-SSO
  • keycloak-config-cli will cut the support if keycloak introduces some breaking changes

keycloak-config-cli using maven to build and test keycloak-config-cli. In case maven is not installed on your system, the mvnw command will download maven for you.

Further development requirements

  • Java Development Kit (JDK)
  • Docker Desktop or an alternative replacement (e.g Rancher Desktop)

Before running mvn verify, you have to set the JAVA_HOME environment variable to prevent some test failures.

./mvnw verify

# Windows only
mvnw.cmd verify

If your are working with a Docker Desktop replacement, some of the Integrationtests can fail due to internal DNS Lookups (host.docker.internal is not reachable). In this case the host can be replaced by a property.

mvn verify -DJUNIT_LDAP_HOST=an.alternate.host.or.ip

We are using TestContainers in our integration tests. To run the integration tests a configured docker environment is required.

./mvnw verify

# Windows only
mvnw.cmd verify

Start a local keycloak on port 8080:

docker-compose down --remove-orphans && docker-compose up keycloak

before performing following command:

java -jar ./target/keycloak-config-cli.jar \
    --keycloak.url=http://localhost:8080 \
    --keycloak.ssl-verify=true \
    --keycloak.user=admin \
    --keycloak.password=admin123 \
    --import.files.locations=./contrib/example-config/moped.json

A docker images is available at DockerHub (docker.io/adorsys/keycloak-config-cli) and quay.io (quay.io/adorsys/keycloak-config-cli)

Available docker tags

TagDescription
latestlatest available release of keycloak-config-cli which is built against the latest supported Keycloak release.
latest-x.y.zlatest available release of keycloak-config-cli which is built against the Keycloak version x.y.z.
edgelatest commit on the main branch and which is built against the latest supported Keycloak release.
a.b.ckeycloak-config-cli version a.b.c which is built against the latest supported Keycloak release.
a.b.c-x.y.zkeycloak-config-cli version a.b.c which is built against the Keycloak version x.y.z.
mavenSee below

Additionally, the tag maven contains the source code and compile keycloak-config-cli at runtime. This has the advantage to keycloak-config-cli with Keycloak versions, that not official supported., e.g.:

docker run --rm -ti -v $PWD:/config/ -eKEYCLOAK_VERSION=23.0.1 -eMAVEN_CLI_OPTS="-B -ntp -q" adorsys/keycloak-config-cli:edge-build

For docker -e you have to replace dots with underscores.

docker run \
    -e KEYCLOAK_URL="http://<your keycloak host>:8080/" \
    -e KEYCLOAK_USER="<keycloak admin username>" \
    -e KEYCLOAK_PASSWORD="<keycloak admin password>" \
    -e KEYCLOAK_AVAILABILITYCHECK_ENABLED=true \
    -e KEYCLOAK_AVAILABILITYCHECK_TIMEOUT=120s \
    -e IMPORT_FILES_LOCATIONS='/config/*' \
    -v <your config path>:/config \
    adorsys/keycloak-config-cli:latest

You can build an own docker image by running

docker build -t keycloak-config-cli .

We provide a helm chart here.

Since it makes no sense to deploy keycloak-config-cli as standalone application, you could add it as dependency to your chart deployment.

Checkout helm docs about chart dependencies!

CLI OptionENV VariableDescriptionDefaultDocs
--keycloak.urlKEYCLOAK_URLKeycloak URL including web context. Format: scheme://hostname:port/web-context.-
--keycloak.userKEYCLOAK_USERlogin user nameadmin
--keycloak.passwordKEYCLOAK_PASSWORDlogin user password-
--keycloak.client-idKEYCLOAK_CLIENTIDlogin clientIdadmin-cli
--keycloak.client-secretKEYCLOAK_CLIENTSECRETlogin client secret-
--keycloak.grant-typeKEYCLOAK_GRANTTYPElogin grant_typepassword
--keycloak.login-realmKEYCLOAK_LOGINREALMlogin realmmaster
--keycloak.ssl-verifyKEYCLOAK_SSLVERIFYVerify ssl connection to keycloaktrue
--keycloak.http-proxyKEYCLOAK_HTTPPROXYConnect to Keycloak via HTTP Proxy. Format: scheme://hostname:port-
--keycloak.connect-timeoutKEYCLOAK_CONNECTTIMEOUTConnection timeout10s
--keycloak.read-timeoutKEYCLOAK_READTIMEOUTRead timeout10sconfigured as Java Duration
--keycloak.availability-check.enabledKEYCLOAK_AVAILABILITYCHECK_ENABLEDWait until Keycloak is availablefalseconfigured as Java Duration
--keycloak.availability-check.timeoutKEYCLOAK_AVAILABILITYCHECK_TIMEOUTWait timeout for keycloak availability check120s
CLI OptionENV VariableDescriptionDefaultDocs
--import.validateIMPORT_VALIDATEValidate configuration settingsfalse
--import.parallelIMPORT_PARALLELEnable parallel import of certain resourcesfalse
--import.files.locationsIMPORT_FILES_LOCATIONSLocation of config files (URL, file path, or Ant-style pattern)-IMPORT.md
--import.files.include-hidden-filesIMPORT_FILES_INCLUDE_HIDDEN_FILESIncludes files that marked as hiddenfalse
--import.files.excludesIMPORT_FILES_EXCLUDESExclude files with Ant-style pattern-
--import.cache.enabledIMPORT_CACHE_ENABLEDEnable caching of import file locationstrue
--import.cache.keyIMPORT_CACHE_KEYCache key for importing config.default
--import.remote-state.enabledIMPORT_REMOTESTATE_ENABLEDEnable remote state management. Purge only resources managed by keycloak-config-cli.trueMANAGED.md
--import.remote-state.encryption-keyIMPORT_REMOTESTATE_ENCRYPTIONKEYEnables remote state in encrypted format. If unset, state will be stored in plain-
--import.var-substitution.enabledIMPORT_VARSUBSTITUTION_ENABLEDEnable variable substitution config filesfalse
--import.var-substitution.nestedIMPORT_VARSUBSTITUTION_NESTEDExpand variables in variables.true
--import.var-substitution.undefined-is-errorIMPORT_VARSUBSTITUTION_UNDEFINEDISTERRORRaise exceptions, if variables are not defined.true
--import.var-substitution.prefixIMPORT_VARSUBSTITUTION_PREFIXConfigure the variable prefix, if import.var-substitution.enabled is true.$(
--import.var-substitution.suffixIMPORT_VARSUBSTITUTION_SUFFIXConfigure the variable suffix, if import.var-substitution.enabled is true.)
--import.behaviors.sync-user-federationIMPORT_BEHAVIORS_SYNC_USER_FEDERATIONEnable the synchronization of user federation.false
--import.behaviors.remove-default-role-from-userIMPORT_BEHAVIORS_REMOVEDEFAULTROLEFROMUSERThe default setting of this flag prevents keycloak-config-cli from removing default-roles-$REALM, even if its not defined in the import json. To make keycloak-config-cli able to remove the default-role-$REALM, import.remove-default-role-from-user must be set to true. In conclusion, you have to add the default-role-$REALM to the realm import on certain users, if you want not remove the default-role-$REALM.false
--import.behaviors.skip-attributes-for-federated-userIMPORT_BEHAVIORS_SKIP_ATTRIBUTESFORFEDERATEDUSERSet attributes to null for federated users to avoid read only conflictsfalse
--import.behaviors.checksum-with-cache-keyIMPORT_BEHAVIORS_CHECKSUM_WITH_CACHE_KEYUse cache key to store the checksum, if set to false a checksum for each import file is storedtrue
--import.behaviors.checksum-changedIMPORT_BEHAVIORS_CHECKSUM_CHANGEDDefines the behavior if the checksum of an imported file has changed. Set to fail when import should be aborted, continue reimport and update the checksum.continue
CLI OptionENV VariableDescriptionDefaultDocs
--spring.profiles.activeSPRING_PROFILES_ACTIVEenable spring profiles. comma separated-Set the Active Spring Profiles
--spring.config.importSPRING_CONFIG_IMPORTSee belowinfoConfigure properties values through files
--logging.level.rootLOGGING_LEVEL_ROOTdefine the root log levelinfoLogging
--debugDEBUGenables debug mode of spring bootfalse

See application.properties for all available settings.

For docker -e you have to remove hyphens and replace dots with underscores.

Take a look at spring relax binding or binding from Environment Variables if you need alternative spellings.

By define an environment variable SPRING_CONFIG_IMPORT=configtree:/run/secrets/, the values of properties can be provided via files instead of plain environment variable values.

Example: To configure the property keycloak.password in this case, the file should be in /run/secrets/keycloak.password.

The configuration and secret support in Docker Swarm is a perfect match for this use case.

Checkout the spring docs to get more information about the configuration trees feature in spring boot.

Building releases requires gpg signing.

Example to create and add a key to yout git config on MacOS

brew install gnupg
gpg --version
gpg --full-generate-key
# follow instructions
gpg --list-keys
gpg --list-secret-keys --keyid-format=short
# check the 8 digit code eg "ssb   xxxxxxx/E51442F5 2022-01-01 [X]"
git config --global user.signingkey E51442F5

Finally add the key to your account under Settings -> SSH and GPG keys -> New GPG key

Create release via maven release plugin:

./mvnw -Dresume=false release:prepare release:clean
git push --follow-tags

Checkout https://adorsys.com/en/products/keycloak-config-cli/ for commercial support.

About

Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.

adorsys..io/keycloak-config-cli/

Topics

export json automation oauth2 rest spring-boot keycloak continuous-integration configuration-management import jboss configuration-as-code keycloak-config-cli

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

929 stars

Watchers

15 watching

Forks

161 forks
Report repository

Releases 104

Release v6.4.0 Latest
Feb 21, 2025
+ 103 releases

Contributors 54

  • @jkroepke
  • @dependabot[bot]
  • @st3v0rr
  • @jonasvoelcker
  • @AssahBismarkabah
  • @francis-pouatcha
  • @github-actions[bot]
  • @ma1uta
  • @thomasdarimont
  • @bohmber
  • @Motouom
  • @borisskert
  • @Oh-tech
  • @antikalk
+ 40 contributors

Languages