fix: update Keycloak configuration and Docker healthcheck improvements
Build and Publish Docker Images / build-and-push (., backend/infrastructure/gateway/Dockerfile, api-gateway, api-gateway) (push) Successful in 6m48s
Build and Publish Docker Images / build-and-push (., backend/services/ping/Dockerfile, ping-service, ping-service) (push) Successful in 6m40s
Build and Publish Docker Images / build-and-push (., config/docker/caddy/web-app/Dockerfile, web-app, web-app) (push) Successful in 1m44s
Build and Publish Docker Images / build-and-push (., config/docker/keycloak/Dockerfile, keycloak, keycloak) (push) Successful in 1m31s

- Enabled `directAccessGrants` for `frontend-client` in `meldestelle-realm.json` to support ROPC login flow.
- Strengthened admin credentials in realm configuration to meet password policy requirements.
- Upgraded Keycloak to `26.5.5` with updated Docker healthcheck logic:
  - Replaced `curl` with bash `/dev/tcp` for compatibility with `ubi9-micro` image.
  - Switched health endpoint from `/ready` to `/live` for single-node use.
  - Adjusted healthcheck timings (`start_period`, `timeout`, `interval`) for smoother startup.
- Removed deprecated v1 hostname parameter `KC_HOSTNAME_STRICT_HTTPS`.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
2026-03-09 15:49:58 +01:00
parent 4ae11e6668
commit d6a484c347
8 changed files with 289 additions and 18 deletions
+12 -8
@@ -76,8 +76,8 @@ services:
context: .
dockerfile: config/docker/keycloak/Dockerfile
args:
KEYCLOAK_IMAGE_TAG: "${KEYCLOAK_IMAGE_TAG:-26.4}"
image: "${DOCKER_REGISTRY:-git.mo-code.at/mocode-software}/keycloak:${KEYCLOAK_IMAGE_TAG:-26.4}"
KEYCLOAK_IMAGE_TAG: "${KEYCLOAK_IMAGE_TAG:-26.5.5}"
image: "${DOCKER_REGISTRY:-git.mo-code.at/mocode-software}/keycloak:${KEYCLOAK_IMAGE_TAG:-26.5.5}"
container_name: "${PROJECT_NAME:-meldestelle}-keycloak"
restart: unless-stopped
profiles: [ "infra", "all" ]
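Review bot: the default tag `26.5.5` is now duplicated in `args.KEYCLOAK_IMAGE_TAG` and in the `image:` tag, so a later bump that touches only one of them leaves the Dockerfile's base image and the published tag out of step. Consider setting the default once (for example `KEYCLOAK_IMAGE_TAG=26.5.5` in `.env`) and referencing `${KEYCLOAK_IMAGE_TAG}` in both places without an inline fallback. Note also that the old fallback `26.4` was a floating minor tag while `26.5.5` is a patch pin, which changes how future image updates are picked up; that is a reasonable choice for reproducibility but worth a line in the commit message.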
@@ -93,8 +93,8 @@ services:
KC_HOSTNAME: "${KC_HOSTNAME:-localhost}"
# WICHTIG: false erlaubt Zugriff über beliebige Hostnamen (nötig für Server-Betrieb ohne TLS)
KC_HOSTNAME_STRICT: "${KC_HOSTNAME_STRICT:-false}"
# WICHTIG: false erlaubt HTTP (kein HTTPS-Zwang) für Entwicklung und HTTP-only Server
KC_HOSTNAME_STRICT_HTTPS: "${KC_HOSTNAME_STRICT_HTTPS:-false}"
# KC_HOSTNAME_STRICT_HTTPS wurde entfernt — deprecated v1-Option in Keycloak 26.x (hostname v2).
# HTTP-Zugriff wird ausschließlich über KC_HTTP_ENABLED gesteuert.
KC_HTTP_ENABLED: "true"
# Admin-Interface explizit auf allen Interfaces binden (0.0.0.0)
KC_HTTP_MANAGEMENT_PORT: "9000"
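Review bot: with `KC_HOSTNAME_STRICT_HTTPS` removed, plain-HTTP access is governed only by `KC_HTTP_ENABLED: "true"`, which is a hard-coded literal while the neighbouring `KC_HOSTNAME` and `KC_HOSTNAME_STRICT` are parameterised; consider `"${KC_HTTP_ENABLED:-true}"` so a deployment that terminates TLS at Keycloak itself can switch HTTP off without editing the compose file. Since `KC_HOSTNAME_STRICT` also defaults to `false`, the new comment should state explicitly that this setup assumes a TLS-terminating reverse proxy in front of Keycloak's HTTP listener rather than direct exposure. Also check that no `.env` template or documentation still sets the removed variable.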
@@ -109,11 +109,15 @@ services:
postgres:
condition: "service_healthy"
healthcheck:
test: [ "CMD-SHELL", "curl -sf http://localhost:9000/health/ready || exit 1" ]
# Keycloak basiert auf ubi9-micro — curl/wget sind NICHT im Image enthalten!
# Lösung: Bash /dev/tcp — kein externes Tool nötig, funktioniert auf jedem bash-Image.
# Management-Port 9000: Health-Endpoints (/health/live, /health/ready) laufen hier.
# /health/live: prüft nur Prozess-Liveness — kein Warten auf JGroups-Cluster-Formation.
test: [ "CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000 && printf 'GET /health/live HTTP/1.0\\r\\nHost: localhost\\r\\n\\r\\n' >&3 && cat <&3 | grep -q '\"UP\"'" ]
interval: "15s"
timeout: "5s"
retries: "10"
start_period: "60s"
timeout: "10s"
retries: 5
start_period: "90s"
volumes:
- "./config/docker/keycloak:/opt/keycloak/data/import:Z"
# start --optimized nutzt das pre-built Image (kc.sh build im Dockerfile)
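Review bot: switching the probe from `/health/ready` to `/health/live` changes what `condition: service_healthy` means for services that depend on Keycloak: `/health/live` only reports that the process is up and does not cover the database connection, so a dependant can now start before Keycloak is able to issue tokens. If the JGroups cluster-formation wait was the real startup problem, consider keeping `/health/ready` and raising `start_period` instead, or document the trade-off in the comment. Two smaller points: the `/dev/tcp` redirection is a bash feature and `CMD-SHELL` runs `/bin/sh -c`, so the check only works because `/bin/sh` in the image is bash; `[ "CMD", "bash", "-c", "..." ]` makes that dependency explicit and fails loudly if the base image changes. And `retries: 5` dropped the quotes that `interval`, `timeout` and `start_period` still use; keep one style.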