[keycloak-user] out of box experiences and automation

Stian Thorgersen sthorger at redhat.com
Fri Dec 18 03:32:22 EST 2015


On 18 December 2015 at 09:20, Hristo Stoyanov <hr.stoyanov at peruncs.com>
wrote:

> Stian,
> I have no affiliation with Ansible, but you do ... since recently :-)
>
That's true - I forgot about that

> What I do is:
> 1. I configured KC with passwords, URLs for the apps, certificates,
> Facebook tokens, etc.
> 2. I exported it into json dump files.
> 3. I repeated 1-2 until I had enough data for DEV, QA and PROD - all
> different environments. Note that some parts of the exports remain the
> same - roles, groups.
> 4. I templatized the exported json files so that Ansible can substitute
> the environment-sensitive bits and deploy to DEV, QA and PROD.
>
> Same applies to WildFly's standalone.xml - parametrize different
> versions for DEV, QA, PROD.
>
> It is a royal pain to create the J2 templates, initially, but not as much as
> trying to do it with jboss-cli (which I tried too, the Infinispan KC jboss
> cli script killed me!).
>
> None of this is ideal, but expecting devops to click around HTML UIs or
> manually hack xml/json these days is not OK.
>
The plan in the long run is to move everything in keycloak-server.json to
standalone.xml so all server config can be done in one place. Doesn't
sound like you're a big fan of JBoss CLI though. With JBoss CLI offline
mode I would think it's still a better way to modify standalone.xml than
templating. I fully appreciate that it's not the easiest tool to master
(I've never been able to achieve anything with it without Googling for a
recipe first).

WDYM about Infinispan KC jboss cli script? Are you installing KC into an
existing WF with the overlay?

For realm config, clients, etc. we are also planning on adding an Admin
CLI that lets you create those from the CLI without touching the HTML UI.
It would require a running server though as it would be calling admin REST
endpoints rather than DB directly.

> Docker by itself is too weak for this sort of deep configuration. 1.9
> adds parameters, one can use env variables, but otherwise you are left with
> shell scripting/perl, regex in your Dockerfile ...
>
> This still might sound like overkill, but when you add jgroups,
> cluster, network interfaces, databases, firewall... You start to realize
> why Red Hat acquired Ansible :-)
>
Yup, I think it's easy for us developers to forget how difficult it can be
to configure and install to a real environment.

Any suggestions on improvements we can make are more than welcome :)


>
>
> /Hristo Stoyanov
> On Dec 17, 2015 11:32 PM, "Stian Thorgersen" <sthorger at redhat.com> wrote:
>
>>
>>
>> On 17 December 2015 at 20:42, Hristo Stoyanov <hr.stoyanov at peruncs.com>
>> wrote:
>>
>>> Dong,
>>> I struggled with the same issues... The only way to crush the complexity
>>> of WildFly and Keycloak is Ansible. I use Ansible templates and Keycloak
>>> imports to consistently rebuild my setup. Works with Docker pretty darn
>>> well too. But the key is Ansible.
>>>
>> Only way? Sounds like you work for Ansible ;)
>>
>> What exact things were you struggling with? We really do want to give
>> users a good experience with Keycloak and would like to make it easier to
>> install and configure if we can.
>>
>>
>>> /Hristo Stoyanov
>>> On Dec 17, 2015 11:26 AM, "Dong Xie" <xied75 at gmail.com> wrote:
>>>
>>>> Dear all,
>>>>
>>>>
>>>>
>>>> I wonder how do I work around needing to browse the web page and login
>>>> with admin + admin to change the password? We are deploying keycloak in an
>>>> automated flow thus no human interaction is expected.
>>>>
>>>>
>>>>
>>>> Thanks very much for your help!
>>>>
>>>>
>>>>
>>>> Best,
>>>>
>>>>
>>>>
>>>> Dong
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>>
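
The export, templatize and substitute workflow described in the quoted steps above, as an added example that is not part of the thread and is not Keycloak or Ansible code. It uses a minimal `{{ name }}` substitution as a stand-in for Ansible's Jinja2 templates; the realm fragment, variable names and the `SECRET_KEYS` list are constructed for illustration. It also checks that no secret is left as a literal in the template before it is committed.

```python
import json
import re

# Constructed sample: a templated fragment shaped like a Keycloak realm export.
# All values and variable names are made up for this example.
REALM_TEMPLATE = """
{
  "realm": "demo",
  "roles": {"realm": [{"name": "user"}, {"name": "admin"}]},
  "clients": [
    {"clientId": "shop", "secret": "{{ shop_client_secret }}",
     "redirectUris": ["{{ shop_base_url }}/*"]}
  ],
  "identityProviders": [
    {"alias": "facebook", "providerId": "facebook",
     "config": {"clientId": "{{ fb_app_id }}",
                "clientSecret": "{{ fb_app_secret }}"}}
  ]
}
"""

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
SECRET_KEYS = {"secret", "clientSecret", "password"}  # assumed list, extend as needed

def hardcoded_secrets(template_text):
    """Return paths of secret-bearing keys that hold a literal, not a placeholder."""
    found = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if (key in SECRET_KEYS and isinstance(value, str)
                        and not PLACEHOLDER.fullmatch(value)):
                    found.append(f"{path}.{key}")
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
    walk(json.loads(template_text), "$")
    return found

def render(template_text, env_vars):
    """Fill {{ name }} placeholders for one environment; fail on undefined names."""
    missing = sorted(set(PLACEHOLDER.findall(template_text)) - set(env_vars))
    if missing:
        raise KeyError(f"undefined variables: {missing}")
    # JSON-escape each value so a quote or backslash cannot break the document.
    fill = lambda m: json.dumps(str(env_vars[m.group(1)]))[1:-1]
    return json.loads(PLACEHOLDER.sub(fill, template_text))
```

Running `hardcoded_secrets` on each template in CI keeps real client secrets and provider tokens out of version control, with the per-environment values supplied at deploy time from a secrets store.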