From 214828ace2fbba4b30e85f7a4b5f8a8359aab0fd Mon Sep 17 00:00:00 2001
From: Vitalii Solodilov
Date: Mon, 16 Jul 2018 23:32:09 +0400
Subject: [PATCH] Keycloak and Docker

* Added Keycloak to the infrastructure yaml which uses a h2 not to complicate the installation.
* Updated the docker-compose docs.
* Move Cloud Flow image to the infrastructure yaml.

Change-Id: I2a69ca91c1638e5fd070c77ca63c8d5586887231
Signed-off-by: Vitalii Solodilov
---
 tools/docker/DOCKER_README.rst | 43 ++++++++++++++++++-
 tools/docker/Dockerfile | 5 ++-
 tools/docker/docker-compose/auth.json | 8 ++++
 .../docker/docker-compose/infrastructure.yaml | 28 +++++++++++-
 .../docker-compose/mistral-multi-node.yaml | 30 +++++--------
 .../docker-compose/mistral-single-node.yaml | 23 ++--------
 tools/docker/docker-compose/mistral.env | 3 +-
 tools/docker/start.sh | 7 ++-
 8 files changed, 101 insertions(+), 46 deletions(-)
 create mode 100644 tools/docker/docker-compose/auth.json

diff --git a/tools/docker/DOCKER_README.rst b/tools/docker/DOCKER_README.rst
index 878217aba..6469e5b3c 100644
--- a/tools/docker/DOCKER_README.rst
+++ b/tools/docker/DOCKER_README.rst
@@ -118,10 +118,49 @@ or PostgreSQL::
 -e RUN_TESTS=true mistral
+Keycloak integration
+--------------------
+
+If you set AUTH_ENABLE to True value in the mistral.env file then Mistral will
+enable Keycloak integration by default. Keycloak will be deployed with
+mistral/mistral credentials. You should uncomment the volume line in the
+`infrastructure.yaml` for the CloudFlow.
+
+Next step you login in the administrative console using the
+http://localhost:8080/auth/admin URL. Create a oauth client, you can
+specify only a name, for example mistral.
+
+Specify valid redirect URL: http://localhost:8000/* and turn on the
+"Implicit Flow Enabled" in the your client page. Save your changes.
+
+Add the following line to your /etc/hosts file::
+
+ 127.0.0.1 keycloak
+
+Export the following environments variable for mistral cli::
+
+ export MISTRAL_AUTH_TYPE=keycloak-oidc
+ export OS_AUTH_URL=http://keycloak:8080/auth
+ export OS_TENANT_NAME=master
+ export OS_USERNAME=mistral
+ export OS_PASSWORD=mistral
+ export OS_MISTRAL_URL=http://localhost:8989/v2
+ export OPENID_CLIENT_ID=mistral
+ export OPENID_CLIENT_SECRET=
+ export MISTRALCLIENT_INSECURE=True
+
+Check your configuration::
+
+ mistral workflow-list
+
+Or open a cloud flow page in a browser::
+
+ http://localhost:8000
+
+
 Using Mistral Client
 --------------------
 The Mistral API will be accessible from the host machine on the default port 8989. Install `python-mistralclient` on the host machine to
-execute mistral commands.
-
+execute mistral commands.
\ No newline at end of file
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 5e73032ee..979341ba3 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -36,7 +36,10 @@ ENV MISTRAL_DIR="/opt/stack/mistral" \
 RUN_TESTS="false" \
 DEBIAN_FRONTEND="noninteractive" \
 MISTRAL_SERVER="all" \
- LOG_DEBUG="false"
+ LOG_DEBUG="false" \
+ AUTH_URL="http://keycloak:8080/auth" \
+ AUTH_ENABLE="false" \
+ AUTH_TYPE="keycloak-oidc"
 # We install dependencies separatly for a caching purpose
 COPY requirements.txt "${MISTRAL_DIR}/"
diff --git a/tools/docker/docker-compose/auth.json b/tools/docker/docker-compose/auth.json
new file mode 100644
index 000000000..918ffac3e
--- /dev/null
+++ b/tools/docker/docker-compose/auth.json
@@ -0,0 +1,8 @@
+{
+ "_type": "openid-connect",
+ "issuer": "http://keycloak:8080/auth/realms/master",
+ "loginUrl": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/auth",
+ "logoutUrl": "http://keycloak:8080/auth/realms/master/protocol/openid-connect/logout",
+ "requireHttps": false,
+ "clientId": "mistral"
+}
\ No newline at end of file
diff --git a/tools/docker/docker-compose/infrastructure.yaml b/tools/docker/docker-compose/infrastructure.yaml
index 31fb8f280..1e478dde8 100644
--- a/tools/docker/docker-compose/infrastructure.yaml
+++ b/tools/docker/docker-compose/infrastructure.yaml
@@ -43,6 +43,30 @@ services:
 - MYSQL_USER=mistral
 - MYSQL_PASSWORD=mistral
+ keycloak:
+ image: jboss/keycloak:4.1.0.Final
+ ports:
+ - "8080:8080"
+ networks:
+ - identity-provider
+ environment:
+ DB_VENDOR: h2
+ KEYCLOAK_USER: mistral
+ KEYCLOAK_PASSWORD: mistral
+
+ cloud-flow:
+ image: mcdoker18/cloud-flow:0.5.0
+ restart: always
+ networks:
+ - cloud-flow
+ ports:
+ - "8000:8000"
+ # TODO: make a Keycloak environment variables for CloudFlow
+ # volumes:
+ # - "./auth.json:/opt/CloudFlow/dist/assets/auth.json"
+ environment:
+ - CF_MISTRAL_URL=http://mistral:8989
+
 volumes:
 postgresql:
 rabbitmq:
@@ -50,4 +74,6 @@ volumes:
 networks:
 database:
- message-broker:
\ No newline at end of file
+ message-broker:
+ identity-provider:
+ cloud-flow:
\ No newline at end of file
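Review bot: The new `keycloak` service runs on `DB_VENDOR: h2` with no volume, while the `postgresql` and `rabbitmq` services in this same file do get named volumes under the top-level `volumes:` block; the client the README asks the user to create in the admin console therefore lives only inside the container and disappears whenever the container is recreated. If that is intended for a throw-away dev stack, say so next to the service, e.g. `# h2 is kept in-container only: realm/client settings made in the admin console are lost on recreate`; otherwise give the Keycloak data directory a named volume like the other services. The admin login `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` is a fixed `mistral`/`mistral` pair exposed on host port 8080, matching the `MYSQL_USER`/`MYSQL_PASSWORD` context lines above it, so the same dev-only comment applies to it.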
diff --git a/tools/docker/docker-compose/mistral-multi-node.yaml b/tools/docker/docker-compose/mistral-multi-node.yaml
index 788c1dedd..55bd74fe7 100644
--- a/tools/docker/docker-compose/mistral-multi-node.yaml
+++ b/tools/docker/docker-compose/mistral-multi-node.yaml
@@ -10,9 +10,12 @@ services:
 ports:
 - "8989:8989"
 networks:
- - database
- - message-broker
- - mistral
+ database:
+ message-broker:
+ identity-provider:
+ cloud-flow:
+ aliases:
+ - mistral
 env_file:
 - mistral.env
 # volumes:
@@ -30,6 +33,7 @@ services:
 restart: always
 networks:
 - database
+ - identity-provider
 - message-broker
 env_file:
 - mistral.env
@@ -47,6 +51,7 @@ services:
 restart: always
 networks:
 - message-broker
+ - identity-provider
 env_file:
 - mistral.env
 # volumes:
@@ -64,6 +69,7 @@ services:
 networks:
 - database
 - message-broker
+ - identity-provider
 env_file:
 - mistral.env
 # volumes:
@@ -81,26 +87,10 @@ services:
 networks:
 - database
 - message-broker
+ - identity-provider
 env_file:
 - mistral.env
 # volumes:
 # - "/path/to/mistral.conf:/etc/mistral/mistral.conf"
 environment:
 - MISTRAL_SERVER=notifier
-
- cloud-flow:
- image: mcdoker18/cloud-flow:0.5.0
- restart: always
- networks:
- - mistral
- ports:
- - "8000:8000"
- networks:
- - mistral
- environment:
- - CF_MISTRAL_URL=http://mistral-api:8989
-
-networks:
- database:
- message-broker:
- mistral:
\ No newline at end of file
diff --git a/tools/docker/docker-compose/mistral-single-node.yaml b/tools/docker/docker-compose/mistral-single-node.yaml
index 7a6bcdb42..1e6a8ef9c 100644
--- a/tools/docker/docker-compose/mistral-single-node.yaml
+++ b/tools/docker/docker-compose/mistral-single-node.yaml
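Review bot: Every backend service in this file now joins `identity-provider` (the `- identity-provider` line in this hunk and the identical addition in the next three hunks for the executor, event-engine and notifier), but as far as this patch shows only the API terminates authentication: start.sh writes `pecan auth_enable` and `keycloak_oidc auth_url`, and the first hunk of this file already gives the API service `identity-provider` together with its `cloud-flow` alias. Unless the engine, executor, event-engine and notifier containers call Keycloak themselves, which I cannot tell from here, the smaller attack surface is to keep them on `database`/`message-broker` only and grant `identity-provider` to the API alone. If they do need it, a one-line comment at the first of these additions, `# needed because this service also validates Keycloak tokens`, would save the next reader the same question.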
@@ -12,28 +12,11 @@ services:
 networks:
 - database
 - message-broker
- - mistral
+ - identity-provider
+ - cloud-flow
 env_file:
 - mistral.env
 # volumes:
 # - "/path/to/mistral.conf:/etc/mistral/mistral.conf"
 environment:
- - UPGRADE_DB=true
-
- cloud-flow:
- image: mcdoker18/cloud-flow:0.5.0
- restart: always
- networks:
- - mistral
- ports:
- - "8000:8000"
- networks:
- - mistral
- environment:
- - CF_MISTRAL_URL=http://mistral:8989
-
-
-networks:
- database:
- message-broker:
- mistral:
+ - UPGRADE_DB=true
\ No newline at end of file
diff --git a/tools/docker/docker-compose/mistral.env b/tools/docker/docker-compose/mistral.env
index 0629edd7f..e82aa732f 100644
--- a/tools/docker/docker-compose/mistral.env
+++ b/tools/docker/docker-compose/mistral.env
@@ -1,3 +1,4 @@
 MESSAGE_BROKER_URL=rabbit://mistral:mistral@rabbitmq:5672/mistral
 #DATABASE_URL=postgresql+psycopg2://mistral:mistral@postgresql:5432/mistral
-DATABASE_URL=mysql+pymysql://mistral:mistral@mysql:3306/mistral
\ No newline at end of file
+DATABASE_URL=mysql+pymysql://mistral:mistral@mysql:3306/mistral
+AUTH_ENABLE=false
\ No newline at end of file
diff --git a/tools/docker/start.sh b/tools/docker/start.sh
index d0b7652af..306e5ccdd 100755
--- a/tools/docker/start.sh
+++ b/tools/docker/start.sh
@@ -10,7 +10,12 @@ if [ ! -f ${CONFIG_FILE} ]; then
 ${INI_SET} DEFAULT js_implementation py_mini_racer
 ${INI_SET} oslo_policy policy_file "${MISTRAL_DIR}/etc/policy.json"
- ${INI_SET} pecan auth_enable false
+
+ ${INI_SET} DEFAULT auth_type ${AUTH_TYPE}
+ ${INI_SET} pecan auth_enable ${AUTH_ENABLE}
+ ${INI_SET} keycloak_oidc auth_url ${AUTH_URL}
+ ${INI_SET} keycloak_oidc insecure true
+
 ${INI_SET} DEFAULT transport_url "${MESSAGE_BROKER_URL}"
 ${INI_SET} database connection "${DATABASE_URL}"
 ${INI_SET} DEFAULT debug "${LOG_DEBUG}"
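Review bot: The new `${INI_SET}` lines pass `${AUTH_TYPE}`, `${AUTH_ENABLE}` and `${AUTH_URL}` unquoted while the surrounding context lines quote `"${MESSAGE_BROKER_URL}"`, `"${DATABASE_URL}"` and `"${LOG_DEBUG}"`; an empty or space-containing value would shift the positional arguments, so keep the file's convention: `${INI_SET} DEFAULT auth_type "${AUTH_TYPE}"`, `${INI_SET} pecan auth_enable "${AUTH_ENABLE}"`, `${INI_SET} keycloak_oidc auth_url "${AUTH_URL}"`. `${INI_SET} keycloak_oidc insecure true` is the one value here that is hardcoded rather than taken from the image environment, and going by the option name it turns off TLS certificate verification for Mistral's calls to Keycloak. That is moot for the default `http://keycloak:8080/auth` but becomes the silent default the moment someone points `AUTH_URL` at an https endpoint, so consider driving it from a Dockerfile-defaulted variable (e.g. a constructed `AUTH_INSECURE` defaulting to `false`) and noting in the README that it and `requireHttps: false` in auth.json are the dev-only relaxations. The enclosing `if [ ! -f ${CONFIG_FILE} ]` block starts before this hunk and continues after it.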