chore: add TLS configs for keycloak

docs/DEVELOPING.md

@@ -34,7 +34,7 @@ pre-commit install
 LittleHorse depends upon Kafka as its backing data store. You can set up Kafka via:
 
 ```
-./local-dev/setup.sh
+./local-dev/setup.sh --kafka
 ```
 
 Note that this will also set up a Keycloak container in case you want to test LittleHorse's OAuth capabilities.

local-dev/README.md

@@ -7,7 +7,7 @@ This tools are intended to be use for development purposes.
 The LH Server depends on Kafka as a backend database. To start Kafka using docker compose, you can run:
 
 ```
-./local-dev/setup.sh
+./local-dev/setup.sh --kafka
 ```
 
 Next, you can start the LH server itself. The server can be started in a single command:
@@ -30,18 +30,12 @@ Result:
 }
 ```
 
-## Setup and Cleanup Kafka
-
-Run:
-
-```
-./local-dev/setup.sh
-```
+## Hard Cleanup
 
 You can clean up (i.e. stop Kafka and delete the data from the state directory) as follows:
 
 ```
-./local-dev/setup.sh clean
+./local-dev/setup.sh --clean
 ```
 
 ## Cleanup Data
@@ -119,7 +113,7 @@ Run server with docker and specific config:
 Run keycloak and creates clients:
 
 ```
-./local-dev/setup.sh keycloak
+./local-dev/setup.sh --keycloak --kafka
 ```
 
 Clients:
@@ -130,30 +124,6 @@ Clients:
 | worker    | 40317ab43bd34a9e93499c7ea03ad398 | For Workers to issue access tokens (Client Credentials FLow)   |
 | lhctl     | N/A                              | For lhctl cli to issue access tokens (Authorization Code Flow) |
 
-Creates certificates:
-
-```
-./local-dev/issue-certificates.sh
-```
-
-Update config:
-
-```
-LHS_LISTENERS=OAUTH:2023
-LHS_LISTENERS_PROTOCOL_MAP=OAUTH:TLS
-LHS_LISTENERS_AUTHENTICATION_MAP=OAUTH:OAUTH
-
-LHS_LISTENER_OAUTH_CERT=local-dev/certs/server/server.crt
-LHS_LISTENER_OAUTH_KEY=local-dev/certs/server/server.key
-
-LHS_OAUTH_CLIENT_ID=server
-LHS_OAUTH_CLIENT_SECRET=3bdca420cf6c48e2aa4f56d46d6327e0
-LHS_OAUTH_INTROSPECT_URL=http://localhost:8888/realms/lh/protocol/openid-connect/token/introspect
-```
-
-> Check file [oauth.config](configs/oauth.config)
-
-
 Run the server:
 
 ```
@@ -162,7 +132,7 @@ Run the server:
 
 Open Keycloak:
 
-http://localhost:8888
+http://localhost:8443
 
 - User: `admin`
 - Password: `admin`

local-dev/issue-certificates.sh

@@ -2,88 +2,82 @@
 
 set -e
 
+if ! command -v openssl &> /dev/null; then
+    echo "openssl command could not be found, install https://www.openssl.org/"
+    exit 1
+fi
+
 SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
 cd "$SCRIPT_DIR"
 
-echo "Cleaning old certs"
-echo
-
 CA_PATH=certs/ca
 CLIENT_PATH=certs/client
 SERVER_PATH=certs/server
+KEYCLOAK_PATH=certs/keycloak
 
 rm -rf certs
 mkdir -p "$CA_PATH"
 mkdir "$CLIENT_PATH"
 mkdir "$SERVER_PATH"
+mkdir "$KEYCLOAK_PATH"
 
 ########################################################
 # CA Cert
 ########################################################
 echo "Creating Root CA"
-
 openssl req -x509 -sha256 -nodes \
     -days 3650 -newkey rsa:2048 \
     -subj '/O=lh server/CN=localhost' \
     -keyout "$CA_PATH/ca.key" \
     -out "$CA_PATH/ca.crt" \
-    -addext "subjectAltName = DNS:localhost"
-
-echo
-
+    -addext "subjectAltName = DNS:localhost" > /dev/null 2>&1
 ########################################################
 # Server Certs
 ########################################################
-echo "Creating Server Private Key"
-
-# Create the Server Private Key and the Certificate Signing Request
+echo "Creating Server Certificates"
 openssl req -out "$SERVER_PATH/server.csr" -newkey rsa:2048 -nodes \
     -keyout "$SERVER_PATH/server.key" \
     -subj "/CN=localhost/O=example server" \
-    -addext "subjectAltName = DNS:localhost"
-
-echo
-echo "Signing Server Certificate"
-echo
-# Create the Certificate (needs acccess to CA Secret + Cert)
+    -addext "subjectAltName = DNS:localhost" > /dev/null 2>&1
 openssl x509 -req -sha256 -days 3650 \
     -CA "$CA_PATH/ca.crt" \
     -CAkey "$CA_PATH/ca.key" \
     -in "$SERVER_PATH/server.csr" \
     -out "$SERVER_PATH/server.crt" \
     -set_serial 0 \
-    -extfile <(printf "subjectAltName=DNS:localhost")
-
-echo
-echo
-
+    -extfile <(printf "subjectAltName=DNS:localhost") > /dev/null 2>&1
 ########################################################
 # Client Certs
 ########################################################
-
-echo "Creating client private key"
-
+echo "Creating Client Certificates"
 openssl req -newkey rsa:2048 -nodes \
     -out "$CLIENT_PATH/client.csr" \
     -keyout "$CLIENT_PATH/client.key" \
     -subj "/CN=localhost/O=client organization" \
-    -addext "subjectAltName = DNS:localhost"
-echo
-
-echo "Signing Client Certificate"
+    -addext "subjectAltName = DNS:localhost" > /dev/null 2>&1
 openssl x509 -req -sha256 -days 3650 \
     -CA "$CA_PATH/ca.crt" \
     -CAkey "$CA_PATH/ca.key" \
     -in "$CLIENT_PATH/client.csr" \
     -out "$CLIENT_PATH/client.crt" \
-    -set_serial 1
-echo
-
-MESSAGE="
-Add this to your ~/.config/littlehorse.config file
-LHC_CLIENT_CERT=$(pwd)/$CLIENT_PATH/client.crt
-LHC_CLIENT_KEY=$(pwd)/$CLIENT_PATH/client.key
-LHC_CA_CERT=$(pwd)/$CA_PATH/ca.crt
-"
-
-echo "$MESSAGE"
+    -set_serial 1 > /dev/null 2>&1
+########################################################
+# Keycloak Certs
+########################################################
+echo "Creating Keycloak Certificates"
+openssl req -out "$KEYCLOAK_PATH/keycloak.csr" -newkey rsa:2048 -nodes \
+    -keyout "$KEYCLOAK_PATH/keycloak.key" \
+    -subj "/CN=localhost/O=keycloak" \
+    -addext "subjectAltName = DNS:localhost" > /dev/null 2>&1
+openssl x509 -req -sha256 -days 3650 \
+    -CA "$CA_PATH/ca.crt" \
+    -CAkey "$CA_PATH/ca.key" \
+    -in "$KEYCLOAK_PATH/keycloak.csr" \
+    -out "$KEYCLOAK_PATH/keycloak.crt" \
+    -set_serial 2 \
+    -extfile <(printf "subjectAltName=DNS:localhost") > /dev/null 2>&1
+
+# Add this to your ~/.config/littlehorse.config file
+# LHC_CLIENT_CERT=$(pwd)/$CLIENT_PATH/client.crt
+# LHC_CLIENT_KEY=$(pwd)/$CLIENT_PATH/client.key
+# LHC_CA_CERT=$(pwd)/$CA_PATH/ca.crt"

local-dev/setup.sh

@@ -38,12 +38,20 @@ services:
   keycloak:
     ports:
       - "8888:8888"
+      - "8443:8443"
     container_name: lh-server-auth
-    image: quay.io/keycloak/keycloak:21.1.1
-    command: ["start-dev", "--http-port=8888"]
+    image: quay.io/keycloak/keycloak:23.0
+    command:
+      - start-dev
+      - --http-port=8888
+      - --https-port=8443
+      - --https-certificate-file=/certs/keycloak/keycloak.crt
+      - --https-certificate-key-file=/certs/keycloak/keycloak.key
     environment:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: admin
+    volumes:
+      - $WORK_DIR/certs/keycloak:/certs/keycloak
 EOF
 )
 
@@ -54,6 +62,12 @@ else
 fi
 
 setup_keycloak() {
+    if ! command -v http &> /dev/null; then
+        echo "http command could not be found, install https://httpie.io/"
+        exit 1
+    fi
+
+    echo "Setting Up Keycloak"
     docker compose --file /dev/stdin \
         --project-directory "$WORK_DIR" \
         --project-name lh-server-auth-local-dev \
@@ -139,10 +153,12 @@ EOF
 
     echo "Client '${CLI_CLIENT_ID}' created"
 
-    echo "Keycloak url: http://localhost:${KEYCLOAK_PORT}"
+    echo "Keycloak: http://localhost:${KEYCLOAK_PORT}"
+    echo "Keycloak TLS: https://localhost:8443"
 }
 
 setup_kafka() {
+    echo "Setting Up Kafka"
     docker compose --file /dev/stdin \
         --project-directory "$WORK_DIR" \
         --project-name lh-server-kafka-local-dev \
@@ -171,14 +187,42 @@ EOF
     ./gradlew -q clean
 }
 
-case $command in
---clean)
+kafka=false
+keycloak=false
+clean=false
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --clean)
+      clean=true
+      shift
+      ;;
+    --kafka)
+      kafka=true
+      shift
+      ;;
+    --keycloak)
+      keycloak=true
+      shift
+      ;;
+    *)
+      echo "Unknown argument: $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [ ${clean} = true ]; then
     clean
-    ;;
-keycloak)
+    exit 0
+fi
+
+"$WORK_DIR/issue-certificates.sh"
+
+if [ ${keycloak} = true ]; then
     setup_keycloak
-    ;;
-*)
+fi
+
+if [ ${kafka} = true ]; then
     setup_kafka
-    ;;
-esac
+fi

server/README.md

@@ -24,7 +24,7 @@ Then:
 Start a local kafka cluster:
 
 ```
-../local-dev/setup.sh
+../local-dev/setup.sh --kafka
 ```
 
 Next, you can start the LH server itself. The server can be started in a single command: