NikiforovAll/keycloak-authorization-services-dotnet

Pass JSON file to Aspire keycloak container and have it initialise with realm/config on first run

hades200082 opened this issue · 8 comments

I'm looking to use Keycloak primarily for local development in a team.

I'd like to be able to configure an Aspire project such that when a new developer launches it, not only do they get a keycloak container, but that instance of keycloak is pre-configured to the requirements of the project.

This would include:

  • Realm (which the Aspire AddRealm() currently doesn't create)
  • Clients & Client Scopes
  • Realm roles
  • Realm settings
  • Authentication settings
  • Email config (we always use localhost with Papercut locally)

As a bonus, it should seed some test users so we all get the same users to test with initially.

I'd see this being something like:

var keycloak = builder.AddKeycloakContainer("keycloak")
    .AddRealm("MyRealm")
    .WithImportedConfig("./.keycloak/"); // Path to a folder containing JSON files for keycloak to import

An alternative would be to allow a bind-mount to be created so that Keycloak's database could be stored within the project and checked into git - though this is less optimal.

Something like this is already supported, please see the example: https://github.com/NikiforovAll/keycloak-authorization-services-dotnet/blob/main/samples/GettingStartedAndAspire/AppHost/Program.cs#L6-L7

Although, I'm not sure if it covers all your needs.

Thanks @NikiforovAll, that helps some.

I can't find where to export users - is there a way of doing this in the admin UI?

Also, the realm export seems to mask the client secrets for clients which means they can't be imported to set up identical again. Is there a way to do a full export of a realm in a way that can be restored?
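One way to check an export file before sharing it with the team, as an added example rather than code from this thread or the project: it parses a constructed realm export and reports which confidential clients have their secret masked (the admin console's partial export is assumed here to write the literal "**********"), so an import could not recreate them identically, and how many users the file carries.

```python
import json

# Placeholder Keycloak's admin-console partial export writes in place of a client secret (assumed)
MASKED = "**********"

# Constructed sample in the shape of a Keycloak realm export; not a real export
SAMPLE_EXPORT = json.dumps({
    "realm": "MyRealm",
    "clients": [
        {"clientId": "web-app", "publicClient": False, "secret": "**********"},
        {"clientId": "api", "publicClient": False, "secret": "dev-only-secret"},
        {"clientId": "spa", "publicClient": True},
    ],
    "users": [
        {"username": "alice", "credentials": [{"type": "password", "secretData": "{}"}]},
    ],
})


def audit_realm_export(text: str) -> dict:
    """Report what a realm export will and will not reproduce on import."""
    realm = json.loads(text)
    masked, plain = [], []
    for client in realm.get("clients", []):
        if client.get("publicClient"):
            continue  # public clients carry no secret, nothing to reproduce
        secret = client.get("secret")
        if secret is None or secret == MASKED:
            masked.append(client["clientId"])  # import will generate a fresh secret
        else:
            plain.append(client["clientId"])   # file contains a usable credential
    return {
        "realm": realm.get("realm"),
        "clients_with_masked_secret": masked,
        "clients_with_plain_secret": plain,
        "user_count": len(realm.get("users", [])),
        "restorable_identically": not masked,
    }


if __name__ == "__main__":
    print(json.dumps(audit_realm_export(SAMPLE_EXPORT), indent=2))
```

A file with unmasked secrets and user credentials is itself a credential store, so keep it to local-development realms and throwaway test users.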

Again, thanks @NikiforovAll. I note that the instructions state "Your Keycloak server instance must not be started when invoking this command". How do you achieve this when running in Aspire/Docker?

@NikiforovAll My use case is that I have a team of developers and I want to be able to have those developers check out the project, run the AppHost and be able to start working on the application without needing to spend time either learning Keycloak's intricacies or requiring every new developer to the team to set it up themselves.

This is super important for the team's ability to work independently (and even offline) in an efficient and productive way.

If I'm not able to export the config from the Docker instance that Aspire spins up, it's pointless for the Aspire package to have an import option, and the whole thing becomes useless to me.

Please see: https://nikiforovall.github.io/keycloak-authorization-services-dotnet/devex/aspire.html#import-configuration-files

It contains the instruction I use to import users from a Keycloak instance started in dev mode.

/opt/keycloak/bin/kc.sh export --dir /opt/keycloak/data/import --realm Test

@NikiforovAll The import isn't the problem.

I've switched over to the official Aspire-provided Aspire.Hosting.Keycloak package now which also has the option to import.

The issue is that you can't export from the containerised instance of Keycloak... so I spend my time building my app with Aspire, making changes to my Keycloak realms, adding test users, etc. only to find that other developers on my team don't get the changes.

I've managed to partially solve this by having Keycloak available to run on my local machine and symlinking the database directory with the bind-mount for the containerised version so I can now do the exports using the local version... however I have a suggestion.

My suggestion: When Keycloak is running in dev mode AND an import directory is provided, have a UI option to do full realm and user exports that will write to that import directory.

This would make it much easier to work with in Aspire (or any containerised setup for development) and would allow us to keep our keycloak changes in sync via git within the dev team.