Sprint on profiles and add Keycloak

README.md

@@ -95,15 +95,16 @@ $ brew install k6
 
 $ docker compose \
     -f docker-compose.yml \
+    -f docker-compose.keycloak.yml \
     -f docker-compose.tracing.yml \
     -f docker-compose.logging.yml \
     -f docker-compose.monitoring.yml \
     up -d --wait
 
 $ K6_WEB_DASHBOARD=true K6_WEB_DASHBOARD_EXPORT=report.html \
   k6 run \
-    -e USERNAME=ronin@romanow-alex.ru \
-    -e PASSWORD=Qwerty123 \
+    -e USERNAME=program@mail.ru \
+    -e PASSWORD=test \
     -e CLIENT_ID=pXrawhpoDM63b82A7fkiLvRIH81wgmH9 \
     -e CLIENT_SECRET=LzQSxUOE2dmAUdgstWke4ngXUeZNLVczvSid7ZVV8HTegCRbOxchQtJ_23EuZ9_V \
     k6.auth.js

common-service/build.gradle

@@ -16,22 +16,23 @@ dependencies {
     api "org.springframework.boot:spring-boot-starter-validation"
     api "org.springframework.boot:spring-boot-starter-logging"
     api "org.springframework.cloud:spring-cloud-starter-circuitbreaker-reactor-resilience4j"
+    api "org.springframework.boot:spring-boot-starter-oauth2-client"
     api "org.springframework.security:spring-security-oauth2-resource-server"
     api "org.springframework.security:spring-security-oauth2-jose"
     api "org.springframework:spring-webflux"
 
-    api "net.logstash.logback:logstash-logback-encoder:$logstashEncoderVersion"
     api "io.micrometer:micrometer-tracing-bridge-otel"
     api "io.opentelemetry:opentelemetry-exporter-otlp"
     api "io.projectreactor.netty:reactor-netty-http"
     api "io.micrometer:micrometer-registry-prometheus"
-
     api "com.auth0:java-jwt:$jwtVersion"
-
     api "org.postgresql:postgresql"
     api "org.flywaydb:flyway-database-postgresql"
     api "io.github.resilience4j:resilience4j-micrometer"
     api "org.zalando:logbook-core:$logbookVersion"
+    api "org.codehaus.janino:janino"
+    api "org.codehaus.janino:commons-compiler"
+    api "net.logstash.logback:logstash-logback-encoder:$logstashEncoderVersion"
 
     api "org.springdoc:springdoc-openapi-starter-common:$openApiVersion"
     api "org.springdoc:springdoc-openapi-starter-webmvc-ui:$openApiVersion"

common-service/src/main/kotlin/ru/romanow/inst/services/common/config/SecurityConfiguration.kt

@@ -4,6 +4,7 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointR
 import org.springframework.boot.actuate.health.HealthEndpoint
 import org.springframework.boot.actuate.metrics.export.prometheus.PrometheusScrapeEndpoint
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.core.annotation.Order
@@ -14,6 +15,7 @@ import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
 import org.springframework.security.crypto.password.PasswordEncoder
+import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
 import org.springframework.security.web.SecurityFilterChain
 import ru.romanow.inst.services.common.properties.ActuatorSecurityProperties
@@ -30,20 +32,22 @@ class SecurityConfiguration {
     @Bean
     @Order(FIRST)
     @ConditionalOnProperty("oauth2.security.enabled", havingValue = "true", matchIfMissing = true)
-    fun tokenSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
+    fun securityFilterChain(http: HttpSecurity, properties: OAuth2ClientProperties): SecurityFilterChain {
+        val sources = PROVIDERS.filter { it in properties.provider }.map { properties.provider[it]!!.issuerUri }
         return http
             .securityMatcher("/api/v1/**")
             .authorizeHttpRequests {
                 it.anyRequest().authenticated()
             }
             .oauth2ResourceServer {
-                it.jwt {}
+                it.authenticationManagerResolver(JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(sources))
             }
             .build()
     }
 
     @Bean
     @Order(SECOND)
+    @ConditionalOnProperty("oauth2.security.enabled", havingValue = "true", matchIfMissing = true)
     fun managementSecurityFilterChain(http: HttpSecurity, properties: ActuatorSecurityProperties): SecurityFilterChain {
         return http
             .securityMatcher(
@@ -74,7 +78,7 @@ class SecurityConfiguration {
     @Bean
     @Order(THIRD)
     @ConditionalOnProperty("oauth2.security.enabled", havingValue = "true", matchIfMissing = true)
-    fun permitAllSecurityFilterChain(http: HttpSecurity, properties: ActuatorSecurityProperties): SecurityFilterChain {
+    fun permitAllSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
         return http
             .securityMatcher("/**")
             .authorizeHttpRequests { it.anyRequest().permitAll() }
@@ -95,5 +99,6 @@ class SecurityConfiguration {
         private const val FIRST = 1
         private const val SECOND = 2
         private const val THIRD = 3
+        private val PROVIDERS = listOf("auth0", "keycloak")
     }
 }

common-service/src/main/resources/application-common.yml

@@ -5,17 +5,19 @@ spring:
   cloud:
     discovery:
       client.health-indicator.enabled: false
+  main:
+    allow-bean-definition-overriding: true
 
 oauth2:
   security:
-    enabled: ${OAUTH2_SECURITY_ENABLED:true}
+    enabled: ${OAUTH2_SECURITY_ENABLED:false}
 
 management:
   otlp:
     tracing:
       endpoint: ${COLLECTOR_ENDPOINT:http://localhost:4318/v1/traces}
   tracing:
-    enabled: ${TRACING_ENABLED:true}
+    enabled: ${TRACING_ENABLED:false}
     sampling:
       probability: 1.0
   endpoint:
@@ -49,7 +51,7 @@ springdoc:
     path: /api-docs
 
 circuit-breaker:
-  enabled: ${CIRCUIT_BREAKER_ENABLED:true}
+  enabled: ${CIRCUIT_BREAKER_ENABLED:false}
   default-timeout: ${CIRCUIT_BREAKER_TIMEOUT:30s}
 
 logging:

common-service/src/main/resources/logback-spring.xml

@@ -6,31 +6,35 @@
     <springProperty scope="context" name="APPLICATION_NAME" source="spring.application.name"/>
 
     <springProfile name="docker">
-        <appender name="FLUENT-BIT" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
-            <destination>fluent-bit:5170</destination>
-            <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder">
-                <providers>
-                    <pattern>
-                        <pattern>
-                            {
-                                "timestamp": "@timestamp",
-                                "level": "%level",
-                                "application": "${APPLICATION_NAME:-}",
-                                "trace": "%X{traceId:-}",
-                                "span": "%X{spanId:-}",
-                                "pid": "${PID:-}",
-                                "thread": "%thread",
-                                "class": "%logger{40}",
-                                "message": "%message"
-                            }
-                        </pattern>
-                    </pattern>
-                </providers>
-            </encoder>
-        </appender>
-        <root level="info">
-            <appender-ref ref="FLUENT-BIT"/>
-        </root>
+        <if condition="${FLUENT_BIT_LOGGING_ENABLED:-false}">
+            <then>
+                <appender name="FLUENT-BIT" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
+                    <destination>fluent-bit:5170</destination>
+                    <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder">
+                        <providers>
+                            <pattern>
+                                <pattern>
+                                    {
+                                        "timestamp": "@timestamp",
+                                        "level": "%level",
+                                        "application": "${APPLICATION_NAME:-}",
+                                        "trace": "%X{traceId:-}",
+                                        "span": "%X{spanId:-}",
+                                        "pid": "${PID:-}",
+                                        "thread": "%thread",
+                                        "class": "%logger{40}",
+                                        "message": "%message"
+                                    }
+                                </pattern>
+                            </pattern>
+                        </providers>
+                    </encoder>
+                </appender>
+                <root level="info">
+                    <appender-ref ref="FLUENT-BIT"/>
+                </root>
+            </then>
+        </if>
     </springProfile>
 
     <springProfile name="k8s">

docker-compose.keycloak.yml

@@ -0,0 +1,32 @@
+services:
+  keycloak:
+    image: "bitnami/keycloak:26"
+    container_name: keycloak
+    environment:
+      KEYCLOAK_HTTP_PORT: 8100
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KEYCLOAK_DATABASE_VENDOR: postgresql
+      KEYCLOAK_DATABASE_HOST: postgres
+      KEYCLOAK_DATABASE_PORT: 5432
+      KEYCLOAK_DATABASE_NAME: keycloak
+      KEYCLOAK_DATABASE_USER: program
+      KEYCLOAK_DATABASE_PASSWORD: "test"
+      KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: true
+      KEYCLOAK_EXTRA_ARGS: "-Dkeycloak.profile.feature.scripts=enabled"
+    ports:
+      - "8100:8100"
+    healthcheck:
+      test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:9000/health/ready" ]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+    volumes:
+      - keycloak:/bitnami/keycloak
+      - ./docker/keycloak/:/docker-entrypoint-initdb.d/
+    depends_on:
+      postgres:
+        condition: service_healthy
+
+volumes:
+  keycloak:

docker-compose.monitoring.yml

@@ -14,7 +14,7 @@ services:
       - "9090:9090"
     volumes:
       - ./docker/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
-      - prometheus-data:/prometheus
+      - prometheus:/prometheus
 
   cadvisor:
     image: gcr.io/cadvisor/cadvisor:v0.49.1
@@ -68,12 +68,12 @@ services:
     ports:
       - "3000:3000"
     volumes:
-      - grafana-data:/var/lib/grafana
+      - grafana:/var/lib/grafana
       - ./docker/grafana/:/etc/grafana/provisioning/
     depends_on:
       prometheus:
         condition: service_healthy
 
 volumes:
-  prometheus-data:
-  grafana-data:
+  prometheus:
+  grafana:

docker-compose.yml

@@ -1,3 +1,10 @@
+x-common-envs: &common-envs
+  environment:
+    SPRING_PROFILES_ACTIVE: docker,auth0,keycloak
+    OAUTH2_SECURITY_ENABLED: true
+    KEYCLOAK_ISSUER_URI: http://keycloak:8100/realms/master
+    TRACING_ENABLED: false
+
 services:
   postgres:
     image: postgres:15
@@ -14,15 +21,15 @@ services:
     ports:
       - "5432:5432"
     volumes:
-      - db-data:/var/lib/postgresql/data
+      - postgres:/var/lib/postgresql/data
       - ./docker/postgres/:/docker-entrypoint-initdb.d/
 
   store-service:
     build: ./store-service
-    image: ${REPOSITORY_NAME}/store-service:v3.1
+    image: ${REPOSITORY_NAME}/store-service:v3.2
     container_name: store
-    environment:
-      SPRING_PROFILES_ACTIVE: docker
+    restart: on-failure
+    <<: *common-envs
     healthcheck:
       test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:8480/manage/health" ]
       interval: 10s
@@ -33,13 +40,15 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
+      keycloak:
+        condition: service_healthy
 
   order-service:
     build: ./order-service
-    image: ${REPOSITORY_NAME}/order-service:v3.1
+    image: ${REPOSITORY_NAME}/order-service:v3.2
     container_name: orders
-    environment:
-      SPRING_PROFILES_ACTIVE: docker
+    restart: on-failure
+    <<: *common-envs
     healthcheck:
       test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:8380/manage/health" ]
       interval: 10s
@@ -50,13 +59,15 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
+      keycloak:
+        condition: service_healthy
 
   warehouse-service:
     build: ./warehouse-service
-    image: ${REPOSITORY_NAME}/warehouse-service:v3.1
+    image: ${REPOSITORY_NAME}/warehouse-service:v3.2
     container_name: warehouse
-    environment:
-      SPRING_PROFILES_ACTIVE: docker
+    restart: on-failure
+    <<: *common-envs
     healthcheck:
       test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:8280/manage/health" ]
       interval: 10s
@@ -67,13 +78,15 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
+      keycloak:
+        condition: service_healthy
 
   warranty-service:
     build: ./warranty-service
-    image: ${REPOSITORY_NAME}/warranty-service:v3.1
+    image: ${REPOSITORY_NAME}/warranty-service:v3.2
     container_name: warranty
-    environment:
-      SPRING_PROFILES_ACTIVE: docker
+    restart: on-failure
+    <<: *common-envs
     healthcheck:
       test: [ "CMD", "curl", "--silent", "--fail", "http://localhost:8180/manage/health" ]
       interval: 10s
@@ -84,6 +97,8 @@ services:
     depends_on:
       postgres:
         condition: service_healthy
+      keycloak:
+        condition: service_healthy
 
 volumes:
-  db-data:
+  postgres:

docker/keycloak/init-realm.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+"$KEYCLOAK_BIN_DIR"/kc.sh import --file "$KEYCLOAK_INITSCRIPTS_DIR"/realm.json