Merge "Update keycloak demo, documentation for keycloak 18"

doc/source/examples/keycloak/docker-compose.yaml

@@ -7,21 +7,19 @@ version: '2.1'
 
 services:
   keycloak:
-    image: docker.io/jboss/keycloak
+    image: quay.io/keycloak/keycloak:18.0
     environment:
-      - KEYCLOAK_USER=admin
-      - KEYCLOAK_PASSWORD=kcadmin
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=kcadmin
       - DB_VENDOR=h2
-      - KEYCLOAK_IMPORT=/var/keycloak_import/zuul-demo-data.json
-      - JAVA_OPTS_APPEND="-Djboss.socket.binding.port-offset=2"
+      - KC_HTTP_PORT=8082
     ports:
       - "8082:8082"
     volumes:
-      - "./keycloak/:/var/keycloak_import/:z"
-    entrypoint: |
-      /bin/sh -c '\
-      /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0'
-    command: []
+      - "./keycloak/:/opt/keycloak/data/import/:z"
+    command:
+      - start-dev
+      - --import-realm
     networks:
       - zuul
 

doc/source/examples/keycloak/etc_zuul/zuul.conf

@@ -14,7 +14,7 @@ tenant_config=/etc/zuul/main.yaml
 default=true
 driver=OpenIDConnect
 realm=zuul-demo
-issuer_id=http://keycloak:8082/auth/realms/zuul-demo
+issuer_id=http://keycloak:8082/realms/zuul-demo
 client_id=zuul
 
 [connection "gerrit"]

doc/source/howtos/openid-with-keycloak.rst

@@ -73,6 +73,19 @@ Finally, go back to the clients list and pick the ``zuul`` client again. Click
 on ``Client Scopes``, and add the ``zuul_aud`` scope to the ``Assigned Default
 Client Scopes``.
 
+Configuring JWT signing algorithms
+..................................
+
+.. note::
+
+  Skip this step if you are using a keycloak version prior to 18.0.
+
+Due to current limitations with the pyJWT library, Zuul does not support every default
+signing algorithm used by Keycloak.
+
+Go to `my_realm->Settings->Keys`, then choose `rsa-enc-generated` (this should be mapped
+to "RSA-OAEP") if available. Then set `enabled` to false and save your changes.
+
 (Optional) Set up a social identity provider
 ............................................
 

doc/source/tutorials/keycloak.rst

@@ -28,6 +28,15 @@ to `/etc/hosts`.  Make sure you have a line that looks like this:
 
    127.0.0.1 localhost keycloak
 
+If you are using podman, you need to add the following option in $HOME/.config/containers/containers.conf:
+
+.. code-block::
+
+   [containers]
+   no_hosts=true
+
+This way your /etc/hosts settings will not interfere with podman's networking.
+
 Restart Zuul Containers
 -----------------------
 
@@ -37,14 +46,14 @@ that we can update Zuul's configuration to add authentication.
 .. code-block:: shell
 
    cd zuul/doc/source/examples
-   sudo -E docker-compose -p zuul-tutorial down
+   sudo -E docker-compose-compose -p zuul-tutorial down
 
 Restart the containers with a new Zuul configuration.
 
 .. code-block:: shell
 
    cd zuul/doc/source/examples
-   ZUUL_TUTORIAL_CONFIG="./keycloak/etc_zuul/" sudo -E docker-compose -p zuul-tutorial up -d
+   ZUUL_TUTORIAL_CONFIG="./keycloak/etc_zuul/" sudo -E docker-compose-compose -p zuul-tutorial up -d
 
 This tells docker-compose to use these Zuul `config files
 <https://opendev.org/zuul/zuul/src/branch/master/doc/source/examples/keycloak>`_.
@@ -58,7 +67,7 @@ with this command:
 .. code-block:: shell
 
    cd zuul/doc/source/examples/keycloak
-   sudo -E docker-compose -p zuul-tutorial-keycloak up -d
+   sudo -E docker-compose-compose -p zuul-tutorial-keycloak up -d
 
 Once Keycloak is running, you can visit the web interface at
 http://localhost:8082/