Export/Import of realm data (JSON) #10229

dasniko · 2022-02-15T15:50:36Z

dasniko
Feb 15, 2022

Hi,

I just saw, that the chapter about exporting and importing realm data in the docs is gone. Why?
There are the export and import commands available for kc.sh, but there's no documentation, besides the CLI help.
Are the docs planned to be updated?

And:
In the legacy Docker container, it was possible to auto-import a realm JSON file on container startup. I don't see a possibility currently on how to do this with the new container.
Will there be such a feature/option in future?

Thanks, Niko

omasseau · 2022-02-15T17:34:43Z

omasseau
Feb 15, 2022

I second this ;)
Having the auto-import of the realm on the container startup is critical.

0 replies

ML-ZoneReaper · 2022-02-15T20:33:05Z

ML-ZoneReaper
Feb 15, 2022

@dasniko @omasseau there is no such possibility in Keycloak 17.0.0

related issue #10216

0 replies

sschmiedleitner · 2022-02-18T12:30:32Z

sschmiedleitner
Feb 18, 2022

This is a crutual feature when providing a software package for a customer. Please migrate this from the old wildfly distribution.

0 replies

jwsy · 2022-03-11T16:48:37Z

jwsy
Mar 11, 2022

Specifically, I'd like to know the replacement for these startup configs

-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=/opt/jboss/keycloak/default_realm.json \
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING

0 replies

pedroigor · 2022-03-15T21:37:05Z

pedroigor
Mar 15, 2022
Collaborator

@dasniko and all, could you please check #10754?

1 reply

dasniko Mar 19, 2022
Author

done, works for me

jwsy · 2022-03-19T01:30:43Z

jwsy
Mar 19, 2022

Here's an example service from a docker-compose that loads an import successfully.

  keycloak:
    image: quay.io/keycloak/keycloak:17.0.0
    environment:
      - KEYCLOAK_LOGLEVEL=DEBUG
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KEYCLOAK_IMPORT=/tmp/keycloak/config/default_realm.json
    entrypoint: /tmp/keycloak/config/docker-compose-entrypoint.sh --hostname host.docker.internal:8080
    ports:
      - "8080:8080"
    volumes:
      - ./keycloak:/tmp/keycloak/config

EDIT: added the below, thanks @MetroMarv for catching this!
The above references the entrypoint script found here #10216 (comment)

This set up has a keycloak/config/ dir with the docker-compose-entrypoint.sh script and the JSON export that was created with KC version 15/16 default_realm.json

#!/bin/bash

IMPORT_FLAG_FILE=/opt/keycloak/imported.flag

if [[ -z "${KEYCLOAK_IMPORT}" ]]; then
  echo "Skipping Import (KEYCLOAK_IMPORT not used)"
else
  if test -f "$IMPORT_FLAG_FILE"; then
      echo "Skipping Import (already imported)"
  else
      echo "Import initial config: $KEYCLOAK_IMPORT)"
      /opt/keycloak/bin/kc.sh import --file "$KEYCLOAK_IMPORT"
      touch "$IMPORT_FLAG_FILE"
  fi
fi

echo "Starting Keycloak ... "
/opt/keycloak/bin/kc.sh "$@"

3 replies

MetroMarv Mar 20, 2022

Hey @jwsy,
could you quickly explain how you docker-compose-entrypoint.sh looks or where you got it from?

jwsy Mar 20, 2022

Whoops, forgot to include it in my post. I got it from another issue and will update my earlier post #10216 (comment)

MetroMarv Mar 20, 2022

Actually now made the import work too with the following script:

#!/bin/sh

/opt/keycloak/bin/kc.sh start-dev \
  -Dkeycloak.migration.action=import \
  -Dkeycloak.migration.provider=dir \
  -Dkeycloak.migration.dir=<Your directory to import> \
  -Dkeycloak.migration.strategy=<Your Strategy>

/opt/keycloak/bin/kc.sh start-dev

The script is based on the insights of bug ticket #10322.

semangard · 2022-03-22T19:44:20Z

semangard
Mar 22, 2022

@jwsy I tried your tips and got the following error:

keycloak17     | 2022-03-22 19:34:54,259 WARN  [io.agroal.pool] (agroal-11) Datasource '<default>': No suitable driver found for jdbc:postgresql://postgres:5432/keycloak
keycloak17     | 2022-03-22 19:34:54,328 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
keycloak17     | 2022-03-22 19:34:54,456 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
keycloak17     | 2022-03-22 19:34:54,456 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
keycloak17     | 2022-03-22 19:34:54,457 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No suitable driver found for jdbc:postgresql://postgres:5432/keycloak
keycloak17     | 2022-03-22 19:34:54,457 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

It looks like it does not work when a DB is used because the DB driver is not "initialized"

2 replies

jwsy Mar 22, 2022

What did your docker-compose look like? The KC service in my toy example used the default file-based DB and you likely need to specify that info

ferenc-solyom Mar 24, 2022

@jwsy I tried your tips and got the following error:

keycloak17     | 2022-03-22 19:34:54,259 WARN  [io.agroal.pool] (agroal-11) Datasource '<default>': No suitable driver found for jdbc:postgresql://postgres:5432/keycloak
keycloak17     | 2022-03-22 19:34:54,328 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
keycloak17     | 2022-03-22 19:34:54,456 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
keycloak17     | 2022-03-22 19:34:54,456 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
keycloak17     | 2022-03-22 19:34:54,457 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No suitable driver found for jdbc:postgresql://postgres:5432/keycloak
keycloak17     | 2022-03-22 19:34:54,457 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

It looks like it does not work when a DB is used because the DB driver is not "initialized"

Same issue for me with Mariadb
2022-03-24 11:24:03,326 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2022-03-24 11:24:03,327 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
2022-03-24 11:24:03,333 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No suitable driver found for jdbc:mariadb://keycloak-d
b/keycloak_database

semangard · 2022-03-23T13:20:20Z

semangard
Mar 23, 2022

@jwsy : here it is:

version: '3.8'

#### DOCS ####
# https://github.com/eabykov/keycloak-compose/blob/main/docker-compose.yml
# https://blog.codecentric.de/en/2021/12/keycloak-keycloak-x/
##############

services:
  
  postgres:
    container_name: keycloak17-db
    image: postgres:13.2-alpine
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    volumes:
    - keycloak17_postgres_data:/var/lib/postgresql/data
    networks:
    - network-development
    ports:
     - "5432:5432"

  keycloak:
    container_name: keycloak17
    image: quay.io/keycloak/keycloak:17.0.0
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      
      ## https://www.keycloak.org/server/db
      ## https://www.keycloak.org/server/all-config#_database
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"  # jdbc:postgresql://host:port/database
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      
      ## https://www.keycloak.org/server/hostname
      KC_HOSTNAME: localhost # mandatory because we are using the production mode (launch with 'start' and not 'start-dev') better to be as closed as possible to the production
      # KC_HOSTNAME_ADMIN: localhost
      # KC_HOSTNAME_STRICT_BACKCHANNEL: true
      KC_HTTP_RELATIVE_PATH: "/auth" # mandatory to keep same URL compared to previous versions of KC
      
      ## https://www.keycloak.org/server/enabletls
      ## https://www.keycloak.org/server/all-config#_httptls
      KC_HTTP_ENABLED: "true"
      # KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTPS_PROTOCOLS: "TLSv1.3,TLSv1.2"
      #KC_HTTPS_CIPER_SUITES: ### TODO
      KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/https/tls.crt"
      KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/https/tls.key"
      # X509_CA_BUNDLE: /etc/x509/https/rootCA.crt /etc/x509/https/hugrootCA.crt # use space to add multiple root CA if needed 
          ### DEPRECATED => TODO: use instead --https-trust-store-file=/path/to/file --https.trust-store.password=<value> 
          
      ## https://www.keycloak.org/server/all-config#_feature
      ## https://www.keycloak.org/server/features
      KC_FEATURES: admin-fine-grained-authz,token-exchange,upload-scripts
      
      JAVA_TOOL_OPTIONS: -Dsun.security.krb5.debug=true -Dsun.security.spenego.degug=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8790 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dquarkus-log-max-startup-records=10000
      JAVA_OPTS: -server -Xms512m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true # JAVA_OPTS_APPEND does not work
           
      ## https://www.keycloak.org/server/all-config#_cluster
      ## https://www.keycloak.org/server/caching
      ## https://github.com/keycloak/keycloak/issues/10780
      ## https://github.com/keycloak/keycloak/issues/10875
      # JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING   ### DEPRECATED : replaced by KC_CACHE_STACK
      # JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,remove_old_coords_on_view_change=true,remove_all_data_on_view_change=true  ### DEPRECATED : => TODO: find a solution
      # CACHE_OWNERS_COUNT: 1  ### DEPRECATED => useless now ?
      # CACHE_OWNERS_AUTH_SESSIONS_COUNT: 1 ### DEPRECATED => useless now ?
      KC_CACHE: ispn
      KC_CACHE_STACK: tcp
      
      ## https://www.keycloak.org/server/logging
      ## https://www.keycloak.org/server/all-config#_logging
      KC_LOG_LEVEL: INFO     
      
      ## https://www.keycloak.org/server/all-config#_metrics
      KC_METRICS_ENABLED: true # https://localhost/auth/metrics
      # KEYCLOAK_STATISTICS: all ### DEPRECATED: no solution yet

      # DEBUG: true
      # DEBUG_PORT: "*:8787"
      
      # DISABLE UI CACHE
      # https://github.com/keycloak/keycloak/issues/10863
      SPI_THEME_CACHE_THEMES: false
      SPI_THEME_CACHE_TEMPLATES: false
      SPI_THEME_STATIC_MAX_AGE: -1
      
      KEYCLOAK_IMPORT: /tmp/keycloak/config/realm.json # depends on the line uncommented just below  ### TODO : will be available with KC 17.0.1
      
      ## CUSTOM for HUG listener
      USER_EVENT_TO_SEND: CREATE,UPDATE,DELETE,LOGIN
      KEYCLOAK_SERVICE_URL: http://keycloak-service:10001/
    ###########################
    ## WARNING :  --auto-build has to be used for dev purpose, for perf concern (quick start-up) ==> build your own custom image
    # a) CUSTOM entrypoint to enable realm import : https://github.com/keycloak/keycloak/discussions/10229   ==> Does NOT WORK with a DB: driver is not yet initialized
    entrypoint: ["/tmp/keycloak/config/docker-compose-entrypoint.sh", "start", "--auto-build"]
    # b) STANDARD enrtrypoint
    # entrypoint: ["/opt/keycloak/bin/kc.sh", "start", "--auto-build"]
    volumes:
    ###########################
    # Import test realm
    - ./scripts:/tmp/keycloak/config
    - ./realms/realm.json:/tmp/keycloak/config/realm.json:ro
    ###########################
    # HUG themes and extensions
    - ../../theme/hug-base:/opt/keycloak/themes/hug-base
    - ../../theme/hug-hug:/opt/keycloak/themes/hug-hug
    - ../../theme/pedamines-base:/opt/keycloak/themes/pedamines-base # TODO: to be remamed as external-base
    # HUG extensions
    - ../../target/hug-keycloak-jar-with-dependencies.jar:/opt/keycloak/providers/hug-keycloak.jar:ro
    # HUG passwords blacklists
    - ../../blacklists/french_passwords_top20000.txt:/opt/data/password-blacklists/french_passwords_top20000.txt:ro
    - ../../blacklists/hug_pwd_blacklist_2021.txt:/opt/data/password-blacklists/hug_pwd_blacklist_2021.txt:ro
    # External extensions
    - ../../extensions/metrics/keycloak-metrics-spi-2.5.3.jar:/opt/keycloak/providers/keycloak-metrics-spi-2.5.3.jar:ro
    - ../../extensions/france-connect/keycloak-franceconnect-4.1.0.jar:/opt/keycloak/providers/keycloak-franceconnect-4.1.0.jar:ro
    # Custom configurations with CLI 
    # - ../../cli/themes-cache-disable.cli:/opt/startup-scripts/themes-cache-disable.cli ### DEPRECATED => TODO: find a solution
    # - ../../cli/logs-manage.cli:/opt/startup-scripts/logs-manage.cli ### DEPRECATED => TODO: find a solution to send logs to logstash
    # - ../../cli/logs-http-debug.cli:/opt/startup-scripts/logs-http-debug.cli ### DEPRECATED => TODO: find a solution (optional)
    ################
    # Self-signed certificates to activate HTTPS for tests
    - ./certs/server/server.tls.crt:/etc/x509/https/tls.crt:ro
    - ./certs/server/server.tls.key:/etc/x509/https/tls.key:ro
    # CA certificates to enable user auth with certificates
    - ./certs/ca.crt:/etc/x509/https/rootCA.crt:ro # auto-signed CA cert
    - ./certs/hugca.crt:/etc/x509/https/hugrootCA.crt:ro # HUG CA cert
    ################
    ports:
    - "8080:8080" # KC HTTP  : http://localhost:8080/
    - "443:8443"  # KC HTTPS : https://localhost/ (you must accept also warnings triggered by navigators)
    - "8787:8787" # KC debug port
    - "8790:8790" # KC JMX port
    deploy:
      replicas: 1
    depends_on:
    - postgres
    networks:
    - network-development

networks:
  network-development:

volumes:
  keycloak17_postgres_data:
    external: true # because the volume was clone from keycloak 13 DB (in order to test separately the migration)
    # driver: local

1 reply

jwsy Mar 23, 2022

Looks like you're having this issue: #10722

I don't know, looks like you're doing everything right and setting the env KC_DB=postgres, perhaps you need to add the runtime db config to this line in the entrypoint script?

/opt/keycloak/bin/kc.sh import --file "$KEYCLOAK_IMPORT"
to
/opt/keycloak/bin/kc.sh import --file "$KEYCLOAK_IMPORT --db=postgres

semangard · 2022-03-24T07:04:45Z

semangard
Mar 24, 2022

@jwsy : not possible:

keycloak17     | Unknown option: '--db=postgres'
keycloak17     | Try 'kc.sh import --help' for more information on the available options.

0 replies

MikeShiner · 2022-03-25T14:48:51Z

MikeShiner
Mar 25, 2022

I really want to get this working too. I've copied over the realm.json and docker-compose.sh into my image and changed the entrypoint to: ENTRYPOINT ["bash", "/tmp/keycloak/config/entry.sh"].

Logs do state:

Import initial config: /tmp/keycloak/realm.json)
...
2022-03-25 14:39:11,664 WARN  [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread: keycloak-default) HHH000342: Could not obtain connection to query metadata: org.postgresql.util.PSQLException: Connection to localhost:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
...
Starting Keycloak ...

But when I log into keycloak, my realm is not there. I'm guessing it cannot connect to my database, and the imported realm is lost when it starts the second instance.

The last line in the entrypoint is /opt/keycloak/bin/kc.sh start "$@" which uses args from my Kubernetes deployment:

          args:
            [
              '--db-url=jdbc:postgresql://postgres.core.svc.cluster.local:5432/keycloak',
              '--db-username=postgres',
              '--db-password=password',
              '--hostname-strict=false',
              '--hostname=myhostname.com',
            ]

Is there any way to use these args for kc.sh import to use my database? I don't think I can convert these args into environment variables.

Any guidance would be amazing.

0 replies

mbecker · 2022-04-05T19:11:21Z

mbecker
Apr 5, 2022

Hi all,

thanks for your scripts and files. I've managed to import an exported realm at the initial startup with the help of @jwsy and @semangard :-)

The important thing is to include the jdbc postgres driver in the .Dockerfile to build a customer Keycloak Docker image.

Disclaimer:

The .Dockerfile and docker-compose yaml files are not cleaned (configurations like env are in both files)
Users are not imported (to be honest, I don't know if this is the case for older Keycloak version)

Docker Compose:

version: '3.4'

#### DOCS ####
# https://github.com/eabykov/keycloak-compose/blob/main/docker-compose.yml
# https://blog.codecentric.de/en/2021/12/keycloak-keycloak-x/
# https://github.com/keycloak/keycloak/discussions/10229#discussioncomment-2422564
##############

services:
  
  postgres:
    container_name: keycloak17-db
    image: postgres:13.2-alpine
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    volumes:
    - ./data/postgres17:/var/lib/postgresql/data
    networks:
    - keycloak17
    ports:
     - "5432:5432"

  keycloak:
    container_name: keycloak17
    image: keycloak-dev:17.0.0 #quay.io/keycloak/keycloak:17.0.0
    build: # "context" and "dockerfile" fields have to be under "build"
      context: ./dev
      network: host
      dockerfile: .Dockerfile
      cache_from:
        - quay.io/keycloak/keycloak:17.0.0
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      
      ## https://www.keycloak.org/server/db
      ## https://www.keycloak.org/server/all-config#_database
      KC_DB: postgres
      KC_DB_URL: "jdbc:postgresql://postgres:5432/keycloak"  # jdbc:postgresql://host:port/database
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      
      ## https://www.keycloak.org/server/hostname
      KC_HOSTNAME: penguin.linux.test # mandatory because we are using the production mode (launch with 'start' and not 'start-dev') better to be as closed as possible to the production
      # KC_HOSTNAME_ADMIN: localhost
      # KC_HOSTNAME_STRICT_BACKCHANNEL: true
      # KC_HTTP_RELATIVE_PATH: "/auth" # mandatory to keep same URL compared to previous versions of KC
      
      ## https://www.keycloak.org/server/enabletls
      ## https://www.keycloak.org/server/all-config#_httptls
      KC_HTTP_ENABLED: "true"
      # KC_HOSTNAME_STRICT_HTTPS: "false"
      KC_HTTPS_PROTOCOLS: "TLSv1.3,TLSv1.2"
      #KC_HTTPS_CIPER_SUITES: ### TODO
      KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/https/tls.crt"
      KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/https/tls.key"
      # X509_CA_BUNDLE: /etc/x509/https/rootCA.crt /etc/x509/https/hugrootCA.crt # use space to add multiple root CA if needed 
          ### DEPRECATED => TODO: use instead --https-trust-store-file=/path/to/file --https.trust-store.password=<value> 
          
      ## https://www.keycloak.org/server/all-config#_feature
      ## https://www.keycloak.org/server/features
      KC_FEATURES: authorization,account-api,admin-fine-grained-authz,impersonation,scripts,token-exchange,upload-scripts,web-authn,client-policies,ciba,map-storage,par,declarative-user-profile,dynamic-scopes,preview
      
      JAVA_TOOL_OPTIONS: -Dsun.security.krb5.debug=true -Dsun.security.spenego.degug=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8790 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dquarkus-log-max-startup-records=10000
      JAVA_OPTS: -server -Xms512m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true # JAVA_OPTS_APPEND does not work
           
      ## https://www.keycloak.org/server/all-config#_cluster
      ## https://www.keycloak.org/server/caching
      ## https://github.com/keycloak/keycloak/issues/10780
      ## https://github.com/keycloak/keycloak/issues/10875
      # JGROUPS_DISCOVERY_PROTOCOL: JDBC_PING   ### DEPRECATED : replaced by KC_CACHE_STACK
      # JGROUPS_DISCOVERY_PROPERTIES: datasource_jndi_name=java:jboss/datasources/KeycloakDS,info_writer_sleep_time=500,remove_old_coords_on_view_change=true,remove_all_data_on_view_change=true  ### DEPRECATED : => TODO: find a solution
      # CACHE_OWNERS_COUNT: 1  ### DEPRECATED => useless now ?
      # CACHE_OWNERS_AUTH_SESSIONS_COUNT: 1 ### DEPRECATED => useless now ?
      KC_CACHE: ispn
      KC_CACHE_STACK: tcp
      
      ## https://www.keycloak.org/server/logging
      ## https://www.keycloak.org/server/all-config#_logging
      KC_LOG_LEVEL: INFO     
      
      ## https://www.keycloak.org/server/all-config#_metrics
      KC_METRICS_ENABLED: "true" # https://localhost/auth/metrics
      # KEYCLOAK_STATISTICS: all ### DEPRECATED: no solution yet

      # DEBUG: true
      # DEBUG_PORT: "*:8787"
      
      # DISABLE UI CACHE
      # https://github.com/keycloak/keycloak/issues/10863
      SPI_THEME_CACHE_THEMES: "false"
      SPI_THEME_CACHE_TEMPLATES: "false"
      SPI_THEME_STATIC_MAX_AGE: -1
      
      KEYCLOAK_IMPORT: /tmp/keycloak/config/realm.json # depends on the line uncommented just below  ### TODO : will be available with KC 17.0.1
      
      ## CUSTOM for HUG listener
      #USER_EVENT_TO_SEND: CREATE,UPDATE,DELETE,LOGIN
      #KEYCLOAK_SERVICE_URL: http://keycloak-service:10001/
    ###########################
    ## WARNING :  --auto-build has to be used for dev purpose, for perf concern (quick start-up) ==> build your own custom image
    # a) CUSTOM entrypoint to enable realm import : https://github.com/keycloak/keycloak/discussions/10229   ==> Does NOT WORK with a DB: driver is not yet initialized
    entrypoint: ["/tmp/keycloak/config/docker-compose-entrypoint.sh", "start", "--auto-build"]
    # b) STANDARD enrtrypoint
    # entrypoint: ["/opt/keycloak/bin/kc.sh", "start", "--auto-build"]
    volumes:
    ###########################
    # Import test realm
    - ./scripts:/tmp/keycloak/config
    - ./export/realm-export.json:/tmp/keycloak/config/realm.json:ro
    ################
    # Self-signed certificates to activate HTTPS for tests
    - ./certs/penguin.linux.test+1.pem:/etc/x509/https/tls.crt:ro
    - ./certs/penguin.linux.test+1-key.pem:/etc/x509/https/tls.key:ro
    # CA certificates to enable user auth with certificates
    #- ./certs/ca.crt:/etc/x509/https/rootCA.crt:ro # auto-signed CA cert
    #- ./certs/hugca.crt:/etc/x509/https/hugrootCA.crt:ro # HUG CA cert
    ################
    ports:
    - "8080:8080" # KC HTTP  : http://localhost:8080/
    - "443:8443"  # KC HTTPS : https://localhost/ (you must accept also warnings triggered by navigators)
    - "8787:8787" # KC debug port
    - "8790:8790" # KC JMX port
    deploy:
      replicas: 1
    depends_on:
    - postgres
    networks:
    - keycloak17

networks:
  keycloak17:

.Dockerfile (in my use case the .Dockerfile is in the folder "./dev"):

FROM quay.io/keycloak/keycloak:17.0.0 as builder

ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=authorization,account-api,admin-fine-grained-authz,impersonation,scripts,token-exchange,upload-scripts,web-authn,client-policies,ciba,map-storage,par,declarative-user-profile,dynamic-scopes,preview
ENV KC_DB=postgres
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:17.0.0

COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak
# for demonstration purposes only,please make sure to use proper certificates in production instead
# RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:2Fpenguin.linux.test,IP:127.0.0.1" -keystore conf/server.keystore

# ENV KEYCLOAK_ADMIN=admin
# ENV KEYCLOAK_ADMIN_PASSWORD=admin
# change these values to point to a running postgres instance
# ENV KC_DB_URL=jdbc:postgresql://postgres/keycloak
# ENV KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak
# ENV KC_DB_USERNAME=keycloak
# ENV KC_DB_PASSWORD=password
# ENV KC_HOSTNAME=localhost:8443
# ENV KC_HOSTNAME_STRICT=false
# ENV KC_HOSTNAME_STRICT_HTTPS=false
# ENV KC_PROXY_ADDRESS_FORWARDING=true
# ENV KC_HTTP_ENABLED=true

ENTRYPOINT ["/opt/keycloak/bin/kc.sh","start"]

For me, all resources like roles, clients, and authorization javascript policies are imported.

0 replies

gargee987 · 2022-06-03T09:16:53Z

gargee987
Jun 3, 2022

Hello,

Can we take export of all Realms from keycloak in h2 db in version 6.0 using bin/standalone.sh -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=

and directly use this output json file to import to Keycloak configured to use Postgress RDS in version 16.1.1.

Is the Keycloak export/import compatible across various Keycloak versions.

2 replies

gargee987 Jun 7, 2022

kindly let me know . this site is not allowing me to open a new discussion for this

gargee987 Jun 7, 2022

We are taking Keycloak export from the inbuilt H2 database using
keycloak-6.0.0/bin/standalone.sh -Dkeycloak.migration.action=export -Djboss.socket.binding.port-offset=1 -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/jboss/data-keycloak-cicd2-export.json

After keycloak (16.1) version is configued to point to New Postgress RDS. After that I try to migrate the previous json file to new Keycloak 16.1

keycloak-16.1.1/bin/standalone.sh -c=standalone-ha.xml -Dkeycloak.migration.action=import -Djboss.socket.binding.port-offset=10 -Dkeycloak.migration.provider=singleFile -Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.migration.file=/opt/jboss/data_keycloak.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING

My question is is it compatible or not. We are not upgrading the original keycloak in h2, however we are directly migrating to 16.1 version and also making it point to Postgress. After that I am triggering the import.

Export/Import of realm data (JSON) #10229

Uh oh!

Replies: 12 comments · 9 replies

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

pedroigor Mar 15, 2022 Collaborator

Uh oh!

dasniko Mar 19, 2022 Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Replies: 12 comments 9 replies

pedroigor
Mar 15, 2022
Collaborator

dasniko Mar 19, 2022
Author