c5c703c31f
Closes #46603 Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com> Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
6 KiB
Test with various databases
MySQL
The simplest way to test with MySQL is to use the official MySQL docker image.
Start MySQL:
docker run --name mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e MYSQL_ROOT_PASSWORD=keycloak -d mysql
Run tests:
mvn install -Dkeycloak.connectionsJpa.url=jdbc:mysql://`docker inspect --format '{{ .NetworkSettings.IPAddress }}' mysql`/keycloak -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak
Stop MySQl:
docker rm -f mysql
PostgreSQL
The simplest way to test with PostgreSQL is to use the official PostgreSQL docker image.
Start PostgreSQL:
docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=keycloak -e POSTGRES_ROOT_PASSWORD=keycloak -d postgres
Run tests:
mvn install -Dkeycloak.connectionsJpa.url=jdbc:postgresql://`docker inspect --format '{{ .NetworkSettings.IPAddress }}' postgres`:5432/keycloak -Dkeycloak.connectionsJpa.driver=org.postgresql.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak
Stop PostgreSQL:
docker rm -f postgres
MariaDB
The simplest way to test with MariaDB is to use the official MariaDB docker image.
Start MariaDB:
docker run --name mariadb -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -d mariadb:10.1
Run tests:
mvn install -Dkeycloak.connectionsJpa.url=jdbc:mariadb://`docker inspect --format '{{ .NetworkSettings.IPAddress }}' mariadb`/keycloak -Dkeycloak.connectionsJpa.driver=org.mariadb.jdbc.Driver -Dkeycloak.connectionsJpa.user=keycloak -Dkeycloak.connectionsJpa.password=keycloak
Stop MySQl:
docker rm -f mariadb
TiDB
The simplest way to test with TiDB is to use the official TiDB docker image.
Start TiDB:
docker run --name tidb -p 4000:4000 -d pingcap/tidb:v8.5.2
Run tests:
mvn install -Dkeycloak.connectionsJpa.url=jdbc:mysql://`docker inspect --format '{{ .NetworkSettings.IPAddress }}' tidb`:4000/test -Dkeycloak.connectionsJpa.driver=com.mysql.jdbc.Driver -Dkeycloak.connectionsJpa.user=root -Dkeycloak.connectionsJpa.password=
Stop TiDB:
docker rm -f tidb
Enabling SSL
Generate certificate
To enable TLS connection, a private key and certificate to be provided to the database.
Let's create a directory named certs to store the files we need.
mkdir certs ; cd certs
openssl req -x509 -newkey rsa:4096 -keyout database-key.pem -out database-cert.pem -sha256 -days 3650 -nodes -subj "/CN=localhost
Private key permissions
The primary key must belong to the user running in the container and only that user should be able to access. PostgreSQL, MariaDB, and MySQL both use user with id 999 (at the time of writing).
chmod 0600 database-key.pem
chown 999:999 database-key.pem
Starting the database container
Mount the certs directory in the container and configure the database as shown below.
The file database-cert.pem can be added to Keycloak truststore to perform the hostname verification.
By default, the JDBC drivers do not perform the hostname verification.
PostgreSQL
docker run -d --name postgres --network host --volume '${PWD}:/mnt/certs:ro' -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=keycloak -e POSTGRES_DB=keycloak postgres:17 postgres -c ssl=on -c ssl_cert_file=/mnt/certs/database-cert.pem -c ssl_key_file=/mnt/certs/database-key.pem
MariaDB
docker run -d --name maridb --network host --volume '${PWD}:/mnt/certs:ro' -e MARIADB_ROOT_PASSWORD=keycloak -e MARIADB_USER=keycloak -e MARIADB_PASSWORD=keycloak -e MARIADB_DATABASE=keycloak mariadb:11 --ssl-cert=/mnt/certs/database-cert.pem --ssl-key=/mnt/certs/database-key.pem --require-secure-transport
The option --require-secure-transport ensures only TLS connections are accepted by the server.
MySQL
docker run -d --name mysql --network host --volume '${PWD}:/mnt/certs:ro' -e MYSQL_ROOT_PASSWORD=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e MYSQL_DATABASE=keycloak mysql:9 --ssl-cert=/mnt/certs/database-cert.pem --ssl-key=/mnt/certs/database-key.pem --require-secure-transport
The option --require-secure-transport ensures only TLS connections are accepted by the server.
Using built-in profiles to run database tests using docker containers
The project provides specific profiles to run database tests using containers. Below is a just a sample of implemented profiles. In order to get a full list, please invoke (mvn help:all-profiles -pl testsuite/integration-arquillian | grep -- db-):
db-mysqldb-postgres
As an example, to run tests using a MySQL docker container on Undertow auth-server:
mvn -f testsuite/integration-arquillian clean verify -Pdb-mysql
If you want to run tests using a pre-configured Keycloak distribution (instead of Undertow):
mvn -f testsuite/integration-arquillian clean verify -Pdb-mysql,jpa,auth-server-quarkus
Note that you must always activate the jpa profile when using auth-server-quarkus.
If the mvn command fails for any reason, it may also fail to remove the container which must be then removed manually.
For Oracle databases, the images are not publicly available due to licensing restrictions.
Build the Docker image per instructions at
https://github.com/oracle/docker-images/tree/main/OracleDatabase.
Update the property docker.database.image if you used a different
name or tag for the image.
Note that Docker containers may occupy some space even after termination, and
especially with databases that might be easily a gigabyte. It is thus
advisable to run docker system prune occasionally to reclaim that space.