lionsdev/unionflow-mobile-apps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add production Dockerfiles and Keycloak realm configuration

Browse Source 
- Add Dockerfile.prod for unionflow-server (backend) with production settings
- Add Dockerfile.prod for unionflow-client (frontend) with production settings
- Add unionflow-realm-production.json with SUPER_ADMIN role and unionflow-client
- Configure for deployment on https://unionflow.lions.dev

Database: unionflow on postgresql.postgresql.svc.cluster.local
Keycloak: https://security.lions.dev/realms/unionflow
Backend: Port 8085, https://api.lions.dev/unionflow
Frontend: Port 8086, https://unionflow.lions.dev
This commit is contained in:
dahoud
2025-12-07 14:46:11 +00:00
parent 35ddcb1d2d
commit 00d3906fd2
3 changed files with 367 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
unionflow-client-quarkus-primefaces-freya/Dockerfile.prod Normal file
View File

@@ -0,0 +1,91 @@
####
# Dockerfile de production pour UnionFlow Client (Frontend)
# Multi-stage build optimisé avec sécurité renforcée
####
## Stage 1 : Build avec Maven
FROM maven:3.9.6-eclipse-temurin-17 AS builder
WORKDIR /app
# Copier les fichiers de configuration Maven
COPY pom.xml .
COPY ../unionflow-server-api/pom.xml ../unionflow-server-api/
# Télécharger les dépendances (cache Docker)
RUN mvn dependency:go-offline -B -pl unionflow-client-quarkus-primefaces-freya -am
# Copier le code source
COPY src ./src
# Build de l'application avec profil production
RUN mvn clean package -DskipTests -B -Dquarkus.profile=prod -pl unionflow-client-quarkus-primefaces-freya
## Stage 2 : Image de production optimisée et sécurisée
FROM registry.access.redhat.com/ubi8/openjdk-17:1.18
ENV LANGUAGE='fr_FR:fr'
# Variables d'environnement de production
ENV QUARKUS_PROFILE=prod
ENV QUARKUS_HTTP_PORT=8086
ENV QUARKUS_HTTP_HOST=0.0.0.0
# Configuration Keycloak/OIDC (production)
ENV QUARKUS_OIDC_AUTH_SERVER_URL=https://security.lions.dev/realms/unionflow
ENV QUARKUS_OIDC_CLIENT_ID=unionflow-client
ENV QUARKUS_OIDC_ENABLED=true
ENV QUARKUS_OIDC_TLS_VERIFICATION=required
ENV KEYCLOAK_CLIENT_SECRET=changeme
# Configuration API Backend
ENV UNIONFLOW_BACKEND_URL=https://api.lions.dev/unionflow
# Configuration CORS
ENV QUARKUS_HTTP_CORS_ORIGINS=https://unionflow.lions.dev,https://security.lions.dev
ENV QUARKUS_HTTP_CORS_ALLOW_CREDENTIALS=true
# Configuration Session
ENV SESSION_TIMEOUT=1800
ENV REMEMBER_ME_DURATION=604800
# Installer curl pour les health checks
USER root
RUN microdnf install -y curl && \
microdnf clean all && \
rm -rf /var/cache/yum
# Créer les répertoires et permissions pour utilisateur non-root
RUN mkdir -p /deployments /app/logs && \
chown -R 185:185 /deployments /app/logs
# Passer à l'utilisateur non-root pour la sécurité
USER 185
# Copier l'application depuis le builder (format fast-jar Quarkus)
COPY --from=builder --chown=185 /app/target/quarkus-app/ /deployments/
# Exposer le port
EXPOSE 8086
# Variables JVM optimisées pour production avec sécurité
ENV JAVA_OPTS="-Xmx768m -Xms256m \
-XX:+UseG1GC \
-XX:MaxGCPauseMillis=200 \
-XX:+UseStringDeduplication \
-XX:+ParallelRefProcEnabled \
-XX:+HeapDumpOnOutOfMemoryError \
-XX:HeapDumpPath=/app/logs/heapdump.hprof \
-Djava.security.egd=file:/dev/./urandom \
-Djava.awt.headless=true \
-Dfile.encoding=UTF-8 \
-Djava.util.logging.manager=org.jboss.logmanager.LogManager \
-Dquarkus.profile=${QUARKUS_PROFILE}"
# Health check avec endpoints Quarkus
HEALTHCHECK --interval=30s --timeout=10s --start-period=90s --retries=3 \
CMD curl -f http://localhost:8086/q/health/ready || exit 1
# Point d'entrée avec profil production (format fast-jar)
ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS -jar /deployments/quarkus-run.jar"]

185
unionflow-realm-production.json Normal file
View File

@@ -0,0 +1,185 @@
{
"realm": "unionflow",
"displayName": "UnionFlow",
"displayNameHtml": "<div class=\"kc-logo-text\"><span>UnionFlow</span></div>",
"enabled": true,
"sslRequired": "external",
"registrationAllowed": false,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": true,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 5,
"defaultRoles": ["offline_access", "uma_authorization", "default-roles-unionflow"],
"requiredCredentials": ["password"],
"otpPolicyType": "totp",
"otpPolicyAlgorithm": "HmacSHA1",
"otpPolicyInitialCounter": 0,
"otpPolicyDigits": 6,
"otpPolicyLookAheadWindow": 1,
"otpPolicyPeriod": 30,
"supportedLocales": ["fr", "en"],
"defaultLocale": "fr",
"internationalizationEnabled": true,
"clients": [
{
"clientId": "unionflow-server",
"name": "UnionFlow Server API",
"description": "Client pour l'API serveur UnionFlow (Backend)",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "unionflow-server-secret-2025",
"serviceAccountsEnabled": true,
"directAccessGrantsEnabled": true,
"publicClient": false,
"redirectUris": ["https://api.lions.dev/unionflow/*"],
"webOrigins": ["https://api.lions.dev", "https://unionflow.lions.dev", "https://security.lions.dev"],
"protocol": "openid-connect",
"fullScopeAllowed": true,
"defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
"optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
},
{
"clientId": "unionflow-client",
"name": "UnionFlow Web Client",
"description": "Client pour l'application web UnionFlow (Frontend)",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "unionflow-client-secret-2025",
"publicClient": false,
"directAccessGrantsEnabled": true,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"redirectUris": [
"https://unionflow.lions.dev/*",
"https://unionflow.lions.dev/auth/callback"
],
"webOrigins": ["https://unionflow.lions.dev", "https://api.lions.dev", "https://security.lions.dev"],
"protocol": "openid-connect",
"fullScopeAllowed": true,
"defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
"optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
}
],
"roles": {
"realm": [
{
"name": "SUPER_ADMIN",
"description": "Super Administrateur avec tous les droits sur toutes les organisations",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "ADMIN",
"description": "Administrateur d'organisation avec tous les droits sur son organisation",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "PRESIDENT",
"description": "Président de l'organisation avec droits de gestion complète",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "SECRETAIRE",
"description": "Secrétaire avec droits de gestion des membres et événements",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "TRESORIER",
"description": "Trésorier avec droits de gestion financière",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "GESTIONNAIRE_MEMBRE",
"description": "Gestionnaire des membres avec droits de CRUD sur les membres",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "ORGANISATEUR_EVENEMENT",
"description": "Organisateur d'événements avec droits de gestion des événements",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
},
{
"name": "MEMBRE",
"description": "Membre standard avec droits de consultation",
"composite": false,
"clientRole": false,
"containerId": "unionflow"
}
]
},
"users": [
{
"username": "superadmin",
"enabled": true,
"emailVerified": true,
"firstName": "Super",
"lastName": "Administrateur",
"email": "gbanedahoud@gmail.com",
"credentials": [
{
"type": "password",
"value": "SuperAdmin2025!",
"temporary": false
}
],
"realmRoles": ["SUPER_ADMIN", "ADMIN", "PRESIDENT", "MEMBRE"],
"clientRoles": {}
}
],
"groups": [
{
"name": "SuperAdministration",
"path": "/SuperAdministration",
"realmRoles": ["SUPER_ADMIN"],
"subGroups": []
},
{
"name": "Administration",
"path": "/Administration",
"realmRoles": ["ADMIN"],
"subGroups": []
},
{
"name": "Bureau",
"path": "/Bureau",
"realmRoles": ["PRESIDENT", "SECRETAIRE", "TRESORIER"],
"subGroups": []
},
{
"name": "Gestionnaires",
"path": "/Gestionnaires",
"realmRoles": ["GESTIONNAIRE_MEMBRE", "ORGANISATEUR_EVENEMENT"],
"subGroups": []
},
{
"name": "Membres",
"path": "/Membres",
"realmRoles": ["MEMBRE"],
"subGroups": []
}
]
}

91
unionflow-server-impl-quarkus/Dockerfile.prod Normal file
View File

@@ -0,0 +1,91 @@
####
# Dockerfile de production pour UnionFlow Server (Backend)
# Multi-stage build optimisé avec sécurité renforcée
####
## Stage 1 : Build avec Maven
FROM maven:3.9.6-eclipse-temurin-17 AS builder
WORKDIR /app
# Copier les fichiers de configuration Maven
COPY pom.xml .
COPY ../unionflow-server-api/pom.xml ../unionflow-server-api/
# Télécharger les dépendances (cache Docker)
RUN mvn dependency:go-offline -B -pl unionflow-server-impl-quarkus -am
# Copier le code source
COPY src ./src
# Construire l'application avec profil production
RUN mvn clean package -DskipTests -B -Dquarkus.profile=prod -pl unionflow-server-impl-quarkus
## Stage 2 : Image de production optimisée
FROM registry.access.redhat.com/ubi8/openjdk-17:1.18
ENV LANGUAGE='en_US:en'
# Configuration des variables d'environnement pour production
ENV QUARKUS_PROFILE=prod
ENV QUARKUS_HTTP_PORT=8085
ENV QUARKUS_HTTP_HOST=0.0.0.0
# Configuration Base de données (à surcharger via variables d'environnement)
ENV DB_URL=jdbc:postgresql://postgresql:5432/unionflow
ENV DB_USERNAME=unionflow
ENV DB_PASSWORD=changeme
# Configuration Keycloak/OIDC (production)
ENV QUARKUS_OIDC_AUTH_SERVER_URL=https://security.lions.dev/realms/unionflow
ENV QUARKUS_OIDC_CLIENT_ID=unionflow-server
ENV KEYCLOAK_CLIENT_SECRET=changeme
ENV QUARKUS_OIDC_TLS_VERIFICATION=required
# Configuration CORS pour production
ENV CORS_ORIGINS=https://unionflow.lions.dev,https://security.lions.dev
ENV QUARKUS_HTTP_CORS_ORIGINS=${CORS_ORIGINS}
# Configuration Wave Money (optionnel)
ENV WAVE_API_KEY=
ENV WAVE_API_SECRET=
ENV WAVE_API_BASE_URL=https://api.wave.com/v1
ENV WAVE_ENVIRONMENT=production
ENV WAVE_WEBHOOK_SECRET=
# Installer curl pour les health checks
USER root
RUN microdnf install curl -y && microdnf clean all
RUN mkdir -p /app/logs && chown -R 185:185 /app/logs
USER 185
# Copier l'application depuis le builder
COPY --from=builder --chown=185 /app/target/quarkus-app/lib/ /deployments/lib/
COPY --from=builder --chown=185 /app/target/quarkus-app/*.jar /deployments/
COPY --from=builder --chown=185 /app/target/quarkus-app/app/ /deployments/app/
COPY --from=builder --chown=185 /app/target/quarkus-app/quarkus/ /deployments/quarkus/
# Exposer le port
EXPOSE 8085
# Variables JVM optimisées pour production avec sécurité
ENV JAVA_OPTS="-Xmx1g -Xms512m \
-XX:+UseG1GC \
-XX:MaxGCPauseMillis=200 \
-XX:+UseStringDeduplication \
-XX:+ParallelRefProcEnabled \
-XX:+HeapDumpOnOutOfMemoryError \
-XX:HeapDumpPath=/app/logs/heapdump.hprof \
-Djava.security.egd=file:/dev/./urandom \
-Djava.awt.headless=true \
-Dfile.encoding=UTF-8 \
-Djava.util.logging.manager=org.jboss.logmanager.LogManager \
-Dquarkus.profile=${QUARKUS_PROFILE}"
# Point d'entrée avec profil production
ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS -jar /deployments/quarkus-run.jar"]
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f http://localhost:8085/q/health/ready || exit 1