initial commit

keycloak/tools/autorun.sh

@@ -0,0 +1,19 @@
+#!/bin/bash -e
+cd /opt/jboss/keycloak
+
+ENTRYPOINT_DIR=/opt/jboss/startup-scripts
+
+if [[ -d "$ENTRYPOINT_DIR" ]]; then
+  # First run cli autoruns
+  for f in "$ENTRYPOINT_DIR"/*; do
+    if [[ "$f" == *.cli ]]; then
+      echo "Executing cli script: $f"
+      bin/jboss-cli.sh --file="$f"
+    elif [[ -x "$f" ]]; then
+      echo "Executing: $f"
+      "$f"
+    else
+      echo "Ignoring file in $ENTRYPOINT_DIR (not *.cli or executable): $f"
+    fi
+  done
+fi

keycloak/tools/build-keycloak.sh

@@ -0,0 +1,105 @@
+#!/bin/bash -e
+
+###########################
+# Build/download Keycloak #
+###########################
+
+if [ "$GIT_REPO" != "" ]; then
+    if [ "$GIT_BRANCH" == "" ]; then
+        GIT_BRANCH="master"
+    fi
+
+    # Install Git
+    microdnf install -y git
+
+    # Install Maven
+    cd /opt/jboss 
+    curl -s https://apache.uib.no/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz | tar xz
+    mv apache-maven-3.5.4 /opt/jboss/maven
+    export M2_HOME=/opt/jboss/maven
+
+    # Clone repository
+    git clone --depth 1 https://github.com/$GIT_REPO.git -b $GIT_BRANCH /opt/jboss/keycloak-source
+
+    # Build
+    cd /opt/jboss/keycloak-source
+
+    MASTER_HEAD=`git log -n1 --format="%H"`
+    echo "Keycloak from [build]: $GIT_REPO/$GIT_BRANCH/commit/$MASTER_HEAD"
+
+    $M2_HOME/bin/mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install
+    
+    cd /opt/jboss
+
+    tar xfz /opt/jboss/keycloak-source/distribution/server-dist/target/keycloak-*.tar.gz
+
+    # Remove temporary files
+    rm -rf /opt/jboss/maven
+    rm -rf /opt/jboss/keycloak-source
+    rm -rf $HOME/.m2/repository
+    
+    mv /opt/jboss/keycloak-* /opt/jboss/keycloak
+else
+    echo "Keycloak from [download]: $KEYCLOAK_DIST"
+
+    cd /opt/jboss/
+    curl -L $KEYCLOAK_DIST | tar zx
+    mv /opt/jboss/keycloak-* /opt/jboss/keycloak
+fi
+
+#####################
+# Create DB modules #
+#####################
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
+curl -O https://repo1.maven.org/maven2/mysql/mysql-connector-java/$JDBC_MYSQL_VERSION/mysql-connector-java-$JDBC_MYSQL_VERSION.jar
+cp /opt/jboss/tools/databases/mysql/module.xml .
+sed "s/JDBC_MYSQL_VERSION/$JDBC_MYSQL_VERSION/" /opt/jboss/tools/databases/mysql/module.xml > module.xml
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
+curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar
+cp /opt/jboss/tools/databases/postgres/module.xml .
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
+curl -L https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$JDBC_MARIADB_VERSION/mariadb-java-client-$JDBC_MARIADB_VERSION.jar > mariadb-jdbc.jar
+cp /opt/jboss/tools/databases/mariadb/module.xml .
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
+cp /opt/jboss/tools/databases/oracle/module.xml .
+
+mkdir -p /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
+cd /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
+curl -L https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/$JDBC_MSSQL_VERSION/mssql-jdbc-$JDBC_MSSQL_VERSION.jar > mssql-jdbc.jar
+cp /opt/jboss/tools/databases/mssql/module.xml .
+
+######################
+# Configure Keycloak #
+######################
+
+cd /opt/jboss/keycloak
+
+bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli
+rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
+
+bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-ha-configuration.cli
+rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
+
+###########
+# Garbage #
+###########
+
+rm -rf /opt/jboss/keycloak/standalone/tmp/auth
+rm -rf /opt/jboss/keycloak/domain/tmp/auth
+
+###################
+# Set permissions #
+###################
+
+echo "jboss:x:1000:root" >> /etc/group
+echo "jboss:x:1000:1000:JBoss user:/opt/jboss:/sbin/nologin" >> /etc/passwd
+chown -R jboss:jboss /opt/jboss
+chmod -R g+rwX /opt/jboss

keycloak/tools/cli/databases/mariadb/change-database.cli

@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mariadb://${env.DB_ADDR:mariadb}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mariadb)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=mariadb:add(driver-name=mariadb, driver-module-name=org.mariadb.jdbc, driver-xa-datasource-class-name=org.mariadb.jdbc.MySQLDataSource)

keycloak/tools/cli/databases/mariadb/standalone-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/mariadb/standalone-ha-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/mssql/change-database.cli

@@ -0,0 +1,11 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url="jdbc:sqlserver://${env.DB_ADDR:mssql}:${env.DB_PORT:1433};databaseName=${env.DB_DATABASE:keycloak};sendStringParametersAsUnicode=false;integratedSecurity=false;user=${env.DB_USER:keycloak};password=${env.DB_PASSWORD:password};${env.JDBC_PARAMS:}", driver-name=sqlserver)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=sqlserver:add(driver-name=sqlserver,driver-module-name=com.microsoft.sqlserver.jdbc,driver-xa-datasource-class-name=com.microsoft.sqlserver.jdbc.SQLServerXADataSource)
+
+/subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:dbo})

keycloak/tools/cli/databases/mssql/standalone-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/mssql/standalone-ha-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/mysql/change-database.cli

@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mysql)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql, driver-module-name=com.mysql.jdbc, driver-xa-datasource-class-name=com.mysql.cj.jdbc.MysqlXADataSource)

keycloak/tools/cli/databases/mysql/standalone-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/mysql/standalone-ha-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/oracle/change-database.cli

@@ -0,0 +1,9 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:oracle:thin:@${env.DB_ADDR:oracle}:${env.DB_PORT:1521}:${env.DB_DATABASE:XE}${env.JDBC_PARAMS:}, driver-name=oracle)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:SYSTEM})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:oracle})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM dual")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle, driver-module-name=com.oracle.jdbc, driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource)

keycloak/tools/cli/databases/oracle/standalone-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/oracle/standalone-ha-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/postgres/change-database.cli

@@ -0,0 +1,11 @@
+/subsystem=datasources/data-source=KeycloakDS: remove()
+/subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:postgresql://${env.DB_ADDR:postgres}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=postgresql)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
+/subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
+/subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
+
+/subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:public})

keycloak/tools/cli/databases/postgres/standalone-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/postgres/change-database.cli
+stop-embedded-server

keycloak/tools/cli/databases/postgres/standalone-ha-configuration.cli

@@ -0,0 +1,3 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/databases/postgres/change-database.cli
+stop-embedded-server

keycloak/tools/cli/files-plaintext-vault.cli

@@ -0,0 +1,6 @@
+embed-server --server-config=$configuration_file --std-out=discard
+echo ** Adding vault spi **
+/subsystem=keycloak-server/spi=vault/:add
+/subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true,properties={dir => $plaintext_vault_provider_dir})
+stop-embedded-server
+

keycloak/tools/cli/hostname.cli

@@ -0,0 +1,2 @@
+/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value="${keycloak.hostname.provider:default}")
+/subsystem=keycloak-server/spi=hostname/provider=fixed/:add(properties={hostname => "${keycloak.hostname.fixed.hostname:localhost}",httpPort => "${keycloak.hostname.fixed.httpPort:-1}",httpsPort => "${keycloak.hostname.fixed.httpsPort:-1}",alwaysHttps => "${keycloak.hostname.fixed.alwaysHttps:false}"},enabled=true)

keycloak/tools/cli/infinispan/cache-owners.cli

@@ -0,0 +1,11 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_AUTH_SESSIONS_COUNT:1})
+run-batch
+stop-embedded-server

keycloak/tools/cli/jgroups/discovery/default.cli

@@ -0,0 +1,11 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=jgroups/stack=udp/protocol=PING:remove()
+/subsystem=jgroups/stack=udp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
+
+/subsystem=jgroups/stack=tcp/protocol=MPING:remove()
+/subsystem=jgroups/stack=tcp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
+
+/subsystem=jgroups/channel=ee:write-attribute(name="stack", value=$keycloak_jgroups_transport_stack)
+run-batch
+stop-embedded-server

keycloak/tools/cli/loglevel.cli

@@ -0,0 +1,9 @@
+/subsystem=logging/logger=org.keycloak:add
+/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=${env.KEYCLOAK_LOGLEVEL:INFO})
+
+/subsystem=logging/root-logger=ROOT:change-root-log-level(level=${env.ROOT_LOGLEVEL:INFO})
+
+/subsystem=logging/root-logger=ROOT:remove-handler(name="FILE")
+/subsystem=logging/periodic-rotating-file-handler=FILE:remove
+
+/subsystem=logging/console-handler=CONSOLE:undefine-attribute(name=level)

keycloak/tools/cli/metrics/db.cli

@@ -0,0 +1,5 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=datasources/data-source=KeycloakDS:write-attribute(name=statistics-enabled, value=true)
+run-batch
+stop-embedded-server

keycloak/tools/cli/metrics/http.cli

@@ -0,0 +1,5 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=undertow:write-attribute(name=statistics-enabled,value=true)
+run-batch
+stop-embedded-server

keycloak/tools/cli/metrics/jgroups.cli

@@ -0,0 +1,5 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+batch
+/subsystem=jgroups/channel=ee:write-attribute(name=statistics-enabled, value=true)
+run-batch
+stop-embedded-server

keycloak/tools/cli/proxy.cli

@@ -0,0 +1,2 @@
+/subsystem=undertow/server=default-server/http-listener=default: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})
+/subsystem=undertow/server=default-server/https-listener=https: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})

keycloak/tools/cli/standalone-configuration.cli

@@ -0,0 +1,6 @@
+embed-server --server-config=standalone.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/loglevel.cli
+run-batch --file=/opt/jboss/tools/cli/proxy.cli
+run-batch --file=/opt/jboss/tools/cli/hostname.cli
+run-batch --file=/opt/jboss/tools/cli/theme.cli
+stop-embedded-server

keycloak/tools/cli/standalone-ha-configuration.cli

@@ -0,0 +1,6 @@
+embed-server --server-config=standalone-ha.xml --std-out=echo
+run-batch --file=/opt/jboss/tools/cli/loglevel.cli
+run-batch --file=/opt/jboss/tools/cli/proxy.cli
+run-batch --file=/opt/jboss/tools/cli/hostname.cli
+run-batch --file=/opt/jboss/tools/cli/theme.cli
+stop-embedded-server

keycloak/tools/cli/theme.cli

@@ -0,0 +1,2 @@
+/subsystem=keycloak-server/theme=defaults:write-attribute(name=welcomeTheme,value=${env.KEYCLOAK_WELCOME_THEME:keycloak})
+/subsystem=keycloak-server/theme=defaults:write-attribute(name=default,value=${env.KEYCLOAK_DEFAULT_THEME:keycloak})

keycloak/tools/cli/x509-keystore.cli

@@ -0,0 +1,9 @@
+embed-server --server-config=$configuration_file --std-out=discard
+/subsystem=elytron/key-store=kcKeyStore:add(path=$keycloak_tls_keystore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/key-manager=kcKeyManager:add(key-store=kcKeyStore,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/server-ssl-context=kcSSLContext:add(key-manager=kcKeyManager)
+batch
+/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
+/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=kcSSLContext)
+run-batch
+stop-embedded-server

keycloak/tools/cli/x509-truststore.cli

@@ -0,0 +1,25 @@
+embed-server --server-config=$configuration_file --std-out=discard
+/subsystem=elytron/key-store=kcTrustStore:add(path=$keycloak_tls_truststore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_truststore_password})
+/subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore)
+if (outcome != success) of /subsystem=elytron/server-ssl-context=kcSSLContext:read-resource
+    # Since WF requires a Key Manager for creating /subsystem=elytron/server-ssl-context, there's nothing we can do at this point.
+    # We can not automatically generate a self-signed key (Elytron doesn't support this, see https://docs.wildfly.org/13/WildFly_Elytron_Security.html#configure-ssltls),
+    # and we don't have anything else at hand.
+    # However, there is no big harm here - the Trust Store is more needed by Keycloak Truststore SPI.
+    echo "WARNING! There is no Key Manager (No Key Store specified). Skipping HTTPS Listener configuration..."
+else
+    # The SSL Context has been added by keystore, not much to do - just append trust store and we are done.
+	/subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=trust-manager, value=kcTrustManager)
+    /subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=want-client-auth, value=true)
+end-if
+
+if (outcome != success) of /subsystem=keycloak-server/spi=truststore:read-resource
+    /subsystem=keycloak-server/spi=truststore/:add
+end-if
+/subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true,properties={ \
+    file => $keycloak_tls_truststore_file, \
+    password => $keycloak_tls_truststore_password, \
+    hostname-verification-policy => "WILDCARD", \
+disabled => "false"})
+
+stop-embedded-server

keycloak/tools/databases/change-database.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+DB_VENDOR=$1
+
+cd /opt/jboss/keycloak
+
+bin/jboss-cli.sh --file=/opt/jboss/tools/cli/databases/$DB_VENDOR/standalone-configuration.cli
+rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
+
+bin/jboss-cli.sh --file=/opt/jboss/tools/cli/databases/$DB_VENDOR/standalone-ha-configuration.cli
+rm -rf standalone/configuration/standalone_xml_history/current/*

keycloak/tools/databases/mariadb/module.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2010, Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags. See the copyright.txt file in the
+  ~ distribution for a full listing of individual contributors.
+  ~
+  ~ This is free software; you can redistribute it and/or modify it
+  ~ under the terms of the GNU Lesser General Public License as
+  ~ published by the Free Software Foundation; either version 2.1 of
+  ~ the License, or (at your option) any later version.
+  ~
+  ~ This software is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  ~ Lesser General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Lesser General Public
+  ~ License along with this software; if not, write to the Free
+  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  -->
+<module xmlns="urn:jboss:module:1.0" name="org.mariadb.jdbc">
+   <resources>
+      <resource-root path="mariadb-jdbc.jar"/>
+   </resources>
+   <dependencies>
+      <module name="javax.api"/>
+      <module name="javax.transaction.api"/>
+   </dependencies>
+</module>

keycloak/tools/databases/mssql/module.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module xmlns="urn:jboss:module:1.3" name="com.microsoft.sqlserver.jdbc">
+
+<resources>
+    <resource-root path="mssql-jdbc.jar"/>
+</resources>
+<dependencies>
+    <module name="javax.api"/>
+    <module name="javax.transaction.api"/>
+    <module name="javax.xml.bind.api"/>
+    <module name="javax.servlet.api" optional="true"/>
+</dependencies>
+</module>

keycloak/tools/databases/mysql/module.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2010, Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags. See the copyright.txt file in the
+  ~ distribution for a full listing of individual contributors.
+  ~
+  ~ This is free software; you can redistribute it and/or modify it
+  ~ under the terms of the GNU Lesser General Public License as
+  ~ published by the Free Software Foundation; either version 2.1 of
+  ~ the License, or (at your option) any later version.
+  ~
+  ~ This software is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  ~ Lesser General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Lesser General Public
+  ~ License along with this software; if not, write to the Free
+  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  -->
+<module xmlns="urn:jboss:module:1.0" name="com.mysql.jdbc">
+  <resources>
+    <resource-root path="mysql-connector-java-JDBC_MYSQL_VERSION.jar"/>
+  </resources>
+  <dependencies>
+    <module name="javax.api"/>
+    <module name="javax.transaction.api"/>
+  </dependencies>
+</module>

keycloak/tools/databases/oracle/module.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2010, Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags. See the copyright.txt file in the
+  ~ distribution for a full listing of individual contributors.
+  ~
+  ~ This is free software; you can redistribute it and/or modify it
+  ~ under the terms of the GNU Lesser General Public License as
+  ~ published by the Free Software Foundation; either version 2.1 of
+  ~ the License, or (at your option) any later version.
+  ~
+  ~ This software is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  ~ Lesser General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Lesser General Public
+  ~ License along with this software; if not, write to the Free
+  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  -->
+<module xmlns="urn:jboss:module:1.0" name="com.oracle.jdbc">
+  <resources>
+    <resource-root path="driver/ojdbc.jar"/>
+  </resources>
+  <dependencies>
+    <module name="javax.api"/>
+    <module name="javax.transaction.api"/>
+  </dependencies>
+</module>

keycloak/tools/databases/postgres/module.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2010, Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags. See the copyright.txt file in the
+  ~ distribution for a full listing of individual contributors.
+  ~
+  ~ This is free software; you can redistribute it and/or modify it
+  ~ under the terms of the GNU Lesser General Public License as
+  ~ published by the Free Software Foundation; either version 2.1 of
+  ~ the License, or (at your option) any later version.
+  ~
+  ~ This software is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  ~ Lesser General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Lesser General Public
+  ~ License along with this software; if not, write to the Free
+  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  -->
+<module xmlns="urn:jboss:module:1.0" name="org.postgresql.jdbc">
+   <resources>
+      <resource-root path="postgres-jdbc.jar"/>
+   </resources>
+   <dependencies>
+      <module name="javax.api"/>
+      <module name="javax.transaction.api"/>
+   </dependencies>
+</module>

keycloak/tools/docker-entrypoint.sh

@@ -0,0 +1,234 @@
+#!/bin/bash
+set -eou pipefail
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+    if [[ ${!var:-} && ${!fileVar:-} ]]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+    local val="$def"
+    if [[ ${!var:-} ]]; then
+        val="${!var}"
+    elif [[ ${!fileVar:-} ]]; then
+        val="$(< "${!fileVar}")"
+    fi
+
+    if [[ -n $val ]]; then
+        export "$var"="$val"
+    fi
+
+    unset "$fileVar"
+}
+
+SYS_PROPS=""
+
+##################
+# Add admin user #
+##################
+
+file_env 'KEYCLOAK_USER'
+file_env 'KEYCLOAK_PASSWORD'
+
+if [[ -n ${KEYCLOAK_USER:-} && -n ${KEYCLOAK_PASSWORD:-} ]]; then
+    /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD"
+fi
+
+############
+# Hostname #
+############
+
+if [[ -n ${KEYCLOAK_FRONTEND_URL:-} ]]; then
+    SYS_PROPS+="-Dkeycloak.frontendUrl=$KEYCLOAK_FRONTEND_URL"
+fi
+
+if [[ -n ${KEYCLOAK_HOSTNAME:-} ]]; then
+    SYS_PROPS+=" -Dkeycloak.hostname.provider=fixed -Dkeycloak.hostname.fixed.hostname=$KEYCLOAK_HOSTNAME"
+
+    if [[ -n ${KEYCLOAK_HTTP_PORT:-} ]]; then
+        SYS_PROPS+=" -Dkeycloak.hostname.fixed.httpPort=$KEYCLOAK_HTTP_PORT"
+    fi
+
+    if [[ -n ${KEYCLOAK_HTTPS_PORT:-} ]]; then
+        SYS_PROPS+=" -Dkeycloak.hostname.fixed.httpsPort=$KEYCLOAK_HTTPS_PORT"
+    fi
+
+    if [[ -n ${KEYCLOAK_ALWAYS_HTTPS:-} ]]; then
+            SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=$KEYCLOAK_ALWAYS_HTTPS"
+    fi
+fi
+
+################
+# Realm import #
+################
+
+if [[ -n ${KEYCLOAK_IMPORT:-} ]]; then
+    SYS_PROPS+=" -Dkeycloak.import=$KEYCLOAK_IMPORT"
+fi
+
+########################
+# JGroups bind options #
+########################
+
+if [[ -z ${BIND:-} ]]; then
+    BIND=$(hostname --all-ip-addresses)
+fi
+if [[ -z ${BIND_OPTS:-} ]]; then
+    for BIND_IP in $BIND
+    do
+        BIND_OPTS+=" -Djboss.bind.address=$BIND_IP -Djboss.bind.address.private=$BIND_IP "
+    done
+fi
+SYS_PROPS+=" $BIND_OPTS"
+
+#########################################
+# Expose management console for metrics #
+#########################################
+
+if [[ -n ${KEYCLOAK_STATISTICS:-} ]] ; then
+    SYS_PROPS+=" -Djboss.bind.address.management=0.0.0.0"
+fi
+
+#################
+# Configuration #
+#################
+
+# If the server configuration parameter is not present, append the HA profile.
+if echo "$@" | grep -E -v -- '-c |-c=|--server-config |--server-config='; then
+    SYS_PROPS+=" -c=standalone-ha.xml"
+fi
+
+############
+# DB setup #
+############
+
+file_env 'DB_USER'
+file_env 'DB_PASSWORD'
+# Lower case DB_VENDOR
+if [[ -n ${DB_VENDOR:-} ]]; then
+  DB_VENDOR=$(echo "$DB_VENDOR" | tr "[:upper:]" "[:lower:]")
+fi
+
+# Detect DB vendor from default host names
+if [[ -z ${DB_VENDOR:-} ]]; then
+    if (getent hosts postgres &>/dev/null); then
+        export DB_VENDOR="postgres"
+    elif (getent hosts mysql &>/dev/null); then
+        export DB_VENDOR="mysql"
+    elif (getent hosts mariadb &>/dev/null); then
+        export DB_VENDOR="mariadb"
+    elif (getent hosts oracle &>/dev/null); then
+        export DB_VENDOR="oracle"
+    elif (getent hosts mssql &>/dev/null); then
+        export DB_VENDOR="mssql"
+    fi
+fi
+
+# Detect DB vendor from legacy `*_ADDR` environment variables
+if [[ -z ${DB_VENDOR:-} ]]; then
+    if (printenv | grep '^POSTGRES_ADDR=' &>/dev/null); then
+        export DB_VENDOR="postgres"
+    elif (printenv | grep '^MYSQL_ADDR=' &>/dev/null); then
+        export DB_VENDOR="mysql"
+    elif (printenv | grep '^MARIADB_ADDR=' &>/dev/null); then
+        export DB_VENDOR="mariadb"
+    elif (printenv | grep '^ORACLE_ADDR=' &>/dev/null); then
+        export DB_VENDOR="oracle"
+    elif (printenv | grep '^MSSQL_ADDR=' &>/dev/null); then
+        export DB_VENDOR="mssql"
+    fi
+fi
+
+# Default to H2 if DB type not detected
+if [[ -z ${DB_VENDOR:-} ]]; then
+    export DB_VENDOR="h2"
+fi
+
+# if the DB_VENDOR is postgres then append port to the DB_ADDR
+function append_port_db_addr() {
+  local db_host_regex='^[a-zA-Z0-9]([a-zA-Z0-9]|-|.)*:[0-9]{4,5}$'
+  IFS=',' read -ra addresses <<< "$DB_ADDR"
+  DB_ADDR=""
+  for i in "${addresses[@]}"; do
+    if [[ $i =~ $db_host_regex ]]; then
+        DB_ADDR+=$i;
+     else
+        DB_ADDR+="${i}:${DB_PORT}";
+     fi
+        DB_ADDR+=","
+  done
+  DB_ADDR=$(echo $DB_ADDR | sed 's/.$//') # remove the last comma
+}
+# Set DB name
+case "$DB_VENDOR" in
+    postgres)
+        DB_NAME="PostgreSQL"
+        if [[ -z ${DB_PORT:-} ]] ; then
+          DB_PORT="5432"
+        fi
+        append_port_db_addr
+        ;;
+    mysql)
+        DB_NAME="MySQL";;
+    mariadb)
+        DB_NAME="MariaDB";;
+    oracle)
+        DB_NAME="Oracle";;
+    h2)
+        DB_NAME="Embedded H2";;
+    mssql)
+        DB_NAME="Microsoft SQL Server";;
+    *)
+        echo "Unknown DB vendor $DB_VENDOR"
+        exit 1
+esac
+
+# Append '?' in the beggining of the string if JDBC_PARAMS value isn't empty
+JDBC_PARAMS=$(echo "${JDBC_PARAMS:-}" | sed '/^$/! s/^/?/')
+export JDBC_PARAMS
+
+# Convert deprecated DB specific variables
+function set_legacy_vars() {
+  local suffixes=(ADDR DATABASE USER PASSWORD PORT)
+  for suffix in "${suffixes[@]}"; do
+    local varname="$1_$suffix"
+    if [[ -n ${!varname:-} ]]; then
+      echo WARNING: "$varname" variable name is DEPRECATED replace with DB_"$suffix"
+      export DB_"$suffix=${!varname}"
+    fi
+  done
+}
+set_legacy_vars "$(echo "$DB_VENDOR" | tr "[:upper:]" "[:lower:]")"
+
+# Configure DB
+
+echo "========================================================================="
+echo ""
+echo "  Using $DB_NAME database"
+echo ""
+echo "========================================================================="
+echo ""
+
+if [ "$DB_VENDOR" != "h2" ]; then
+    /bin/sh /opt/jboss/tools/databases/change-database.sh $DB_VENDOR
+fi
+
+/opt/jboss/tools/x509.sh
+/opt/jboss/tools/jgroups.sh
+/opt/jboss/tools/infinispan.sh
+/opt/jboss/tools/statistics.sh
+/opt/jboss/tools/autorun.sh
+/opt/jboss/tools/vault.sh
+
+##################
+# Start Keycloak #
+##################
+
+exec /opt/jboss/keycloak/bin/standalone.sh $SYS_PROPS $@
+exit $?

keycloak/tools/infinispan.sh

@@ -0,0 +1,14 @@
+# How many owners / replicas should our distributed caches have. If <2 any node that is removed from the cluster will cause a data-loss!
+# As it is only sensible to replicate AuthenticationSessions for certain cases, their replication factor can be configured independently
+
+if [ -n "$CACHE_OWNERS_COUNT" ]; then
+    echo "Setting cache owners to $CACHE_OWNERS_COUNT replicas"
+
+    # Check and log the replication factor of AuthenticationSessions, otherwise this is set to 1 by default
+    if [ -n "$CACHE_OWNERS_AUTH_SESSIONS_COUNT" ]; then
+        echo "Enabling replication of AuthenticationSessions with ${CACHE_OWNERS_AUTH_SESSIONS_COUNT} replicas"
+    else
+        echo "AuthenticationSessions will NOT be replicated, set CACHE_OWNERS_AUTH_SESSIONS_COUNT to configure this"
+    fi
+$JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/infinispan/cache-owners.cli" >& /dev/null
+fi

keycloak/tools/jgroups.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# If JGROUPS_DISCOVERY_PROPERTIES is set, it must be in the following format: PROP1=FOO,PROP2=BAR
+# If JGROUPS_DISCOVERY_PROPERTIES_DIRECT is set, it must be in the following format: {PROP1=>FOO,PROP2=>BAR}
+# It's a configuration error to set both of these variables
+
+if [ -n "$JGROUPS_DISCOVERY_PROTOCOL" ]; then
+    if [ -n "$JGROUPS_DISCOVERY_PROPERTIES" ] && [ -n "$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" ]; then
+       echo >&2 "error: both JGROUPS_DISCOVERY_PROPERTIES and JGROUPS_DISCOVERY_PROPERTIES_DIRECT are set (but are exclusive)"
+       exit 1
+    fi
+
+    if [ -n "$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" ]; then
+       JGROUPS_DISCOVERY_PROPERTIES_PARSED="$JGROUPS_DISCOVERY_PROPERTIES_DIRECT"
+    else
+       JGROUPS_DISCOVERY_PROPERTIES_PARSED=`echo $JGROUPS_DISCOVERY_PROPERTIES | sed "s/=/=>/g"`
+       JGROUPS_DISCOVERY_PROPERTIES_PARSED="{$JGROUPS_DISCOVERY_PROPERTIES_PARSED}"
+    fi
+
+    echo "Setting JGroups discovery to $JGROUPS_DISCOVERY_PROTOCOL with properties $JGROUPS_DISCOVERY_PROPERTIES_PARSED"
+    echo "set keycloak_jgroups_discovery_protocol=${JGROUPS_DISCOVERY_PROTOCOL}" >> "$JBOSS_HOME/bin/.jbossclirc"
+    echo "set keycloak_jgroups_discovery_protocol_properties=${JGROUPS_DISCOVERY_PROPERTIES_PARSED}" >> "$JBOSS_HOME/bin/.jbossclirc"
+    echo "set keycloak_jgroups_transport_stack=${JGROUPS_TRANSPORT_STACK:-tcp}" >> "$JBOSS_HOME/bin/.jbossclirc"
+    # If there's a specific CLI file for given protocol - execute it. If not, we should be good with the default one.
+    if [ -f "/opt/jboss/tools/cli/jgroups/discovery/$JGROUPS_DISCOVERY_PROTOCOL.cli" ]; then
+       $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/jgroups/discovery/$JGROUPS_DISCOVERY_PROTOCOL.cli" >& /dev/null
+    else
+       $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/jgroups/discovery/default.cli" >& /dev/null
+    fi
+fi

keycloak/tools/statistics.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ -n "$KEYCLOAK_STATISTICS" ]; then
+   IFS=',' read -ra metrics <<< "$KEYCLOAK_STATISTICS"
+   for file in /opt/jboss/tools/cli/metrics/*.cli; do
+      name=${file##*/}
+      base=${name%.cli}
+      if [[  $KEYCLOAK_STATISTICS == *"$base"* ]] || [[  $KEYCLOAK_STATISTICS == *"all"* ]];  then
+         $JBOSS_HOME/bin/jboss-cli.sh --file="$file" >& /dev/null
+      fi
+   done
+fi

keycloak/tools/vault.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ -d "$JBOSS_HOME/secrets" ]; then
+    echo "set plaintext_vault_provider_dir=${JBOSS_HOME}/secrets" >> "$JBOSS_HOME/bin/.jbossclirc"
+
+    echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
+    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/files-plaintext-vault.cli
+    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
+
+    echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
+    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/files-plaintext-vault.cli
+    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
+fi

keycloak/tools/x509.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+function autogenerate_keystores() {
+  # Keystore infix notation as used in templates to keystore name mapping
+  declare -A KEYSTORES=( ["https"]="HTTPS" )
+
+  local KEYSTORES_STORAGE="${JBOSS_HOME}/standalone/configuration/keystores"
+  if [ ! -d "${KEYSTORES_STORAGE}" ]; then
+    mkdir -p "${KEYSTORES_STORAGE}"
+  fi
+
+  # Auto-generate the HTTPS keystore if volumes for OpenShift's
+  # serving x509 certificate secrets service were properly mounted
+  for KEYSTORE_TYPE in "${!KEYSTORES[@]}"; do
+
+    local X509_KEYSTORE_DIR="/etc/x509/${KEYSTORE_TYPE}"
+    local X509_CRT="tls.crt"
+    local X509_KEY="tls.key"
+    local NAME="keycloak-${KEYSTORE_TYPE}-key"
+    local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
+    local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks"
+    local PKCS12_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.pk12"
+
+    if [ -f "${X509_KEYSTORE_DIR}/${X509_KEY}" ] && [ -f "${X509_KEYSTORE_DIR}/${X509_CRT}" ]; then
+
+      echo "Creating ${KEYSTORES[$KEYSTORE_TYPE]} keystore via OpenShift's service serving x509 certificate secrets.."
+
+      openssl pkcs12 -export \
+      -name "${NAME}" \
+      -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
+      -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
+      -out "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
+      -password pass:"${PASSWORD}" >& /dev/null
+
+      keytool -importkeystore -noprompt \
+      -srcalias "${NAME}" -destalias "${NAME}" \
+      -srckeystore "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
+      -srcstoretype pkcs12 \
+      -destkeystore "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" \
+      -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}" >& /dev/null
+
+      if [ -f "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" ]; then
+        echo "${KEYSTORES[$KEYSTORE_TYPE]} keystore successfully created at: ${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}"
+      fi
+
+      echo "set keycloak_tls_keystore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc"
+      echo "set keycloak_tls_keystore_file=${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" >> "$JBOSS_HOME/bin/.jbossclirc"
+      echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
+      $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null
+      sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
+      echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
+      $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null
+      sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
+    fi
+
+  done
+
+  # Auto-generate the Keycloak truststore if X509_CA_BUNDLE was provided
+  local -r X509_CRT_DELIMITER="/-----BEGIN CERTIFICATE-----/"
+  local JKS_TRUSTSTORE_FILE="truststore.jks"
+  local JKS_TRUSTSTORE_PATH="${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}"
+  local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
+  local TEMPORARY_CERTIFICATE="temporary_ca.crt"
+  if [ -n "${X509_CA_BUNDLE}" ]; then
+    pushd /tmp >& /dev/null
+    echo "Creating Keycloak truststore.."
+    # We use cat here, so that users could specify multiple CA Bundles using space or even wildcard:
+    # X509_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/*.crt
+    # Note, that there is no quotes here, that's intentional. Once can use spaces in the $X509_CA_BUNDLE like this:
+    # X509_CA_BUNDLE=/ca.crt /ca2.crt
+    cat ${X509_CA_BUNDLE} > ${TEMPORARY_CERTIFICATE}
+    csplit -s -z -f crt- "${TEMPORARY_CERTIFICATE}" "${X509_CRT_DELIMITER}" '{*}'
+    for CERT_FILE in crt-*; do
+      keytool -import -noprompt -keystore "${JKS_TRUSTSTORE_PATH}" -file "${CERT_FILE}" \
+      -storepass "${PASSWORD}" -alias "service-${CERT_FILE}" >& /dev/null
+    done
+
+    if [ -f "${JKS_TRUSTSTORE_PATH}" ]; then
+      echo "Keycloak truststore successfully created at: ${JKS_TRUSTSTORE_PATH}"
+    fi
+
+    # Import existing system CA certificates into the newly generated truststore
+    local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
+    if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
+      echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
+      keytool -importkeystore -noprompt \
+      -srckeystore "${SYSTEM_CACERTS}" \
+      -destkeystore "${JKS_TRUSTSTORE_PATH}" \
+      -srcstoretype jks -deststoretype jks \
+      -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
+      if [ "$?" -eq "0" ]; then
+        echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
+      else
+        echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
+      fi
+    fi
+
+    echo "set keycloak_tls_truststore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc"
+    echo "set keycloak_tls_truststore_file=${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}" >> "$JBOSS_HOME/bin/.jbossclirc"
+    echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
+    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-truststore.cli >& /dev/null
+    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
+    echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
+    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-truststore.cli >& /dev/null
+    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
+
+    popd >& /dev/null
+  fi
+}
+
+autogenerate_keystores