initial commit

2025-01-10 18:43:29 +00:00 · 2020-07-29 16:01:00 +02:00 · 2020-07-29 16:01:00 +02:00 · 21c2ec0f00
commit 21c2ec0f00
59 changed files with 1683 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,93 @@
 image: docker:stable-git
 services:
  - docker:stable-dind
 variables:
  DOCKER_DRIVER: overlay2
  DOCKER_CLI_EXPERIMENTAL: enabled
  DOCKER_BUILDKIT: 1
 dev-pgadmin4:
  stage: build
  tags:
   - docker
  script:
    - make pgadmin4-nopush
  only:
    variables:
      - $CI_COMMIT_REF_PROTECTED == "false"
 pgadmin4:
  stage: build
  tags:
   - docker
  script:
    - make pgadmin4
  only:
    variables:
      - $CI_COMMIT_REF_PROTECTED == "true"
 dev-mc:
  stage: build
  tags:
   - docker
  script:
    - make mc-nopush
  only:
    variables:
      - $CI_COMMIT_REF_PROTECTED == "false"
 mc:
  stage: build
  tags:
   - docker
  script:
    - make mc
  only:
    variables:
      - $CI_COMMIT_REF_PROTECTED == "true"
 dev-keycloak:
  stage: build
  tags:
   - docker
  script:
    - make keycloak-nopush
  only:
    variables:
      - $CI_COMMIT_REF_PROTECTED == "false"
 keycloak:
  stage: build
  tags:
   - docker
  script:
    - make keycloak
  only:
    variables:
      - $CI_COMMIT_REF_PROTECTED == "true"
 .docker_init: &docker_init |
  if ! docker info &>/dev/null; then
    if [ -z "${DOCKER_HOST}" -a "${KUBERNETES_PORT}" ]; then
      export DOCKER_HOST='tcp://localhost:2375'
    fi
  fi
  docker run --rm --privileged docker/binfmt:a7996909642ee92942dcd6cff44b9b95f08dad64
  ls -al /proc/sys/fs/binfmt_misc/
  if [ "${CI_COMMIT_REF_PROTECTED}" == "true" ]; then 
    echo "Log on Docker Hub"
    echo "${DOCKER_HUB_KEY}" | docker login -u "alemairebe" --password-stdin
  fi
  mkdir -p /root/.docker/cli-plugins
  wget https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-amd64
  mv buildx-v0.4.1.linux-amd64 /root/.docker/cli-plugins/docker-buildx
  chmod +x /root/.docker/cli-plugins/docker-buildx
 before_script:
  - *docker_init
  - apk add --update make 
  - docker buildx create --use --platform linux/amd64,linux/arm64,linux/arm,linux/ppc64le
  - docker buildx ls
--- a/7
+++ b/7
@ -0,0 +1,7 @@
 .DEFAULT: all
 .PHONY: mc keycloak pgadmin4
 all: mc keycloak pgadmin4
 include */Makefile
--- a/debian.version
+++ b/debian.version
@ -0,0 +1 @@
 DEBIAN_VERSION=stable-20200607-slim
--- a/keycloak/Dockerfile
+++ b/keycloak/Dockerfile
@ -0,0 +1,38 @@
 FROM debian:stable-20200720-slim
 ADD https://curl.haxx.se/ca/cacert.pem /etc/ssl/certs/cacert.pem
 ENV CURL_CA_BUNDLE=/etc/ssl/certs/cacert.pem
 ARG KEYCLOAK_VERSION
 ENV KEYCLOAK_VERSION $KEYCLOAK_VERSION
 ENV JDBC_POSTGRES_VERSION 42.2.9
 ENV JDBC_MYSQL_VERSION 8.0.20
 ENV JDBC_MARIADB_VERSION 2.6.1
 ENV JDBC_MSSQL_VERSION 8.2.2.jre11
 ENV LAUNCH_JBOSS_IN_BACKGROUND 1
 ENV PROXY_ADDRESS_FORWARDING false
 ENV JBOSS_HOME /opt/jboss/keycloak
 ENV LANG en_US.UTF-8
 ARG GIT_REPO
 ARG GIT_BRANCH
 ARG KEYCLOAK_DIST=https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/keycloak-$KEYCLOAK_VERSION.tar.gz
 RUN mkdir -p /usr/share/man/man1 \
  && export DEBIAN_FRONTEND=noninteractive \
  && apt update -qq \
  && apt install -qqy openjdk-11-jre-headless openssl curl \
  && apt-get clean \
  && rm -rf /var/lib/apt
 ADD tools /opt/jboss/tools
 RUN /opt/jboss/tools/build-keycloak.sh
 USER 1000
 EXPOSE 8080
 EXPOSE 8443
 ENTRYPOINT [ "/opt/jboss/tools/docker-entrypoint.sh" ]
 CMD ["-b", "0.0.0.0"]
--- a/keycloak/Makefile
+++ b/keycloak/Makefile
@ -0,0 +1,13 @@
 include keycloak/keycloak.version
 keycloak-nopush:
 	docker buildx build --platform linux/amd64 --load \
 	    --build-arg KEYCLOAK_VERSION=$(KEYCLOAK_VERSION) \
 	    --tag alemairebe/keycloak:$(KEYCLOAK_VERSION) keycloak
 keycloak:
 	docker buildx build --platform linux/amd64,linux/arm64,linux/arm --push \
 	    --build-arg KEYCLOAK_VERSION=$(KEYCLOAK_VERSION) \
 	    --cache-from=type=registry,ref=alemairebe/keycloak \
 	    --cache-to=type=registry,ref=alemairebe/keycloak \
 	    --tag alemairebe/keycloak:$(KEYCLOAK_VERSION) keycloak
--- a/keycloak/README.md
+++ b/keycloak/README.md
@ -0,0 +1,480 @@
 # Keycloak Docker image
 Keycloak Server Docker image.
 ## Usage
 To boot in standalone mode
    docker run jboss/keycloak
 ## Build alemaire
    KEYCLOAK_VERSION=10.0.2
    docker buildx build --platform linux/amd64,linux/arm64,linux/ppc64le --push --build-arg KEYCLOAK_VERSION=$KEYCLOAK_VERSION --tag alemairebe/keycloak:$KEYCLOAK_VERSION .
 ## Expose on localhost
 To be able to open Keycloak on localhost map port 8080 locally
    docker run -p 8080:8080 jboss/keycloak
 ## Creating admin account
 By default there is no admin user created so you won't be able to login to the admin console. To create an admin account
 you need to use environment variables to pass in an initial username and password. This is done by running:
    docker run -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> jboss/keycloak
 You can also create an account on an already running container by running:
    docker exec <CONTAINER> /opt/jboss/keycloak/bin/add-user-keycloak.sh -u <USERNAME> -p <PASSWORD>
 Then restarting the container:
    docker restart <CONTAINER>
 ### Providing the username and password via files
 By appending `_FILE` to the two environment variables used above (`KEYCLOAK_USER_FILE` and `KEYCLOAK_PASSWORD_FILE`),
 the information can be provided via files instead of plain environment variable values.
 The configuration and secret support in Docker Swarm is a perfect match for this use case. 
 ## Importing a realm
 To create an admin account and import a previously exported realm run:
    docker run -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> \
        -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
 ## Exporting a realm
 If you want to export a realm that you have created/updated, on an instance of Keycloak running within a docker container. You'll need to ensure the container running Keycloak has a volume mapped. 
 For example you can start Keycloak via docker with: 
 	docker run -d -p 8180:8080 -e KEYCLOAK_USER=admin -e \
 	KEYCLOAK_PASSWORD=admin -v $(pwd):/tmp --name kc \
 	jboss/keycloak
 You can then get the export from this instance by running (notice we use `-Djboss.socket.binding.port-offset=100` so that the export runs on a different port than Keycloak itself):
 	docker exec -it kc /opt/jboss/keycloak/bin/standalone.sh \
 	-Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export \
 	-Dkeycloak.migration.provider=singleFile \
 	-Dkeycloak.migration.realmName=my_realm \
 	-Dkeycloak.migration.usersExportStrategy=REALM_FILE \
 	-Dkeycloak.migration.file=/tmp/my_realm.json
 There is more detail on the options you can user for export functionality on Keycloak's main documentation site at: [Export and Import](https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import)
 ## Database
 This image supports using H2, MySQL, PostgreSQL, MariaDB, Oracle or Microsoft SQL Server as the database.
 You can specify the DB vendor directly with the `DB_VENDOR` environment variable. Supported values are:
 - `h2` for the embedded H2 database,
 - `postgres` for the Postgres database,
 - `mysql` for the MySql database.
 - `mariadb` for the MariaDB database.
 - `oracle` for the Oracle database.
 - `mssql` for the Microsoft SQL Server database.
 If `DB_VENDOR` value is not specified the image will try to detect the DB vendor based on the following logic:
 - Is the default host name for the DB set using `getent hosts` (`postgres`, `mysql`, `mariadb`, `oracle`, `mssql`). This works if you are
 using a user defined network and the default names as specified below.
 - Is there a DB specific `_ADDR` environment variable set (`POSTGRES_ADDR`, `MYSQL_ADDR`, `MARIADB_ADDR`, `ORACLE_ADDR`). **Deprecated**
 If the DB can't be detected it will default to the embedded H2 database.
 ### Environment variables
 Generic variable names can be used to configure any Database type, defaults may vary depending on the Database.
 - `DB_ADDR`: Specify hostname of the database (optional). For postgres only, you can provide a list of hostnames separated by
 comma to failover alternative host. The hostname can be the host only or pair of host and port, as example host1,host2 or 
 host1:5421,host2:5436 or host1,host2:5000. And keycloak will append DB_PORT (if specify) to the hosts without port, 
 otherwise it will append the default port 5432, again to the address without port only.
 - `DB_PORT`: Specify port of the database (optional, default is DB vendor default port)
 - `DB_DATABASE`: Specify name of the database to use (optional, default is `keycloak`).
 - `DB_SCHEMA`: Specify name of the schema to use for DB that support schemas (optional, default is public on Postgres).
 - `DB_USER`: Specify user to use to authenticate to the database (optional, default is ``).
 - `DB_USER_FILE`: Specify user to authenticate to the database via file input (alternative to `DB_USER`).
 - `DB_PASSWORD`: Specify user's password to use to authenticate to the database (optional, default is ``).
 - `DB_PASSWORD_FILE`: Specify user's password to use to authenticate to the database via file input (alternative to `DB_PASSWORD`).
 ### MySQL Example
 #### Create a user defined network
    docker network create keycloak-network
 #### Start a MySQL instance
 First start a MySQL instance using the MySQL docker image:
    docker run --name mysql -d --net keycloak-network -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=root_password mysql
 #### Start a Keycloak instance
 Start a Keycloak instance and connect to the MySQL instance:
    docker run --name keycloak --net keycloak-network jboss/keycloak
 If you used a different name for the MySQL instance to `mysql` you need to specify the `DB_ADDR` environment variable.
 ### PostgreSQL Example
 #### Create a user defined network
    docker network create keycloak-network
 #### Start a PostgreSQL instance
 First start a PostgreSQL instance using the PostgreSQL docker image:
    docker run -d --name postgres --net keycloak-network -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password postgres
 #### Start a Keycloak instance
 Start a Keycloak instance and connect to the PostgreSQL instance:
    docker run --name keycloak --net keycloak-network jboss/keycloak -e DB_USER=keycloak -e DB_PASSWORD=password
 If you used a different name for the PostgreSQL instance to `postgres` you need to specify the `DB_ADDR` environment variable.
 ### MariaDB Example
 #### Create a user defined network
    docker network create keycloak-network
 #### Start a MariaDB instance
 First start a MariaDB instance using the MariaDB docker image:
    docker run -d --name mariadb --net keycloak-network -e MYSQL_ROOT_PASSWORD=password -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password mariadb
 #### Start a Keycloak instance
 Start a Keycloak instance and connect to the MariaDB instance:
    docker run --name keycloak --net keycloak-network jboss/keycloak
 If you used a different name for the MariaDB instance to `mariadb` you need to specify the `DB_ADDR` environment variable.
 ### Oracle Example
 Using Keycloak with an Oracle database requires a JDBC driver to be provided to the Docker image.
 #### Download Oracle JDBC driver
 1. Download the required [JDBC driver](https://www.oracle.com/technetwork/database/application-development/jdbc/downloads) for your version of Oracle.
 2. **Important:** rename the file to `ojdbc.jar`
 #### Create a user defined network
    docker network create keycloak-network
 #### Start an Oracle instance
 If you already have an Oracle database running this step can be skipped, otherwise here we will start a new Docker container using the [carloscastillo/rgt-oracle-xe-11g](https://hub.docker.com/r/carloscastillo/rgt-oracle-xe-11g) image on Docker Hub:
    docker run -d --name oracle --net keycloak-network -p 1521:1521 carloscastillo/rgt-oracle-xe-11g
 #### Start a Keycloak instance
 Start a Keycloak instance and connect to the Oracle instance:
    docker run -d --name keycloak --net keycloak-network -p 8080:8080 -v /path/to/jdbc/driver:/opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main/driver jboss/keycloak
 One of the key pieces here is that we are mounting a volume from the location of the JDBC driver, so ensure that the path is correct. The mounted volume should contain the file named `ojdbc.jar`.
 Alternately, the JDBC file can be copied into the container using the `docker cp` command:
    docker cp ojdbc.jar jboss/keycloak:/opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main/driver/ojdbc.jar
 If you used a name for the Oracle instance other than `oracle` you need to specify the `DB_ADDR` environment variable.
 **Default environment settings:**
 - `DB_ADDR`: `oracle`
 - `DB_PORT`: `1521`
 - `DB_DATABASE`: `XE`
 - `DB_USER`: `SYSTEM`
 - `DB_PASSWORD`: `oracle`
 ### Microsoft SQL Server Example
 #### Create a user define network
    docker network create keycloak-network
 #### Start a Microsoft SQL Server instance
 First start a Microsoft SQL Server instance using the Microsoft SQL Server docker image:
    docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=Password!23' -d --name mssql --net keycloak-network mcr.microsoft.com/mssql/server
 Unlike some of the other supported databases, like PostgreSQL, MySQL or MariaDB, SQL Server
 does not support creating the initial database through an environment variable.
 Consequently, the database must be created for Keycloak some other way. In
 principle, this can be done by creating an image that runs until it can create
 the database.
    docker run -d --name mssql-scripts --net keycloak-network mcr.microsoft.com/mssql-tools /bin/bash -c 'until /opt/mssql-tools/bin/sqlcmd -S mssql -U sa -P "Password!23" -Q "create database Keycloak"; do sleep 5; done'
 This image will repeatedly attempt to create the database and terminate once the
 database is in place.
 #### Start a Keycloak instance
 Start a Keycloak instance and connect to the Microsoft SQL Server instance:
    docker run --name keycloak --net keycloak-network -p 8080:8080 -e DB_VENDOR=mssql -e DB_USER=sa -e DB_PASSWORD=Password!23 -e DB_ADDR=mssql -e DB_DATABASE=Keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak
 If you used a different name for the Microsoft SQL Server instance to `mssql` you need to specify the `DB_ADDR` environment variable.
 Please see `docker-compose-examples/keycloak-mssql.yml` for a full example.
 ### Specify JDBC parameters
 When connecting Keycloak instance to the database, you can specify the JDBC parameters. Details on JDBC parameters can be
 found here:
 * [PostgreSQL](https://jdbc.postgresql.org/documentation/head/connect.html)
 * [MySQL](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html)
 * [MariaDB](https://mariadb.com/kb/en/library/about-mariadb-connector-j/#optional-url-parameters)
 * [Oracle](https://docs.oracle.com/en/database/oracle/oracle-database/18/jjdbc/data-sources-and-URLs.html)
 * [Microsoft SQL Server](https://docs.microsoft.com/en-us/sql/connect/jdbc/building-the-connection-url?view=sql-server-2017)
 #### Example
    docker run --name keycloak -e DB_VENDOR=postgres -e JDBC_PARAMS='connectTimeout=30' jboss/keycloak
 ## Adding a custom theme
 To add a custom theme extend the Keycloak image add the theme to the `/opt/jboss/keycloak/themes` directory.
 To set the welcome theme, use the following environment value :
 * `KEYCLOAK_WELCOME_THEME`: Specify the theme to use for welcome page (must be non empty and must match an existing theme name)
 To set your custom theme as the default global theme, use the following environment value :
 * `KEYCLOAK_DEFAULT_THEME`: Specify the theme to use as the default global theme (must match an existing theme name, if empty will use keycloak)
 ## Adding a custom provider
 To add a custom provider extend the Keycloak image and add the provider to the `/opt/jboss/keycloak/standalone/deployments/`
 directory.
 ## Running custom scripts on startup
 **Warning**: Custom scripts have no guarantees. The directory layout within the image may change at any time.
 To run custom scripts on container startup place a file in the `/opt/jboss/startup-scripts` directory.
 Two types of scripts are supported:
 * WildFly `.cli` [scripts](https://docs.jboss.org/author/display/WFLY/Command+Line+Interface). In most of the cases, the scripts should operate in [offline mode](https://wildfly.org/news/tags/CLI/) (using `embed-server` instruction). It's also worth to mention, that by default, keycloak uses `standalone-ha.xml` configuration (unless other server configuration is specified).
 * Any executable (`chmod +x`) script
 Scripts are ran in alphabetical order.
 ### Adding custom script using Dockerfile
 A custom script can be added by creating your own `Dockerfile`:
 ```
 FROM keycloak
 COPY custom-scripts/ /opt/jboss/startup-scripts/
 ```
 ### Adding custom script using volumes
 A single custom script can be added as a volume: `docker run -v /some/dir/my-script.cli:/opt/jboss/startup-scripts/my-script.cli`
 Or you can volume the entire directory to supply a directory of scripts.
 Note that when combining the approach of extending the image and `volume`ing the entire directory, the volume will override
 all scripts shipped in the image.
 ## Clustering
 Replacing the default discovery protocols (`PING` for the UDP stack and `MPING` for the TCP one) can be achieved by defining
 some additional environment variables:
 - `JGROUPS_DISCOVERY_PROTOCOL` - name of the discovery protocol, e.g. dns.DNS_PING
 - `JGROUPS_DISCOVERY_PROPERTIES` - an optional parameter with the discovery protocol properties in the following format:
 `PROP1=FOO,PROP2=BAR`
 - `JGROUPS_DISCOVERY_PROPERTIES_DIRECT` - an optional parameter with the discovery protocol properties in jboss CLI format:
 `{PROP1=>FOO,PROP2=>BAR}`
 - `JGROUPS_TRANSPORT_STACK` - an optional name of the transport stack to use `udp` or `tcp` are possible values. Default: `tcp` 
 **Warning**: It's an error to set both JGROUPS_DISCOVERY_PROPERTIES and JGROUPS_DISCOVERY_PROPERTIES_DIRECT. No more than one of them may be set.
 The bootstrap script will detect the variables and adjust the `standalone-ha.xml` configuration based on them.
 ### PING example
 The `PING` discovery protocol is used by default in `udp` stack (which is used by default in `standalone-ha.xml`).
 Since the Keycloak image runs in clustered mode by default, all you need to do is to run it:
    docker run jboss/keycloak
 If you two instances of it locally, you will notice that they form a cluster.
 ### OpenShift example with dns.DNS_PING
 Clustering for OpenShift can be achieved by using either `dns.DNS_PING` and a governing service or `kubernetes.KUBE_PING`.
 The latter requires `view` permissions which are not granted by default, so we suggest using `dns.DNS_PING`.
 #### Using the template
 The full example has been put into the `openshift-examples` directory. Just run one of the two templates. Here's an example:
    oc new-app -p NAMESPACE=`oc project -q` -f keycloak-https.json
 #### What happen under the hood?
 Both OpenShift templates use `dns.DNS_PING` under the hood. Here's an equivalent docker-based command that OpenShift
 is invoking:
    docker run \
    -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING -e \
    JGROUPS_DISCOVERY_PROPERTIES=dns_query=keycloak.myproject.svc.cluster.local \
    jboss/keycloak
 In this example the `dns.DNS_PING` that queries `A` records from the DNS Server with the following query
 `keycloak.myproject.svc.cluster.local`.
 ### Adding custom discovery protocols
 The default mechanism for adding discovery protocols should cover most of the cases. However, sometimes
 you need to add more protocols at the same time, or adjust other protocols. In such cases you will need
 your own cli file placed in `/opt/jboss/tools/cli/jgroups/discovery`. The `JGROUPS_DISCOVERY_PROTOCOL` need to
 match your cli file, for example:
    JGROUPS_DISCOVERY_PROTOCOL=custom_protocol
    /opt/jboss/tools/cli/jgroups/discovery/custom_protocol.cli
 This can be easily achieved by extending the Keycloak image and adding just one file.
 Of course, we highly encourage you to contribute your custom scripts back to the community image!
 ### Replication and Fail-Over
 By default Keycloak does NOT replicate caches like sessions, authenticationSessions, offlineSessions, loginFailures and a few others (See Eviction and Expiration for more details), which are configured as distributed caches when using a clustered setup. Entries are not replicated to every single node, but instead one or more nodes is chosen as an owner of that data. If a node is not the owner of a specific cache entry it queries the cluster to obtain it. What this means for failover is that if all the nodes that own a piece of data go down, that data is lost forever. By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again. For more on this subject see [Keycloak Documentation](https://www.keycloak.org/docs/latest/server_installation/#_replication)
 #### Specify destributed-cache owners
 * `CACHE_OWNERS_COUNT`: Specify the number of distributed-cache owners (default is 1)
 AuthenticationSessions will not be replicated by setting CACHE_OWNERS_COUNT>1 as this is usually not required/intended (https://www.keycloak.org/docs/latest/server_installation/#cache)
 To enable replication of AuthenticationSessions as well use:
 * `CACHE_OWNERS_AUTH_SESSIONS_COUNT`: Specify the number of replicas for AuthenticationSessions
 ## Vault
 ### Setup Kubernetes / OpenShift files plaintext vault
 Keycloak supports vault implementation for [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/). To use files plaintext vault in Docker container mount secret files to `$JBOSS_HOME/secrets` directory. This can be used to consume secrets from Kubernetes / OpenShift cluster. 
 ## Misc
 ### Specify frontend base URL
 To set a fixed base URL for frontend requests use the following environment value (this is highly recommended in production):
 * `KEYCLOAK_FRONTEND_URL`: Specify base URL for Keycloak (optional, default is retrieved from request)
 ### Specify log level
 There are two environment variables available to control the log level for Keycloak:
 * `KEYCLOAK_LOGLEVEL`: Specify log level for Keycloak (optional, default is `INFO`)
 * `ROOT_LOGLEVEL`: Specify log level for underlying container (optional, default is `INFO`)
 Supported log levels are `ALL`, `DEBUG`, `ERROR`, `FATAL`, `INFO`, `OFF`, `TRACE` and `WARN`.
 Log level can also be changed at runtime, for example (assuming docker exec access):
    ./keycloak/bin/jboss-cli.sh --connect --command='/subsystem=logging/console-handler=CONSOLE:change-log-level(level=DEBUG)'
    ./keycloak/bin/jboss-cli.sh --connect --command='/subsystem=logging/root-logger=ROOT:change-root-log-level(level=DEBUG)'
    ./keycloak/bin/jboss-cli.sh --connect --command='/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=DEBUG)'
 ### Enabling proxy address forwarding
 When running Keycloak behind a proxy, you will need to enable proxy address forwarding.
    docker run -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak
 ### Setting up TLS(SSL)
 Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:
 * tls.crt - a certificate
 * tls.key - a private key
 Those files need to be mounted in `/etc/x509/https` directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.
 NOTE: When using volume mounts in containers the files will be mounted in the container as owned by root, as the default permission on the keyfile will most likely be 700 it will result in an empty keystore.
 You will either have to make the key world readable or extend the image to add the keys with the appropriate owner.
 It is also possible to provide an additional CA bundle and setup Mutual TLS this way. In that case, you need to mount an additional volume (or multiple volumes) to the image. These volumes should contain all necessary `crt` files. The final step is to configure the `X509_CA_BUNDLE` environment variable to contain a list of the locations of the various CA certificate bundle files specified before, separated by space (` `). In case of an OpenShift environment, that could be `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
 NOTE: See `openshift-examples` directory for an out of the box setup for OpenShift.
 ### Enable some metrics
 Keycloak image can collect some statistics for various subsystem which will then be available in the management console and the `/metrics` endpoint.
 You can enable it with the KEYCLOAK_STATISTICS environment variables which take a list of statistics to enable:
 * `db` for the `datasources` subsystem
 * `http` for the `undertow` subsystem
 * `jgroups` for the `jgroups` subsystem
 for instance, `KEYCLOAK_STATISTICS=db,http` will enable statistics for the datasources and undertow subsystem.
 The special value `all` enables all statistics.
 Once enabled, you should see the metrics values changing on the `/metrics` endpoint for the management endpoint.
 ## Other details
 This image extends the [`registry.access.redhat.com/ubi8-minimal`](https://access.redhat.com/containers/?tab=overview#/registry.access.redhat.com/ubi8-minimal) base image and adds Keycloak and its dependencies on top of it.
 ## Building image with Keycloak from different sources
 ### Building Keycloak from GitHub repository
 It is possible to build Keycloak from a GitHub repository instead of downloading the official release. To do this set the `GITHUB_REPO` build argument to the GitHub repository name and optionally set the `GITHUB_BRANCH` build argument to the branch to build. For example:
    docker build --build-arg GIT_REPO=keycloak/keycloak --build-arg GIT_BRANCH=master .
 This will clone the repository then build Keycloak from source. If you don't include GIT_BRANCH it will use the `master` branch.
 #### Download Keycloak from an alternative location
 It is possible to download the Keycloak distribution from an alternative location. This can for example be useful if you want to build a Docker image from Keycloak built locally. For example:
    docker build --build-arg KEYCLOAK_DIST=http://172.17.0.1:8000/keycloak-4.1.0.Final-SNAPSHOT.tar.gz .
 For Keycloak built locally you need to first build the distribution then serve it with a web browser. For example use SimpleHTTPServer:
    cd $KEYCLOAK_CHECKOUT/distribution/server-dist/target
    python -m SimpleHTTPServer 8000
--- a/keycloak/keycloak.version
+++ b/keycloak/keycloak.version
@ -0,0 +1 @@
 KEYCLOAK_VERSION=11.0.0
--- a/keycloak/tools/autorun.sh
+++ b/keycloak/tools/autorun.sh
@ -0,0 +1,19 @@
 #!/bin/bash -e
 cd /opt/jboss/keycloak
 ENTRYPOINT_DIR=/opt/jboss/startup-scripts
 if [[ -d "$ENTRYPOINT_DIR" ]]; then
  # First run cli autoruns
  for f in "$ENTRYPOINT_DIR"/*; do
    if [[ "$f" == *.cli ]]; then
      echo "Executing cli script: $f"
      bin/jboss-cli.sh --file="$f"
    elif [[ -x "$f" ]]; then
      echo "Executing: $f"
      "$f"
    else
      echo "Ignoring file in $ENTRYPOINT_DIR (not *.cli or executable): $f"
    fi
  done
 fi
--- a/keycloak/tools/build-keycloak.sh
+++ b/keycloak/tools/build-keycloak.sh
@ -0,0 +1,105 @@
 #!/bin/bash -e
 ###########################
 # Build/download Keycloak #
 ###########################
 if [ "$GIT_REPO" != "" ]; then
    if [ "$GIT_BRANCH" == "" ]; then
        GIT_BRANCH="master"
    fi
    # Install Git
    microdnf install -y git
    # Install Maven
    cd /opt/jboss 
    curl -s https://apache.uib.no/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz | tar xz
    mv apache-maven-3.5.4 /opt/jboss/maven
    export M2_HOME=/opt/jboss/maven
    # Clone repository
    git clone --depth 1 https://github.com/$GIT_REPO.git -b $GIT_BRANCH /opt/jboss/keycloak-source
    # Build
    cd /opt/jboss/keycloak-source
    MASTER_HEAD=`git log -n1 --format="%H"`
    echo "Keycloak from [build]: $GIT_REPO/$GIT_BRANCH/commit/$MASTER_HEAD"
    $M2_HOME/bin/mvn -Pdistribution -pl distribution/server-dist -am -Dmaven.test.skip clean install
    cd /opt/jboss
    tar xfz /opt/jboss/keycloak-source/distribution/server-dist/target/keycloak-*.tar.gz
    # Remove temporary files
    rm -rf /opt/jboss/maven
    rm -rf /opt/jboss/keycloak-source
    rm -rf $HOME/.m2/repository
    mv /opt/jboss/keycloak-* /opt/jboss/keycloak
 else
    echo "Keycloak from [download]: $KEYCLOAK_DIST"
    cd /opt/jboss/
    curl -L $KEYCLOAK_DIST | tar zx
    mv /opt/jboss/keycloak-* /opt/jboss/keycloak
 fi
 #####################
 # Create DB modules #
 #####################
 mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
 cd /opt/jboss/keycloak/modules/system/layers/base/com/mysql/jdbc/main
 curl -O https://repo1.maven.org/maven2/mysql/mysql-connector-java/$JDBC_MYSQL_VERSION/mysql-connector-java-$JDBC_MYSQL_VERSION.jar
 cp /opt/jboss/tools/databases/mysql/module.xml .
 sed "s/JDBC_MYSQL_VERSION/$JDBC_MYSQL_VERSION/" /opt/jboss/tools/databases/mysql/module.xml > module.xml
 mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
 cd /opt/jboss/keycloak/modules/system/layers/base/org/postgresql/jdbc/main
 curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/$JDBC_POSTGRES_VERSION/postgresql-$JDBC_POSTGRES_VERSION.jar > postgres-jdbc.jar
 cp /opt/jboss/tools/databases/postgres/module.xml .
 mkdir -p /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
 cd /opt/jboss/keycloak/modules/system/layers/base/org/mariadb/jdbc/main
 curl -L https://repo1.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/$JDBC_MARIADB_VERSION/mariadb-java-client-$JDBC_MARIADB_VERSION.jar > mariadb-jdbc.jar
 cp /opt/jboss/tools/databases/mariadb/module.xml .
 mkdir -p /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
 cd /opt/jboss/keycloak/modules/system/layers/base/com/oracle/jdbc/main
 cp /opt/jboss/tools/databases/oracle/module.xml .
 mkdir -p /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
 cd /opt/jboss/keycloak/modules/system/layers/keycloak/com/microsoft/sqlserver/jdbc/main
 curl -L https://repo1.maven.org/maven2/com/microsoft/sqlserver/mssql-jdbc/$JDBC_MSSQL_VERSION/mssql-jdbc-$JDBC_MSSQL_VERSION.jar > mssql-jdbc.jar
 cp /opt/jboss/tools/databases/mssql/module.xml .
 ######################
 # Configure Keycloak #
 ######################
 cd /opt/jboss/keycloak
 bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-configuration.cli
 rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
 bin/jboss-cli.sh --file=/opt/jboss/tools/cli/standalone-ha-configuration.cli
 rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
 ###########
 # Garbage #
 ###########
 rm -rf /opt/jboss/keycloak/standalone/tmp/auth
 rm -rf /opt/jboss/keycloak/domain/tmp/auth
 ###################
 # Set permissions #
 ###################
 echo "jboss:x:1000:root" >> /etc/group
 echo "jboss:x:1000:1000:JBoss user:/opt/jboss:/sbin/nologin" >> /etc/passwd
 chown -R jboss:jboss /opt/jboss
 chmod -R g+rwX /opt/jboss
--- a/keycloak/tools/cli/databases/mariadb/change-database.cli
+++ b/keycloak/tools/cli/databases/mariadb/change-database.cli
@ -0,0 +1,9 @@
 /subsystem=datasources/data-source=KeycloakDS: remove()
 /subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mariadb://${env.DB_ADDR:mariadb}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mariadb)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
 /subsystem=datasources/jdbc-driver=mariadb:add(driver-name=mariadb, driver-module-name=org.mariadb.jdbc, driver-xa-datasource-class-name=org.mariadb.jdbc.MySQLDataSource)
--- a/keycloak/tools/cli/databases/mariadb/standalone-configuration.cli
+++ b/keycloak/tools/cli/databases/mariadb/standalone-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/mariadb/standalone-ha-configuration.cli
+++ b/keycloak/tools/cli/databases/mariadb/standalone-ha-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/mariadb/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/mssql/change-database.cli
+++ b/keycloak/tools/cli/databases/mssql/change-database.cli
@ -0,0 +1,11 @@
 /subsystem=datasources/data-source=KeycloakDS: remove()
 /subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url="jdbc:sqlserver://${env.DB_ADDR:mssql}:${env.DB_PORT:1433};databaseName=${env.DB_DATABASE:keycloak};sendStringParametersAsUnicode=false;integratedSecurity=false;user=${env.DB_USER:keycloak};password=${env.DB_PASSWORD:password};${env.JDBC_PARAMS:}", driver-name=sqlserver)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
 /subsystem=datasources/jdbc-driver=sqlserver:add(driver-name=sqlserver,driver-module-name=com.microsoft.sqlserver.jdbc,driver-xa-datasource-class-name=com.microsoft.sqlserver.jdbc.SQLServerXADataSource)
 /subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:dbo})
--- a/keycloak/tools/cli/databases/mssql/standalone-configuration.cli
+++ b/keycloak/tools/cli/databases/mssql/standalone-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/mssql/standalone-ha-configuration.cli
+++ b/keycloak/tools/cli/databases/mssql/standalone-ha-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/mssql/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/mysql/change-database.cli
+++ b/keycloak/tools/cli/databases/mysql/change-database.cli
@ -0,0 +1,9 @@
 /subsystem=datasources/data-source=KeycloakDS: remove()
 /subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:mysql://${env.DB_ADDR:mysql}:${env.DB_PORT:3306}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=mysql)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
 /subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql, driver-module-name=com.mysql.jdbc, driver-xa-datasource-class-name=com.mysql.cj.jdbc.MysqlXADataSource)
--- a/keycloak/tools/cli/databases/mysql/standalone-configuration.cli
+++ b/keycloak/tools/cli/databases/mysql/standalone-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/mysql/standalone-ha-configuration.cli
+++ b/keycloak/tools/cli/databases/mysql/standalone-ha-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/mysql/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/oracle/change-database.cli
+++ b/keycloak/tools/cli/databases/oracle/change-database.cli
@ -0,0 +1,9 @@
 /subsystem=datasources/data-source=KeycloakDS: remove()
 /subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:oracle:thin:@${env.DB_ADDR:oracle}:${env.DB_PORT:1521}:${env.DB_DATABASE:XE}${env.JDBC_PARAMS:}, driver-name=oracle)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:SYSTEM})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:oracle})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1 FROM dual")
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
 /subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle, driver-module-name=com.oracle.jdbc, driver-xa-datasource-class-name=oracle.jdbc.xa.client.OracleXADataSource)
--- a/keycloak/tools/cli/databases/oracle/standalone-configuration.cli
+++ b/keycloak/tools/cli/databases/oracle/standalone-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/oracle/standalone-ha-configuration.cli
+++ b/keycloak/tools/cli/databases/oracle/standalone-ha-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/oracle/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/postgres/change-database.cli
+++ b/keycloak/tools/cli/databases/postgres/change-database.cli
@ -0,0 +1,11 @@
 /subsystem=datasources/data-source=KeycloakDS: remove()
 /subsystem=datasources/data-source=KeycloakDS: add(jndi-name=java:jboss/datasources/KeycloakDS,enabled=true,use-java-context=true,use-ccm=true, connection-url=jdbc:postgresql://${env.DB_ADDR:postgres}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}, driver-name=postgresql)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=user-name, value=${env.DB_USER:keycloak})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=password, value=${env.DB_PASSWORD:password})
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=check-valid-connection-sql, value="SELECT 1")
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation, value=true)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=background-validation-millis, value=60000)
 /subsystem=datasources/data-source=KeycloakDS: write-attribute(name=flush-strategy, value=IdleConnections)
 /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
 /subsystem=keycloak-server/spi=connectionsJpa/provider=default:write-attribute(name=properties.schema,value=${env.DB_SCHEMA:public})
--- a/keycloak/tools/cli/databases/postgres/standalone-configuration.cli
+++ b/keycloak/tools/cli/databases/postgres/standalone-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/postgres/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/databases/postgres/standalone-ha-configuration.cli
+++ b/keycloak/tools/cli/databases/postgres/standalone-ha-configuration.cli
@ -0,0 +1,3 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/databases/postgres/change-database.cli
 stop-embedded-server
--- a/keycloak/tools/cli/files-plaintext-vault.cli
+++ b/keycloak/tools/cli/files-plaintext-vault.cli
@ -0,0 +1,6 @@
 embed-server --server-config=$configuration_file --std-out=discard
 echo ** Adding vault spi **
 /subsystem=keycloak-server/spi=vault/:add
 /subsystem=keycloak-server/spi=vault/provider=files-plaintext/:add(enabled=true,properties={dir => $plaintext_vault_provider_dir})
 stop-embedded-server
--- a/keycloak/tools/cli/hostname.cli
+++ b/keycloak/tools/cli/hostname.cli
@ -0,0 +1,2 @@
 /subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value="${keycloak.hostname.provider:default}")
 /subsystem=keycloak-server/spi=hostname/provider=fixed/:add(properties={hostname => "${keycloak.hostname.fixed.hostname:localhost}",httpPort => "${keycloak.hostname.fixed.httpPort:-1}",httpsPort => "${keycloak.hostname.fixed.httpsPort:-1}",alwaysHttps => "${keycloak.hostname.fixed.alwaysHttps:false}"},enabled=true)
--- a/keycloak/tools/cli/infinispan/cache-owners.cli
+++ b/keycloak/tools/cli/infinispan/cache-owners.cli
@ -0,0 +1,11 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 batch
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens: write-attribute(name=owners, value=${env.CACHE_OWNERS_COUNT:1})
 /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions: write-attribute(name=owners, value=${env.CACHE_OWNERS_AUTH_SESSIONS_COUNT:1})
 run-batch
 stop-embedded-server
--- a/keycloak/tools/cli/jgroups/discovery/default.cli
+++ b/keycloak/tools/cli/jgroups/discovery/default.cli
@ -0,0 +1,11 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 batch
 /subsystem=jgroups/stack=udp/protocol=PING:remove()
 /subsystem=jgroups/stack=udp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
 /subsystem=jgroups/stack=tcp/protocol=MPING:remove()
 /subsystem=jgroups/stack=tcp/protocol=$keycloak_jgroups_discovery_protocol:add(add-index=0, properties=$keycloak_jgroups_discovery_protocol_properties)
 /subsystem=jgroups/channel=ee:write-attribute(name="stack", value=$keycloak_jgroups_transport_stack)
 run-batch
 stop-embedded-server
--- a/keycloak/tools/cli/loglevel.cli
+++ b/keycloak/tools/cli/loglevel.cli
@ -0,0 +1,9 @@
 /subsystem=logging/logger=org.keycloak:add
 /subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=${env.KEYCLOAK_LOGLEVEL:INFO})
 /subsystem=logging/root-logger=ROOT:change-root-log-level(level=${env.ROOT_LOGLEVEL:INFO})
 /subsystem=logging/root-logger=ROOT:remove-handler(name="FILE")
 /subsystem=logging/periodic-rotating-file-handler=FILE:remove
 /subsystem=logging/console-handler=CONSOLE:undefine-attribute(name=level)
--- a/keycloak/tools/cli/metrics/db.cli
+++ b/keycloak/tools/cli/metrics/db.cli
@ -0,0 +1,5 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 batch
 /subsystem=datasources/data-source=KeycloakDS:write-attribute(name=statistics-enabled, value=true)
 run-batch
 stop-embedded-server
--- a/keycloak/tools/cli/metrics/http.cli
+++ b/keycloak/tools/cli/metrics/http.cli
@ -0,0 +1,5 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 batch
 /subsystem=undertow:write-attribute(name=statistics-enabled,value=true)
 run-batch
 stop-embedded-server
--- a/keycloak/tools/cli/metrics/jgroups.cli
+++ b/keycloak/tools/cli/metrics/jgroups.cli
@ -0,0 +1,5 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 batch
 /subsystem=jgroups/channel=ee:write-attribute(name=statistics-enabled, value=true)
 run-batch
 stop-embedded-server
--- a/keycloak/tools/cli/proxy.cli
+++ b/keycloak/tools/cli/proxy.cli
@ -0,0 +1,2 @@
 /subsystem=undertow/server=default-server/http-listener=default: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})
 /subsystem=undertow/server=default-server/https-listener=https: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})
--- a/keycloak/tools/cli/standalone-configuration.cli
+++ b/keycloak/tools/cli/standalone-configuration.cli
@ -0,0 +1,6 @@
 embed-server --server-config=standalone.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/loglevel.cli
 run-batch --file=/opt/jboss/tools/cli/proxy.cli
 run-batch --file=/opt/jboss/tools/cli/hostname.cli
 run-batch --file=/opt/jboss/tools/cli/theme.cli
 stop-embedded-server
--- a/keycloak/tools/cli/standalone-ha-configuration.cli
+++ b/keycloak/tools/cli/standalone-ha-configuration.cli
@ -0,0 +1,6 @@
 embed-server --server-config=standalone-ha.xml --std-out=echo
 run-batch --file=/opt/jboss/tools/cli/loglevel.cli
 run-batch --file=/opt/jboss/tools/cli/proxy.cli
 run-batch --file=/opt/jboss/tools/cli/hostname.cli
 run-batch --file=/opt/jboss/tools/cli/theme.cli
 stop-embedded-server
--- a/keycloak/tools/cli/theme.cli
+++ b/keycloak/tools/cli/theme.cli
@ -0,0 +1,2 @@
 /subsystem=keycloak-server/theme=defaults:write-attribute(name=welcomeTheme,value=${env.KEYCLOAK_WELCOME_THEME:keycloak})
 /subsystem=keycloak-server/theme=defaults:write-attribute(name=default,value=${env.KEYCLOAK_DEFAULT_THEME:keycloak})
--- a/keycloak/tools/cli/x509-keystore.cli
+++ b/keycloak/tools/cli/x509-keystore.cli
@ -0,0 +1,9 @@
 embed-server --server-config=$configuration_file --std-out=discard
 /subsystem=elytron/key-store=kcKeyStore:add(path=$keycloak_tls_keystore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_keystore_password})
 /subsystem=elytron/key-manager=kcKeyManager:add(key-store=kcKeyStore,credential-reference={clear-text=$keycloak_tls_keystore_password})
 /subsystem=elytron/server-ssl-context=kcSSLContext:add(key-manager=kcKeyManager)
 batch
 /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
 /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=kcSSLContext)
 run-batch
 stop-embedded-server
--- a/keycloak/tools/cli/x509-truststore.cli
+++ b/keycloak/tools/cli/x509-truststore.cli
@ -0,0 +1,25 @@
 embed-server --server-config=$configuration_file --std-out=discard
 /subsystem=elytron/key-store=kcTrustStore:add(path=$keycloak_tls_truststore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_truststore_password})
 /subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore)
 if (outcome != success) of /subsystem=elytron/server-ssl-context=kcSSLContext:read-resource
    # Since WF requires a Key Manager for creating /subsystem=elytron/server-ssl-context, there's nothing we can do at this point.
    # We can not automatically generate a self-signed key (Elytron doesn't support this, see https://docs.wildfly.org/13/WildFly_Elytron_Security.html#configure-ssltls),
    # and we don't have anything else at hand.
    # However, there is no big harm here - the Trust Store is more needed by Keycloak Truststore SPI.
    echo "WARNING! There is no Key Manager (No Key Store specified). Skipping HTTPS Listener configuration..."
 else
    # The SSL Context has been added by keystore, not much to do - just append trust store and we are done.
 	/subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=trust-manager, value=kcTrustManager)
    /subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=want-client-auth, value=true)
 end-if
 if (outcome != success) of /subsystem=keycloak-server/spi=truststore:read-resource
    /subsystem=keycloak-server/spi=truststore/:add
 end-if
 /subsystem=keycloak-server/spi=truststore/provider=file/:add(enabled=true,properties={ \
    file => $keycloak_tls_truststore_file, \
    password => $keycloak_tls_truststore_password, \
    hostname-verification-policy => "WILDCARD", \
 disabled => "false"})
 stop-embedded-server
--- a/keycloak/tools/databases/change-database.sh
+++ b/keycloak/tools/databases/change-database.sh
@ -0,0 +1,11 @@
 #!/bin/bash -e
 DB_VENDOR=$1
 cd /opt/jboss/keycloak
 bin/jboss-cli.sh --file=/opt/jboss/tools/cli/databases/$DB_VENDOR/standalone-configuration.cli
 rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
 bin/jboss-cli.sh --file=/opt/jboss/tools/cli/databases/$DB_VENDOR/standalone-ha-configuration.cli
 rm -rf standalone/configuration/standalone_xml_history/current/*
--- a/keycloak/tools/databases/mariadb/module.xml
+++ b/keycloak/tools/databases/mariadb/module.xml
@ -0,0 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ JBoss, Home of Professional Open Source.
  ~ Copyright 2010, Red Hat, Inc., and individual contributors
  ~ as indicated by the @author tags. See the copyright.txt file in the
  ~ distribution for a full listing of individual contributors.
  ~
  ~ This is free software; you can redistribute it and/or modify it
  ~ under the terms of the GNU Lesser General Public License as
  ~ published by the Free Software Foundation; either version 2.1 of
  ~ the License, or (at your option) any later version.
  ~
  ~ This software is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  ~ Lesser General Public License for more details.
  ~
  ~ You should have received a copy of the GNU Lesser General Public
  ~ License along with this software; if not, write to the Free
  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  -->
 <module xmlns="urn:jboss:module:1.0" name="org.mariadb.jdbc">
   <resources>
      <resource-root path="mariadb-jdbc.jar"/>
   </resources>
   <dependencies>
      <module name="javax.api"/>
      <module name="javax.transaction.api"/>
   </dependencies>
 </module>
--- a/keycloak/tools/databases/mssql/module.xml
+++ b/keycloak/tools/databases/mssql/module.xml
@ -0,0 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module xmlns="urn:jboss:module:1.3" name="com.microsoft.sqlserver.jdbc">
 <resources>
    <resource-root path="mssql-jdbc.jar"/>
 </resources>
 <dependencies>
    <module name="javax.api"/>
    <module name="javax.transaction.api"/>
    <module name="javax.xml.bind.api"/>
    <module name="javax.servlet.api" optional="true"/>
 </dependencies>
 </module>
--- a/keycloak/tools/databases/mysql/module.xml
+++ b/keycloak/tools/databases/mysql/module.xml
@ -0,0 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ JBoss, Home of Professional Open Source.
  ~ Copyright 2010, Red Hat, Inc., and individual contributors
  ~ as indicated by the @author tags. See the copyright.txt file in the
  ~ distribution for a full listing of individual contributors.
  ~
  ~ This is free software; you can redistribute it and/or modify it
  ~ under the terms of the GNU Lesser General Public License as
  ~ published by the Free Software Foundation; either version 2.1 of
  ~ the License, or (at your option) any later version.
  ~
  ~ This software is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  ~ Lesser General Public License for more details.
  ~
  ~ You should have received a copy of the GNU Lesser General Public
  ~ License along with this software; if not, write to the Free
  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  -->
 <module xmlns="urn:jboss:module:1.0" name="com.mysql.jdbc">
  <resources>
    <resource-root path="mysql-connector-java-JDBC_MYSQL_VERSION.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.transaction.api"/>
  </dependencies>
 </module>
--- a/keycloak/tools/databases/oracle/module.xml
+++ b/keycloak/tools/databases/oracle/module.xml
@ -0,0 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ JBoss, Home of Professional Open Source.
  ~ Copyright 2010, Red Hat, Inc., and individual contributors
  ~ as indicated by the @author tags. See the copyright.txt file in the
  ~ distribution for a full listing of individual contributors.
  ~
  ~ This is free software; you can redistribute it and/or modify it
  ~ under the terms of the GNU Lesser General Public License as
  ~ published by the Free Software Foundation; either version 2.1 of
  ~ the License, or (at your option) any later version.
  ~
  ~ This software is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  ~ Lesser General Public License for more details.
  ~
  ~ You should have received a copy of the GNU Lesser General Public
  ~ License along with this software; if not, write to the Free
  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  -->
 <module xmlns="urn:jboss:module:1.0" name="com.oracle.jdbc">
  <resources>
    <resource-root path="driver/ojdbc.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.transaction.api"/>
  </dependencies>
 </module>
--- a/keycloak/tools/databases/postgres/module.xml
+++ b/keycloak/tools/databases/postgres/module.xml
@ -0,0 +1,31 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ JBoss, Home of Professional Open Source.
  ~ Copyright 2010, Red Hat, Inc., and individual contributors
  ~ as indicated by the @author tags. See the copyright.txt file in the
  ~ distribution for a full listing of individual contributors.
  ~
  ~ This is free software; you can redistribute it and/or modify it
  ~ under the terms of the GNU Lesser General Public License as
  ~ published by the Free Software Foundation; either version 2.1 of
  ~ the License, or (at your option) any later version.
  ~
  ~ This software is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  ~ Lesser General Public License for more details.
  ~
  ~ You should have received a copy of the GNU Lesser General Public
  ~ License along with this software; if not, write to the Free
  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  -->
 <module xmlns="urn:jboss:module:1.0" name="org.postgresql.jdbc">
   <resources>
      <resource-root path="postgres-jdbc.jar"/>
   </resources>
   <dependencies>
      <module name="javax.api"/>
      <module name="javax.transaction.api"/>
   </dependencies>
 </module>
--- a/keycloak/tools/docker-entrypoint.sh
+++ b/keycloak/tools/docker-entrypoint.sh
@ -0,0 +1,234 @@
 #!/bin/bash
 set -eou pipefail
 # usage: file_env VAR [DEFAULT]
 #    ie: file_env 'XYZ_DB_PASSWORD' 'example'
 # (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
 #  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
 file_env() {
    local var="$1"
    local fileVar="${var}_FILE"
    local def="${2:-}"
    if [[ ${!var:-} && ${!fileVar:-} ]]; then
        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
        exit 1
    fi
    local val="$def"
    if [[ ${!var:-} ]]; then
        val="${!var}"
    elif [[ ${!fileVar:-} ]]; then
        val="$(< "${!fileVar}")"
    fi
    if [[ -n $val ]]; then
        export "$var"="$val"
    fi
    unset "$fileVar"
 }
 SYS_PROPS=""
 ##################
 # Add admin user #
 ##################
 file_env 'KEYCLOAK_USER'
 file_env 'KEYCLOAK_PASSWORD'
 if [[ -n ${KEYCLOAK_USER:-} && -n ${KEYCLOAK_PASSWORD:-} ]]; then
    /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD"
 fi
 ############
 # Hostname #
 ############
 if [[ -n ${KEYCLOAK_FRONTEND_URL:-} ]]; then
    SYS_PROPS+="-Dkeycloak.frontendUrl=$KEYCLOAK_FRONTEND_URL"
 fi
 if [[ -n ${KEYCLOAK_HOSTNAME:-} ]]; then
    SYS_PROPS+=" -Dkeycloak.hostname.provider=fixed -Dkeycloak.hostname.fixed.hostname=$KEYCLOAK_HOSTNAME"
    if [[ -n ${KEYCLOAK_HTTP_PORT:-} ]]; then
        SYS_PROPS+=" -Dkeycloak.hostname.fixed.httpPort=$KEYCLOAK_HTTP_PORT"
    fi
    if [[ -n ${KEYCLOAK_HTTPS_PORT:-} ]]; then
        SYS_PROPS+=" -Dkeycloak.hostname.fixed.httpsPort=$KEYCLOAK_HTTPS_PORT"
    fi
    if [[ -n ${KEYCLOAK_ALWAYS_HTTPS:-} ]]; then
            SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=$KEYCLOAK_ALWAYS_HTTPS"
    fi
 fi
 ################
 # Realm import #
 ################
 if [[ -n ${KEYCLOAK_IMPORT:-} ]]; then
    SYS_PROPS+=" -Dkeycloak.import=$KEYCLOAK_IMPORT"
 fi
 ########################
 # JGroups bind options #
 ########################
 if [[ -z ${BIND:-} ]]; then
    BIND=$(hostname --all-ip-addresses)
 fi
 if [[ -z ${BIND_OPTS:-} ]]; then
    for BIND_IP in $BIND
    do
        BIND_OPTS+=" -Djboss.bind.address=$BIND_IP -Djboss.bind.address.private=$BIND_IP "
    done
 fi
 SYS_PROPS+=" $BIND_OPTS"
 #########################################
 # Expose management console for metrics #
 #########################################
 if [[ -n ${KEYCLOAK_STATISTICS:-} ]] ; then
    SYS_PROPS+=" -Djboss.bind.address.management=0.0.0.0"
 fi
 #################
 # Configuration #
 #################
 # If the server configuration parameter is not present, append the HA profile.
 if echo "$@" | grep -E -v -- '-c |-c=|--server-config |--server-config='; then
    SYS_PROPS+=" -c=standalone-ha.xml"
 fi
 ############
 # DB setup #
 ############
 file_env 'DB_USER'
 file_env 'DB_PASSWORD'
 # Lower case DB_VENDOR
 if [[ -n ${DB_VENDOR:-} ]]; then
  DB_VENDOR=$(echo "$DB_VENDOR" | tr "[:upper:]" "[:lower:]")
 fi
 # Detect DB vendor from default host names
 if [[ -z ${DB_VENDOR:-} ]]; then
    if (getent hosts postgres &>/dev/null); then
        export DB_VENDOR="postgres"
    elif (getent hosts mysql &>/dev/null); then
        export DB_VENDOR="mysql"
    elif (getent hosts mariadb &>/dev/null); then
        export DB_VENDOR="mariadb"
    elif (getent hosts oracle &>/dev/null); then
        export DB_VENDOR="oracle"
    elif (getent hosts mssql &>/dev/null); then
        export DB_VENDOR="mssql"
    fi
 fi
 # Detect DB vendor from legacy `*_ADDR` environment variables
 if [[ -z ${DB_VENDOR:-} ]]; then
    if (printenv | grep '^POSTGRES_ADDR=' &>/dev/null); then
        export DB_VENDOR="postgres"
    elif (printenv | grep '^MYSQL_ADDR=' &>/dev/null); then
        export DB_VENDOR="mysql"
    elif (printenv | grep '^MARIADB_ADDR=' &>/dev/null); then
        export DB_VENDOR="mariadb"
    elif (printenv | grep '^ORACLE_ADDR=' &>/dev/null); then
        export DB_VENDOR="oracle"
    elif (printenv | grep '^MSSQL_ADDR=' &>/dev/null); then
        export DB_VENDOR="mssql"
    fi
 fi
 # Default to H2 if DB type not detected
 if [[ -z ${DB_VENDOR:-} ]]; then
    export DB_VENDOR="h2"
 fi
 # if the DB_VENDOR is postgres then append port to the DB_ADDR
 function append_port_db_addr() {
  local db_host_regex='^[a-zA-Z0-9]([a-zA-Z0-9]|-|.)*:[0-9]{4,5}$'
  IFS=',' read -ra addresses <<< "$DB_ADDR"
  DB_ADDR=""
  for i in "${addresses[@]}"; do
    if [[ $i =~ $db_host_regex ]]; then
        DB_ADDR+=$i;
     else
        DB_ADDR+="${i}:${DB_PORT}";
     fi
        DB_ADDR+=","
  done
  DB_ADDR=$(echo $DB_ADDR | sed 's/.$//') # remove the last comma
 }
 # Set DB name
 case "$DB_VENDOR" in
    postgres)
        DB_NAME="PostgreSQL"
        if [[ -z ${DB_PORT:-} ]] ; then
          DB_PORT="5432"
        fi
        append_port_db_addr
        ;;
    mysql)
        DB_NAME="MySQL";;
    mariadb)
        DB_NAME="MariaDB";;
    oracle)
        DB_NAME="Oracle";;
    h2)
        DB_NAME="Embedded H2";;
    mssql)
        DB_NAME="Microsoft SQL Server";;
    *)
        echo "Unknown DB vendor $DB_VENDOR"
        exit 1
 esac
 # Append '?' in the beggining of the string if JDBC_PARAMS value isn't empty
 JDBC_PARAMS=$(echo "${JDBC_PARAMS:-}" | sed '/^$/! s/^/?/')
 export JDBC_PARAMS
 # Convert deprecated DB specific variables
 function set_legacy_vars() {
  local suffixes=(ADDR DATABASE USER PASSWORD PORT)
  for suffix in "${suffixes[@]}"; do
    local varname="$1_$suffix"
    if [[ -n ${!varname:-} ]]; then
      echo WARNING: "$varname" variable name is DEPRECATED replace with DB_"$suffix"
      export DB_"$suffix=${!varname}"
    fi
  done
 }
 set_legacy_vars "$(echo "$DB_VENDOR" | tr "[:upper:]" "[:lower:]")"
 # Configure DB
 echo "========================================================================="
 echo ""
 echo "  Using $DB_NAME database"
 echo ""
 echo "========================================================================="
 echo ""
 if [ "$DB_VENDOR" != "h2" ]; then
    /bin/sh /opt/jboss/tools/databases/change-database.sh $DB_VENDOR
 fi
 /opt/jboss/tools/x509.sh
 /opt/jboss/tools/jgroups.sh
 /opt/jboss/tools/infinispan.sh
 /opt/jboss/tools/statistics.sh
 /opt/jboss/tools/autorun.sh
 /opt/jboss/tools/vault.sh
 ##################
 # Start Keycloak #
 ##################
 exec /opt/jboss/keycloak/bin/standalone.sh $SYS_PROPS $@
 exit $?
--- a/keycloak/tools/infinispan.sh
+++ b/keycloak/tools/infinispan.sh
@ -0,0 +1,14 @@
 # How many owners / replicas should our distributed caches have. If <2 any node that is removed from the cluster will cause a data-loss!
 # As it is only sensible to replicate AuthenticationSessions for certain cases, their replication factor can be configured independently
 if [ -n "$CACHE_OWNERS_COUNT" ]; then
    echo "Setting cache owners to $CACHE_OWNERS_COUNT replicas"
    # Check and log the replication factor of AuthenticationSessions, otherwise this is set to 1 by default
    if [ -n "$CACHE_OWNERS_AUTH_SESSIONS_COUNT" ]; then
        echo "Enabling replication of AuthenticationSessions with ${CACHE_OWNERS_AUTH_SESSIONS_COUNT} replicas"
    else
        echo "AuthenticationSessions will NOT be replicated, set CACHE_OWNERS_AUTH_SESSIONS_COUNT to configure this"
    fi
 $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/infinispan/cache-owners.cli" >& /dev/null
 fi
--- a/keycloak/tools/jgroups.sh
+++ b/keycloak/tools/jgroups.sh
@ -0,0 +1,30 @@
 #!/bin/bash
 # If JGROUPS_DISCOVERY_PROPERTIES is set, it must be in the following format: PROP1=FOO,PROP2=BAR
 # If JGROUPS_DISCOVERY_PROPERTIES_DIRECT is set, it must be in the following format: {PROP1=>FOO,PROP2=>BAR}
 # It's a configuration error to set both of these variables
 if [ -n "$JGROUPS_DISCOVERY_PROTOCOL" ]; then
    if [ -n "$JGROUPS_DISCOVERY_PROPERTIES" ] && [ -n "$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" ]; then
       echo >&2 "error: both JGROUPS_DISCOVERY_PROPERTIES and JGROUPS_DISCOVERY_PROPERTIES_DIRECT are set (but are exclusive)"
       exit 1
    fi
    if [ -n "$JGROUPS_DISCOVERY_PROPERTIES_DIRECT" ]; then
       JGROUPS_DISCOVERY_PROPERTIES_PARSED="$JGROUPS_DISCOVERY_PROPERTIES_DIRECT"
    else
       JGROUPS_DISCOVERY_PROPERTIES_PARSED=`echo $JGROUPS_DISCOVERY_PROPERTIES | sed "s/=/=>/g"`
       JGROUPS_DISCOVERY_PROPERTIES_PARSED="{$JGROUPS_DISCOVERY_PROPERTIES_PARSED}"
    fi
    echo "Setting JGroups discovery to $JGROUPS_DISCOVERY_PROTOCOL with properties $JGROUPS_DISCOVERY_PROPERTIES_PARSED"
    echo "set keycloak_jgroups_discovery_protocol=${JGROUPS_DISCOVERY_PROTOCOL}" >> "$JBOSS_HOME/bin/.jbossclirc"
    echo "set keycloak_jgroups_discovery_protocol_properties=${JGROUPS_DISCOVERY_PROPERTIES_PARSED}" >> "$JBOSS_HOME/bin/.jbossclirc"
    echo "set keycloak_jgroups_transport_stack=${JGROUPS_TRANSPORT_STACK:-tcp}" >> "$JBOSS_HOME/bin/.jbossclirc"
    # If there's a specific CLI file for given protocol - execute it. If not, we should be good with the default one.
    if [ -f "/opt/jboss/tools/cli/jgroups/discovery/$JGROUPS_DISCOVERY_PROTOCOL.cli" ]; then
       $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/jgroups/discovery/$JGROUPS_DISCOVERY_PROTOCOL.cli" >& /dev/null
    else
       $JBOSS_HOME/bin/jboss-cli.sh --file="/opt/jboss/tools/cli/jgroups/discovery/default.cli" >& /dev/null
    fi
 fi
--- a/keycloak/tools/statistics.sh
+++ b/keycloak/tools/statistics.sh
@ -0,0 +1,12 @@
 #!/bin/bash
 if [ -n "$KEYCLOAK_STATISTICS" ]; then
   IFS=',' read -ra metrics <<< "$KEYCLOAK_STATISTICS"
   for file in /opt/jboss/tools/cli/metrics/*.cli; do
      name=${file##*/}
      base=${name%.cli}
      if [[  $KEYCLOAK_STATISTICS == *"$base"* ]] || [[  $KEYCLOAK_STATISTICS == *"all"* ]];  then
         $JBOSS_HOME/bin/jboss-cli.sh --file="$file" >& /dev/null
      fi
   done
 fi
--- a/keycloak/tools/vault.sh
+++ b/keycloak/tools/vault.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 if [ -d "$JBOSS_HOME/secrets" ]; then
    echo "set plaintext_vault_provider_dir=${JBOSS_HOME}/secrets" >> "$JBOSS_HOME/bin/.jbossclirc"
    echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/files-plaintext-vault.cli
    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
    echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/files-plaintext-vault.cli
    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
 fi
--- a/keycloak/tools/x509.sh
+++ b/keycloak/tools/x509.sh
@ -0,0 +1,111 @@
 #!/bin/bash
 function autogenerate_keystores() {
  # Keystore infix notation as used in templates to keystore name mapping
  declare -A KEYSTORES=( ["https"]="HTTPS" )
  local KEYSTORES_STORAGE="${JBOSS_HOME}/standalone/configuration/keystores"
  if [ ! -d "${KEYSTORES_STORAGE}" ]; then
    mkdir -p "${KEYSTORES_STORAGE}"
  fi
  # Auto-generate the HTTPS keystore if volumes for OpenShift's
  # serving x509 certificate secrets service were properly mounted
  for KEYSTORE_TYPE in "${!KEYSTORES[@]}"; do
    local X509_KEYSTORE_DIR="/etc/x509/${KEYSTORE_TYPE}"
    local X509_CRT="tls.crt"
    local X509_KEY="tls.key"
    local NAME="keycloak-${KEYSTORE_TYPE}-key"
    local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
    local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks"
    local PKCS12_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.pk12"
    if [ -f "${X509_KEYSTORE_DIR}/${X509_KEY}" ] && [ -f "${X509_KEYSTORE_DIR}/${X509_CRT}" ]; then
      echo "Creating ${KEYSTORES[$KEYSTORE_TYPE]} keystore via OpenShift's service serving x509 certificate secrets.."
      openssl pkcs12 -export \
      -name "${NAME}" \
      -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
      -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
      -out "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
      -password pass:"${PASSWORD}" >& /dev/null
      keytool -importkeystore -noprompt \
      -srcalias "${NAME}" -destalias "${NAME}" \
      -srckeystore "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
      -srcstoretype pkcs12 \
      -destkeystore "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" \
      -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}" >& /dev/null
      if [ -f "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" ]; then
        echo "${KEYSTORES[$KEYSTORE_TYPE]} keystore successfully created at: ${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}"
      fi
      echo "set keycloak_tls_keystore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc"
      echo "set keycloak_tls_keystore_file=${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" >> "$JBOSS_HOME/bin/.jbossclirc"
      echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
      $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null
      sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
      echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
      $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-keystore.cli >& /dev/null
      sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
    fi
  done
  # Auto-generate the Keycloak truststore if X509_CA_BUNDLE was provided
  local -r X509_CRT_DELIMITER="/-----BEGIN CERTIFICATE-----/"
  local JKS_TRUSTSTORE_FILE="truststore.jks"
  local JKS_TRUSTSTORE_PATH="${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}"
  local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
  local TEMPORARY_CERTIFICATE="temporary_ca.crt"
  if [ -n "${X509_CA_BUNDLE}" ]; then
    pushd /tmp >& /dev/null
    echo "Creating Keycloak truststore.."
    # We use cat here, so that users could specify multiple CA Bundles using space or even wildcard:
    # X509_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/*.crt
    # Note, that there is no quotes here, that's intentional. Once can use spaces in the $X509_CA_BUNDLE like this:
    # X509_CA_BUNDLE=/ca.crt /ca2.crt
    cat ${X509_CA_BUNDLE} > ${TEMPORARY_CERTIFICATE}
    csplit -s -z -f crt- "${TEMPORARY_CERTIFICATE}" "${X509_CRT_DELIMITER}" '{*}'
    for CERT_FILE in crt-*; do
      keytool -import -noprompt -keystore "${JKS_TRUSTSTORE_PATH}" -file "${CERT_FILE}" \
      -storepass "${PASSWORD}" -alias "service-${CERT_FILE}" >& /dev/null
    done
    if [ -f "${JKS_TRUSTSTORE_PATH}" ]; then
      echo "Keycloak truststore successfully created at: ${JKS_TRUSTSTORE_PATH}"
    fi
    # Import existing system CA certificates into the newly generated truststore
    local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
    if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
      echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
      keytool -importkeystore -noprompt \
      -srckeystore "${SYSTEM_CACERTS}" \
      -destkeystore "${JKS_TRUSTSTORE_PATH}" \
      -srcstoretype jks -deststoretype jks \
      -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
      if [ "$?" -eq "0" ]; then
        echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
      else
        echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
      fi
    fi
    echo "set keycloak_tls_truststore_password=${PASSWORD}" >> "$JBOSS_HOME/bin/.jbossclirc"
    echo "set keycloak_tls_truststore_file=${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}" >> "$JBOSS_HOME/bin/.jbossclirc"
    echo "set configuration_file=standalone.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-truststore.cli >& /dev/null
    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
    echo "set configuration_file=standalone-ha.xml" >> "$JBOSS_HOME/bin/.jbossclirc"
    $JBOSS_HOME/bin/jboss-cli.sh --file=/opt/jboss/tools/cli/x509-truststore.cli >& /dev/null
    sed -i '$ d' "$JBOSS_HOME/bin/.jbossclirc"
    popd >& /dev/null
  fi
 }
 autogenerate_keystores
--- a/mc/Dockerfile
+++ b/mc/Dockerfile
@ -0,0 +1,9 @@
 FROM debian:stable-20200720-slim
 ARG TARGETARCH
 ARG MC_VERSION
 ADD https://dl.min.io/client/mc/release/linux-${TARGETARCH}/archive/mc.${MC_VERSION} /root/
 RUN mv /root/mc.${MC_VERSION} /usr/bin/mc && chmod +x /usr/bin/mc
 FROM scratch
 COPY --from=0 /usr/bin/mc /mc
 ENTRYPOINT ["/mc"]
--- a/mc/Makefile
+++ b/mc/Makefile
@ -0,0 +1,13 @@
 include mc/mc.version
 mc-nopush:
 	docker buildx build --platform linux/amd64 --load \
 	    --build-arg MC_VERSION=$(MC_VERSION) \
 	    --tag alemairebe/mc:$(MC_VERSION) mc
 mc:
 	docker buildx build --platform linux/amd64,linux/arm64,linux/arm,linux/ppc64le --push \
 	    --build-arg MC_VERSION=$(MC_VERSION) \
 	    --cache-from=type=registry,ref=alemairebe/mc \
 	    --cache-to=type=registry,ref=alemairebe/mc \
 	    --tag alemairebe/mc:$(MC_VERSION) mc
--- a/mc/mc.version
+++ b/mc/mc.version
@ -0,0 +1 @@
 MC_VERSION=RELEASE.2020-07-17T02-52-20Z
--- a/pgadmin4/.version
+++ b/pgadmin4/.version
@ -0,0 +1,2 @@
 VERSION=4.24
 GUNICORN_VERSION=20.0.4
--- a/pgadmin4/Dockerfile
+++ b/pgadmin4/Dockerfile
@ -0,0 +1,62 @@
 FROM postgres:9.5 as pg95-builder
 FROM postgres:9.6 as pg96-builder
 FROM postgres:10 as pg10-builder
 FROM postgres:11 as pg11-builder
 FROM postgres:12 as pg12-builder
 FROM debian:stable-20200720-slim as tool-builder
 # Copy the PG binaries
 COPY --from=pg95-builder /usr/lib/postgresql/9.5/bin/pg_dump /usr/local/pgsql/pgsql-9.5/
 COPY --from=pg95-builder /usr/lib/postgresql/9.5/bin/pg_dumpall /usr/local/pgsql/pgsql-9.5/
 COPY --from=pg95-builder /usr/lib/postgresql/9.5/bin/pg_restore /usr/local/pgsql/pgsql-9.5/
 COPY --from=pg95-builder /usr/lib/postgresql/9.5/bin/psql /usr/local/pgsql/pgsql-9.5/
 COPY --from=pg96-builder /usr/lib/postgresql/9.6/bin/pg_dump /usr/local/pgsql/pgsql-9.6/
 COPY --from=pg96-builder /usr/lib/postgresql/9.6/bin/pg_dumpall /usr/local/pgsql/pgsql-9.6/
 COPY --from=pg96-builder /usr/lib/postgresql/9.6/bin/pg_restore /usr/local/pgsql/pgsql-9.6/
 COPY --from=pg96-builder /usr/lib/postgresql/9.6/bin/psql /usr/local/pgsql/pgsql-9.6/
 COPY --from=pg10-builder /usr/lib/postgresql/10/bin/pg_dump /usr/local/pgsql/pgsql-10/
 COPY --from=pg10-builder /usr/lib/postgresql/10/bin/pg_dumpall /usr/local/pgsql/pgsql-10/
 COPY --from=pg10-builder /usr/lib/postgresql/10/bin/pg_restore /usr/local/pgsql/pgsql-10/
 COPY --from=pg10-builder /usr/lib/postgresql/10/bin/psql /usr/local/pgsql/pgsql-10/
 COPY --from=pg11-builder /usr/lib/postgresql/11/bin/pg_dump /usr/local/pgsql/pgsql-11/
 COPY --from=pg11-builder /usr/lib/postgresql/11/bin/pg_dumpall /usr/local/pgsql/pgsql-11/
 COPY --from=pg11-builder /usr/lib/postgresql/11/bin/pg_restore /usr/local/pgsql/pgsql-11/
 COPY --from=pg11-builder /usr/lib/postgresql/11/bin/psql /usr/local/pgsql/pgsql-11/
 COPY --from=pg12-builder /usr/lib/postgresql/12/bin/pg_dump /usr/local/pgsql/pgsql-12/
 COPY --from=pg12-builder /usr/lib/postgresql/12/bin/pg_dumpall /usr/local/pgsql/pgsql-12/
 COPY --from=pg12-builder /usr/lib/postgresql/12/bin/pg_restore /usr/local/pgsql/pgsql-12/
 COPY --from=pg12-builder /usr/lib/postgresql/12/bin/psql /usr/local/pgsql/pgsql-12/
 FROM debian:stable-20200720-slim
 ARG DEBIAN_FRONTEND=noninteractive
 COPY --from=tool-builder /usr/local/pgsql /usr/local/
 ARG TARGETARCH
 ARG VERSION=4.24
 ARG GUNICORN_VERSION=20.0.4
 RUN apt update -qq && apt install -qqy --no-install-recommends python3-pip python3-dev python3-setuptools gcc && \
    pip3 install --no-cache-dir pgadmin4==${VERSION} gunicorn==${GUNICORN_VERSION} && \
    apt remove -qqy gcc python3-dev python3-pip && apt autoremove -qqy && rm -rf /var/lib/apt/lists/* && \
    ln -s /usr/local/lib/python3.7/dist-packages/pgadmin4 /pgadmin4 && \
    ln -s /usr/bin/python3 /usr/bin/python && \
    groupadd -g 5050 pgadmin && \
    useradd -r -u 5050 -g pgadmin pgadmin && \
    mkdir -p /var/lib/pgadmin && \
    chown pgadmin:pgadmin /var/lib/pgadmin && \
    mkdir -p /var/log/pgadmin && \
    chown pgadmin:pgadmin /var/log/pgadmin && \
    touch /pgadmin4/config_distro.py && \
    chown pgadmin:pgadmin /pgadmin4/config_distro.py
 COPY entrypoint.sh /entrypoint.sh
 COPY run_pgadmin.py /pgadmin4/
 WORKDIR /pgadmin4
 USER 5050
 VOLUME /var/lib/pgadmin
 ENTRYPOINT ["/entrypoint.sh"]
--- a/pgadmin4/Makefile
+++ b/pgadmin4/Makefile
@ -0,0 +1,15 @@
 include pgadmin4/.version
 pgadmin4-nopush:
 	docker buildx build --platform linux/amd64 --load \
 	    --build-arg VERSION=$(VERSION) \
 	    --build-arg GUNICORN_VERSION=$(GUNICORN_VERSION) \
 	    --tag alemairebe/pgadmin4:$(VERSION) pgadmin4
 pgadmin4:
 	docker buildx build --platform linux/amd64,linux/arm64,linux/arm --push \
 	    --build-arg VERSION=$(VERSION) \
 	    --build-arg GUNICORN_VERSION=$(GUNICORN_VERSION) \
 	    --cache-from=type=registry,ref=alemairebe/pgadmin4:buildx \
 	    --cache-to=type=registry,ref=alemairebe/pgadmin4:buildx \
 	    --tag alemairebe/pgadmin4:$(VERSION) pgadmin4
--- a/pgadmin4/entrypoint.sh
+++ b/pgadmin4/entrypoint.sh
@ -0,0 +1,61 @@
 #!/bin/sh
 # Populate config_distro.py. This has some default config, as well as anything
 # provided by the user through the PGADMIN_CONFIG_* environment variables.
 # Only update the file on first launch. The empty file is created during the
 # container build so it can have the required ownership.
 if [ `wc -m /pgadmin4/config_distro.py | awk '{ print $1 }'` = "0" ]; then
    cat << EOF > /pgadmin4/config_distro.py
 HELP_PATH = '../../docs'
 DEFAULT_BINARY_PATHS = {
        'pg': '/usr/local/pgsql-12'
 }
 EOF
    # This is a bit kludgy, but necessary as the container uses BusyBox/ash as
    # it's shell and not bash which would allow a much cleaner implementation
    for var in $(env | grep PGADMIN_CONFIG_ | cut -d "=" -f 1); do
        echo ${var#PGADMIN_CONFIG_} = $(eval "echo \$$var") >> /pgadmin4/config_distro.py
    done
 fi
 if [ ! -f /var/lib/pgadmin/pgadmin4.db ]; then
    if [ -z "${PGADMIN_DEFAULT_EMAIL}" -o -z "${PGADMIN_DEFAULT_PASSWORD}" ]; then
        echo 'You need to specify PGADMIN_DEFAULT_EMAIL and PGADMIN_DEFAULT_PASSWORD environment variables'
        exit 1
    fi
    # Set the default username and password in a
    # backwards compatible way
    export PGADMIN_SETUP_EMAIL=${PGADMIN_DEFAULT_EMAIL}
    export PGADMIN_SETUP_PASSWORD=${PGADMIN_DEFAULT_PASSWORD}
    # Initialize DB before starting Gunicorn
    # Importing pgadmin4 (from this script) is enough
    python run_pgadmin.py
    export PGADMIN_SERVER_JSON_FILE=${PGADMIN_SERVER_JSON_FILE:-/pgadmin4/servers.json}
    # Pre-load any required servers
    if [ -f "${PGADMIN_SERVER_JSON_FILE}" ]; then
        # When running in Desktop mode, no user is created
        # so we have to import servers anonymously
        if [ "${PGADMIN_CONFIG_SERVER_MODE}" = "False" ]; then
            /usr/local/bin/python /pgadmin4/setup.py --load-servers "${PGADMIN_SERVER_JSON_FILE}"
        else
            /usr/local/bin/python /pgadmin4/setup.py --load-servers "${PGADMIN_SERVER_JSON_FILE}" --user ${PGADMIN_DEFAULT_EMAIL}
        fi
    fi
 fi
 # Get the session timeout from the pgAdmin config. We'll use this (in seconds)
 # to define the Gunicorn worker timeout
 TIMEOUT=$(cd /pgadmin4 && python -c 'import config; print(config.SESSION_EXPIRATION_TIME * 60 * 60 * 24)')
 # NOTE: currently pgadmin can run only with 1 worker due to sessions implementation
 # Using --threads to have multi-threaded single-process worker
 if [ ! -z ${PGADMIN_ENABLE_TLS} ]; then
    exec gunicorn --timeout ${TIMEOUT} --bind ${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-8443} -w 1 --threads ${GUNICORN_THREADS:-25} --access-logfile ${GUNICORN_ACCESS_LOGFILE:--} --keyfile /certs/server.key --certfile /certs/server.cert run_pgadmin:app
 else
    exec gunicorn --timeout ${TIMEOUT} --bind ${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-8080} -w 1 --threads ${GUNICORN_THREADS:-25} --access-logfile ${GUNICORN_ACCESS_LOGFILE:--} run_pgadmin:app
 fi
--- a/pgadmin4/run_pgadmin.py
+++ b/pgadmin4/run_pgadmin.py
@ -0,0 +1,4 @@
 import builtins
 builtins.SERVER_MODE = True
 from pgAdmin4 import app
--- a/readme.adoc
+++ b/readme.adoc
@ -0,0 +1,14 @@
 image:https://gitlab.com/alemaire/buildx/badges/master/pipeline.svg[link="https://gitlab.com/alemaire/buildx/-/commits/master",title="pipeline status"]
 On debian :
 install docker CE from docker as packaged version is not egal or higher than 19.03
 apt install binfmt-support
 docker buildx create --use
 docker buildx build --platform linux/amd64,linux/arm64,linux/arm,linux/ppc64le --push --tag alemairebe/mc:RELEASE.2020-06-26T19-56-55Z --build-arg MC_VERSION=RELEASE.2020-06-26T19-56-55Z .
 --cache-from=type=registry,ref=user/app
		`@ -0,0 +1,2 @@`
							`/subsystem=keycloak-server/spi=hostname:write-attribute(name=default-provider, value="${keycloak.hostname.provider:default}")`
							`/subsystem=keycloak-server/spi=hostname/provider=fixed/:add(properties={hostname => "${keycloak.hostname.fixed.hostname:localhost}",httpPort => "${keycloak.hostname.fixed.httpPort:-1}",httpsPort => "${keycloak.hostname.fixed.httpsPort:-1}",alwaysHttps => "${keycloak.hostname.fixed.alwaysHttps:false}"},enabled=true)`
		`@ -0,0 +1,2 @@`
							`/subsystem=undertow/server=default-server/http-listener=default: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})`
							`/subsystem=undertow/server=default-server/https-listener=https: write-attribute(name=proxy-address-forwarding, value=${env.PROXY_ADDRESS_FORWARDING:false})`
		`@ -0,0 +1,2 @@`
							`/subsystem=keycloak-server/theme=defaults:write-attribute(name=welcomeTheme,value=${env.KEYCLOAK_WELCOME_THEME:keycloak})`
							`/subsystem=keycloak-server/theme=defaults:write-attribute(name=default,value=${env.KEYCLOAK_DEFAULT_THEME:keycloak})`