Docker setup to run localy keycloak, postgress and minio

Author: sradzhabov

keycloak-minio-docker/README.md

@@ -0,0 +1,43 @@
+Here is the polished and spell-checked version of your markdown text:
+
+## Setup
+
+The **Keycloak** container must be running before the **MinIO** container starts up. It takes a few minutes for **Keycloak** and **Postgres** to fully bootstrap.
+
+The file `minio-realm-config.json` is imported at boot and creates the following configuration:
+
+  * Realm: `minio_realm`
+  * Realm Role: `readonly`
+  * OpenID Client: `minio-client`
+  * Mapper for `minio-client` mapping the user's **Realm Role** to the token attribute `"policy"`.
+  * Client User: `testuser` with the assigned role `readonly`.
+
+-----
+
+## Credentials
+
+**MinIO** admin credentials, along with the credentials for **Keycloak** and **Postgres**, are specified in the `docker-compose.yaml` file and `init.env`.
+
+The credentials for the **test user** are specified within the `minio-realm-config.json` file.
+
+-----
+
+## Start
+
+Initialize environment variables:
+
+```bash
+source init.env
+```
+
+Start the **Keycloak** and **Postgres** containers:
+
+```bash
+docker compose -f keycloak.yaml up
+```
+
+Once **Keycloak** is running and available, start **MinIO**:
+
+```bash
+docker compose -f minio.yaml up
+```

keycloak-minio-docker/init.env

@@ -0,0 +1,5 @@
+export KEYCLOAK_USER=admin
+export KEYCLOAK_PASSWORD=admin
+export POSTGRES_DB=keycloakdb
+export POSTGRES_USER=psuser
+export POSTGRES_PASSWORD=pspassword

keycloak-minio-docker/keycloak.yaml

@@ -0,0 +1,49 @@
+services:
+  postgres-db:
+    image: postgres:16-alpine
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    networks:
+      - keycloak-network
+
+  keycloak:
+    container_name: keycloak_app
+    image: quay.io/keycloak/keycloak:latest
+    user: root
+    restart: always
+    ports:
+      - "8080:8080"
+    environment:
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_USER}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_PASSWORD}
+      KC_HTTP_ENABLED: 'true'
+      KC_HOSTNAME_STRICT_HTTPS: false
+      KC_HOSTNAME: keycloak
+      KEYCLOAK_IMPORT: /opt/keycloak/data/import/realm-config.json
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres-db/${POSTGRES_DB}
+      KC_DB_USERNAME: ${POSTGRES_USER}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+    depends_on:
+      - postgres-db
+    networks:
+      - keycloak-network
+    command: ["start", "--import-realm"]
+    volumes:
+      - ./minio-realm-config.json:/opt/keycloak/data/import/minio-realm-config.json
+      - keycloak-data:/opt/keycloak/data
+
+volumes:
+  postgres_data:
+    driver: local
+  keycloak-data:
+
+networks:
+  keycloak-network:
+    name: keycloak-network
+    driver: bridge
+

keycloak-minio-docker/minio-realm-config.json

@@ -0,0 +1,90 @@
+{
+  "realm": "minio_realm",
+  "enabled": true,
+  "users": [
+    {
+      "username": "testuser",
+      "email": "[email protected]",
+      "firstName": "Sarah",
+      "lastName": "Connor",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "password",
+          "temporary": false
+        }
+      ],
+      "realmRoles": [
+        "readonly"
+      ]
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "minio-client",
+      "name": "MinIO OIDC Client",
+      "secret": "nrb2E4DKOL7QmShrtTO1O7RERXeKt6UC",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "clientAuthenticatorType": "client-secret",
+      "publicClient": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "standardFlowEnabled": true,
+      "rootUrl": "http://127.0.0.1:9001",
+      "redirectUris": [
+        "http://127.0.0.1:9001/oauth_callback"
+      ],
+      "defaultClientScopes": [
+        "openid",
+        "profile",
+        "email"
+      ],
+      "optionalClientScopes": [
+        "offline_access"
+      ],
+      "protocolMappers": [
+        {
+          "name": "realm-role-mapper",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "introspection.token.claim": "true",
+            "multivalued": "true",
+            "userinfo.token.claim": "true",
+            "id.token.claim": "true",
+            "lightweight.claim": "false",
+            "access.token.claim": "true",
+            "claim.name": "policy",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "name": "security-admin-audience-mapper",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "config": {
+            "included.client.audience": "security-admin-console",
+            "id.token.claim": "true",
+            "access.token.claim": "true"
+          }
+        }
+      ]
+    }
+  ],
+  "roles": {
+    "realm": [
+      {
+        "name": "readonly",
+        "description": "This role provides read only access to all buckets",
+        "composite": false,
+        "clientRole": false,
+        "attributes": {}
+      }
+    ]
+  }
+}

keycloak-minio-docker/minio.yaml

@@ -0,0 +1,42 @@
+services:
+  # ----------------------------------
+  # MinIO Object Storage
+  # ----------------------------------
+  minio:
+    image: quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z
+    container_name: minio
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+      
+      # OIDC Configuration (uses the service name 'keycloak' and the standard port)
+      MINIO_IDENTITY_OPENID_CONFIG_URL: http://keycloak:8080/realms/minio_realm/.well-known/openid-configuration
+      MINIO_IDENTITY_OPENID_CLIENT_ID: minio-client
+      MINIO_IDENTITY_OPENID_CLIENT_SECRET: nrb2E4DKOL7QmShrtTO1O7RERXeKt6UC
+      MINIO_IDENTITY_OPENID_CLAIM_NAME: "policy"
+      MINIO_IDENTITY_OPENID_SCOPES: openid,profile,email
+      MINIO_BROWSER_REDIRECT_URL: http://127.0.0.1:9001
+      MINIO_IDENTITY_OPENID_REDIRECT_URI: http://127.0.0.1:9001/oauth_callback
+      MINIO_IDENTITY_OPENID_DISPLAY_NAME: "Login with SSO"
+      
+
+    command: server /data --console-address ":9001"
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    volumes:
+      - minio-data:/data
+    networks:
+      - keycloak-network
+    restart: unless-stopped
+
+volumes:
+  minio-data:
+  keycloak-data:
+
+
+networks:
+  keycloak-network:
+    name: keycloak-network
+    external: true
+