feat(lab-03): Keycloak advanced — 2-node cluster, MailHog SMTP, brute-force policy, custom scopes

Author: RedjiJB

.github/workflows/ci.yml

@@ -148,4 +148,37 @@ jobs:
 
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.lan.yml down -v
+        run: docker compose -f docker/docker-compose.lan.yml down -v
+
+  lab-03-smoke:
+    name: Lab 03 — Keycloak Cluster + MailHog
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tools
+        run: sudo apt-get install -y netcat-openbsd curl
+
+      - name: Start advanced stack (2 nodes + postgres + mailhog)
+        run: docker compose -f docker/docker-compose.advanced.yml up -d
+
+      - name: Wait for Keycloak node 1
+        run: timeout 200 bash -c 'until curl -sf http://localhost:8080/health/ready; do sleep 5; done'
+
+      - name: Wait for Keycloak node 2
+        run: timeout 200 bash -c 'until curl -sf http://localhost:8081/health/ready; do sleep 5; done'
+
+      - name: Run Lab 02-03 test script
+        env:
+          KC_PASS: "Lab03Password!"
+        run: bash tests/labs/test-lab-02-03.sh
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.advanced.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.advanced.yml down -v

docker/docker-compose.advanced.yml

@@ -1,34 +1,116 @@
-# Lab 03 — Advanced Features: keycloak with TLS, resource limits, logging
----
+# Lab 02-03: Advanced Features — Keycloak cluster + MailHog SMTP + brute force protection
+# Purpose: HA deployment, email flow testing, session replication, token policies
+#
+# Usage:
+#   docker compose -f docker/docker-compose.advanced.yml up -d
+#   Keycloak node 1:  http://localhost:8080
+#   Keycloak node 2:  http://localhost:8081
+#   MailHog UI:       http://localhost:8025  (catches all Keycloak emails)
+#   MailHog SMTP:     localhost:1025
+
 services:
-  keycloak:
-    image: quay.io/keycloak/keycloak:24
-    container_name: it-stack-keycloak
+
+  # ─── SHARED DATABASE ─────────────────────────────────────────────────────
+  keycloak-db:
+    image: postgres:16-alpine
+    container_name: it-stack-kc-db-adv
     restart: unless-stopped
-    ports:
-      - "8080:$firstPort"
     environment:
-      - IT_STACK_ENV=lab-03-advanced
-      - TLS_ENABLED=true
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: "Lab03Password!"
     volumes:
-      - keycloak_data:/var/lib/keycloak
-      - ./certs:/etc/ssl/certs:ro
-    deploy:
-      resources:
-        limits:
-          cpus: "2.0"
-          memory: G
-    logging:
-      driver: json-file
-      options:
-        max-size: "100m"
-        max-file: "5"
+      - kc-db-adv:/var/lib/postgresql/data
     networks:
-      - it-stack-net
+      - kc-db-net
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
 
-networks:
-  it-stack-net:
-    driver: bridge
+  # ─── MAILHOG — SMTP sink for email testing ────────────────────────────────
+  mailhog:
+    image: mailhog/mailhog:latest
+    container_name: it-stack-mailhog
+    restart: unless-stopped
+    ports:
+      - "1025:1025"   # SMTP
+      - "8025:8025"   # Web UI
+    networks:
+      - kc-app-net
+
+  # ─── KEYCLOAK NODE 1 ─────────────────────────────────────────────────────
+  keycloak-1:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: it-stack-keycloak-1
+    restart: unless-stopped
+    command: start-dev --http-port=8080
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://keycloak-db:5432/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: "Lab03Password!"
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: "Lab03Password!"
+      KC_HOSTNAME_STRICT: "false"
+      KC_HTTP_ENABLED: "true"
+      KC_PROXY_HEADERS: forwarded
+      # Cache — distributed mode for clustering
+      KC_CACHE: ispn
+      KC_CACHE_STACK: tcp
+      JAVA_OPTS_APPEND: "-Djgroups.bind_addr=it-stack-keycloak-1"
+    ports:
+      - "8080:8080"
+    networks:
+      - kc-app-net
+      - kc-db-net
+    depends_on:
+      keycloak-db:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready || exit 1"]
+      interval: 15s
+      timeout: 10s
+      retries: 15
+      start_period: 60s
+
+  # ─── KEYCLOAK NODE 2 ─────────────────────────────────────────────────────
+  keycloak-2:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: it-stack-keycloak-2
+    restart: unless-stopped
+    command: start-dev --http-port=8081
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://keycloak-db:5432/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: "Lab03Password!"
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: "Lab03Password!"
+      KC_HOSTNAME_STRICT: "false"
+      KC_HTTP_ENABLED: "true"
+      KC_PROXY_HEADERS: forwarded
+      KC_CACHE: ispn
+      KC_CACHE_STACK: tcp
+      JAVA_OPTS_APPEND: "-Djgroups.bind_addr=it-stack-keycloak-2"
+    ports:
+      - "8081:8081"
+    networks:
+      - kc-app-net
+      - kc-db-net
+    depends_on:
+      keycloak-db:
+        condition: service_healthy
+      keycloak-1:
+        condition: service_healthy
 
 volumes:
-  keycloak_data:
+  kc-db-adv:
+
+networks:
+  kc-app-net:
+    driver: bridge
+  kc-db-net:
+    driver: bridge
+    internal: true