fix(dev): persist Keycloak across restarts (dev-file + named volume) #42

Merged
sharang merged 1 commits from fix/m7.1-kc-dev-file into main 2026-06-04 14:46:16 +00:00

Summary

Stops Keycloak from dissolving every time the certifai stack goes idle.

  • KC_DB: dev-mem → KC_DB: dev-file — H2 now writes to /opt/keycloak/data/h2/.
  • New keycloak-data named volume mounted at that path so the DB survives container restarts.
  • realm-export.json bind-mount stays read-only — --import-realm continues to run on fresh starts, so docker compose down -v remains the clean-slate lever.

Bit twice during the M7.1 testing session: every time KC went idle the realm + the 5 test users vanished and we had to re-import. This closes that gap.

Test plan

  • [x] docker compose config — yaml parses
  • [ ] docker compose down -v && docker compose up -d keycloak → KC up → admin/admin login at :8080 shows the certifai realm with all 5 test users
  • [ ] docker compose restart keycloak → realm + users still there afterwards (the actual regression we're fixing)
sharang added 1 commit 2026-06-04 14:42:46 +00:00
fix(dev): switch Keycloak to dev-file + persistent volume
CI / Deploy (pull_request) Has been skipped
CI / E2E Tests (pull_request) Has been skipped
CI / Format (push) Successful in 15s
CI / Clippy (push) Successful in 2m17s
CI / Security Audit (push) Has been skipped
CI / Tests (push) Has been skipped
CI / Format (pull_request) Successful in 3s
CI / Clippy (pull_request) Successful in 2m13s
CI / Security Audit (pull_request) Has been skipped
CI / Tests (pull_request) Has been skipped
CI / Deploy (push) Has been skipped
CI / E2E Tests (push) Has been skipped
ea70a2eb33
KC_DB was set to dev-mem (H2 in-memory) — every time the keycloak
container went idle or restarted, the realm + the M7.1 test users
dissolved and the next smoke run failed with token_not_found until
realm-export was re-imported manually. Bit twice during the M7.1
testing session.

dev-file points H2 at /opt/keycloak/data/h2/ and the new
keycloak-data named volume keeps it across container lifecycles. The
realm-export.json bind-mount is still read-only and re-imported on
fresh starts via `--import-realm`, so a `docker compose down -v` is
still the canonical "rebuild from scratch" lever.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
sharang merged commit dec283c1ca into main 2026-06-04 14:46:16 +00:00
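
The setup described in the summary can be checked mechanically against the output of `docker compose config --format json`. The following is an added example, not code from this PR or the certifai repository. The service name `keycloak`, the host and import paths in the sample, the `start-dev` command and the JSON shape are assumptions, and the sample document is constructed.

```python
import json

H2_DIR = "/opt/keycloak/data/h2"  # path named in the PR description

# Constructed sample of `docker compose config --format json` output
# (assumed shape; paths other than H2_DIR are placeholders).
SAMPLE_FIXED = json.loads("""
{"services": {"keycloak": {
  "command": ["start-dev", "--import-realm"],
  "environment": {"KC_DB": "dev-file"},
  "volumes": [
    {"type": "volume", "source": "keycloak-data", "target": "/opt/keycloak/data/h2"},
    {"type": "bind", "source": "/src/keycloak/realm-export.json",
     "target": "/opt/keycloak/data/import/realm-export.json", "read_only": true}
  ]}},
 "volumes": {"keycloak-data": {}}}
""")


def check_keycloak_persistence(config, service="keycloak"):
    """Return a list of findings; an empty list means the setup persists."""
    svc = config.get("services", {}).get(service)
    if svc is None:
        return [f"service {service!r} not found"]
    findings = []
    kc_db = (svc.get("environment") or {}).get("KC_DB")
    if kc_db != "dev-file":
        findings.append(f"KC_DB is {kc_db!r}, expected 'dev-file'")
    mounts = svc.get("volumes") or []
    # The H2 directory must sit on a named volume that is also declared top-level.
    h2 = [m for m in mounts if m.get("target", "").rstrip("/") == H2_DIR]
    declared = config.get("volumes") or {}
    if not any(m.get("type") == "volume" and m.get("source") in declared for m in h2):
        findings.append(f"no declared named volume mounted at {H2_DIR}")
    # The realm export is import-only input and should stay read-only.
    for m in mounts:
        if m.get("source", "").endswith("realm-export.json") and not m.get("read_only"):
            findings.append("realm-export.json bind mount is writable")
    if "--import-realm" not in (svc.get("command") or []):
        findings.append("--import-realm missing from command")
    return findings
```

Feed it the parsed JSON from `docker compose config --format json`; a non-empty result lists what would make the realm and test users disappear on restart.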
Reference: sharang/certifai#42