Step 5 of 7

Part 4: Local Infrastructure

4.1 Create the certificate generation script

Create certs/generate.sh under the project root. The script uses mkcert to generate every certificate needed for local mTLS development in a single run. Create the directory and make the script executable:

mkdir -p certs
chmod +x certs/generate.sh

The script creates the following files in certs/:

File                      | Purpose
--------------------------|--------------------------------------------------------------------
ca.crt                    | mkcert root CA certificate (PEM)
tls.crt / tls.key         | Provider HTTPS server certificate (PEM)
client.crt / client.key   | Provider AMQP client certificate for mTLS to Artemis (PEM)
broker.p12                | Artemis broker keystore (PKCS12)
ca-truststore.p12         | Artemis CA truststore — verifies consumer client certificates (PKCS12)
keycloak-keystore.p12     | Keycloak HTTPS keystore (PKCS12)
validator-keystore.p12    | Validator AMQP client keystore (PKCS12)
validator-truststore.p12  | Validator CA truststore (PKCS12)

The key SANs configured for each certificate are:

Certificate             | SANs include
------------------------|-------------------------------------------------------------
Broker                  | localhost, ffice-provider-artemis, provider-artemis, *.swim.lab
Keycloak                | keycloak.swim.lab, keycloak, localhost
Provider HTTPS          | localhost, ffice-provider, ffice-provider.swim.lab
Provider client (AMQP)  | ffice-provider, localhost
Validator client (AMQP) | ffice-provider-validator, localhost

Add certs/ to .gitignore so that the generated certificates and private keys are never committed. Only the script itself belongs in source control.
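
One way to write certs/generate.sh, added here as an example rather than taken from the project: it issues mkcert certificates with the SANs listed in the table above and builds the PKCS12 stores with openssl and keytool; the store password (changeit), the key aliases, the CERTS_DIR/STORE_PASS overrides and the check_san self-check are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example of certs/generate.sh (not the project's script). Assumes mkcert,
# openssl and keytool on PATH; the password and aliases are placeholders.
set -eu
CERTS="${CERTS_DIR:-$(dirname "$0")}"
STORE_PASS="${STORE_PASS:-changeit}"
# issue <name> <server|client> <san>... : mkcert-signed PEM cert + key
issue() {
  local name="$1" kind="$2" flag=""; shift 2
  if [ "$kind" = client ]; then flag="-client"; fi  # adds EKU clientAuth
  mkcert $flag -cert-file "$CERTS/$name.crt" -key-file "$CERTS/$name.key" "$@"
}
# keystore <name> <alias> <out.p12> : bundle PEM cert + key into PKCS12
keystore() {
  openssl pkcs12 -export -in "$CERTS/$1.crt" -inkey "$CERTS/$1.key" \
    -name "$2" -out "$CERTS/$3" -passout "pass:$STORE_PASS"
}
# truststore <out.p12> : CA-only PKCS12 built with keytool so Java treats the CA as trusted
truststore() {
  rm -f "$CERTS/$1"
  keytool -importcert -noprompt -alias mkcert-ca -file "$CERTS/ca.crt" \
    -keystore "$CERTS/$1" -storetype PKCS12 -storepass "$STORE_PASS"
}
# check_san <cert.pem> <dns-name>... : 0 only if every name is in the SAN list
check_san() {
  local cert="$1" sans; shift
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName)
  for n in "$@"; do
    case "$sans" in
      *"DNS:$n"*) ;;
      *) echo "missing SAN $n in $cert" >&2; return 1 ;;
    esac
  done
}
main() {
  mkcert -install                                   # trust the mkcert CA locally
  cp "$(mkcert -CAROOT)/rootCA.pem" "$CERTS/ca.crt"
  issue broker    server localhost ffice-provider-artemis provider-artemis '*.swim.lab'
  issue keycloak  server keycloak.swim.lab keycloak localhost
  issue tls       server localhost ffice-provider ffice-provider.swim.lab
  issue client    client ffice-provider localhost
  issue validator client ffice-provider-validator localhost
  keystore broker broker broker.p12
  keystore keycloak keycloak keycloak-keystore.p12
  keystore validator validator validator-keystore.p12
  truststore ca-truststore.p12
  truststore validator-truststore.p12
  check_san "$CERTS/client.crt" ffice-provider localhost   # self-check
}
case "$0" in *generate.sh) main "$@" ;; esac  # run only when executed as generate.sh
```

Whatever store password you pick must match the keystore settings that the Artemis, Keycloak and validator configuration in compose.yml expects.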

4.2 Infrastructure overview

compose.yml starts the following services:

Service                     | Port                          | Purpose
----------------------------|-------------------------------|----------------------------------------------------
provider-artemis            | 5671 (AMQPS), 8161 (console)  | AMQP broker for event delivery to subscribers
provider-postgres           | 5432                          | PostgreSQL for events and subscriptions
kafka                       | 9092                          | Kafka broker for FF-ICE event ingress
kafka-init                  |                               | Creates ffice-events-all-topic and ffice-events-dlq-topic
akhq                        | 9090                          | Kafka web UI
keycloak                    | 8543 (HTTPS)                  | OIDC identity provider
keycloak-postgres           | 5433                          | Keycloak database
ffice-provider-validator    | 8085                          | Provider validator UI and AMQP consumer
ffice-provider-validator-db | 3308                          | MariaDB for validator message persistence

To run without the validator (e.g. provider-only development), scale the validator services to zero:

podman compose up -d --scale ffice-provider-validator=0 --scale ffice-provider-validator-db=0

4.3 Optional: add keycloak.swim.lab to /etc/hosts

The provider and Keycloak communicate using the hostname keycloak.swim.lab. To open Keycloak's admin console in a browser on the host, add the following line to your /etc/hosts:

127.0.0.1  keycloak.swim.lab

On Linux with Podman (not macOS), also add:

127.0.0.1  host.containers.internal