Part 4: Local Infrastructure
4.1 Create the certificate generation script
Create certs/generate.sh at the project root. This script uses mkcert to generate all certificates needed for local mTLS development in a single run. Make it executable:
```sh
mkdir -p certs
chmod +x certs/generate.sh
```
The script creates the following files in certs/:
| File | Purpose |
|---|---|
| ca.crt | mkcert root CA certificate (PEM) |
| tls.crt / tls.key | Provider HTTPS server certificate (PEM) |
| client.crt / client.key | Provider AMQP client certificate for mTLS to Artemis (PEM) |
| broker.p12 | Artemis broker keystore (PKCS12) |
| ca-truststore.p12 | Artemis CA truststore — verifies consumer client certificates (PKCS12) |
| keycloak-keystore.p12 | Keycloak HTTPS keystore (PKCS12) |
| validator-keystore.p12 | Validator AMQP client keystore (PKCS12) |
| validator-truststore.p12 | Validator CA truststore (PKCS12) |
The key SANs configured for each certificate are:
| Certificate | SANs include |
|---|---|
| Broker | localhost, ffice-provider-artemis, provider-artemis, *.swim.lab |
| Keycloak | keycloak.swim.lab, keycloak, localhost |
| Provider HTTPS | localhost, ffice-provider, ffice-provider.swim.lab |
| Provider client (AMQP) | ffice-provider, localhost |
| Validator client (AMQP) | ffice-provider-validator, localhost |
Add certs/ to .gitignore to avoid committing certificates. Only the script itself should be in source control.
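The following is an added example of what certs/generate.sh can look like; it is not the project's own script. It issues each certificate with mkcert using exactly the SANs from the table above, copies mkcert's root CA to ca.crt, and converts the broker, Keycloak and validator pairs into PKCS12 stores with openssl. Everything not stated on this page is an assumption of the example: the keystore password `changeit` (overridable via `P12_PASS`), the keystore aliases, the `all` and `clean` subcommands, the intermediate PEM file names (broker.crt, keycloak.crt, validator.crt), and the use of keytool when it is available for the truststores (keytool marks the CA as a trusted entry, which is what the JVM-based Artemis and validator expect from a truststore; the openssl fallback writes a cert-only PKCS12).

```shell
#!/bin/sh
# certs/generate.sh (added example, not the project's own script).
# Assumed: P12 password "changeit", aliases, "all|clean" subcommands,
# intermediate PEM names, openssl/keytool for the PKCS12 conversion.
set -eu

CERT_DIR="$(cd "$(dirname "$0")" && pwd)"
P12_PASS="${P12_PASS:-changeit}"   # assumed default; override: P12_PASS=... ./generate.sh all

# SANs per certificate, exactly as listed in the table above.
sans_for() {
  case "$1" in
    broker)           echo "localhost ffice-provider-artemis provider-artemis *.swim.lab" ;;
    keycloak)         echo "keycloak.swim.lab keycloak localhost" ;;
    provider-https)   echo "localhost ffice-provider ffice-provider.swim.lab" ;;
    provider-client)  echo "ffice-provider localhost" ;;
    validator-client) echo "ffice-provider-validator localhost" ;;
    *) echo "unknown certificate: $1" >&2; return 1 ;;
  esac
}

# Files the script leaves behind in certs/.
expected_outputs() {
  echo "ca.crt tls.crt tls.key client.crt client.key broker.p12 ca-truststore.p12 keycloak-keystore.p12 validator-keystore.p12 validator-truststore.p12"
}

# issue NAME CERT KEY [mkcert flags...]: one mkcert run per certificate.
issue() {
  name=$1; crt=$2; key=$3; shift 3
  set -f                             # keep *.swim.lab from being globbed
  mkcert "$@" -cert-file "$crt" -key-file "$key" $(sans_for "$name")
  set +f
}

# to_p12 OUT CERT KEY ALIAS: private key plus chain as a PKCS12 keystore.
to_p12() {
  openssl pkcs12 -export -in "$2" -inkey "$3" -certfile ca.crt \
    -name "$4" -out "$1" -passout "pass:$P12_PASS"
}

# truststore OUT: CA-only PKCS12 used to verify peer certificates.
truststore() {
  rm -f "$1"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -storetype PKCS12 -keystore "$1" \
      -storepass "$P12_PASS" -alias mkcert-ca -file ca.crt
  else
    openssl pkcs12 -export -nokeys -in ca.crt -name mkcert-ca \
      -out "$1" -passout "pass:$P12_PASS"
  fi
}

generate_all() {
  command -v mkcert  >/dev/null 2>&1 || { echo "mkcert is required" >&2; return 1; }
  command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; return 1; }
  cd "$CERT_DIR"
  issue broker           broker.crt    broker.key
  issue keycloak         keycloak.crt  keycloak.key
  issue provider-https   tls.crt       tls.key
  issue provider-client  client.crt    client.key    -client
  issue validator-client validator.crt validator.key -client
  cp "$(mkcert -CAROOT)/rootCA.pem" ca.crt       # mkcert created the CA on first use
  to_p12 broker.p12             broker.crt    broker.key    broker
  to_p12 keycloak-keystore.p12  keycloak.crt  keycloak.key  keycloak
  to_p12 validator-keystore.p12 validator.crt validator.key validator
  truststore ca-truststore.p12
  truststore validator-truststore.p12
  echo "generated: $(expected_outputs)"
}

main() {
  case "${1:-}" in
    all)   generate_all ;;
    clean) cd "$CERT_DIR" && rm -f -- *.crt *.key *.p12 ;;
    *)     echo "usage: $0 all|clean" >&2 ;;
  esac
}

main "$@"
```

Run it from the project root as `./certs/generate.sh all`; `./certs/generate.sh clean` removes everything it produced. The client certificates are issued with mkcert's `-client` flag so they carry the client-authentication extended key usage, and the two truststores contain only the CA, which is what lets Artemis verify consumer certificates without trusting anything beyond the local mkcert CA.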
4.2 Infrastructure overview
compose.yml starts the following services:
| Service | Port | Purpose |
|---|---|---|
| provider-artemis | 5671 (AMQPS), 8161 (console) | AMQP broker for event delivery to subscribers |
| provider-postgres | 5432 | PostgreSQL for events and subscriptions |
| kafka | 9092 | Kafka broker for FF-ICE event ingress |
| kafka-init | — | Creates ffice-events-all-topic and ffice-events-dlq-topic |
| akhq | 9090 | Kafka web UI |
| keycloak | 8543 (HTTPS) | OIDC identity provider |
| keycloak-postgres | 5433 | Keycloak database |
| ffice-provider-validator | 8085 | Provider validator UI and AMQP consumer |
| ffice-provider-validator-db | 3308 | MariaDB for validator message persistence |
To run without the validator (e.g. provider-only development), scale the validator services to zero:
```sh
podman compose up -d --scale ffice-provider-validator=0 --scale ffice-provider-validator-db=0
```
4.3 Optional: add keycloak.swim.lab to /etc/hosts
The provider and Keycloak communicate using the hostname keycloak.swim.lab. If you want to reach Keycloak's admin console from a browser under that same name, add the following line to your /etc/hosts:
```
127.0.0.1 keycloak.swim.lab
```
On Linux with Podman (not macOS), also add:
```
127.0.0.1 host.containers.internal
```