Keycloak

This reference implementation deploys Keycloak with the Keycloak operator.

Dependencies

Installation

For the Keycloak Operator to function, at minimum the following must be deployed:

  • The Keycloak Operator (Controller)
  • A Keycloak Instance (Custom Resource)

Using Flux CD, for example, you can install both with the following two Kustomizations. The instance Kustomization must not be applied before the operator's CRDs exist, so it should depend on the operator Kustomization.

Keycloak Operator (Controller)

Kustomization:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: keycloak-operator
  namespace: flux-system
spec:
  interval: 15m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  serviceAccountName: kustomize-controller
  path: ./infrastructure/keycloak/operator/overlays/local
  prune: true
  wait: true
  dependsOn:
    - name: cluster-resources
    - name: cloudnative-pg
    - name: sealed-secrets
    - name: kyverno-policies

Keycloak Instance

Kustomization:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: keycloak-instances
  namespace: flux-system
spec:
  interval: 15m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  serviceAccountName: kustomize-controller
  path: ./infrastructure/keycloak/instances/overlays/local
  prune: true
  wait: true
  dependsOn:
    - name: cluster-resources
    - name: cloudnative-pg
    - name: sealed-secrets
    - name: kyverno-policies
    # The Keycloak CRD must be installed before the Keycloak CR can be applied;
    # without this dependency the first reconciliation fails with "no matches for kind".
    - name: keycloak-operator

SealedSecret

The Keycloak admin password is stored as a Sealed Secret. Create it as follows (note that --from-literal leaves the password in your shell history; reading it from a file with --from-file=KEYCLOAK_ADMIN_PASSWORD=<path> avoids that):

kubectl create secret generic keycloak \
  --namespace keycloak \
  --from-literal=KEYCLOAK_ADMIN_PASSWORD='YourSuperSecretPassword' \
  --dry-run=client -o yaml > secret.yaml

kubeseal \
  --format yaml \
  --name keycloak \
  --namespace keycloak \
  --controller-name=sealed-secrets-controller \
  --controller-namespace=sealed-secrets \
  < secret.yaml > sealed-secret.yaml

git add sealed-secret.yaml
rm secret.yaml

Commit only sealed-secret.yaml. The file secret.yaml contains the plaintext password and must never be added to the repository. Because kubeseal uses the strict scope by default, the sealed value can only be unsealed as a Secret named keycloak in the keycloak namespace; re-seal it if either changes.

Configuration

The fully qualified domain name (FQDN) of your Keycloak instance must be configured by patching the manifests in:

./infrastructure/keycloak/instances/overlays/<cluster>/kustomization.yaml
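An example of such an overlay, added here and not copied from the repository: it assumes the base directory contains a Keycloak CR named keycloak and patches its public hostname with a JSON patch. The hostname keycloak.example.nl and the CR name are assumptions.

```yaml
# ./infrastructure/keycloak/instances/overlays/<cluster>/kustomization.yaml (added example)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: keycloak
resources:
  - ../../base
patches:
  # Target the Keycloak CR from base (assumed to be named "keycloak")
  - target:
      group: k8s.keycloak.org
      version: v2alpha1
      kind: Keycloak
      name: keycloak
    patch: |-
      # Public FQDN used for issuer URLs, redirects and the admin console
      - op: replace
        path: /spec/hostname/hostname
        value: keycloak.example.nl
```

After Flux has applied the overlay, confirm the instance is healthy with `kubectl get keycloak -n keycloak` (the Ready condition in the CR status must be True) before continuing; a wrong hostname shows up as tokens whose issuer does not match the URL clients use.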

It is also possible to deploy a Keycloak realm declaratively using the KeycloakRealmImport Custom Resource provided by the operator.

A working example is provided in: ./infrastructure/keycloak/instances/base/realm.yaml

More information can be found in the Keycloak operator documentation on realm import.
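A minimal KeycloakRealmImport, added as an illustration rather than taken from the repository's realm.yaml: it creates the havenplus realm with brute-force protection and self-registration disabled, and one confidential OIDC client. The CR name keycloak, the client ID example-app and the redirect URI are assumptions. Client secrets are deliberately left out: a realm CR is committed to git, so credentials do not belong in it.

```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: havenplus-realm
  namespace: keycloak
spec:
  # Name of the Keycloak CR to import into (assumed)
  keycloakCRName: keycloak
  realm:
    realm: havenplus
    enabled: true
    displayName: havenplus
    # Realm-level hardening applied at creation time
    sslRequired: external
    bruteForceProtected: true
    registrationAllowed: false
    roles:
      realm:
        - name: user
    clients:
      # Confidential client: no implicit flow, no password grant (assumed client)
      - clientId: example-app
        protocol: openid-connect
        publicClient: false
        standardFlowEnabled: true
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        redirectUris:
          - https://app.example.nl/callback
        webOrigins:
          - https://app.example.nl
```

Keep the realm CR in the instances base so it is applied by the same Flux Kustomization as the Keycloak CR; the operator waits for the instance to become ready before running the import.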

Realm import limitations

A KeycloakRealmImport is performed only once. If a realm with that name already exists, the import is silently skipped, so later changes to the CR are not applied to the running realm, and changes made in the Admin Console are not written back to the CR. To re-apply a changed CR the existing realm must be deleted first, which also deletes its users, clients and sessions.

Accessing the Admin Console

After a successful deployment, the Keycloak Admin Console is available at your configured hostname, for example:

https://keycloak.example.nl

The default admin username created by the Keycloak operator is temp-admin. Use this username together with the password from the keycloak Sealed Secret to log in. This is a temporary bootstrap account: once you are in, create a permanent administrator in the master realm and delete temp-admin.

After logging in you end up in the master realm. Before creating users, switch to the havenplus realm using the realm selector in the top-left corner of the Admin Console.