Keycloak
This reference implementation deploys Keycloak with the Keycloak operator.
Dependencies
- Kustomize
- An Ingress Controller or a Gateway API Controller
- A GitOps CD tool like Argo CD or Flux CD
- A PostgreSQL database (CNPG in-cluster or a managed Postgres instance)
Installation
For the Keycloak Operator to function, at minimum the following must be deployed:
- The Keycloak Operator (Controller)
- A Keycloak Instance (Custom Resource)
Using Flux CD, for example, you can install the Keycloak implementation with the following two Kustomizations.
Keycloak Operator (Controller)
Kustomization:
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: keycloak-operator
  namespace: flux-system
spec:
  interval: 15m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  serviceAccountName: kustomize-controller
  path: ./infrastructure/keycloak/operator/overlays/local
  prune: true
  wait: true
  dependsOn:
    - name: cluster-resources
    - name: cloudnative-pg
    - name: sealed-secrets
    - name: kyverno-policies
Keycloak Instance
Kustomization:
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: keycloak-instances
  namespace: flux-system
spec:
  interval: 15m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  serviceAccountName: kustomize-controller
  path: ./infrastructure/keycloak/instances/overlays/local
  prune: true
  wait: true
  dependsOn:
    - name: cluster-resources
    - name: cloudnative-pg
    - name: sealed-secrets
    - name: kyverno-policies
SealedSecret
The Keycloak admin password is stored as a Sealed Secret. Create it as follows; the plaintext secret.yaml is only an intermediate file and is deleted afterwards, so that only the sealed output is committed to the repository:
kubectl create secret generic keycloak \
  --namespace keycloak \
  --from-literal=KEYCLOAK_ADMIN_PASSWORD='YourSuperSecretPassword' \
  --dry-run=client -o yaml > secret.yaml

kubeseal \
  --format yaml \
  --name keycloak \
  --namespace keycloak \
  --controller-name=sealed-secrets-controller \
  --controller-namespace=sealed-secrets \
  < secret.yaml > sealed-secret.yaml

git add sealed-secret.yaml
rm secret.yaml
Configuration
The fully qualified domain name (FQDN) of your Keycloak instance must be configured by patching the manifests in:
./infrastructure/keycloak/instances/overlays/local/kustomization.yaml
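The following is an added example of what such an overlay can look like; it is not the repository's own kustomization.yaml. It assumes a base Keycloak custom resource named keycloak in the keycloak namespace, a CloudNativePG cluster named keycloak-db (whose generated keycloak-db-app secret and keycloak-db-rw service are assumed), and a TLS secret named keycloak-tls. The overlay sets the FQDN with a JSON 6902 patch so that the base stays environment-agnostic:

```yaml
# ./infrastructure/keycloak/instances/base/keycloak.yaml (added example, assumed base resource)
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
  namespace: keycloak
spec:
  instances: 1
  db:
    vendor: postgres
    host: keycloak-db-rw          # CNPG read-write service (assumed cluster name keycloak-db)
    usernameSecret:
      name: keycloak-db-app        # secret generated by CNPG for the application user (assumed)
      key: username
    passwordSecret:
      name: keycloak-db-app
      key: password
  http:
    tlsSecret: keycloak-tls        # serve TLS on the pod itself, not only at the ingress (assumed secret)
  hostname:
    hostname: keycloak.base.invalid  # placeholder, overridden per environment below
  ingress:
    enabled: true
---
# ./infrastructure/keycloak/instances/overlays/local/kustomization.yaml (added example)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: keycloak
resources:
  - ../../base
patches:
  - target:
      group: k8s.keycloak.org
      version: v2alpha1
      kind: Keycloak
      name: keycloak
    # "add" both creates and overwrites the field, so the patch works whether or
    # not the base already sets spec.hostname.hostname.
    patch: |-
      - op: add
        path: /spec/hostname/hostname
        value: keycloak.example.com
```

Render the overlay with `kustomize build ./infrastructure/keycloak/instances/overlays/local` and confirm that `spec.hostname.hostname` carries the environment's FQDN before the Flux Kustomization applies it; Keycloak uses this value to build issuer and redirect URLs, so a wrong hostname breaks OIDC flows rather than merely the ingress route.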
It is also possible to deploy a Keycloak realm declaratively using the KeycloakRealmImport Custom Resource provided by the operator.
A working example is provided in: ./infrastructure/keycloak/instances/base/pinniped-client.yaml
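As an added illustration of the KeycloakRealmImport resource (not the pinniped-client.yaml shipped in the repository), the manifest below imports a realm with one confidential OIDC client. Names such as the realm id, the client id, the redirect URI and the secret pinniped-client-secret are assumptions; the placeholders mechanism that substitutes ${CLIENT_SECRET} from a Kubernetes Secret is a feature of recent operator versions, so check that your operator supports it before relying on it:

```yaml
# KeycloakRealmImport example (added; not the repository's own manifest)
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: example-realm
  namespace: keycloak
spec:
  keycloakCRName: keycloak          # name of the Keycloak CR to import into (assumed)
  # Resolve ${CLIENT_SECRET} from a Secret at import time so the client secret
  # never sits in plaintext in the Git repository (recent operator versions).
  placeholders:
    CLIENT_SECRET:
      secret:
        name: pinniped-client-secret  # assumed, e.g. created as a Sealed Secret
        key: secret
  realm:
    id: example
    realm: example
    enabled: true
    sslRequired: external          # require TLS for non-local requests
    bruteForceProtected: true      # lock out repeated failed logins
    clients:
      - clientId: pinniped
        protocol: openid-connect
        publicClient: false        # confidential client: a secret is required
        secret: ${CLIENT_SECRET}
        standardFlowEnabled: true  # authorization code flow only
        implicitFlowEnabled: false
        directAccessGrantsEnabled: false
        redirectUris:
          - https://pinniped.example.com/callback   # exact URI, no wildcard
        webOrigins:
          - https://pinniped.example.com
```

The import runs as a one-shot Job created by the operator; it does not overwrite a realm that already exists, so changes to an existing realm need a manual update or a fresh realm name. The restrictive client settings (no implicit flow, no direct access grants, exact redirect URIs) are the ones to keep when adapting the example.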
More information can be found here.
Accessing the Admin Console
After a successful deployment, the Keycloak Admin Console is available at your configured hostname, for example:
Use the previously configured admin credentials to log in.