Keycloak.X will become the reference soon. According to the Keycloak Blogpost, Keycloak 18 will not support Wildfly, after that no wildfly version… Now it is time to migrate! We are still waiting for a Kubernetes operator with Keycloak.X, in this post we will see how to build your own cluster based on Keycloak.X 16.1.0

Build your own docker image

By default, Keycloak.X needs some customization before launch. The team has included a command line tool (./bin/kc.sh) with a « build » option, that will generate some configurations.

Our work is based on https://gist.github.com/pedroigor/e1476a41b544d15c1bd59155aad4f6ad, but things have changed recently with Keycloak 15 and 16.

FROM quay.io/keycloak/keycloak-x
WORKDIR /opt/keycloak
RUN ./bin/kc.sh build --cache=ispn --cache-stack=kubernetes --db=postgres --db-url=jdbc:postgresql://keycloak-postgres/keycloak --db-username=keycloak --db-password=password --hostname-strict false --http-enabled true
ENTRYPOINT [ "./bin/kc.sh" ]

just use :

docker build -t mycustomkeycloak .

What’s important here ?

Cache

Keycloak has a shortcut for an infinispan configuration, generated with –cache=ispn and –cache-stack=kubernetes.

Take a look at ./conf/cache-ispn.xml, all caches are set to be replicated :

        <distributed-cache name="sessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="authenticationSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="offlineSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>

Database

This is not a joke… remember how it was in Keycloak « wildfly » to connect to an external database ?

Here : –db=postgres –db-url=jdbc:postgresql://keycloak-postgres/keycloak –db-username=keycloak –db-password=password

Optional features

Some optional features have dedicated flags to enable :

--features-account2 <enabled|disabled>
                     Enables the ACCOUNT2 feature.
--features-account_api <enabled|disabled>
                     Enables the ACCOUNT_API feature.
--features-admin2 <enabled|disabled>
                     Enables the ADMIN2 feature.
--features-admin_fine_grained_authz <enabled|disabled>
                     Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
--features-authorization <enabled|disabled>
                     Enables the AUTHORIZATION feature.
--features-ciba <enabled|disabled>
                     Enables the CIBA feature.
--features-client_policies <enabled|disabled>
                     Enables the CLIENT_POLICIES feature.
--features-declarative_user_profile <enabled|disabled>
                     Enables the DECLARATIVE_USER_PROFILE feature.
--features-docker <enabled|disabled>
                     Enables the DOCKER feature.
--features-impersonation <enabled|disabled>
                     Enables the IMPERSONATION feature.
--features-map_storage <enabled|disabled>
                     Enables the MAP_STORAGE feature.
--features-openshift_integration <enabled|disabled>
                     Enables the OPENSHIFT_INTEGRATION feature.
--features-par <enabled|disabled>
                     Enables the PAR feature.
--features-scripts <enabled|disabled>
                     Enables the SCRIPTS feature.
--features-token_exchange <enabled|disabled>
                     Enables the TOKEN_EXCHANGE feature.
--features-upload_scripts <enabled|disabled>
                     Enables the UPLOAD_SCRIPTS feature.
--features-web_authn <enabled|disabled>
                     Enables the WEB_AUTHN feature.
-ft, --features <preview>
                     Enables all tech preview features.

Deployment

This is only a deployment without the database.

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    service: keycloak
spec:
  type: LoadBalancer
  ports:
    - port: 8080
      targetPort: 8080
      name: http
  selector:
    service: keycloak
    layer: security
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    service: keycloak
    layer: security
spec:
  replicas: 2
  selector:
    matchLabels:
      service: keycloak
      layer: security
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        service: keycloak
        layer: security
    spec:
      containers:
        - image: mycustomkeycloak
          imagePullPolicy: Never
          args: ["start", "-b","--http-enabled=true", "--http-port=8080", "--http-host=127.0.0.1","-Djgroups.dns.query=keycloak-jgroups-ping.keycloak.svc.cluster.local","--hostname-strict=false","--http-enabled=true"]
          name: keycloak
          resources:
            limits:
              memory: 512Mi
          ports:
            - containerPort: 8080
            - containerPort: 4444
            - containerPort: 8888
          env:
            - name: KEYCLOAK_ADMIN
              value: admin
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: admin
---
apiVersion: v1
kind: Service
metadata:
  labels:
    service: keycloak
  name: keycloak-jgroups-ping
spec:
  clusterIP: None
  ports:
    - port: 4444
      name: ping
      protocol: TCP
      targetPort: 4444
  selector:
    service: keycloak
  sessionAffinity: None
  type: ClusterIP

Do not forget port 4444 for replication.

kubectl create -f keycloak.yml

That’s it ! Keycloak.X is working on your Kube cluster.

References

You may find the original article from our partner Please Open It here : https://blog.please-open.it/keycloakx-kubernetes/

Mathieu PASSENAUD