Keycloak.X will soon become the reference distribution. According to the Keycloak blog post, Keycloak 18 will no longer support WildFly, and there will be no WildFly build after that… Now is the time to migrate! A Kubernetes operator for Keycloak.X is still on the way, so in this post we will see how to build your own cluster based on Keycloak.X 16.1.0.

Build your own docker image

Keycloak.X has to be built before it is launched: the distribution ships a command line tool (./bin/kc.sh) whose « build » option bakes the build-time options (database vendor, cache stack, optional features) into an optimized server, so that « start » only has to read the runtime options.

Our work is based on https://gist.github.com/pedroigor/e1476a41b544d15c1bd59155aad4f6ad, but things have changed recently with Keycloak 15 and 16.

# Build-time options are baked into the image by « kc.sh build ».
FROM quay.io/keycloak/keycloak-x
WORKDIR /opt/keycloak
# Caution: this RUN line, credentials included, is recorded in the image layer (docker history).
RUN ./bin/kc.sh build --cache=ispn --cache-stack=kubernetes --db=postgres --db-url=jdbc:postgresql://keycloak-postgres/keycloak --db-username=keycloak --db-password=password --hostname-strict=false --http-enabled=true
ENTRYPOINT [ "./bin/kc.sh" ]

Then just run:

docker build -t mycustomkeycloak .

What matters here?

Cache

Keycloak ships a ready-made Infinispan configuration, selected with --cache=ispn. --cache-stack=kubernetes picks the JGroups stack whose node discovery is DNS_PING, which is why the deployment below passes -Djgroups.dns.query pointing at a headless service.

Take a look at ./conf/cache-ispn.xml: the session caches are distributed (not replicated), with two owners each. Every entry is stored on owners=2 nodes, so one pod can disappear without losing sessions, and with exactly two replicas each node ends up holding everything. lifespan=-1 turns off Infinispan's own expiration; Keycloak manages session lifetimes itself. Keep in mind that these caches are the only place login sessions live, so a rollout that stops all pods at once (the Recreate strategy of the deployment below) wipes every session:

        <distributed-cache name="sessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="authenticationSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="offlineSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>

Database

This is not a joke… remember what it took in the WildFly-based Keycloak to connect to an external database (a JDBC driver module and a datasource to declare in the WildFly configuration)?

Here it is just: --db=postgres --db-url=jdbc:postgresql://keycloak-postgres/keycloak --db-username=keycloak --db-password=password

Only --db is a build-time option. The URL, user name and password are runtime options, so you do not have to bake them into the image (where they stay readable with docker history): drop them from the build line and give them to kc.sh start instead, or set the environment variables KC_DB_URL, KC_DB_USERNAME and KC_DB_PASSWORD from a Kubernetes Secret.

Optional features

Optional features are enabled at build time, each with a dedicated flag (kc.sh build --help lists them). Every one of them widens what an authenticated client or administrator can do (upload_scripts lets an administrator upload server-side JavaScript, token_exchange and impersonation let a suitably permitted client or admin act as other users), so enable only what you actually need:

--features-account2 <enabled|disabled>
                     Enables the ACCOUNT2 feature.
--features-account_api <enabled|disabled>
                     Enables the ACCOUNT_API feature.
--features-admin2 <enabled|disabled>
                     Enables the ADMIN2 feature.
--features-admin_fine_grained_authz <enabled|disabled>
                     Enables the ADMIN_FINE_GRAINED_AUTHZ feature.
--features-authorization <enabled|disabled>
                     Enables the AUTHORIZATION feature.
--features-ciba <enabled|disabled>
                     Enables the CIBA feature.
--features-client_policies <enabled|disabled>
                     Enables the CLIENT_POLICIES feature.
--features-declarative_user_profile <enabled|disabled>
                     Enables the DECLARATIVE_USER_PROFILE feature.
--features-docker <enabled|disabled>
                     Enables the DOCKER feature.
--features-impersonation <enabled|disabled>
                     Enables the IMPERSONATION feature.
--features-map_storage <enabled|disabled>
                     Enables the MAP_STORAGE feature.
--features-openshift_integration <enabled|disabled>
                     Enables the OPENSHIFT_INTEGRATION feature.
--features-par <enabled|disabled>
                     Enables the PAR feature.
--features-scripts <enabled|disabled>
                     Enables the SCRIPTS feature.
--features-token_exchange <enabled|disabled>
                     Enables the TOKEN_EXCHANGE feature.
--features-upload_scripts <enabled|disabled>
                     Enables the UPLOAD_SCRIPTS feature.
--features-web_authn <enabled|disabled>
                     Enables the WEB_AUTHN feature.
-ft, --features <preview>
                     Enables all tech preview features.

Deployment

The manifest below deploys Keycloak only: PostgreSQL is not included, and it has to be reachable from the pods under the name keycloak-postgres used in the db-url baked into the image.

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    service: keycloak
spec:
  type: LoadBalancer
  ports:
    - port: 8080
      targetPort: 8080
      name: http
  selector:
    service: keycloak
    layer: security
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    service: keycloak
    layer: security
spec:
  replicas: 2
  selector:
    matchLabels:
      service: keycloak
      layer: security
  strategy:
    # Recreate stops both pods at once: every login session, which lives only in
    # the Infinispan caches, is lost at each rollout. Prefer RollingUpdate with
    # maxUnavailable: 1 so that one owner of each entry stays up.
    type: Recreate
  template:
    metadata:
      labels:
        service: keycloak
        layer: security
    spec:
      containers:
        - image: mycustomkeycloak
          # Never: the image was built on the node itself (minikube, kind…).
          # Push it to a registry and drop this line on a real cluster.
          imagePullPolicy: Never
          # Runtime options only. http-host must stay 0.0.0.0: bound to
          # 127.0.0.1 the pod would accept nothing from the Service.
          args: ["start", "--http-enabled=true", "--http-port=8080", "--http-host=0.0.0.0", "-Djgroups.dns.query=keycloak-jgroups-ping.keycloak.svc.cluster.local", "--hostname-strict=false"]
          name: keycloak
          resources:
            limits:
              memory: 512Mi
          ports:
            - containerPort: 8080
            # JGroups TCP transport of the kubernetes stack (7800 by default)
            - containerPort: 7800
          env:
            - name: KEYCLOAK_ADMIN
              value: admin
            # Lab value only: take it from a Secret (valueFrom.secretKeyRef)
            # anywhere that matters.
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: admin
---
apiVersion: v1
kind: Service
metadata:
  labels:
    service: keycloak
  name: keycloak-jgroups-ping
spec:
  clusterIP: None
  ports:
    - port: 4444
      name: ping
      protocol: TCP
      targetPort: 4444
  selector:
    service: keycloak
  sessionAffinity: None
  type: ClusterIP

The headless service keycloak-jgroups-ping (clusterIP: None) is the piece replication depends on: it is what -Djgroups.dns.query points at, and DNS_PING resolves it to the pod IPs to find the other members. The port declared on it plays no part in that, and nothing in the arguments moves JGroups off its default, so the TCP transport listens on 7800 (the kubernetes stack default), not 4444: that is the pod-to-pod port a NetworkPolicy must allow.

The query hard-codes the keycloak namespace, so create that namespace and deploy into it (or change the query):

kubectl create -f keycloak.yml -n keycloak
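As an added example that is not part of the original post, here is a small POSIX shell script wrapping the whole procedure the way I would keep it next to keycloak.yml: it builds the image without the database credentials, creates the namespace the JGroups query expects, hands the credentials over as KC_* environment variables from a Secret, and checks from the pod logs that the two replicas formed one Infinispan cluster. The namespace name keycloak, the Secret name keycloak-secrets and the keycloak.env file are my assumptions, not names from the post, and the log lines it checks against are constructed samples in the shape Infinispan prints, not captured output.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names (not from the
# post): namespace "keycloak", Secret "keycloak-secrets", file ./keycloak.env.
set -eu

IMAGE=${IMAGE:-mycustomkeycloak}
NAMESPACE=${NAMESPACE:-keycloak}
REPLICAS=${REPLICAS:-2}

# Same build-time options as the post's Dockerfile, minus the runtime options
# --db-url/--db-username/--db-password: those are read at start time from
# KC_DB_URL/KC_DB_USERNAME/KC_DB_PASSWORD, so no password ends up in a layer.
build_image() {
    docker build -t "$IMAGE" - <<'EOF'
FROM quay.io/keycloak/keycloak-x
WORKDIR /opt/keycloak
RUN ./bin/kc.sh build --cache=ispn --cache-stack=kubernetes --db=postgres
ENTRYPOINT ["./bin/kc.sh"]
EOF
}

# Prints how many recorded image layers still carry a --db-password (want 0).
image_leaks_db_password() {
    docker history --no-trunc --format '{{.CreatedBy}}' "$IMAGE" | grep -c -- '--db-password' || true
}

# keycloak.env is written by you and never committed, e.g.
#   KC_DB_URL=jdbc:postgresql://keycloak-postgres/keycloak
#   KC_DB_USERNAME=keycloak
#   KC_DB_PASSWORD=<generated>
#   KEYCLOAK_ADMIN_PASSWORD=<generated>
# Remove the literal KEYCLOAK_ADMIN_PASSWORD value from keycloak.yml first.
deploy() {
    kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
    kubectl -n "$NAMESPACE" create secret generic keycloak-secrets \
        --from-env-file=./keycloak.env --dry-run=client -o yaml | kubectl apply -f -
    kubectl -n "$NAMESPACE" apply -f keycloak.yml
    # Every key of the Secret becomes an environment variable of the container.
    kubectl -n "$NAMESPACE" set env deployment/keycloak --from=secret/keycloak-secrets
    kubectl -n "$NAMESPACE" rollout status deployment/keycloak --timeout=300s
}

# Member count of the newest JGroups view in an Infinispan log read on stdin.
# Infinispan logs each view as:
#   ISPN000094: Received new cluster view for channel ISPN: [<coord>|<id>] (N) [<members>]
cluster_view_size() {
    sed -n 's/.*ISPN000094: Received new cluster view for channel [^:]*: \[[^]]*] (\([0-9][0-9]*\)) .*/\1/p' | tail -n 1
}

# Succeeds only when the newest view holds exactly $1 members; a shrunken view
# (a pod died, or the pods never discovered each other) fails.
check_cluster_view() {
    expected=$1
    size=$(cluster_view_size)
    [ -n "$size" ] && [ "$size" -eq "$expected" ]
}

# Live check against the running deployment.
pods_in_one_cluster() {
    kubectl -n "$NAMESPACE" logs deployment/keycloak | check_cluster_view "$REPLICAS"
}

# Constructed sample log (not captured from a real server): the pod starts
# alone, then the second pod joins.
SAMPLE_LOG='2022-01-10 10:00:03,000 INFO  [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view for channel ISPN: [keycloak-5f7d9c7b6-abcde-12345|0] (1) [keycloak-5f7d9c7b6-abcde-12345]
2022-01-10 10:00:09,000 INFO  [org.infinispan.CLUSTER] (jgroups-5,keycloak-5f7d9c7b6-abcde-12345) ISPN000094: Received new cluster view for channel ISPN: [keycloak-5f7d9c7b6-abcde-12345|1] (2) [keycloak-5f7d9c7b6-abcde-12345, keycloak-5f7d9c7b6-fghij-23456]'
# Same cluster after the second pod is gone: the newest view shrinks to 1.
SAMPLE_LOG_AFTER_LOSS="$SAMPLE_LOG
2022-01-10 10:05:00,000 INFO  [org.infinispan.CLUSTER] (jgroups-7,keycloak-5f7d9c7b6-abcde-12345) ISPN000094: Received new cluster view for channel ISPN: [keycloak-5f7d9c7b6-abcde-12345|2] (1) [keycloak-5f7d9c7b6-abcde-12345]"

# Offline self-check on the sample (two members expected), then the live run
# when invoked as: sh deploy.sh deploy
printf '%s\n' "$SAMPLE_LOG" | check_cluster_view 2
echo "sample log: both members present in the newest view"
if [ "${1:-}" = "deploy" ]; then
    build_image
    echo "layers carrying --db-password: $(image_leaks_db_password)"
    deploy
    pods_in_one_cluster && echo "cluster view complete: $REPLICAS members"
fi
```

Run without arguments it only exercises the log check on the sample; with the deploy argument it builds, deploys and checks the live cluster. A view smaller than the replica count means the pods did not discover each other: the usual causes are a jgroups.dns.query naming the wrong namespace, or pod-to-pod traffic on 7800 blocked by a NetworkPolicy.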

That's it! Keycloak.X is running on your Kubernetes cluster. Check that the two pods really found each other: each pod's log should contain an Infinispan line ISPN000094 (Received new cluster view) listing both members. Keep in mind that this setup speaks plain HTTP with hostname-strict disabled, which is fine for a lab; in front of real users, terminate TLS at an ingress or load balancer, set --hostname to the public name and start Keycloak with --proxy=edge so it trusts the forwarded headers.

References

You may find the original article from our partner Please Open It here : https://blog.please-open.it/keycloakx-kubernetes/

Mathieu PASSENAUD