Skip to content

Docker image for Keycloak 6.0.1 (postgres, ssl) + k8s + Openshift

Notifications You must be signed in to change notification settings

maslick/keycloak-docker

Repository files navigation

=keycloak-docker=

  • Docker image for the Keycloak auth server 6.0.1
  • Postgres support (instead of the default h2)
  • HTTPS (SSL) support, so Keycloak can be easily deployed to the cloud (EC2, Azure) or used locally

1. Prerequisites

2.1. Installation (vanilla Keycloak image)

SSL is achieved via using the reverse proxy (e.g. Nginx), but you should handle this yourself. This is recommended for production environments.

docker-compose up -d

2.2. Installation (custom image with SSL support)

./ssl.sh          // self-signed certificate
./build.sh
./compose.sh

This will:

  • Generate a self-signed ssl certificate and deploy it to the keystore (see ssl.sh and keycloak docs for more details)
  • Build the docker image
  • Run postgres and keycloak using docker-compose

3. Run

Go to this address in your browser:

https://{your_host}/auth

Default password admin:admin can be changed in docker-compose.yml: KEYCLOAK_USER, KEYCLOAK_PASSWORD

Third-party signed certificate

  1. Get certificate from www.sslforfree.com
* ca_bundle.crt (root and intermediate certificates)
* certificate.crt (public key)
* private.key (private key)
  1. Create a java keystore (jks) from files acquired in step 1
// combine letsencrypt certificate with the issued certificate
cat certificate.crt ca_bundle.crt > fullchain.pem

// convert to PKCS12 store
openssl pkcs12 -export -in fullchain.pem -inkey private.key -name auth.maslick.com -out fullchain_plus_key.p12 -password pass:secret

// convert to java keystore
keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore keycloak.jks -srckeystore fullchain_plus_key.p12 -srcstoretype PKCS12 -srcstorepass secret

Deployment to Openshift cluster

  1. Create new project:
oc new-project test
  1. Create persistent database:
oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/db-templates/postgresql-persistent-template.json \
  -p DATABASE_SERVICE_NAME=keycloak-db \
  -p POSTGRESQL_USER=keycloak \
  -p POSTGRESQL_PASSWORD=keycloak \
  -p POSTGRESQL_DATABASE=keycloakdb
  1. Create a keycloak instance:
oc new-app -f openshift-keycloak.yaml \
  -p KEYCLOAK_USER=admin \
  -p KEYCLOAK_PASSWORD=admin \
  -p NAMESPACE=test \
  -p HOSTNAME_HTTP=keycloak.maslick.com

or directly from github:

oc new-app -f https://raw.githubusercontent.com/maslick/keycloak-docker/master/openshift-keycloak.yaml \
  -p KEYCLOAK_USER=admin \
  -p KEYCLOAK_PASSWORD=admin \
  -p NAMESPACE=test \
  -p HOSTNAME_HTTP=keycloak.maslick.com

P.S. HOSTNAME_HTTP is not mandatory.

Deployment to Kubernetes cluster (GKE)

  1. Follow instructions on how to install Nginx-ingress controller and cert-manager to your GKE cluster (1-10).

  2. Create db (optional)

k create ns keycloak
helm install \
  --name keycloakdb \
  stable/postgresql \
  --set "postgresqlUsername=keycloak" \
  --set "postgresqlPassword=password" \
  --set "postgresqlDatabase=keycloakdb" \
  --namespace keycloak
  1. Deploy keycloak
k apply -f k8s-keycloak.yaml -n keycloak
k expose deployment keycloak --target-port=8080 --type=NodePort -n keycloak
k apply -f k8s-ingress.yaml -n keycloak

Deployment to k8s via helm charts

  • Install tiller:
k create serviceaccount tiller --namespace kube-system
k create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account tiller
k get pods --namespace kube-system
  • Install helm:
brew install kubernetes-helm
helm repo add codecentric https://codecentric.github.io/helm-charts
helm install --name keycloak codecentric/keycloak \
  --set keycloak.image.tag=6.0.1 \
  --set keycloak.replicas=3 \
  --set keycloak.username=admin \
  --set keycloak.password=admin \
  --set keycloak.persistence.deployPostgres=true \
  --set keycloak.persistence.dbVendor=postgres \
  --namespace keycloak