Productionize keycloak in kubernetes environment

Ratna
3 min read, Oct 8, 2022

I am spinning up Keycloak for my app, which is in production. We only have a few users, but we still want a production-grade setup instead of keeping everything in memory. We used to host version 13 in dev mode in our Kubernetes cluster and somehow it got deleted. So this time we want to run it production grade, and I went through the documentation on the keycloak.org website. The documentation is very good for understanding things in depth, but if you come back to it after a few months it takes time to recall what you read last time. So I am documenting this for my own sanity, to get back up to speed faster than going through all the documentation again.

Configurations

A lot has changed from Keycloak 13 to Keycloak 19. All configuration parameters can be found here: https://www.keycloak.org/server/all-config, where the CLI options and their equivalent Kubernetes environment variables are also listed. Now we will go through the ones that are important.

You can see in the list that there are different types of options. As the names say, build options are applied at build time and their values get persisted in the image, while configuration options are set at start time. If build options are passed at start time, they will be ignored.

First few options

Let’s start with the types of arguments we have.
* start
* build

For now we are only interested in start. You can pass --optimized with start to tell Keycloak not to run the build and to use the conf file instead, but as we are using Kubernetes I would recommend passing configuration as environment variables. So the first part of the spec would look like this:

spec:
  containers:
    - name: keycloak
      image: quay.io/keycloak/keycloak:19.0.3
      args: ["start"]
      env:
        # Bootstrap admin user, created on first start
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "admin"
        # Database vendor. DB_VENDOR belonged to the old WildFly-based image;
        # the Quarkus-based image (version 17 and later) uses KC_DB.
        - name: KC_DB
          value: postgres

As you can see, we are passing the admin credentials that are created when Keycloak comes up, and we are also setting which database we are using.

TLS — Security

For production environments, you should never expose Keycloak endpoints over plain HTTP, as sensitive data is at the core of what Keycloak exchanges with other applications. As we are going to use Kubernetes-managed certificates, I would rather do the TLS termination at the ingress level. With the edge proxy mode, Keycloak itself listens on HTTP and relies on the proxy in front of it to terminate TLS and set the forwarding headers. You can go through this link for more details: https://www.keycloak.org/server/reverseproxy. So the proxy setting would look like below:

        - name: KC_PROXY
          value: edge

Hostname

Keycloak exposes different endpoints to talk with applications as well as to allow accessing the administration console. These endpoints can be categorized into three main groups:

  • Frontend
  • Backend
  • Administration Console

The base URL for each group has an important impact on how tokens are issued and validated, on how links are created for actions that require the user to be redirected to Keycloak (for example, when resetting password through email links), and, most importantly, how applications will discover these endpoints when fetching the OpenID Connect Discovery Document from realms/{realm-name}/.well-known/openid-configuration.

For now I am only interested in setting the environment variable below.

        - name: KC_HOSTNAME
          value: sso.mysite.com

DB Settings

As there is no separate database-name option any more, I would like to use KC_DB_URL, where you can pass in a JDBC URL with the hostname, port and database name.

        - name: KC_DB_URL
          value: jdbc:postgresql://mypostgres:25060/keycloak
        - name: KC_DB_USERNAME
          value: "keycloak"
        - name: KC_DB_PASSWORD
          value: "password"

Loggings

You can read about setting up logs on this page: https://www.keycloak.org/server/logging. For now, I am only interested in the configs below.

        - name: KC_LOG_LEVEL
          value: "INFO"
        - name: KC_LOG_CONSOLE_COLOR
          value: "true"

Health Checks

To expose the health endpoints we need to explicitly set the property to true to enable them. Once enabled, Keycloak 19 serves the readiness and liveness checks at /health/ready and /health/live on its HTTP port.

        - name: KC_METRICS_ENABLED
          value: "true"
        - name: KC_HEALTH_ENABLED
          value: "true"
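Putting the pieces above together, here is an added example (not from the original post) of a complete Deployment that wires in those settings, pulls the two passwords from a Kubernetes Secret instead of plain values, and points the kubelet probes at the health endpoints just enabled. The Secret name keycloak-secrets and its keys admin-password and db-password are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:19.0.3
          args: ["start"]
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets   # assumed Secret, created separately
                  key: admin-password
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL
              value: jdbc:postgresql://mypostgres:25060/keycloak
            - name: KC_DB_USERNAME
              value: "keycloak"
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: db-password
            - name: KC_PROXY           # TLS is terminated at the ingress
              value: edge
            - name: KC_HOSTNAME
              value: sso.mysite.com
            - name: KC_HEALTH_ENABLED  # needed for the probes below
              value: "true"
          ports: [{name: http, containerPort: 8080}]
          readinessProbe:
            httpGet: {path: /health/ready, port: http}
          livenessProbe:
            httpGet: {path: /health/live, port: http}
```

The ingress in front of this Deployment must terminate TLS and forward to port 8080, since edge mode makes Keycloak trust the proxy's X-Forwarded headers.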

Ratna

Senior System Developer with 15 years of experience. Currently focused on microservice, Event Driven, CQRS architecture