First thing to do is get familiar with Keycloak. Once you are happy, it is useful to take a look at the Keycloak quickstarts.
They seem to have all the examples and samples on getting going with Keycloak.
In particular you want to look at the Keycloak Kubernetes examples.
For posterity I will show the contents of keycloak.yaml. A few things to watch in this file: the admin credentials are hard-coded as admin/admin in plain environment variables, so anyone who can read the Deployment object can read them (reference a Secret via secretKeyRef instead, and change the password before the instance is reachable from outside); PROXY_ADDRESS_FORWARDING=true makes Keycloak trust the X-Forwarded-For and X-Forwarded-Proto headers it receives, which is only safe when the pod can be reached solely through the ingress; and since an Ingress sits in front of the Service, type: ClusterIP is enough, whereas type: LoadBalancer additionally exposes plain HTTP on 8080 outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: keycloak
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  # no namespace here: it is supplied by kubectl -n keycloak at deploy time
  # (a hard-coded "namespace: default" makes kubectl -n keycloak reject the manifest)
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:10.0.1
        env:
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
and keycloak-ingress.yaml, where KEYCLOAK_HOST is a placeholder for the public hostname. Note that the tls entry names no secretName, so the ingress controller will serve whatever default certificate it has, and that the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
spec:
  tls:
  - hosts:
    - KEYCLOAK_HOST
  rules:
  - host: KEYCLOAK_HOST
    http:
      paths:
      - backend:
          serviceName: keycloak
          servicePort: 8080
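The same Ingress on the current networking.k8s.io/v1 API, with the TLS certificate named explicitly, as an added example (this is not from the original post or the Keycloak quickstarts). It assumes a kubernetes.io/tls Secret called keycloak-tls already exists in the same namespace, that KEYCLOAK_HOST is again the public hostname, and that the ingress controller is selected by the class name "nginx"; all three are placeholders to adjust.

```yaml
# Added example, not part of the original post.
# Assumptions: Secret "keycloak-tls" (type kubernetes.io/tls) exists in this
# namespace, KEYCLOAK_HOST is the public hostname, ingress class is "nginx".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - KEYCLOAK_HOST
    secretName: keycloak-tls      # without this the controller falls back to its default cert
  rules:
  - host: KEYCLOAK_HOST
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080        # TLS terminates at the ingress; traffic to the pod is plain HTTP
```

Because TLS is terminated at the ingress and the pod only sees HTTP on 8080, Keycloak needs PROXY_ADDRESS_FORWARDING=true (as in keycloak.yaml) to learn the original scheme and client address from the forwarded headers, and it must not be reachable by any path that bypasses the ingress, or those headers can be spoofed.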
Environment Variables
We want to customise a few things about how Keycloak runs and we do this by updating the environment variables.
So let us find what environment variables are available and which we need to change.
We know the image being used is:
quay.io/keycloak/keycloak:10.0.1
So let's see what the readme of that container image says.
It is rather disappointing that when we check on quay for keycloak, there is an empty readme. So our princess is in another castle.
The best readme I could find was on keycloak-containers.
So the list of available environment variables I could find were:
- KEYCLOAK_USER – username of the initial admin user
- KEYCLOAK_PASSWORD – password of the initial admin user
- DB_VENDOR – h2, postgres, mysql, mariadb, oracle or mssql
- DB_ADDR – database hostname
- DB_PORT – optional, defaults to the vendor's port
- DB_DATABASE – database name
- DB_SCHEMA – only postgres uses this
- DB_USER – user to auth with the db
- DB_PASSWORD – password of that user
- KEYCLOAK_FRONTEND_URL – a fixed URL for frontend requests
- KEYCLOAK_LOGLEVEL – log level for Keycloak's own log category
- ROOT_LOGLEVEL – ALL, DEBUG, ERROR, FATAL, INFO, OFF, TRACE or WARN
- KEYCLOAK_STATISTICS – db, http or all
Oh I found an even more exhaustive list of environment variables in the docker entrypoint
Creating a K8s service as a reference to an external service
As per Kubernetes: Up and Running, it is worthwhile to represent an external service in Kubernetes. That way you get built-in naming and service discovery, and the database looks like any other k8s service.
It also helps when replacing a service or switching between prod and test.
my-db.yaml (an ExternalName service is a DNS CNAME, so it only works when the database has a hostname):
kind: Service
apiVersion: v1
metadata:
  name: external-database
  namespace: prod
spec:
  type: ExternalName
  externalName: database.company.com
If you just have an IP you need to create a Service without a selector and an Endpoints object of the same name that carries the address. The address must be an IP literal, not a hostname (the original manifest had my-ip.example.com here, which the API server rejects); 192.0.2.10 below is an RFC 5737 documentation address standing in for the real one. Keycloak will connect to whatever this Endpoints object says, so restrict write access to Endpoints in the namespace with RBAC:
kind: Service
apiVersion: v1
metadata:
  name: keycloak-external-db-ip
spec:
  ports:
  - protocol: TCP
    port: 3306
    targetPort: 3306
---
kind: Endpoints
apiVersion: v1
metadata:
  name: keycloak-external-db-ip   # must match the Service name exactly
subsets:
- addresses:
  - ip: 192.0.2.10                # placeholder: replace with the database's IP address
  ports:
  - port: 3306
The service DNS name then follows the usual pattern:
my-svc.my-namespace.svc.cluster.local
so in this case, with the service created in the keycloak namespace:
keycloak-external-db-ip.keycloak.svc.cluster.local
Set that as DB_ADDR, together with DB_VENDOR, DB_PORT, DB_DATABASE and the DB_USER / DB_PASSWORD credentials, and we should be good to go.
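Putting the pieces together, here is the Deployment with the database and admin settings wired in, as an added example rather than the post's or the Keycloak project's own manifest. It assumes the keycloak namespace, a MySQL database reached through the keycloak-external-db-ip Service above, and a Secret named keycloak-secrets whose values are placeholders to replace (or create it with kubectl create secret generic instead of committing the Secret manifest). The credentials are pulled from the Secret via secretKeyRef so the Deployment object itself carries no passwords.

```yaml
# Added example, not part of the original post or the Keycloak project.
# Assumptions: namespace "keycloak", MySQL behind keycloak-external-db-ip,
# Secret "keycloak-secrets" with the four keys below (placeholder values),
# KEYCLOAK_HOST is the public hostname used by the Ingress.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-secrets
  namespace: keycloak
type: Opaque
stringData:                     # stringData lets you write plain values; the API stores them base64-encoded
  admin-user: admin
  admin-password: REPLACE_WITH_A_STRONG_PASSWORD
  db-user: keycloak
  db-password: REPLACE_WITH_THE_DB_PASSWORD
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:10.0.1
        env:
        # admin credentials come from the Secret, not from the manifest
        - name: KEYCLOAK_USER
          valueFrom:
            secretKeyRef:
              name: keycloak-secrets
              key: admin-user
        - name: KEYCLOAK_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-secrets
              key: admin-password
        # database: vendor, the in-cluster name of the external service, and credentials
        - name: DB_VENDOR
          value: mysql
        - name: DB_ADDR
          value: keycloak-external-db-ip.keycloak.svc.cluster.local
        - name: DB_PORT
          value: "3306"
        - name: DB_DATABASE
          value: keycloak
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: keycloak-secrets
              key: db-user
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-secrets
              key: db-password
        # behind the TLS-terminating ingress: trust forwarded headers, pin the public URL
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: KEYCLOAK_FRONTEND_URL
          value: https://KEYCLOAK_HOST/auth
        ports:
        - name: http
          containerPort: 8080
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
```

The Service from keycloak.yaml can be reused unchanged apart from switching type: LoadBalancer to type: ClusterIP, since the Ingress is the only intended way in. Anyone who can read Secrets in the namespace can still recover the passwords, so the Secret needs the same RBAC care as the Endpoints object.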
So update that and the other environment variables and deploy (the keycloak namespace must exist before these commands run):
Create the deployment:
kubectl create -f keycloak-deployment.yml -n keycloak
create the service and the ingress:
kubectl apply -f keycloak-service.yml -n keycloak
kubectl apply -f keycloak-ingress.yml -n keycloak
Boom, and you should be up and running once the readiness probe on /auth/realms/master reports the pod Ready.
Sources
- Kubernetes services
- Keycloak containers
- Brendan Burns, Kubernetes: Up and Running
- Stian Thorgersen (Keycloak) video on setting up on K8s
- K8s mapping external services