Keycloak is an open-source identity and access management solution that provides features like single sign-on, social login, user federation, and more. Deploying Keycloak in a Kubernetes environment can offer scalability, reliability, and ease of management. This guide will walk you through deploying Keycloak using both Helm charts and the Keycloak Operator.

What is Keycloak?

Keycloak is an open-source identity and access management solution that helps secure applications and services by managing user identities and access. It supports protocols like OpenID Connect, SAML, and OAuth 2.0, making it a versatile choice for modern applications.

What is Helm?

Helm is a package manager for Kubernetes that simplifies the deployment and management of applications. It uses Helm charts, which are pre-configured templates for deploying applications, making it easier to manage dependencies and configurations.

What is the Keycloak Operator?

The Keycloak Operator is a Kubernetes-native way to manage Keycloak deployments. It automates the lifecycle of Keycloak instances, handling tasks like upgrades, backups, and scaling.

Quick Answer: Deploying Keycloak in Kubernetes

To deploy Keycloak in Kubernetes, you can use either Helm charts or the Keycloak Operator. Helm charts provide a straightforward way to install and configure Keycloak, while the Operator offers advanced automation and management capabilities.

Why use Helm for Keycloak deployment?

Helm simplifies the deployment process by providing pre-configured charts. It allows you to manage dependencies and configurations easily, making it ideal for quick setups and development environments.

Quick Reference

  • helm repo add bitnami https://charts.bitnami.com/bitnami - Add Bitnami Helm repository
  • helm install my-keycloak bitnami/keycloak - Install Keycloak using Helm

Step-by-step guide to deploying Keycloak using Helm

Prerequisites

  • Kubernetes cluster up and running
  • kubectl installed and configured
  • Helm installed

Add the Bitnami Helm repository

First, add the Bitnami Helm repository to your local Helm client.

helm repo add bitnami https://charts.bitnami.com/bitnami

Update Helm repositories

Ensure your Helm repositories are up to date.

helm repo update

Install Keycloak using Helm

Deploy Keycloak using the Bitnami Helm chart.

helm install my-keycloak bitnami/keycloak

Verify the installation

Check the status of the pods to ensure Keycloak is running.

kubectl get pods

Access Keycloak

Once the pods are running, you can access Keycloak by port-forwarding the service.

kubectl port-forward svc/my-keycloak 8080:8080

Visit http://localhost:8080 in your browser to access the Keycloak admin console.

Configure Keycloak

Log in to the Keycloak admin console using the default credentials. You can find the username and password with the following commands:

echo Username: $(kubectl get secret --namespace default my-keycloak -o jsonpath="{.data.admin-user}" | base64 --decode)
echo Password: $(kubectl get secret --namespace default my-keycloak -o jsonpath="{.data.admin-password}" | base64 --decode)

🎯 Key Takeaways

  • Helm simplifies Keycloak deployment with pre-configured charts.
  • Use `helm repo add` and `helm install` for quick setups.
  • Verify the installation with `kubectl get pods`.
  • Access Keycloak using port-forwarding.

Why use the Keycloak Operator for Keycloak deployment?

The Keycloak Operator automates the management of Keycloak instances, handling tasks like upgrades, backups, and scaling. It is ideal for production environments where you need advanced management capabilities.

Quick Reference

  • kubectl apply -f https://operatorhub.io/install/stable/keycloak-operator.yaml - Install Keycloak Operator
  • kubectl apply -f keycloak-cr.yaml - Create Keycloak instance using Custom Resource

Step-by-step guide to deploying Keycloak using the Operator

Prerequisites

  • Kubernetes cluster up and running
  • kubectl installed and configured
  • Operator Lifecycle Manager (OLM) installed

Install the Keycloak Operator

Apply the YAML file to install the Keycloak Operator.

kubectl apply -f https://operatorhub.io/install/stable/keycloak-operator.yaml

Verify the Operator installation

Check the status of the Operator pod to ensure it is running.

kubectl get pods -n operators

Create a Keycloak instance

Create a Keycloak instance using a Custom Resource (CR).

apiVersion: keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-keycloak
spec:
  instances: 1
  extensions:
    - https://github.com/keycloak/keycloak/releases/download/21.1.1/keycloak-x-21.1.1-runner.jar
  externalAccess:
    enabled: true
    strategy: LoadBalancer

Save the above YAML to a file named keycloak-cr.yaml and apply it.

kubectl apply -f keycloak-cr.yaml

Verify the Keycloak instance

Check the status of the Keycloak pods to ensure they are running.

kubectl get pods

Access Keycloak

Once the pods are running, you can access Keycloak using the external IP address provided by the LoadBalancer.

kubectl get svc example-keycloak

Visit the external IP in your browser to access the Keycloak admin console.

Configure Keycloak

Log in to the Keycloak admin console using the default credentials. You can find the username and password with the following commands:

kubectl get secret example-keycloak-initial-admin -o jsonpath='{.data.username}' | base64 --decode
kubectl get secret example-keycloak-initial-admin -o jsonpath='{.data.password}' | base64 --decode

🎯 Key Takeaways

  • The Keycloak Operator automates Keycloak management.
  • Install the Operator using the Operator Lifecycle Manager.
  • Create a Keycloak instance using a Custom Resource.
  • Access Keycloak using the external IP address.

Comparison Table: Helm vs. Keycloak Operator

ApproachProsConsUse When
HelmSimple setup, easy configurationLimited automation, manual updatesDevelopment, quick setups
Keycloak OperatorAdvanced automation, managed lifecycleComplex setup, requires OLMProduction, automated management

Security Considerations

Secure Storage of Secrets

Ensure that all secrets, such as admin credentials and database passwords, are stored securely. Avoid hardcoding sensitive information in your configuration files.

⚠️ Warning: Never commit secrets to version control systems.

Network Policies

Configure network policies to restrict access to your Keycloak instance. Only allow necessary traffic to and from your Keycloak pods.

Regular Updates

Regularly update your Keycloak images to the latest versions to ensure you have the latest security patches and features.

Best Practice: Use image pull policies to always pull the latest images.

Backup and Recovery

Implement a robust backup and recovery strategy for your Keycloak data. Regularly back up your database and configuration files to prevent data loss.

Troubleshooting Common Issues

Issue: Keycloak pods are not starting

Check the logs of the Keycloak pods for any errors.

kubectl logs <pod-name>

Issue: Unable to access Keycloak admin console

Ensure that the service is correctly exposed and accessible. Check the service type and external IP.

kubectl get svc

Issue: Incorrect admin credentials

If you forget the admin credentials, you can reset them by deleting the initial admin secret.

kubectl delete secret example-keycloak-initial-admin

Recreate the Keycloak instance to generate new credentials.

💜 Pro Tip: Use a password manager to store and manage your Keycloak credentials securely.

Conclusion

Deploying Keycloak in Kubernetes can be achieved using either Helm charts or the Keycloak Operator. Helm provides a simple and straightforward way to set up Keycloak, while the Operator offers advanced automation and management capabilities. Choose the method that best fits your environment and requirements.

That’s it. Simple, secure, works.