Deploying KeyCloak on kubernetes and/or OpenShift
- Working Kubernetes Cluster
- kubectl or oc utility installed
- StorageClass defined on your Kubernetes instance
first time only: generate a self-signed certificate to configure Ingress
cd .deploy/keycloak/manual
# generate a self-signed key pair
openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt \
-subj "/C=US/ST=California/L=Los Angeles/O=Sumo/OU=Demo/CN=*.traefik.k8s/emailAddress=webmaster@traefik.k8s"
# verify cert
openssl verify tls.crt# generate a kubernetes tls file
kubectl create secret tls keycloak-secrets-tls \
--key tls.key --cert tls.crt \
-o yaml --dry-run > 02-keycloak-secrets-tls.yml
# apply tls secret
kubectl create -f 02-keycloak-secrets-tls.yml --namespace defaultFollow instructions from manual or helm or OpenShift
Then continue steps below.
When running Keycloak behind a proxy, you will need to enable proxy address forwarding. Read Documentation
PROXY_ADDRESS_FORWARDING="true"Access Keycloak Admin Console
Open Keycloak WebConsole
- Create a Keycloak realm called
ngxviaMaster > Add realmmenu, and switch tongxrealm - Import
.deploy/keycloak/realm-manual-import.jsonviaManage > Importmenu
Open Keycloak WebConsole
- Create a Keycloak realm called
ngxviaMaster > Add realmmenu, and switch tongxrealm - Create a public client called
ngxwebandngxapiunder realmngx - Create a role
ROLE_USER,ROLE_ADMINunder realmngx - Add a user
sumo,sumo1,sumo2,sumo3under realmngxand add the user to user roleROLE_USER - Add a user
ngxadminunder realmngxand add the user to user roleROLE_ADMIN
- add
ngxapi_audienceClient Scopes at Realmngxwith Audience mapper name:ngxapi_audience_mapper, Mapper Type -->audienceand addingngxapiClient underIncluded Client Audience. - for
ngxwebclient, addngxapi_audienceat Client Scopes tab - for
ngxapiclient, addngxapi_audienceat Client Scopes tab (for Swagger API Docs)
if you change keycloak config via UI, you may want to export changes and check-in to GitHib for automated deployment next time.
# get keycloak pod name
# oc get pods # for OpenShift
POD_NAME=$(kubectl get pods -lapp=keycloak -o jsonpath='{.items[0].metadata.name}')
# ssh to pod
# oc rsh <keycloak-pod-name> # for OpenShift
kubectl exec -it $POD_NAME -- /bin/bash
# in the shell , run
/bin/sh /opt/jboss/keycloak/bin/standalone.sh \
-Dkeycloak.migration.realmName=ngx \
-Dkeycloak.migration.action=export \
-Dkeycloak.migration.provider=dir \
-Dkeycloak.migration.dir=/tmp/sumo \
-Djboss.socket.binding.port-offset --debug
# -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
# copy files back to codebase
# exit previous shell first, then
kubectl cp $POD_NAME:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak/realm-import
# oc rsync <pod-name>:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak # for OpenShiftIf you get a error Failed to add user 'admin' to realm 'master': user with username exists this is most likely because
you've already ran the example, but not deleted the persisted volume for the database. In this case the admin user already
exists. You can ignore this warning.
-
Secure a Spring Boot Rest app with Spring Security and Keycloak
-
https://github.com/clevercloud-jhipster/clevercloud-keycloak-jhipster-ldap/blob/master/Dockerfile