# Deploying Keycloak on Kubernetes and/or OpenShift

Prerequisites:

- Working Kubernetes cluster
- `kubectl` or `oc` utility installed
- StorageClass defined on your Kubernetes instance
First time only: generate a self-signed certificate to configure the Ingress.

```bash
cd .deploy/keycloak/manual
# generate a self-signed key pair
openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt \
  -subj "/C=US/ST=California/L=Los Angeles/O=Sumo/OU=Demo/CN=*.traefik.k8s/emailAddress=webmaster@traefik.k8s"
# verify the cert (a self-signed cert only verifies with itself as the trust anchor)
openssl verify -CAfile tls.crt tls.crt
# generate a kubernetes tls secret manifest (older kubectl releases take a bare --dry-run)
kubectl create secret tls keycloak-secrets-tls \
  --key tls.key --cert tls.crt \
  -o yaml --dry-run=client > 02-keycloak-secrets-tls.yml
# apply tls secret
kubectl create -f 02-keycloak-secrets-tls.yml --namespace default
```
Follow the instructions for the manual, Helm, or OpenShift deployment, then continue with the steps below.

When running Keycloak behind a proxy, you will need to enable proxy address forwarding (see the Keycloak documentation). Keycloak will then trust the `X-Forwarded-For` and `X-Forwarded-Proto` headers it receives, so the Keycloak pods should only be reachable through the proxy.

```bash
PROXY_ADDRESS_FORWARDING="true"
```
## Access Keycloak Admin Console

To import the prepared realm, open the Keycloak web console and:

- Create a Keycloak realm called `ngx` via the **Master > Add realm** menu, and switch to the `ngx` realm.
- Import `.deploy/keycloak/realm-manual-import.json` via the **Manage > Import** menu.
Alternatively, to configure the realm by hand, open the Keycloak web console and:

- Create a Keycloak realm called `ngx` via the **Master > Add realm** menu, and switch to the `ngx` realm.
- Create public clients called `ngxweb` and `ngxapi` under realm `ngx`.
- Create the roles `ROLE_USER` and `ROLE_ADMIN` under realm `ngx`.
- Add the users `sumo`, `sumo1`, `sumo2`, `sumo3` under realm `ngx` and add them to the role `ROLE_USER`.
- Add the user `ngxadmin` under realm `ngx` and add it to the role `ROLE_ADMIN`.
- Add an `ngxapi_audience` client scope under Client Scopes at realm `ngx`, with an Audience mapper named `ngxapi_audience_mapper` (Mapper Type: `Audience`), adding the `ngxapi` client under Included Client Audience.
- For the `ngxweb` client, add `ngxapi_audience` on the Client Scopes tab.
- For the `ngxapi` client, add `ngxapi_audience` on the Client Scopes tab (for Swagger API Docs).
If you change the Keycloak config via the UI, you may want to export the changes and check them in to GitHub for automated deployment next time.

```bash
# get keycloak pod name
# oc get pods # for OpenShift
POD_NAME=$(kubectl get pods -lapp=keycloak -o jsonpath='{.items[0].metadata.name}')
# open a shell in the pod
# oc rsh <keycloak-pod-name> # for OpenShift
kubectl exec -it $POD_NAME -- /bin/bash
# in the shell, run (the port offset keeps this export instance off the ports of the running one)
/bin/sh /opt/jboss/keycloak/bin/standalone.sh \
  -Dkeycloak.migration.realmName=ngx \
  -Dkeycloak.migration.action=export \
  -Dkeycloak.migration.provider=dir \
  -Dkeycloak.migration.dir=/tmp/sumo \
  -Djboss.socket.binding.port-offset=100 --debug
# alternatively, set the ports explicitly:
# -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
# copy files back to codebase
# exit previous shell first, then
kubectl cp $POD_NAME:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak/realm-import
# oc rsync <pod-name>:/tmp/sumo /Developer/Work/SPA/ngx-starter-kit/.deploy/keycloak # for OpenShift
```
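The `dir` export writes the realm into `ngx-realm.json` plus one or more `ngx-users-N.json` files, and the users files contain each user's password hash and salt, so they should not be committed as-is. As an added example (not code from the ngx-starter-kit repository), this bash script scans an export directory for credential material before anything is checked in. The sample export it builds is constructed to mirror the file layout Keycloak's `dir` provider produces and the realm described in this README; the hash and salt values are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the ngx-starter-kit repository: scan a
# Keycloak "dir" export for credential material before checking it in.
# A dir export writes <realm>-realm.json plus <realm>-users-N.json; the
# users files carry each user's password hash and salt, and confidential
# clients carry their client secret in the realm file.

# JSON keys under which Keycloak stores credential material
# (legacy hashedSaltedValue/salt, newer secretData/credentialData,
# and the client "secret" of confidential clients).
SECRET_KEYS='"hashedSaltedValue"|"salt"|"secretData"|"credentialData"|"secret"'

# Print each *.json file under $1 that contains credential material.
# Returns 0 when the directory is clean, 1 when at least one file was flagged.
find_exported_secrets() {
  local dir="$1" found=0 f
  for f in "$dir"/*.json; do
    [ -e "$f" ] || continue
    if grep -Eq "($SECRET_KEYS) *:" "$f"; then
      printf '%s\n' "$f"
      found=1
    fi
  done
  return $found
}

# Build a CONSTRUCTED sample export in $1 that mirrors the layout of a dir
# export of the realm from this README (hash and salt values are placeholders).
make_sample_export() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ngx-realm.json" <<'EOF'
{
  "realm": "ngx",
  "enabled": true,
  "roles": { "realm": [ { "name": "ROLE_USER" }, { "name": "ROLE_ADMIN" } ] },
  "clients": [
    { "clientId": "ngxweb", "publicClient": true, "defaultClientScopes": ["ngxapi_audience"] },
    { "clientId": "ngxapi", "publicClient": true, "defaultClientScopes": ["ngxapi_audience"] }
  ]
}
EOF
  cat > "$dir/ngx-users-0.json" <<'EOF'
{
  "realm": "ngx",
  "users": [
    {
      "username": "sumo",
      "enabled": true,
      "realmRoles": ["ROLE_USER"],
      "credentials": [
        { "type": "password", "algorithm": "pbkdf2-sha256", "hashIterations": 27500,
          "hashedSaltedValue": "PLACEHOLDER-HASH", "salt": "PLACEHOLDER-SALT" }
      ]
    }
  ]
}
EOF
}

# Usage on a real export: find_exported_secrets .deploy/keycloak/realm-import || echo "do not commit"
SAMPLE_DIR=$(mktemp -d)
make_sample_export "$SAMPLE_DIR"
if find_exported_secrets "$SAMPLE_DIR"; then
  echo "export is clean"
else
  echo "the files above contain credential material; do not commit them"
fi
```

If the users are not wanted in the repository at all, adding `-Dkeycloak.migration.usersExportStrategy=SKIP` to the export command makes Keycloak write only the realm file, which removes the password hashes from the export instead of relying on a scan to catch them.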
If you get the error `Failed to add user 'admin' to realm 'master': user with username exists`, this is most likely because you've already run the example but not deleted the persistent volume for the database. In this case the admin user already exists, and you can ignore this warning.
- Secure a Spring Boot Rest app with Spring Security and Keycloak
- https://github.com/clevercloud-jhipster/clevercloud-keycloak-jhipster-ldap/blob/master/Dockerfile