Save costs on auth0 and deploy own keycloak(x) 20 cluster on kubernetes

In this blog post I want to show you how I created my Keycloak cluster (2 replicas) inside a Kubernetes cluster that is dedicated to this Keycloak cluster alone.

What is Keycloak?

Keycloak is an open-source identity and access management (IAM) solution that's perfect for developers like you. It's designed to make your life easier by handling all the complex authentication and authorization stuff, so you can focus on building awesome web applications and services.

With Keycloak, you get Single Sign-On (SSO) capabilities, meaning your users only need to log in once to access multiple applications without the hassle of re-entering their credentials. It supports various identity providers like LDAP, Active Directory, Google, Facebook, and more, making integration with existing systems a breeze.

No more worrying about user permissions! Keycloak provides role-based access control, allowing you to define fine-grained access policies based on user roles or attributes. This ensures that users only get access to the resources they're supposed to, boosting the overall security of your applications.

But that's not all! Keycloak comes packed with other nifty features, like multi-factor authentication (MFA) for that extra layer of security, social login options for user convenience, and user registration and federation support.

For you API lovers out there, Keycloak supports OAuth 2.0 and OpenID Connect, making secure API access a walk in the park and allowing smooth integration with other applications and services.

Implementation is a breeze too! Keycloak provides comprehensive documentation and client libraries for various programming languages and platforms. You can deploy it as a standalone server or effortlessly integrate it into your existing application stacks using Docker containers or JBoss WildFly.

So, get ready to supercharge your app's security with Keycloak. It handles the heavy lifting, ensures your users are safe and sound, and lets you focus on creating amazing features and functionalities for your web apps. And the best part? It's open-source and has an active community, so you'll always have support and continuous improvements.

Prerequisites

  • Kubernetes Cluster (either locally using minikube or any managed Kubernetes service)
  • kubectl installed on local machine
  • Helm package manager installed and configured
  • Postgres database

I decided to use Keycloak together with a managed Postgres database on DigitalOcean for automated backups and easy recovery. Since authentication is crucial in our application, its data should be secure.

Helm Chart

As Helm chart we use
https://github.com/codecentric/helm-charts/tree/master/charts/keycloakx
from codecentric AG, which is excellently documented.

To deploy Keycloak using the codecentric Helm chart, you first need to add the codecentric Helm repository:

helm repo add codecentric https://charts.codecentric.com
helm repo update

Main Part

The main part of this installation is our custom values.yaml file for Helm. With this file we can heavily customize the Helm installation of Keycloak inside our Kubernetes cluster.

values.yaml

# Keycloak 20 (Quarkus) start command. Plain HTTP is enabled on 8080 and the
# strict hostname checks are relaxed, so TLS has to be terminated in front of
# the pods (load balancer or ingress).
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--http-enabled=true"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
  # log successful login events at info and failed ones at warn (useful for auditing)
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"
service:
  type: LoadBalancer
cache:
  # "custom" leaves the cluster stack to the cache config file referenced below
  stack: custom

image:
  # custom image that bundles the jgroups-kubernetes (KUBE_PING) jar, see Dockerfile below
  repository: yhc44/keycloak-kubeping
  # prefer a pinned tag over "latest" for reproducible rollouts
  tag: latest

extraEnv: |
  # Infinispan config (in /opt/keycloak/conf) that defines the KUBE_PING stack
  - name: KC_CACHE_CONFIG_FILE
    value: cache-ispn-kubeping.xml
  # initial admin user, read from the secret created in the "secrets" section
  - name: KEYCLOAK_ADMIN
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  # JVM sizing plus the namespace/label KUBE_PING uses to find the other pods
  - name: JAVA_OPTS_APPEND
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.awt.headless=true
      -Dkubeping_namespace={{ .Release.Namespace }}
      -Dkubeping_label="keycloak-cluster=default"

serviceAccount:
  create: true
  # KUBE_PING lists pods via the API server, so the service account needs read access
  allowReadPods: true

# must match the label KUBE_PING filters on (kubeping_label above)
podLabels:
  keycloak-cluster: default

# init container that waits for the database before Keycloak starts
dbchecker:
  enabled: true

database:
  vendor: postgres
  hostname: your-db-hostname.example   # placeholder, your managed Postgres host
  port: dbport                         # placeholder, replace with the numeric port
  username: dbuser                     # placeholder
  password: dbpass                     # placeholder
  database: keycloak

# creates the <fullname>-admin-creds secret referenced in extraEnv
secrets:
  admin-creds:
    annotations:
      note: prod secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: initialadminuser
      password: supersecretpassword

Please set your own Keycloak admin user/password and your own database credentials. Both end up in plaintext in this values.yaml, so keep the real values out of version control, for example in a second values file that you pass with an additional --values flag.

Additionally we use a LoadBalancer Service, so an external IP is created automatically, since I use managed Kubernetes on DigitalOcean. If your Kubernetes cluster does not support automatic load balancer provisioning, remove the service type part. Note that with the command above Keycloak itself only speaks plain HTTP on port 8080, so terminate TLS at the load balancer or put an ingress with TLS in front of it before exposing the admin console to the internet.

Custom Docker image

As you can see, we use a custom Docker image, yhc44/keycloak-kubeping, from my repository.

It is built with the following Dockerfile:

Dockerfile

# Keycloak 20 base image (Quarkus distribution)
FROM quay.io/keycloak/keycloak:20.0

ENV JGROUPS_KUBERNETES_VERSION 1.0.16.Final

# Download the jgroups-kubernetes jar that provides KUBE_PING into the providers
# directory. -f makes curl fail on HTTP errors instead of silently writing an
# error page into the .jar, which would only surface as a cryptic startup failure.
RUN curl -fsSL -o /opt/keycloak/providers/jgroups-kubernetes-$JGROUPS_KUBERNETES_VERSION.jar \
    "https://search.maven.org/remotecontent?filepath=org/jgroups/kubernetes/jgroups-kubernetes/$JGROUPS_KUBERNETES_VERSION/jgroups-kubernetes-$JGROUPS_KUBERNETES_VERSION.jar"

# Infinispan cache configuration that defines the KUBE_PING JGroups stack
# (referenced by KC_CACHE_CONFIG_FILE in values.yaml)
COPY cache-ispn-kubeping.xml /opt/keycloak/conf

We need this because Keycloak does not support KUBE_PING as a discovery mode out of the box. Since we want to run a cluster, this step is mandatory. I have already done this for you, so you can use my repository. For security reasons, feel free to build and push your own image from the Dockerfile above instead of pulling mine; be careful to change image.repository inside values.yaml accordingly.
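The cache-ispn-kubeping.xml referenced by KC_CACHE_CONFIG_FILE is not shown in the post. The file below is an added illustration of what such a file looks like, not the author's file: it assumes the Infinispan 13 schema bundled with Keycloak 20, copies the cache definitions from the stock conf/cache-ispn.xml (only three of them are shown), and wires the kubeping_namespace and kubeping_label properties from JAVA_OPTS_APPEND into a KUBE_PING stack that replaces multicast discovery on the built-in tcp stack.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed example of cache-ispn-kubeping.xml; the schema version matches the
     Infinispan 13 shipped with Keycloak 20 -->
<infinispan
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:infinispan:config:13.0 http://www.infinispan.org/schemas/infinispan-config-13.0.xsd"
        xmlns="urn:infinispan:config:13.0">

    <jgroups>
        <!-- Start from the built-in tcp stack and swap its multicast discovery
             (MPING, which does not work on Kubernetes) for KUBE_PING, which asks
             the API server for pods in the namespace that carry the label.
             Both properties come from -Dkubeping_namespace / -Dkubeping_label in
             values.yaml; listing pods needs the RBAC the chart grants through
             serviceAccount.allowReadPods. -->
        <stack name="kubeping" extends="tcp">
            <kubernetes.KUBE_PING namespace="${kubeping_namespace}"
                                  labels="${kubeping_label}"
                                  stack.combine="REPLACE"
                                  stack.position="MPING"/>
        </stack>
    </jgroups>

    <cache-container name="keycloak">
        <!-- Bind the cluster transport to the stack defined above -->
        <transport lock-timeout="60000" stack="kubeping"/>

        <!-- Cache definitions copied from the stock conf/cache-ispn.xml; only
             three are shown here, the real file needs all of them -->
        <local-cache name="realms">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <distributed-cache name="sessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <replicated-cache name="work">
            <expiration lifespan="-1"/>
        </replicated-cache>
    </cache-container>
</infinispan>
```

After the pods start, a JGroups view with two members in the Keycloak logs confirms that discovery worked; a view containing only the local pod usually means the label or the pod-read RBAC does not match.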

Install

Once everything is set up, we can install Keycloak into the keycloak namespace (which must already exist, or add --create-namespace) via

helm install keycloak codecentric/keycloakx -n keycloak --set replicas=2 --values values.yaml

After everything is set up, you can visit your Keycloak admin dashboard via the newly created load balancer IP.

In my case, I made a DNS A record for auth.* pointing to this IP, so I can easily reach the admin dashboard.

End

Deploying Keycloak on Kubernetes using the codecentric Helm chart is straightforward and efficient. With Helm, you get the added benefits of easy configuration, updates, and rollbacks. This tutorial is focused on Kubernetes, but there are various other ways to deploy Keycloak, such as using ECS or EC2 instances on AWS. Keep an eye on my blog for potential future tutorials on those topics!

If you encounter any issues or have any queries, don't hesitate to reach out or check out my GitHub repository for more detailed code and configurations.

https://github.com/yhc44/blog

cheers