Save costs on Auth0 and deploy your own Keycloak(X) 20 cluster on Kubernetes
Keycloak is an open-source identity and access management (IAM) solution that's perfect for developers like you. It's designed to make your life easier by handling all the complex authentication and authorization stuff, so you can focus on building awesome web applications and services.
In this blog post I want to show you how I created my Keycloak cluster (2 replicas) inside a Kubernetes cluster that is dedicated to Keycloak alone.
What is keycloak?
With Keycloak, you get Single Sign-On (SSO) capabilities, meaning your users only need to log in once to access multiple applications without the hassle of re-entering their credentials. It supports various identity providers like LDAP, Active Directory, Google, Facebook, and more, making integration with existing systems a breeze.
No more worrying about user permissions! Keycloak provides role-based access control, allowing you to define fine-grained access policies based on user roles or attributes. This ensures that users only get access to the resources they're supposed to, boosting the overall security of your applications.
But that's not all! Keycloak comes packed with other nifty features, like multi-factor authentication (MFA) for that extra layer of security, social login options for user convenience, and user registration and federation support.
For you API lovers out there, Keycloak supports OAuth 2.0 and OpenID Connect, making secure API access a walk in the park and allowing smooth integration with other applications and services.
Implementation is a breeze too! Keycloak provides comprehensive documentation and client libraries for various programming languages and platforms. You can deploy it as a standalone server or effortlessly integrate it into your existing application stacks using Docker containers or JBoss WildFly.
So, get ready to supercharge your app's security with Keycloak. It handles the heavy lifting, ensures your users are safe and sound, and lets you focus on creating amazing features and functionalities for your web apps. And the best part? It's open-source and has an active community, so you'll always have support and continuous improvements.
Prerequisites
- Kubernetes Cluster (either locally using minikube or any managed Kubernetes service)
- kubectl installed on your local machine
- Helm package manager installed and configured
- Postgres database
I decided to use Keycloak together with a managed Postgres database on DigitalOcean for automated backups and easy recovery. Since authentication is crucial in our application, the data should be secure.
Helm Chart
As Helm chart we use https://github.com/codecentric/helm-charts/tree/master/charts/keycloakx from codecentric AG, which is excellently documented.
To deploy Keycloak using the codecentric Helm chart, you first need to add the codecentric Helm repository:
helm repo add codecentric https://charts.codecentric.com
helm repo update
Main Part
The main part of this installation is our custom values.yaml file for Helm. With this file we can heavily customize the Helm installation of Keycloak inside our Kubernetes cluster.
values.yaml
command:
  - "/opt/keycloak/bin/kc.sh"
  - "--verbose"
  - "start"
  - "--http-enabled=true"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--hostname-strict-https=false"
  - "--spi-events-listener-jboss-logging-success-level=info"
  - "--spi-events-listener-jboss-logging-error-level=warn"

# LoadBalancer gives us an external IP on managed Kubernetes (see below).
service:
  type: LoadBalancer

# "custom" makes the chart leave the cache stack alone; KC_CACHE_CONFIG_FILE below selects our own config.
cache:
  stack: custom

image:
  repository: yhc44/keycloak-kubeping
  tag: latest

extraEnv: |
  - name: KC_CACHE_CONFIG_FILE
    value: cache-ispn-kubeping.xml
  - name: KEYCLOAK_ADMIN
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: user
  - name: KEYCLOAK_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "keycloak.fullname" . }}-admin-creds
        key: password
  - name: JAVA_OPTS_APPEND
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.awt.headless=true
      -Dkubeping_namespace={{ .Release.Namespace }}
      -Dkubeping_label="keycloak-cluster=default"

# KUBE_PING discovers peers by listing pods, so the service account needs read access to pods.
serviceAccount:
  create: true
  allowReadPods: true

# Must match the label KUBE_PING filters on (-Dkubeping_label above).
podLabels:
  keycloak-cluster: default

dbchecker:
  enabled: true

database:
  vendor: postgres
  hostname: your-db-hostname.example
  port: dbport        # placeholder: replace with the numeric port of your database
  username: dbuser
  password: dbpass
  database: keycloak

# Rendered into a Kubernetes Secret; the values still sit in plaintext in this file.
secrets:
  admin-creds:
    annotations:
      note: prod secret for {{ include "keycloak.fullname" . }}
    stringData:
      user: initialadminuser
      password: supersecretpassword
Please set your own Keycloak admin user/password and your own database credentials. Note that these values are stored in plaintext in values.yaml, so keep the file out of version control.
Additionally, we use a LoadBalancer Service, so an external IP is created automatically, since I use managed Kubernetes on DigitalOcean. If your Kubernetes cluster does not support automatic load balancer provisioning, please remove the service type part.
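The `command:` list above starts Keycloak with `--http-enabled=true`, `--hostname-strict=false` and `--hostname-strict-https=false` and exposes it through a LoadBalancer with nothing terminating TLS in front. In that setup the admin console and the token endpoints are served over plain HTTP, and the request's Host header decides which issuer URL Keycloak puts into tokens. As an added example (not from the post and not part of the codecentric chart), here is a small audit of those flags together with one hardened variant in which Keycloak terminates TLS itself. The hostname `auth.example.com`, the certificate paths and all function names are my assumptions.

```python
"""Audit the kc.sh `start` flags from the chart's `command:` list.

Added example for this post; it is not part of the blog or of the codecentric
chart. It understands the Keycloak 20 options that appear on the page
(--http-enabled, --hostname-strict, --hostname-strict-https) plus the ones
used to harden them (--hostname, --proxy, --https-certificate-file,
--https-certificate-key-file). Everything else is passed through untouched.
"""
from __future__ import annotations

# The `command:` list exactly as it appears in the post's values.yaml.
PAGE_COMMAND = [
    "/opt/keycloak/bin/kc.sh",
    "--verbose",
    "start",
    "--http-enabled=true",
    "--http-port=8080",
    "--hostname-strict=false",
    "--hostname-strict-https=false",
    "--spi-events-listener-jboss-logging-success-level=info",
    "--spi-events-listener-jboss-logging-error-level=warn",
]

# kc.sh sub-commands; they are never the value of the preceding option.
SUBCOMMANDS = {"start", "start-dev", "build", "export", "import", "show-config"}

# Options the hardened command sets explicitly and therefore drops first.
REPLACED = {"http-enabled", "hostname", "hostname-strict", "hostname-strict-https"}


def parse_kc_options(command: list[str]) -> dict[str, str]:
    """Map kc.sh arguments to {option: value}.

    kc.sh accepts `--opt=value` and `--opt value`; a bare `--opt` such as
    `--verbose` is recorded as "true". The binary path and sub-command are skipped.
    """
    opts: dict[str, str] = {}
    i = 0
    while i < len(command):
        tok = command[i]
        if not tok.startswith("--"):
            i += 1
            continue
        if "=" in tok:
            key, value = tok[2:].split("=", 1)
        elif (i + 1 < len(command) and not command[i + 1].startswith("--")
              and command[i + 1] not in SUBCOMMANDS):
            key, value = tok[2:], command[i + 1]
            i += 1
        else:
            key, value = tok[2:], "true"
        opts[key] = value
        i += 1
    return opts


def audit_kc_options(opts: dict[str, str]) -> list[tuple[str, str]]:
    """Return (option, why it matters) for each exposure-relevant setting."""
    findings: list[tuple[str, str]] = []
    if opts.get("http-enabled") == "true" and "proxy" not in opts:
        findings.append(("http-enabled",
                         "plaintext HTTP is served directly and no --proxy mode is declared: "
                         "logins and tokens are unencrypted unless something terminates TLS in front"))
    if opts.get("hostname-strict") == "false":
        findings.append(("hostname-strict",
                         "issuer, redirect and admin URLs are taken from the request Host header"))
    if opts.get("hostname-strict-https") == "false":
        findings.append(("hostname-strict-https", "Keycloak is allowed to emit http:// URLs"))
    if "hostname" not in opts:
        findings.append(("hostname", "no fixed public hostname is configured"))
    return findings


def harden_kc_command(command: list[str], public_hostname: str,
                      cert_file: str, key_file: str) -> list[str]:
    """Hardened variant in which Keycloak terminates TLS itself (one option of several).

    `cert_file`/`key_file` are assumed to be mounted into the pod (e.g. from a
    TLS Secret); the paths are placeholders chosen by the caller. The Service
    and probes must then target Keycloak's HTTPS port, 8443 by default.
    """
    kept = [tok for tok in command
            if not (tok.startswith("--") and tok[2:].split("=", 1)[0] in REPLACED)]
    return kept + [
        f"--hostname={public_hostname}",
        "--hostname-strict=true",
        "--hostname-strict-https=true",
        f"--https-certificate-file={cert_file}",
        f"--https-certificate-key-file={key_file}",
    ]


if __name__ == "__main__":
    for opt, why in audit_kc_options(parse_kc_options(PAGE_COMMAND)):
        print(f"{opt}: {why}")
    print(" ".join(harden_kc_command(PAGE_COMMAND, "auth.example.com",
                                     "/etc/keycloak/tls/tls.crt", "/etc/keycloak/tls/tls.key")))
```

Running the script against the page's own command prints four findings; running the audit over the hardened command prints none. Whether you let Keycloak terminate TLS as shown or put an Ingress in front with `--proxy=edge`, the point is the same: a fixed `--hostname` and an HTTPS-only issuer, so the values handed to clients do not depend on whoever sends the request.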
Custom docker Image
As you can see, we use the custom Docker image yhc44/keycloak-kubeping from my repository.
It is built with the following Dockerfile:
Dockerfile
# Keycloak 20 (Quarkus distribution) as the base image
FROM quay.io/keycloak/keycloak:20.0
ENV JGROUPS_KUBERNETES_VERSION 1.0.16.Final
# Add the JGroups KUBE_PING provider jar, which Keycloak does not ship
RUN curl -s -L -o /opt/keycloak/providers/jgroups-kubernetes-$JGROUPS_KUBERNETES_VERSION.jar https://search.maven.org/remotecontent?filepath=org/jgroups/kubernetes/jgroups-kubernetes/$JGROUPS_KUBERNETES_VERSION/jgroups-kubernetes-$JGROUPS_KUBERNETES_VERSION.jar
# Custom Infinispan cache configuration using the KUBE_PING stack (selected via KC_CACHE_CONFIG_FILE in values.yaml)
COPY cache-ispn-kubeping.xml /opt/keycloak/conf
We need this because Keycloak does not support KUBE_PING discovery out of the box. Since we want to run a cluster, this step is mandatory. Happily, I did this for you, so you can use my image. For security reasons, feel free to build and publish your own image from the given Dockerfile; be careful to change the image repository inside values.yaml accordingly.
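The image reference in values.yaml (`yhc44/keycloak-kubeping:latest`) and the curl download in the Dockerfile are the two supply-chain inputs to this cluster: a tag such as `latest` is mutable, and the jar lands in `/opt/keycloak/providers` without any checksum. If you build your own image as suggested, pin the reference by digest and compare the downloaded jar against a digest recorded in your repository. The following added example (not from the post and not part of the project) shows the reference parsing container runtimes apply (registry versus Docker Hub name, registry port versus tag) and a streaming digest check. Apart from the two references that appear on the page, every ref and digest in it is constructed.

```python
"""Supply-chain checks for the custom Keycloak image.

Added example, not from the blog post or the codecentric chart. Two things to
verify when building the image yourself: that every image reference is pinned
to an immutable digest rather than a tag, and that the jgroups-kubernetes jar
downloaded in the Dockerfile matches a digest recorded in your repository.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import tempfile

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> dict[str, str | None]:
    """Split `[registry/]repository[:tag][@digest]` the way container runtimes do.

    The first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the whole name is a Docker Hub repository. A ':' after
    the last '/' introduces a tag; a ':' before it belongs to a registry port.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = None
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    repo, tag = ref, None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        repo, tag = ref[:colon], ref[colon + 1:]
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest}


def is_pinned(ref: str) -> bool:
    """True only for a well-formed sha256 digest; tags like `latest` or `20.0` are not pinned."""
    digest = parse_image_ref(ref)["digest"]
    return digest is not None and DIGEST_RE.match(digest) is not None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    """Stream a downloaded artifact and compare it with the pinned digest before it goes into providers/."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())


def selftest_verify() -> bool:
    """Write constructed bytes to a temp file; a matching digest passes, a wrong one fails."""
    data = b"constructed stand-in for jgroups-kubernetes.jar"
    fd, path = tempfile.mkstemp(suffix=".jar")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return verify_sha256(path, sha256_hex(data)) and not verify_sha256(path, "00" * 32)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # The two references that appear on the page, plus constructed ones.
    for ref in ("yhc44/keycloak-kubeping:latest", "quay.io/keycloak/keycloak:20.0",
                "localhost:5000/keycloak-kubeping", "quay.io/keycloak/keycloak@sha256:" + "ab" * 32):
        print(f"{ref!r:<70} pinned={is_pinned(ref)} {parse_image_ref(ref)}")
    print("digest verification self-test:", "ok" if selftest_verify() else "FAILED")
```

In a build pipeline the same `verify_sha256` call sits between the download step and the `COPY` into `providers/`, with the expected digest committed next to the Dockerfile; the image itself is then referenced from values.yaml as `repository@sha256:...` rather than `:latest`.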
Install
Once everything is set up, we can install Keycloak into the keycloak namespace via
helm install keycloak codecentric/keycloakx -n keycloak --set replicas=2 --values values.yaml
Once the pods are running, you can reach your Keycloak admin dashboard via the newly created LoadBalancer IP.
In my case, I created a DNS A record (auth.*) pointing to this IP, so I can easily reach the admin dashboard.
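Before pointing DNS at the LoadBalancer, it is worth confirming that the two replicas actually found each other: if the service account cannot list pods or the kubeping label does not match, each pod quietly runs as a cluster of one and sessions are not shared between them. Every pod logs an Infinispan `ISPN000094: Received new cluster view ...` line on each membership change, so the newest such line per pod gives the view size, and comparing pods reveals a split brain. The following added example (not from the post) parses those lines and checks them against the expected replica count. The log text is constructed; `views_from_kubectl` and the service-account check assume `kubectl` access to the `keycloak` namespace, and the default service-account name is a placeholder to be read from `kubectl get sa -n keycloak`.

```python
"""Post-install check: did both Keycloak replicas join one JGroups cluster?

Added example, not from the blog post. Every Keycloak pod logs a line such as
  ISPN000094: Received new cluster view for channel ISPN: [<coordinator>|<view id>] (<size>) [<members>]
whenever the cluster membership changes. The newest one per pod tells us the
view size, and comparing pods detects a split brain. SAMPLE_LOGS and
SPLIT_LOGS are constructed; the kubectl helpers run against a real namespace.
"""
from __future__ import annotations

import re
import subprocess
import sys

VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)

# Constructed log excerpts (timestamps and member addresses are made up): pod 0
# first saw only itself, then the view grew to both pods once pod 1 was discovered.
VIEW_2 = ("ISPN000094: Received new cluster view for channel ISPN: "
          "[keycloak-keycloakx-0-12345|1] (2) [keycloak-keycloakx-0-12345, keycloak-keycloakx-1-67890]")
SAMPLE_LOGS = {
    "keycloak-keycloakx-0": (
        "2023-06-01 10:00:02,000 INFO  [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view "
        "for channel ISPN: [keycloak-keycloakx-0-12345|0] (1) [keycloak-keycloakx-0-12345]\n"
        "2023-06-01 10:00:40,000 INFO  [org.infinispan.CLUSTER] (jgroups-5,keycloak-keycloakx-0-12345) " + VIEW_2 + "\n"
    ),
    "keycloak-keycloakx-1": "2023-06-01 10:00:40,000 INFO  [org.infinispan.CLUSTER] (main) " + VIEW_2 + "\n",
}
# Constructed failure case: discovery never worked, so each pod is a cluster of one.
SPLIT_LOGS = {
    "keycloak-keycloakx-0": "... ISPN000094: Received new cluster view for channel ISPN: "
                            "[keycloak-keycloakx-0-12345|0] (1) [keycloak-keycloakx-0-12345]\n",
    "keycloak-keycloakx-1": "... ISPN000094: Received new cluster view for channel ISPN: "
                            "[keycloak-keycloakx-1-67890|0] (1) [keycloak-keycloakx-1-67890]\n",
}


def latest_cluster_view(log_text: str) -> dict | None:
    """Return the most recent view logged by one pod, or None if it never joined a channel."""
    last = None
    for last in VIEW_RE.finditer(log_text):
        pass
    if last is None:
        return None
    members = [m.strip() for m in last.group("members").split(",") if m.strip()]
    return {"coordinator": last.group("coord"), "view_id": int(last.group("view_id")),
            "size": int(last.group("size")), "members": members}


def check_cluster(views_by_pod: dict[str, dict | None], expected_replicas: int) -> list[str]:
    """Findings are empty only if every pod sees exactly `expected_replicas` identical members."""
    findings: list[str] = []
    for pod, view in views_by_pod.items():
        if view is None:
            findings.append(f"{pod}: no cluster view logged (did KUBE_PING run at all?)")
        elif view["size"] != expected_replicas:
            findings.append(f"{pod}: sees {view['size']} member(s), expected {expected_replicas}")
    member_sets = {frozenset(v["members"]) for v in views_by_pod.values() if v}
    if len(member_sets) > 1:
        findings.append("pods disagree about membership (split brain: check allowReadPods and the kubeping label)")
    return findings


def _kubectl(*args: str) -> str:
    return subprocess.run(["kubectl", *args], check=True, capture_output=True, text=True).stdout


def views_from_kubectl(namespace: str, selector: str) -> dict[str, dict | None]:
    """Collect the latest view from every pod matching the podLabels set in values.yaml."""
    pods = _kubectl("get", "pods", "-n", namespace, "-l", selector,
                    "-o", "jsonpath={.items[*].metadata.name}").split()
    return {p: latest_cluster_view(_kubectl("logs", "-n", namespace, p)) for p in pods}


def service_account_can_list_pods(namespace: str, service_account: str) -> bool:
    """KUBE_PING needs this; it is what `serviceAccount.allowReadPods: true` is meant to grant."""
    out = subprocess.run(["kubectl", "auth", "can-i", "list", "pods", "-n", namespace,
                          "--as", f"system:serviceaccount:{namespace}:{service_account}"],
                         capture_output=True, text=True).stdout
    return out.strip() == "yes"


if __name__ == "__main__":
    ns = sys.argv[1] if len(sys.argv) > 1 else "keycloak"
    sa = sys.argv[2] if len(sys.argv) > 2 else "keycloak-keycloakx"  # placeholder; read it from `kubectl get sa`
    if not service_account_can_list_pods(ns, sa):
        print(f"FAIL service account {sa} cannot list pods in {ns}; KUBE_PING discovery will not work")
    problems = check_cluster(views_from_kubectl(ns, "keycloak-cluster=default"), expected_replicas=2)
    for p in problems:
        print("FAIL", p)
    print("OK cluster view is consistent" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

Run it as `python check_cluster.py keycloak <service-account-name>` after the Helm install; a clean run prints a single OK line and exits 0, which makes it usable as a gate in a deployment pipeline before the DNS record is switched.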
End
Deploying Keycloak on Kubernetes using the codecentric Helm chart is straightforward and efficient. With Helm, you get the added benefits of easy configuration, updates, and rollbacks. This tutorial is focused on Kubernetes, but there are various other ways to deploy Keycloak, such as using ECS or EC2 instances on AWS. Keep an eye on my blog for potential future tutorials on those topics!
If you encounter any issues or have any queries, don't hesitate to reach out or check out my GitHub repository for more detailed code and configurations.
cheers