Keycloak Configuration💣
Ingress💣
The helm chart is setup to integrate with Istio. Istio must be deployed to your cluster before enabling the integration. To create the istio endpoint, set the following in your values.yaml
hostname: <your_domain_name.com>
istio:
enabled: true
keycloak:
enabled: true
This will create an endpoint at https://keycloak.
Keycloak requires that Istio be setup as passthrough. To do this, set the following in Istio’s
values.yaml
:extraServers: - port: name: https-keycloak protocol: TLS number: 8443 hosts: - keycloak.bigbang.dev tls: mode: PASSTHROUGH
If you also need Istio to terminate TLS for other apps, like logging, security, or monitoring tools, in the same cluster as Keycloak, you will need to do one of the following:
- Create certificates for Istio TLS termination and Keycloak TLS that do not overlap
- Use different ingress ports for Keycloak and Istio TLS termination apps
- Provide two proxys (e.g. load balancers) with different IPs into the cluster, one for keycloak, and one for TLS terminated apps.
The reason this is needed is because browsers reuse connections that have the same IP:Port and a valid certificate. Istio should attempt to detect and return a 421 response to not reuse the connection, but it doesn’t (yet), which results in a data leak vulnerability to the wrong application, and typically a 404 error. This happens when you go to one of the TLS terminated apps first, then attempt to connect to keycloak second.
Admin user💣
The administrative user’s credentials are pulled from a secret named credentials
created by the helm chart. To override the default username and password, set the following in your values.yaml
:
secrets:
credentials:
stringData:
adminuser: your_admin_username
password: your_admin_password
The helm chart will automatically create a secret with your credentials and set the appropriate environmental variables for the user to be created.
Certificates💣
TLS certificates and Certificate Authorities can be used by creating secrets containing the values and volume mounting them into the pod. Thare are two ways to create the secrets. They can be created using gitops tools like a flux kustomize overlay for example. Another way to create the secrets is to use the keycloak helm chart. The following shows you how this would be done in the values.yaml
:
secrets:
env:
stringData:
# Tell Keycloak to use this CA file
X509_CA_BUNDLE: /etc/x509/https/cas.pem
certauthority:
stringData:
cas.pem: |
<Certificate Authorities String>
tlscert:
stringData:
tls.crt: |
<TLS CRT string>
tlskey:
stringData:
tls.key: |
<TLS Key string>
# NOTE: If you have other volumes you must include them together with this setting
extraVolumes: |-
- name: certauthority
secret:
secretName: {{ include "keycloak.fullname" . }}-certauthority
- name: tlscert
secret:
secretName: {{ include "keycloak.fullname" . }}-tlscert
- name: tlskey
secret:
secretName: {{ include "keycloak.fullname" . }}-tlskey
# NOTE: If you have other volume mounts you must include them together with this setting
extraVolumeMounts: |-
- name: certauthority
mountPath: /etc/x509/https/cas.pem
subPath: cas.pem
readOnly: true
- name: tlscert
mountPath: /etc/x509/https/tls.crt
subPath: tls.crt
readOnly: true
- name: tlskey
mountPath: /etc/x509/https/tls.key
subPath: tls.key
readOnly: true
Each secret above will be volume mounted at /etc/x509/https
, where Keycloak will look for certificates to install.
Database💣
By default, the helm chart uses an internal PostgreSQL database. To point to an external database, use the Keycloak container documentation. Example of helm chart values:
postgresql:
# Disable PostgreSQL dependency
enabled: false
secrets:
env:
stringData:
DB_USER: "myDBUser"
DB_PASSWORD: "myDBPassword"
DB_VENDOR: postgres
DB_ADDR: mypostgres.bigbang.dev
DB_PORT: "5432"
DB_DATABASE: mydb
The values are templatized, so you can use helm templating like
{{ default "true" .Values.enabled }}
This will create a secret named keycloak-env
which is then added by reference for the keycloak pod’s environment.
High Availability (HA) / Clustering💣
The helm chart is already setup to support Keycloak clustering using DNS Ping for service disovery. To enable this, update replicas
to be > 1 in your values.yaml
:
replicas: 2
Custom Registration💣
Platform One has included a plugin in the Keycloak docker image to help customize new user registrations. The configuration for this plugin can be set by volume mounting a configuration file into the pod. The following configuration in values.yaml
shows you how to do this:
secrets:
env:
stringData:
# Let Keycloak know to use the custom registration configuration
CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
customreg:
stringData:
customreg.yaml: |-
<configuration in yaml form>
# NOTE: If you have other volumes you must include them together with this setting
extraVolumes: |-
- name: customreg
secret:
secretName: {{ include "keycloak.fullname" . }}-customreg
# NOTE: If you have other volume mounts you must include them together with this setting
extraVolumeMounts: |-
- name: customreg
mountPath: /opt/jboss/keycloak/customreg.yaml
subPath: customreg.yaml
readOnly: true
The helm chart will create a secret named keycloak-customreg
containing the configuration. This gets volume mounted in the pod as a file. An environmental variable is set to tell the plugin to use the configuration.
Custom Realm💣
Setting up a custom realm using a .json
file can be done using a volume mount of a file and an environmental variable. However, it is NOT recommended because it has the potential to override existing realm settings. If you need to set this for development or testing purposes, see the official documentation and the test-values.yml for a working example.
Environmental Variables💣
By default, the helm chart sets several environmental variables to support Istio, HA/Clustering, and Monitoring. If you need to add additional environmental variables (or modify existing ones in .Values.secrets.env
), use the following:
secrets:
env:
stringData:
# The values are templatized. You can use helm templating like `{{ default "true" .Values.enabled }}`
MY_ENV_VAR: MY_VALUE_FOR_MY_ENV_VAR
Do not change
extraEnvFrom
invalues.yaml
without also including the secretkeycloak-env
. Otherwise, you will lose the default environmental variables.
You can also set extraEnv
in values.yaml
. But beware that this is a single string, not a map.
Monitoring💣
The helm chart is setup to perform monitoring of metrics using Prometheus. This can be enabled by setting the following in values.yaml
:
serviceMonitor:
enabled: true
In addition, if integrating with BigBang’s Prometheus, you should set the following to deploy a NetworkPolicy allowing access from Prometheus to Keycloak’s metrics endpoint.
monitoring:
enabled: true