Keycloak™ (self-managed)

Warning

This page provides a starting point for installing an application. The information is useful, but not kept up-to-date. If you struggle, contact Elastisys Consulting.

This page describes how to install a Customer Application

You are solely responsible for Customer Applications.

If you are an Elastisys Managed Services customer, please review your responsibilities in ToS 5.2.

Specifically, you are responsible for performing due diligence for the project discussed in this page. At the very least, you must:

• assess project ownership, governance and licensing;
• assess project roadmap and future suitability;
• assess project compatibility with your use-case;
• assess business continuity, i.e., what will you do if the project is abandoned;
• subscribe to security advisories related to the project;
• apply security patches and updates, as needed;
• regularly test disaster recovery.

This page will help you succeed in connecting your application to an identity and access management solution Keycloak, which meets your security and compliance requirements.

Keycloak is a widely recognized open-source Identity and Access Management (IAM) solution that provides user authentication and authorization services for applications. It offers a comprehensive set of features, including Single Sign-On (SSO), user federation, and social login support, making it a popular choice for securing applications in a variety of industries.

As of May 2023, Keycloak is a CNCF Incubating project.

In this guide we outline the necessary steps to configure and deploy a Keycloak instance on a Welkin cluster that is using the managed PostgreSQL service.

This will provide you with a robust and secure IAM solution to manage user access and authorization for your applications running on Welkin.

Initial preparation

Note: This guide assumes that you have managed PostgreSQL as an additional service.

Setup an application database and user in PostgreSQL

Take note of the following variables for the next section.

• The application secret you have created.

• The following environment variables:

echo $PGHOST
echo $APP_USERNAME
echo $APP_DATABASE

Configure Keycloak with managed PostgreSQL

We chose Bitnami's Helm chart for Keycloak due to its open-source nature, ease of deployment, security optimization, and active maintenance.

Bitnami is a well known provider of pre-configured, open-source application stacks that simplify deployment and management in various environments, such as Kubernetes. They offer a Helm chart for Keycloak, which streamlines deployment while adhering to Kubernetes best practices for security.

Deploying Keycloak

Below is a sample values.yaml file that can be used to deploy Keycloak, please read the notes and change what is necessary.

resources: # (1)
  limits:
    #cpu: 1000m
    memory: 1000Mi
  requests:
    cpu: 1000m
    memory: 400Mi

postgresql:
  enabled: false

externalDatabase: # (2)
  host: "<PGHOST>"
  port: 5432
  user: <APP_USERNAME>
  database: <APP_DATABASE>
  existingSecret: "<secret-name>"
  existingSecretPasswordKey: "PGPASSWORD"

ingress: # (3)
  enabled: true
  ingressClassName: "nginx"
  hostname: <URL>
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls: true

containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  runAsNonRoot: true
  seccompProfile:
    type: "RuntimeDefault"

production: true # (4)
proxy: edge

1. The example provided serves as a starting point for configuring resource requests and limits for your Keycloak deployment. Be sure to tailor these values to your specific requirements, and monitor your deployment to optimize resource allocation for your unique use case.
2. Insert the variables that you got from initial preparation.
3. Configure the Ingress hostname and which issuer you will be using.
4. Enabling production mode and TLS for HTTPS. Disclaimer: Enabling production mode does not mean that the configuration here is ready for production. Please see further reading on Production configuration.

Failure

The values file above was produced for Keycloak Chart version 16.1.5 (appVersion 22.0.3). The shape of the values files and the required configuration may have changed with newer versions of the Keycloak Chart. Prefer installing the latest version to make sure you get all security updates. If you understand the security risks and only want to "kick-the-tires" then add --version 16.1.5 in the command below.

With the above values you can deploy Keycloak with:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm upgrade --install keycloak bitnami/keycloak --values values.yaml

It might take up to 2 minutes for Keycloak to start. You can check progress as follows:

kubectl get pods --watch

Make sure you see READY 1/1 for the Keycloak Pod.

Accessing Keycloak

When you have deployed Keycloak and can access the URL you can:

Login as admin and configure realms, users, and clients.

The default admin user is user.

The initial admin password can be fetched using the command below (assuming default namespace):

kubectl get secret keycloak -o jsonpath="{.data.admin-password}" | base64 -d

Note: If you uninstall and install Keycloak the initial admin password will be regenerated but the previous initial admin password may still be used unless you clear the PostgreSQL database.

For more information about using Keycloak to secure/protect your applications, see “Securing your applications” and “Reverse Proxy” in the further reading section.

Further Reading

• Documentation
• Guides
• Production Configuration
• Reverse Proxy
  • Ingress NGINX
  • Oauth2-Proxy
    • Note: the “oidc-issuer-url” may be outdated in the guide. See this issue.
    • Note: Keycloak realm steps may be different if you are using the new admin console. Instructions for that can be found on their GitHub.
• Securing your applications