Make sure you have Minikube installed, ideally with the Ingress addon enabled.
To check if you have the Ingress addon enabled, run:
minikube addons list
If the Ingress addon is not enabled, run the following to enable it:
minikube addons enable ingress
The Keycloak QuickStarts repository includes some example files to help deploy Keycloak to Kubernetes.
Let’s start with creating the Keycloak deployment and service:
kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml
This will start Keycloak on Kubernetes. It will also create an initial admin user with username admin and password admin.
Start by creating an Ingress for Keycloak:
wget -q -O - https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak-ingress.yaml | \
sed "s/KEYCLOAK_HOST/keycloak.$(minikube ip).nip.io/" | \
kubectl create -f -
If you don’t have wget and sed available, download the file and manually edit it, replacing KEYCLOAK_HOST with keycloak.<minikube ip address>.nip.io.
Run the following to find out the URLs of Keycloak:
KEYCLOAK_URL=https://keycloak.$(minikube ip).nip.io &&
echo "" &&
echo "Keycloak: $KEYCLOAK_URL" &&
echo "Keycloak Admin Console: $KEYCLOAK_URL/admin" &&
echo "Keycloak Account Console: $KEYCLOAK_URL/realms/myrealm/account" &&
echo ""
Remember these URLs as you will need them throughout this guide. The URL for the account console won’t work right now as you will need to create the realm first.
If you don’t have the Ingress addon enabled, first run in a separate shell:
minikube tunnel
and you can now access Keycloak from the following URL:
KEYCLOAK_URL=http://$(minikube ip):$(kubectl get services/keycloak -o go-template='{{(index .spec.ports 0).nodePort}}') &&
echo "" &&
echo "Keycloak: $KEYCLOAK_URL" &&
echo "Keycloak Admin Console: $KEYCLOAK_URL/admin" &&
echo "Keycloak Account Console: $KEYCLOAK_URL/realms/myrealm/account" &&
echo ""
Remember these URLs as you will need them throughout this guide. The URL for the account console won’t work right now as you will need to create the realm first.
Go to the Keycloak Admin Console and log in with the username and password you created earlier.
A realm in Keycloak is the equivalent of a tenant. It allows creating isolated groups of applications and users. By default there is a single realm in Keycloak called master. This is dedicated to managing Keycloak and should not be used for your own applications.
Let’s create our first realm.
Open the Keycloak Admin Console
Hover the mouse over the dropdown in the top-left corner where it says master, then click on Create realm
Fill in the form with the following values:
Realm name: myrealm
Click Create
Initially there are no users in a new realm, so let’s create one:
Open the Keycloak Admin Console
Click Users (left-hand menu)
Click Create new user (top-right corner of table)
Fill in the form with the following values:
Username: myuser
First Name: Your first name
Last Name: Your last name
Click Create
The user will need an initial password set to be able to log in. To do this:
Click Credentials (top of the page)
Fill in the Set password form with a password
Click ON next to Temporary to prevent having to update password on first login
Let’s now try to log in to the account console to verify the user is configured correctly.
Open the Keycloak Account Console
Log in with myuser and the password you created earlier
You should now be logged in to the account console where users can manage their accounts.
Let’s try to secure our first application. The first step is to register this application with your Keycloak instance:
Open the Keycloak Admin Console
Click 'Clients'
Click 'Create client'
Fill in the form with the following values:
Client type: OpenID Connect
Client ID: myclient
Click 'Next'
Make sure 'Standard flow' is enabled
Click 'Save'
After the client is created you need to update the following values for the client:
Valid redirect URIs: https://www.keycloak.org/app/*
Web origins: https://www.keycloak.org
Remember to click Save.
To make it easy for you, we have a SPA testing application available on the Keycloak website.
Open https://www.keycloak.org/app/. Change Keycloak URL to the URL of your Keycloak instance. Click Save.
Now you can click Sign in to authenticate to this application using the Keycloak server you started earlier.
Before you run Keycloak in production, there are a few more things that you will want to do, including:
Switch to a production-ready database such as PostgreSQL
Configure SSL with your own certificates
Switch the admin password to a more secure password
For more information check out the server guides.
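The production checklist above can be checked mechanically before a manifest is applied. The shell function below is an added example, not part of this guide or the Keycloak QuickStarts repository; the finding names and both sample manifests are constructed, and it assumes the admin password is supplied through the KEYCLOAK_ADMIN_PASSWORD or KC_BOOTSTRAP_ADMIN_PASSWORD environment variable and the database through KC_DB or a --db argument.

```shell
# Added example: lint a Keycloak Deployment manifest for the quick-start
# defaults this guide says to change before production.
# Prints one finding per line; no output means nothing was flagged.
audit_keycloak_manifest() {
  awk '
    # Track the env var that the next "value:" line belongs to.
    /^[ \t]*-[ \t]*name:/ {
      cur = $NF; gsub(/[^A-Za-z0-9_]/, "", cur)
      if (cur == "KC_DB") db = 1; next
    }
    # Admin password written into the manifest instead of a Secret reference.
    /^[ \t]*value:/ && cur ~ /^(KEYCLOAK_ADMIN_PASSWORD|KC_BOOTSTRAP_ADMIN_PASSWORD)$/ {
      v = $0; sub(/^[ \t]*value:[ \t]*/, "", v); gsub(/["\047]/, "", v)
      tag = (v == "admin") ? "DEFAULT_ADMIN_PASSWORD" : "INLINE_ADMIN_PASSWORD"
      print tag, cur
    }
    /start-dev/ { print "DEV_MODE start-dev" }  # development mode
    /--db[= ]/  { db = 1 }                       # database chosen via CLI argument
    END { if (!db) print "NO_DATABASE_CONFIGURED" }
  ' "$@"
}
# Constructed sample: quick-start style container spec (not the real file).
sample_quickstart() {
  cat <<'EOF'
- name: keycloak
  args: ["start-dev"]
  env:
    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
      value: "admin"
EOF
}
# Constructed sample: production start, PostgreSQL, password from a Secret.
sample_hardened() {
  cat <<'EOF'
  args: ["start"]
  env:
    - name: KC_DB
      value: postgres
    - name: KC_BOOTSTRAP_ADMIN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: keycloak-admin
          key: password
EOF
}

sample_quickstart | audit_keycloak_manifest
```

The function reads a manifest file given as an argument or, with no argument, standard input. It is a line-based heuristic, so it does not replace reviewing the manifest.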