Keycloak Operator on Kubernetes

Get started with Keycloak Operator on Kubernetes

Before you start

This quickstart requires a running Kubernetes cluster. You may use Minikube or install the cluster manually.

Install Keycloak Operator on Kubernetes

The best way to install the Keycloak Operator in a Kubernetes environment is to use Operator Lifecycle Manager (OLM). Before moving on, make sure you have followed the OLM installation guide and that all OperatorHub entries have been pulled successfully.

Next, open the OLM Web Console and go to the Keycloak Operator by following Operators > OperatorHub in the menu on the left side. Then, focus on the search input box and type "keycloak".

Install Operator On Kubernetes

Next, select the Keycloak Operator and click on it. Then follow the instructions on the screen:

Install Operator On OpenShift

Make sure you’ve chosen a proper namespace when selecting the Subscription in the next screen.

If you followed all the instructions on the screen, you should see a similar screen with a description of an installed Keycloak Operator:

Install Operator On OpenShift

Create Keycloak Cluster using Keycloak Operator

Once the Keycloak Operator is subscribed to a specific namespace, you can create a Keycloak installation by creating a Keycloak Custom Resource:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/mykeycloak.yaml

The above example will create a single Keycloak instance (you may change this by modifying the instances parameter).

After a few minutes, the Keycloak cluster should be up and running. Once the Keycloak instance is created, check if it’s ready:

$ kubectl get keycloak/mykeycloak -o jsonpath='{.status.ready}'
true

Create Keycloak Realm using Keycloak Operator

Keycloak Operator uses KeycloakRealm Custom Resources to create and manage Realm resources. Create it by using the following command:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/myrealm.yaml

The above command will create a new Realm in Keycloak installation matched by instanceSelector. The newly created Realm will be named "basic".

Once the Realm is created, check if it’s ready:

$ kubectl get keycloakrealms/myrealm -o jsonpath='{.status.ready}'
true

Login to Keycloak Admin Console with Keycloak Operator

Before logging in to the Admin Console, you need to find the admin username and password. The credentials are stored inside the following Secret:

$ kubectl get keycloak mykeycloak --output="jsonpath={.status.credentialSecret}"
credential-mykeycloak

Next, you need to view the username and password:

$ kubectl get secret credential-mykeycloak -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
ADMIN_PASSWORD: CvsRKQOofhGrgg==
ADMIN_USERNAME: admin

Run the following to find out the URLs of Keycloak:

$ KEYCLOAK_URL=https://$(oc get route keycloak --template='{{ .spec.host }}')/auth &&
echo "" &&
echo "Keycloak:                 $KEYCLOAK_URL" &&
echo "Keycloak Admin Console:   $KEYCLOAK_URL/admin" &&
echo "Keycloak Account Console: $KEYCLOAK_URL/realms/myrealm/account" &&
echo ""
Keycloak:                 https://keycloak-default.apps.cluster-slaskawi-11a6.slaskawi-11a6.example.opentlc.com/auth
Keycloak Admin Console:   https://keycloak-default.apps.cluster-slaskawi-11a6.slaskawi-11a6.example.opentlc.com/auth/admin
Keycloak Account Console: https://keycloak-default.apps.cluster-slaskawi-11a6.slaskawi-11a6.example.opentlc.com/auth/realms/myrealm/account

Navigate to the Keycloak URL in your browser and log in with the admin username and password obtained in the previous steps:

Admin console login with Keycloak Operator

Create Keycloak User using Keycloak Operator

Keycloak Operator uses KeycloakUser Custom Resources to create and manage Users. Create it by using the following command:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/myuser.yaml

The above command will create a new User within Keycloak Realm matched by realmSelector. The newly created User will have username set to "myuser".

Once the User is created, you may check if it’s ready:

$ kubectl get keycloakuser/myuser -o jsonpath='{.status.ready}'
true

The user’s password is stored in a Secret whose name follows the pattern credential-[realm]-[username]-[namespace]:

$ kubectl get secret credential-myrealm-myuser-default -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
password: 12345
username: myuser
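
The admin and user credentials above live in Secrets with predictable names. The following added example (not part of the Keycloak quickstart) builds the user Secret name from the pattern, generates a Role and RoleBinding that allow one ServiceAccount to read only that Secret, and decodes a single key into an owner-only file instead of the terminal. The function names, the `read-` Role prefix and the `my-app` ServiceAccount in the usage note are assumptions.

```bash
# Added example, not from the Keycloak quickstart. Function and Role names are assumptions.

# Secret name per the page's pattern: credential-[realm]-[username]-[namespace].
user_secret_name() {
  printf 'credential-%s-%s-%s\n' "$1" "$2" "$3"
}

# Print a Role and RoleBinding letting ServiceAccount SA "get" exactly one Secret.
# Only "get" is granted, so the holder cannot enumerate other Secrets.
secret_reader_rbac() {
  local ns="$1" secret="$2" sa="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-${secret}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["${secret}"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-${secret}
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-${secret}
EOF
}

# Decode one key of a Secret into a file only its owner can read,
# so the value never lands in terminal scrollback or CI logs.
save_secret_key() {
  local ns="$1" secret="$2" key="$3" out="$4" enc
  enc=$(kubectl get secret "$secret" -n "$ns" -o "jsonpath={.data.$key}") || return 1
  [ -n "$enc" ] || return 1
  ( umask 077 && rm -f "$out" && printf '%s' "$enc" | base64 -d > "$out" )
}
```

For example, `secret_reader_rbac default "$(user_secret_name myrealm myuser default)" my-app | kubectl apply -f -` scopes read access to the user's Secret, and `save_secret_key default credential-mykeycloak ADMIN_PASSWORD ./admin.pw` stores the admin password in a mode 0600 file.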

Create a Client to secure your first app

Keycloak Operator uses KeycloakClient Custom Resources to create and manage Client resources. You may create it by using the following command:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/myclient.yaml

The above command will create a new Client within Keycloak Realm matched by realmSelector. The newly created Client will have an ID "client-secret".

Once the Client is created, check if it’s ready:

$ kubectl get keycloakclient/myclient -o jsonpath='{.status.ready}'
true
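
Each of the four `kubectl create -f <URL>` steps above pulls a manifest from a `latest` path and then checks `.status.ready` by hand. The following added example (not part of the Keycloak quickstart) downloads a manifest, applies it only if it matches a SHA-256 digest you recorded after reviewing the file, and then polls readiness with a timeout. The function names and the digest placeholder are assumptions.

```bash
# Added example, not from the Keycloak quickstart. Function names are assumptions.

# Succeed only if FILE hashes to the EXPECTED hex SHA-256 digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Poll .status.ready (the field the page checks by hand) until "true" or timeout.
wait_ready() {
  local resource="$1" timeout="${2:-300}" interval="${3:-5}" waited=0 ready
  while :; do
    ready=$(kubectl get "$resource" -o jsonpath='{.status.ready}' 2>/dev/null) || ready=""
    [ "$ready" = "true" ] && return 0
    [ "$waited" -ge "$timeout" ] && break
    sleep "$interval"
    waited=$((waited + interval))
  done
  echo "timed out after ${timeout}s waiting for $resource" >&2
  return 1
}

# Download URL, refuse to apply it on a digest mismatch, then wait for RESOURCE.
apply_pinned() {
  local url="$1" expected="$2" resource="$3" tmp rc=0
  tmp=$(mktemp) || return 2
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"; return 2
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "digest mismatch for $url; not applying" >&2
    rm -f "$tmp"; return 3
  fi
  kubectl create -f "$tmp" && wait_ready "$resource" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (the digest is a placeholder; record it yourself after reviewing the file):
#   BASE=https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples
#   apply_pinned "$BASE/mykeycloak.yaml" "<sha256-of-reviewed-mykeycloak.yaml>" keycloak/mykeycloak
```

The same call works for `myrealm.yaml`, `myuser.yaml` and `myclient.yaml` with `keycloakrealms/myrealm`, `keycloakuser/myuser` and `keycloakclient/myclient` as the resource to wait for.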

To make it easy for you, we have an SPA testing application available on the Keycloak website.

Open https://www.keycloak.org/app/. Change Keycloak URL to the URL of your Keycloak instance. Click Save.

Now you can click Sign in to authenticate to this application using the Keycloak server you started earlier.