Keycloak Operator on Openshift

Get started with Keycloak Operator on Openshift

Before you start

This quickstart requires a running OpenShift cluster. You may use Red Hat CodeReady Containers (as described in the Keycloak Operator OpenShift Getting Started Guide).

Install Keycloak Operator on OpenShift

Install the Keycloak Operator by using Operator Lifecycle Manager (OLM). Navigate to Home > Operators > OperatorHub in the menu on the left side of the OpenShift Console. Then, focus on the search input box and type "keycloak":

Install Operator On OpenShift

Next, navigate to Keycloak Operator and click on it. Next, follow the instructions on the screen:

Install Operator On OpenShift

Make sure you’ve chosen a proper namespace when selecting the Subscription in the next screen.

If you followed all the instructions on the screen, you should see a similar screen with a description of an installed Keycloak Operator:

Install Operator On OpenShift

Create Keycloak Cluster using Keycloak Operator

Once the Keycloak Operator is subscribed to a specific namespace, you can deploy Keycloak by creating a Keycloak Custom Resource:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/mykeycloak.yaml

The above example will create a single Keycloak instance (you may change this by modifying the instances parameter).

After a few minutes, the Keycloak cluster should be up and running. Once the Keycloak instance is created, check if it’s ready:

$ kubectl get keycloak/mykeycloak -o jsonpath='{.status.ready}'
true

Create Keycloak Realm using Keycloak Operator

Keycloak Operator uses KeycloakRealm Custom Resources to create and manage Realm resources. Create it by using the following command:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/myrealm.yaml

The above command will create a new Realm in the Keycloak installation matched by its instanceSelector. The newly created Realm will be named "basic".

Once the Realm is created, check if it’s ready:

$ kubectl get keycloakrealms/myrealm -o jsonpath='{.status.ready}'
true

Login to Keycloak Admin Console with Keycloak Operator

Before logging into the Admin Console, you need to look up the admin username and password. The credentials are stored in the following Secret:

$ kubectl get keycloak mykeycloak --output="jsonpath={.status.credentialSecret}"
credential-mykeycloak

Next, you need to view the username and password:

$ kubectl get secret credential-mykeycloak -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
ADMIN_PASSWORD: CvsRKQOofhGrgg==
ADMIN_USERNAME: admin

Run the following to find out the URLs of Keycloak:

$ KEYCLOAK_URL=https://$(oc get route keycloak --template='{{ .spec.host }}')/auth &&
echo "" &&
echo "Keycloak:                 $KEYCLOAK_URL" &&
echo "Keycloak Admin Console:   $KEYCLOAK_URL/admin" &&
echo "Keycloak Account Console: $KEYCLOAK_URL/realms/myrealm/account" &&
echo ""
Keycloak:                 https://keycloak-default.apps.cluster-slaskawi-11a6.slaskawi-11a6.example.opentlc.com/auth
Keycloak Admin Console:   https://keycloak-default.apps.cluster-slaskawi-11a6.slaskawi-11a6.example.opentlc.com/auth/admin
Keycloak Account Console: https://keycloak-default.apps.cluster-slaskawi-11a6.slaskawi-11a6.example.opentlc.com/auth/realms/myrealm/account

Navigate to the Keycloak Admin Console URL in your browser and log in with the admin username and password obtained in the previous steps:

Admin console login with Keycloak Operator

Create Keycloak User using Keycloak Operator

Keycloak Operator uses KeycloakUser Custom Resources to create and manage Users. Create it by using the following command:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/myuser.yaml

The above command will create a new User within the Keycloak Realm matched by its realmSelector. The newly created User will have the username "myuser".

Once the User is created, you may check if it’s ready:

$ kubectl get keycloakuser/myuser -o jsonpath='{.status.ready}'
true

The User’s password is stored in a Secret whose name follows the pattern credential-[realm]-[username]-[namespace], where [realm] is the name of the KeycloakRealm Custom Resource:

$ kubectl get secret credential-myrealm-myuser-default -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
password: 12345
username: myuser

Create a Client to secure your first app

Keycloak Operator uses KeycloakClient Custom Resources to create and manage Client resources. You may create it by using the following command:

$ kubectl create -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples/myclient.yaml

The above command will create a new Client within the Keycloak Realm matched by its realmSelector. The newly created Client will have the client ID "client-secret".

Once the Client is created, check if it’s ready:

$ kubectl get keycloakclient/myclient -o jsonpath='{.status.ready}'
true
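The four create-then-check steps above are easy to script. The following POSIX sh script is an added example, not part of the Keycloak quickstart or the operator project: it applies the same four quickstart manifests in order, polls .status.ready of each Custom Resource with a timeout instead of checking by hand, reads the admin credential Secret name from the Keycloak resource's status, and derives the user password Secret name from the pattern documented above. The KUBECTL and NAMESPACE variables, the function names and the timeouts are assumptions of this example; the manifest URLs, resource names and Secret keys are the ones used on this page.

```shell
#!/usr/bin/env sh
# Added example: provision Keycloak -> Realm -> User -> Client with the
# Keycloak Operator and wait for each Custom Resource to become ready.
# KUBECTL and NAMESPACE are overridable (assumed names, not operator settings)
# so the helpers can be exercised against a stub without a cluster.
KUBECTL="${KUBECTL:-kubectl}"
NAMESPACE="${NAMESPACE:-default}"

# Print .status.ready of one Custom Resource (the same jsonpath query the
# quickstart runs by hand); prints "true" once the operator has reconciled it.
cr_ready() {  # cr_ready <kind> <name>
  "$KUBECTL" get "$1/$2" -n "$NAMESPACE" -o jsonpath='{.status.ready}' 2>/dev/null
}

# Poll cr_ready until it reports true. Returns 0 when ready, 1 on timeout,
# so a caller can stop instead of creating dependent resources blindly.
wait_ready() {  # wait_ready <kind> <name> [timeout_seconds] [interval_seconds]
  kind=$1; name=$2; timeout=${3:-300}; interval=${4:-5}; waited=0
  while [ "$(cr_ready "$kind" "$name")" != "true" ]; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "timeout waiting for $kind/$name to become ready" >&2
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
  return 0
}

# Name of the Secret holding a KeycloakUser's password, following the
# credential-[realm]-[username]-[namespace] pattern from the quickstart,
# where [realm] is the KeycloakRealm resource name (myrealm), not the
# realm name inside Keycloak (basic).
user_secret_name() {  # user_secret_name <realm_cr_name> <username> <namespace>
  printf 'credential-%s-%s-%s\n' "$1" "$2" "$3"
}

# Decode one key of a Secret without dumping every key to the terminal.
secret_field() {  # secret_field <secret_name> <key>
  "$KUBECTL" get secret "$1" -n "$NAMESPACE" -o jsonpath="{.data.$2}" | base64 -d
}

# Apply the quickstart manifests in dependency order, waiting after each one.
provision() {
  base=https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/operator-examples
  "$KUBECTL" create -n "$NAMESPACE" -f "$base/mykeycloak.yaml"
  wait_ready keycloak mykeycloak || return 1
  "$KUBECTL" create -n "$NAMESPACE" -f "$base/myrealm.yaml"
  wait_ready keycloakrealm myrealm || return 1
  "$KUBECTL" create -n "$NAMESPACE" -f "$base/myuser.yaml"
  wait_ready keycloakuser myuser || return 1
  "$KUBECTL" create -n "$NAMESPACE" -f "$base/myclient.yaml"
  wait_ready keycloakclient myclient || return 1

  # The admin credential Secret name comes from the Keycloak resource status.
  admin_secret=$("$KUBECTL" get keycloak mykeycloak -n "$NAMESPACE" \
    -o jsonpath='{.status.credentialSecret}')
  echo "admin credential secret: $admin_secret"
  echo "admin username: $(secret_field "$admin_secret" ADMIN_USERNAME)"
  echo "myuser password secret: $(user_secret_name myrealm myuser "$NAMESPACE")"
}

# Only provision when invoked as: sh provision.sh run
if [ "${1:-}" = "run" ]; then
  provision
fi
```

The script deliberately prints Secret names and the admin username but not the passwords; read those with secret_field into whatever consumes them rather than echoing them into a shell history or CI log.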

To make this easy, a SPA testing application is available on the Keycloak website.

Open https://www.keycloak.org/app/. Change Keycloak URL to the URL of your Keycloak instance. Click Save.

Now you can click Sign in to authenticate to this application using the Keycloak server you started earlier.