Configure Keycloak

This page outlines the configuration values for the Keycloak deployed via Axual Governance Helm chart.

About Keycloak

Keycloak is an open source Identity and Access Management solution. Keycloak provides user federation, strong authentication, user management, fine-grained authorization, and more.

Keycloak Configuration

Since we are using the codecentric KeycloakX Helm charts, we suggest looking at the KeycloakX public documentation for the complete list of configuration options.

Keycloak Repository Configuration

Initially, you can override the registry, tag, and pullPolicy for the Keycloak pod.

By default, these values come from the Axual Governance charts.

You can also override the imagePullSecrets; if not specified, the Keycloak pod will use the global.imagePullSecrets value.

values.yaml
keycloak:
  image:
    # The Keycloak image repository
    repository: quay.io/keycloak/keycloak
    # Overrides the Keycloak image tag whose default is the chart appVersion
    tag: "22.0.4"
    # Overrides the Keycloak image tag with a specific digest
    digest: ""
    # The Keycloak image pull policy
    pullPolicy: IfNotPresent
  # Image pull secrets for the Pod
  imagePullSecrets:
    - name: axualdockercred

Keycloak Database Configuration

You can configure Keycloak to interact with a MySQL database.

values.yaml
keycloak:
  database:
    vendor: "mysql"
    hostname: "keycloak-mysql"
    database: "keycloak-db"
    port: "3306"
    username: "keycloak"
    password: "notsecret"

Keycloak Admin Configuration

You can provide extraEnv variables to define the Keycloak admin credentials.

values.yaml
keycloak:
  extraEnv: |
    - name: KEYCLOAK_ADMIN
      value: "admin"
    - name: KEYCLOAK_ADMIN_PASSWORD
      value: "notsecret"
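The snippet above puts the admin password in values.yaml in clear text, so it ends up in version control and in the Helm release history. The following is an added example (not part of the Axual or KeycloakX documentation) showing the same extraEnv block reading the credentials from a Kubernetes Secret instead, using the standard valueFrom.secretKeyRef env source. The Secret name keycloak-admin-credentials and its key names are assumptions chosen for this example; the KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD variable names are the ones the page already uses.

```yaml
# Assumed Secret holding the admin credentials; create it out of band
# (e.g. from a secrets manager) rather than committing it with the chart values.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-admin-credentials   # assumed name for this example
type: Opaque
stringData:
  username: admin
  password: "<replace-with-a-generated-password>"   # placeholder, not a real value
---
# values.yaml (added example): extraEnv is a string block, as in the chart's
# own configuration, so the env entries use plain Kubernetes env syntax.
keycloak:
  extraEnv: |
    - name: KEYCLOAK_ADMIN
      valueFrom:
        secretKeyRef:
          name: keycloak-admin-credentials   # assumed Secret name
          key: username
    - name: KEYCLOAK_ADMIN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: keycloak-admin-credentials   # assumed Secret name
          key: password
```

With this layout the rendered Pod spec only references the Secret, so `helm get values` and the chart repository never contain the password itself; access to the credential is then governed by RBAC on the Secret rather than by who can read the values file.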

Ingress Configuration

Keycloak Helm charts allow configuring an Ingress to make the Keycloak Admin console accessible outside the Kubernetes cluster.

By default, Keycloak is configured not to be exposed outside the Kubernetes cluster, since the Self-Service relies on the API Gateway to interact with Keycloak.

In case you want to enable the Keycloak Admin console's Ingress, you can configure it as follows:

values.yaml
keycloak:
  ingress:
    # -- Enable creation of the Ingress resource to expose this service.
    enabled: true
    # -- The name of the IngressClass cluster resource.
    # The associated IngressClass defines which controller will implement the resource.
    className: ""
    # -- Annotations to add to the Ingress resource.
    annotations: {}
    hosts:
      - # -- The fully qualified domain name of a network host.
        host: "chart-example.local"
        paths:
          - # -- Matched against the path of an incoming request.
            path: "/auth"
            # -- Determines the interpretation of the Path matching.
            # Can be one of the following values: `Exact`, `Prefix`, `ImplementationSpecific`.
            pathType: "ImplementationSpecific"
    # -- TLS configuration for this Ingress.
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

Route Configuration

Keycloak Helm charts allow configuring an OpenShift Route to make the Keycloak Admin console accessible outside the Kubernetes cluster.

By default, Keycloak is configured not to be exposed outside the Kubernetes cluster, since the Self-Service relies on the API Gateway to interact with Keycloak.

In case you want to enable the Keycloak Admin console's OpenShift Route, you can configure it as follows:

values.yaml
keycloak:
  route:
    # -- Enable creation of an OpenShift Route resource to expose this service.
    enabled: true
    # -- Annotations to add to the Route.
    annotations: {}
    # -- Labels to add to the route.
    labels: {}
    # -- An alias/DNS that points to the service. Optional. If not specified a route name will typically be automatically chosen.
    host: ""
    # -- subdomain is a DNS subdomain that is requested within the ingress controller’s domain (as a subdomain). If host is set this field is ignored.
    subdomain: ""
    # -- Path that the router watches for, to route traffic for to the service.
    path: "/auth"
    tls:
      # -- The Certificate Authority certificate contents.
      caCertificate: ""
      # -- Certificate contents. This should be a single serving certificate, not a certificate chain. Do not include a CA certificate.
      certificate: ""
      # -- Key file contents.
      key: ""
      # -- Indicates termination type. One of: `edge`, `passthrough`, or `reencrypt`.
      termination: "passthrough"
      # -- The CA certificate of the final destination. When using reencrypt termination this file should be provided
      # in order to have routers use it for health checks on the secure connection.
      destinationCACertificate: ""