K8S Keycloak with Traefik
2 min read · Jan 16, 2024
I used Keycloak for authentication in my recent projects. This is a note on my Keycloak configuration in Kubernetes (K8S).
I'm not going to cover Argo CD and Traefik here; this assumes you already have both running in your cluster.
First, create the YAML for the Keycloak Deployment. Set KC_PROXY=edge: Traefik terminates TLS and forwards plain HTTP to the pod, and "edge" tells Keycloak to trust the X-Forwarded-For/Proto/Host headers Traefik sets, so it knows the request really came in over https://keycloak.mywebsite.com and builds its redirect and issuer URLs accordingly. Without it Keycloak sees http traffic on port 8080 and either refuses to start in production mode or generates http:// URLs.
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: keycloak
  labels:
    app: keycloak
  namespace: development
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          # Pinned image. Note that KC_PROXY is deprecated from Keycloak 24 in
          # favour of KC_PROXY_HEADERS=xforwarded, so check before bumping it.
          image: quay.io/keycloak/keycloak:23.0.4
          # "start" is production mode: it refuses to run without a hostname
          # and without either HTTPS or a trusted proxy in front of it.
          args: ["start"]
          env:
            # Bootstrap admin account, read from the Secret defined below.
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KEYCLOAK_ADMIN
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KEYCLOAK_ADMIN_PASSWORD
            # Database connection (PostgreSQL).
            - name: KC_DB
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KC_DB
            - name: KC_DB_URL
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KC_DB_URL
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KC_DB_USERNAME
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KC_DB_PASSWORD
            # Public hostname settings; KC_HOSTNAME must match the Traefik Host() rule.
            - name: KC_HOSTNAME_STRICT_HTTPS
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KC_HOSTNAME_STRICT_HTTPS
            - name: KC_HOSTNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secret
                  key: KC_HOSTNAME
            # Traefik terminates TLS. "edge" makes Keycloak trust the
            # X-Forwarded-* headers and build https:// URLs. Keycloak trusts
            # those headers from ANY client that reaches port 8080, so the pod
            # must only be reachable through Traefik (no second Ingress or
            # NodePort; ideally a NetworkPolicy limiting ingress to Traefik).
            - name: KC_PROXY
              value: "edge"
          ports:
            - name: keycloak
              containerPort: 8080
          readinessProbe:
            httpGet:
              # Unauthenticated realm metadata; 200 once the DB is reachable.
              # KC_HEALTH_ENABLED=true plus /health/ready is the dedicated option.
              path: /realms/master
              port: 8080
```
Then, a Service for Keycloak. It only needs to be reachable by Traefik inside the cluster, so a plain ClusterIP is enough.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  namespace: development
spec:
  ports:
    - protocol: TCP
      name: keycloak-service
      port: 8080
      targetPort: 8080   # the container port declared in the Deployment
  selector:
    app: keycloak
```
Next is the Kubernetes Secret. I used PostgreSQL as the Keycloak database. KC_HOSTNAME must be set to the public hostname Keycloak is served on (the same name the IngressRoute matches); Keycloak uses it for every redirect and issuer URL it generates. The credential values below are placeholders. Remember that with Argo CD this manifest lives in Git and a Secret is only base64-encoded once applied, so generate real passwords and encrypt the file (Sealed Secrets, External Secrets Operator or SOPS) instead of committing it as-is. KC_DB, KC_HOSTNAME and KC_HOSTNAME_STRICT_HTTPS are not actually secret and could live in a ConfigMap; they are kept here to match the Deployment above.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-secret
  namespace: development
type: Opaque
# stringData is plain text here and only base64 (not encrypted) in the cluster.
stringData:
  KEYCLOAK_ADMIN: "admin"               # placeholder
  KEYCLOAK_ADMIN_PASSWORD: "password"   # placeholder, generate a real one
  KC_DB: "postgres"
  KC_DB_URL: "jdbc:postgresql://postgres-primary.postgres.svc.cluster.local:5432/keycloak"
  KC_DB_USERNAME: "keycloak"
  KC_DB_PASSWORD: "password"            # placeholder, generate a real one
  # "false" lets Keycloak infer the scheme from the request and build http://
  # URLs when asked over HTTP. It is only tolerable because Traefik redirects
  # all HTTP to HTTPS and sets X-Forwarded-Proto; the default "true" is safer
  # and should be kept unless something actually breaks.
  KC_HOSTNAME_STRICT_HTTPS: "false"
  # Public hostname; must be identical to the Host() rule in the IngressRoute.
  KC_HOSTNAME: "keycloak.mywebsite.com"
```
Last is the IngressRoute: one route on the web (HTTP) entrypoint and one on websecure (HTTPS), both matching the same Host() as KC_HOSTNAME, plus a redirectScheme middleware so every plain-HTTP request is sent permanently to HTTPS and nothing, including the login form, is ever served in cleartext. The `traefik.containo.us` API group is the legacy one; Traefik 2.10+ also serves `traefik.io/v1alpha1`, and Traefik v3 only accepts the latter.
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keycloak-web
  namespace: development
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`keycloak.mywebsite.com`)
      # Redirect only; the plain-HTTP route never reaches Keycloak because the
      # middleware answers first.
      middlewares:
        - name: keycloak-web-redirect-scheme
      services:
        - name: keycloak-service
          port: 8080
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keycloak-websecure
  namespace: development
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`keycloak.mywebsite.com`)
      services:
        - name: keycloak-service
          port: 8080
  tls:
    # ACME resolver configured in the Traefik static configuration.
    certResolver: myresolver
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: keycloak-web-redirect-scheme
  namespace: development
spec:
  redirectScheme:
    permanent: true   # 301 for GET, 308 for other methods
    port: '443'
    scheme: https
```
Hope this helps.
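Once everything is applied, the two things most likely to be wrong are the HTTP-to-HTTPS redirect and the proxy/hostname handling, and the quickest way to see the latter is Keycloak's own OIDC discovery document: if KC_PROXY or KC_HOSTNAME is off, it publishes http:// or internal-service URLs and every client fails issuer validation. The script below is an added example (not from the original post, Keycloak or Traefik) that checks both from outside the cluster. It only assumes the hostname keycloak.mywebsite.com and the master realm from the manifests; the sample discovery documents embedded in it are constructed to show a correct and a broken deployment, not captured from a real server.

```python
"""Post-deploy checks for Keycloak behind TLS-terminating Traefik.

Added example, not part of the original post or of Keycloak/Traefik. It only
assumes the public hostname from the manifests (keycloak.mywebsite.com) and the
"master" realm; run it from outside the cluster after the manifests are applied.
"""
import http.client
import json
import ssl
import urllib.request
from urllib.parse import urlparse

HOST = "keycloak.mywebsite.com"  # KC_HOSTNAME and the IngressRoute Host() rule
PUBLISHED_URLS = ("issuer", "authorization_endpoint", "token_endpoint",
                  "jwks_uri", "end_session_endpoint")


def check_redirect(status, location, host=HOST):
    """The 'web' IngressRoute must answer plain HTTP with a permanent redirect
    (Traefik sends 301 for GET, 308 for other methods) to https:// on the same
    host. A 200 here means logins can happen over cleartext."""
    if status not in (301, 308):
        return False, f"expected 301/308 on http://, got {status}"
    loc = urlparse(location or "")
    if loc.scheme != "https" or loc.hostname != host:
        return False, f"redirect target is {location!r}, expected https://{host}/..."
    return True, "http:// is redirected to https://"


def check_discovery(doc, host=HOST):
    """With KC_PROXY=edge and KC_HOSTNAME set, every URL Keycloak publishes in
    its discovery document must be https:// on the public hostname. http://
    means X-Forwarded-Proto is not being honoured; an internal hostname means
    KC_HOSTNAME is missing. Either way clients fail issuer validation or are
    sent to an unencrypted endpoint. Returns a list of problems (empty = OK)."""
    problems = []
    for key in PUBLISHED_URLS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key}: missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key}: not https ({url})")
        if parsed.hostname != host:
            problems.append(f"{key}: host {parsed.hostname!r} != {host!r}")
    return problems


def probe_redirect(host=HOST, path="/realms/master"):
    """Hit the plain-HTTP entrypoint without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return check_redirect(resp.status, resp.getheader("Location"), host)


def probe_discovery(host=HOST, realm="master"):
    """Fetch the discovery document over TLS (certificate is verified)."""
    url = f"https://{host}/realms/{realm}/.well-known/openid-configuration"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=10, context=ctx) as resp:
        return check_discovery(json.load(resp), host)


# Constructed sample documents (not captured from a real server). GOOD is what
# a correct deployment publishes; BAD shows the symptoms of a missing KC_PROXY
# (http:// scheme) and a missing KC_HOSTNAME (internal Service name).
_BASE = f"https://{HOST}/realms/master"
GOOD_DISCOVERY = {
    "issuer": _BASE,
    "authorization_endpoint": f"{_BASE}/protocol/openid-connect/auth",
    "token_endpoint": f"{_BASE}/protocol/openid-connect/token",
    "jwks_uri": f"{_BASE}/protocol/openid-connect/certs",
    "end_session_endpoint": f"{_BASE}/protocol/openid-connect/logout",
}
BAD_DISCOVERY = {
    "issuer": f"http://{HOST}/realms/master",
    "authorization_endpoint": f"http://{HOST}/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak-service:8080/realms/master/protocol/openid-connect/token",
    # jwks_uri deliberately absent
    "end_session_endpoint": f"{_BASE}/protocol/openid-connect/logout",
}

if __name__ == "__main__":
    import sys
    ok, msg = probe_redirect()
    print(("PASS " if ok else "FAIL ") + msg)
    problems = probe_discovery()
    for p in problems:
        print("FAIL " + p)
    if not problems:
        print(f"PASS discovery document only publishes https://{HOST} URLs")
    sys.exit(0 if ok and not problems else 1)
```

Run it after DNS points at Traefik; a non-zero exit means either the web entrypoint is serving Keycloak directly instead of redirecting, or Keycloak is not seeing the forwarded scheme and host from Traefik.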