A Kubernetes Operator based on the Operator SDK for creating and syncing resources in Keycloak.
The official documentation can be found here.
- Keycloak documentation
 - User Mailing List - Mailing list for help and general questions about Keycloak
 
If you've found a security vulnerability, please look at the instructions on how to properly report it.
If you believe you have discovered a defect in the Keycloak Operator, please open an issue. Please remember to provide a good summary and description, as well as steps to reproduce the issue.
| CustomResourceDefinition | Description | 
|---|---|
| Keycloak | Manages, installs and configures Keycloak on the cluster | 
| KeycloakRealm | Represents a realm in a keycloak server | 
| KeycloakUser | Represents a user in a keycloak server | 
| KeycloakClient | Represents a client in a keycloak server | 
| KeycloakBackup | Manage Keycloak database backups -- This feature is deprecated | 
The official documentation contains installation instructions for this Operator.
Getting started with keycloak-operator on Openshift
Getting started with keycloak-operator on Kubernetes
Note: You will need a running Kubernetes or OpenShift cluster to use the Operator
- Run `make cluster/prepare` # This will apply the necessary Custom Resource Definitions (CRDs) and RBAC rules to the cluster
- Run `kubectl apply -f deploy/operator.yaml` # This will start the operator in the current namespace

Once the CRDs and RBAC rules are applied and the operator is running, use the examples from the operator.
- Run `kubectl apply -f deploy/examples/keycloak/keycloak.yaml`
Note: You will need a running Kubernetes or OpenShift cluster to use the Operator
- clone this repo to `$GOPATH/src/github.com/keycloak/keycloak-operator`
- run `make setup/mod cluster/prepare`
- deploy a PostgreSQL Database -- The embedded database installation is deprecated
- run `make code/run` -- The above step will launch the operator on the local machine -- To see how to debug the operator or how to deploy to a cluster, see below alternatives to step 3
- check the IP/url of the installed Database
- modify secret external-db-secret.yaml setting the values
- execute the secret with `kubectl apply -f ./deploy/examples/keycloak/external-db-secret.yaml`
- In a new terminal run `make cluster/create/examples`
- Optional: configure Ingress and DNS Resolver
  - minikube:
    -- run `minikube addons enable ingress`
    -- run `./hack/modify_etc_hosts.sh`
  - Docker for Mac:
    -- run `kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-0.32.0/deploy/static/provider/cloud/deploy.yaml` (see also https://kubernetes.github.io/ingress-nginx/deploy/)
    -- run `./hack/modify_etc_hosts.sh keycloak.local 127.0.0.1`
- Run `make test/e2e`
To clean the cluster (Removes CRDs, CRs, RBAC and namespace)
- run `make cluster/clean`
Debug the operator in Goland
- `go get -u github.com/go-delve/delve/cmd/dlv`
- Create new `Go Build` debug configuration
- Change the properties to the following

* Name = Keycloak Operator
* Run Kind = File
* Files = <project full path>/cmd/manager/main.go
* Working Directory = <project full path>
* Environment = KUBERNETES_CONFIG=<kube config path>;WATCH_NAMESPACE=keycloak

- Apply and click Debug Keycloak operator

Debug the operator in VS Code
- `go get -u github.com/go-delve/delve/cmd/dlv`
- Create new launch configuration, changing your kube config location

```json
{
  "name": "Keycloak Operator",
  "type": "go",
  "request": "launch",
  "mode": "auto",
  "program": "${workspaceFolder}/cmd/manager/main.go",
  "env": {
    "WATCH_NAMESPACE": "keycloak",
    "KUBERNETES_CONFIG": "<kube config path>"
  },
  "cwd": "${workspaceFolder}",
  "args": []
}
```

- Debug Keycloak Operator

Deploy the operator into the running cluster
- build image with `operator-sdk build <image registry>/<organisation>/keycloak-operator:<tag>`. e.g. `operator-sdk build quay.io/keycloak/keycloak-operator:test`
- Change the `image` property in `deploy/operator.yaml` to the above full image path
- run `kubectl apply -f deploy/operator.yaml -n <NAMESPACE>`
Debug the e2e operator tests in Goland
- Set `Test kind` to `Package`
- Set `Working directory` to `<your project directory>`
- Set `Go tool arguments` to `-i -parallel=1`
- Set `Program arguments` to `-root=<your project directory> -kubeconfig=<your home directory>/.kube/config -globalMan deploy/empty-init.yaml -namespacedMan deploy/empty-init.yaml -test.v -singleNamespace -localOperator -test.timeout 0`
- Apply and click Debug Keycloak operator

| Command | Description |
|---|---|
| `make cluster/prepare` | Creates the keycloak namespace, applies all CRDs to the cluster and sets up the RBAC files |
| `make cluster/clean` | Deletes the keycloak namespace, all keycloak.org CRDs and all RBAC files named keycloak-operator |
| `make cluster/create/examples` | Applies the example Keycloak and KeycloakRealm CRs |

| Command | Description |
|---|---|
| `make test/unit` | Runs unit tests |
| `make test/e2e` | Runs e2e tests with the operator running locally |
| `make test/e2e-latest-image` | Runs e2e tests with the latest available operator image running in the cluster |
| `make test/e2e-local-image` | Runs e2e tests with a local operator image running in the cluster |
| `make test/coverage/prepare` | Prepares coverage report from unit and e2e test results |
| `make test/coverage` | Generates coverage report |

It's possible to deploy CRDs, roles, role bindings, etc. separately from running the tests:
- Run `make cluster/prepare` as a cluster admin.
- Run `make test/ibm-validation` as a user. The user needs the following permissions to run the tests:

```yaml
apiGroups: ["", "apps", "keycloak.org"]
resources: ["persistentvolumeclaims", "deployments", "statefulsets", "keycloaks", "keycloakrealms", "keycloakusers", "keycloakclients", "keycloakbackups"]
verbs: ["*"]
```

Please bear in mind this is intended to be used for internal purposes as there's no guarantee it'll work without any issues.
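
The permission rule above can be granted to the test user with a namespaced Role and RoleBinding. The manifest below is an added example, not part of the keycloak-operator repository: it splits the rule by API group so that each resource is matched only in the group that serves it, and keeps the `verbs: ["*"]` the README asks for. The Role name and the user `test-user` are hypothetical, and binding in the `keycloak` namespace (the one `make cluster/prepare` creates) is an assumption.

```yaml
# Added example: Role and RoleBinding for the user that runs make test/ibm-validation.
# Names marked "hypothetical" are not defined anywhere in the repository.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloak-test-runner          # hypothetical
  namespace: keycloak                 # assumption: tests run in this namespace
rules:
  # Core API group: only PVCs, not every core resource.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["*"]
  # apps group: the workload kinds listed in the README.
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["*"]
  # Operator CRDs.
  - apiGroups: ["keycloak.org"]
    resources: ["keycloaks", "keycloakrealms", "keycloakusers", "keycloakclients", "keycloakbackups"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keycloak-test-runner          # hypothetical
  namespace: keycloak
subjects:
  - kind: User
    name: test-user                   # hypothetical user name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                          # Role, not ClusterRole: access stays inside one namespace
  name: keycloak-test-runner
  apiGroup: rbac.authorization.k8s.io
```

A cluster admin applies this once; `kubectl auth can-i --list -n keycloak --as test-user` then shows what the user can actually do before the tests are run.
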
| Command | Description |
|---|---|
| `make setup` | Runs setup/mod setup/githooks code/gen |
| `make setup/githooks` | Copies githooks from ./githooks to .git/hooks |
| `make setup/mod` | Resets the main module's vendor directory to include all packages |
| `make setup/operator-sdk` | Installs the operator-sdk |
| `make code/run` | Runs the operator locally for development purposes |
| `make code/compile` | Builds the operator |
| `make code/gen` | Generates/Updates the operator files based on the CR status and spec definitions |
| `make code/check` | Checks for linting errors in the code |
| `make code/fix` | Formats code using gofmt |
| `make code/lint` | Checks for linting errors in the code |
| `make client/gen` | Generates/Updates the clients based on the CR status and spec definitions |

NOTE: This functionality works only in OpenShift environment.
| Command | Description |
|---|---|
| `make cluster/prepare/monitoring` | Installs and configures Application Monitoring Operator |

| Command | Description |
|---|---|
| `make setup/travis` | Downloads operator-sdk, makes it executable and copies it to /usr/local/bin/ |

All images used by the Operator can be controlled using dedicated environment variables:

| Image | Environment variable | Default |
|---|---|---|
| Keycloak | `RELATED_IMAGE_KEYCLOAK` | `quay.io/keycloak/keycloak:9.0.2` |
| RHSSO for OpenJ9 | `RELATED_IMAGE_RHSSO_OPENJ9` | `registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4-1` |
| RHSSO for OpenJDK | `RELATED_IMAGE_RHSSO_OPENJDK` | `registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4-1` |
| Init container | `RELATED_IMAGE_KEYCLOAK_INIT_CONTAINER` | `quay.io/keycloak/keycloak-init-container:latest` |
| Backup container | `RELATED_IMAGE_RHMI_BACKUP_CONTAINER` | `quay.io/integreatly/backup-container:1.0.16` |
| Postgresql | `RELATED_IMAGE_POSTGRESQL` | `registry.redhat.io/rhel8/postgresql-10:1` |

Before contributing to Keycloak Operator please read our contributing guidelines.
- Keycloak - Keycloak Server and Java adapters
 - Keycloak Documentation - Documentation for Keycloak
 - Keycloak QuickStarts - QuickStarts for getting started with Keycloak
 - Keycloak Docker - Docker images for Keycloak
 - Keycloak Node.js Connect - Node.js adapter for Keycloak
 - Keycloak Node.js Admin Client - Node.js library for Keycloak Admin REST API