    Keycloak

    The Keycloak Custom Resource defines and manages a Keycloak server instance. The Operator reconciles this resource to create and maintain the Kubernetes resources required to run Keycloak, including Deployments, Services, Ingress, and Secrets.

    Resource Information

    | Property    | Value            |
    |-------------|------------------|
    | API Group   | k8s.keycloak.org |
    | API Version | v2alpha1         |
    | Kind        | Keycloak         |
    | Plural      | keycloaks        |
    | Short Name  | kc               |
    | Scope       | Namespaced       |

    Example

    apiVersion: k8s.keycloak.org/v2alpha1
    kind: Keycloak
    metadata:
      name: example-kc
      namespace: keycloak
    spec:
      instances: 2
      db:
        vendor: postgres
        host: postgres-db
        usernameSecret:
          name: keycloak-db-secret
          key: username
        passwordSecret:
          name: keycloak-db-secret
          key: password
      http:
        tlsSecret: keycloak-tls-secret
      ingress:
        enabled: true
        className: nginx
        tlsSecret: keycloak-tls-secret
      hostname:
        hostname: keycloak.example.com
      proxy:
        headers: xforwarded
      additionalOptions:
        - name: metrics-enabled
          value: "true"
      resources:
        requests:
          cpu: "500m"
          memory: "1Gi"
        limits:
          cpu: "2"
          memory: "2Gi"

    Spec Fields

    spec.instances

    | Property | Value           |
    |----------|-----------------|
    | Type     | integer         |
    | Required | No (default: 1) |

    Number of Keycloak server replicas. Set to 2 or more for high availability. Multiple instances share session state via the embedded Infinispan cache cluster.


    spec.db

    Database connection configuration.

    | Field           | Type              | Description |
    |-----------------|-------------------|-------------|
    | vendor          | string            | Database vendor. Supported values: postgres, mysql, mariadb, mssql, oracle. |
    | host            | string            | Hostname of the database server. Ignored if url is set. |
    | port            | integer           | Port of the database server. Ignored if url is set. |
    | database        | string            | Database name. Ignored if url is set. |
    | schema          | string            | Database schema to use. |
    | url             | string            | Full JDBC URL. Overrides host, port, and database if set. |
    | usernameSecret  | SecretKeySelector | Reference to the Secret containing the database username. |
    | passwordSecret  | SecretKeySelector | Reference to the Secret containing the database password. |
    | poolInitialSize | integer           | Initial size of the database connection pool. |
    | poolMinSize     | integer           | Minimum size of the database connection pool. |
    | poolMaxSize     | integer           | Maximum size of the database connection pool. |

    SecretKeySelector fields:

    | Field    | Type    | Description |
    |----------|---------|-------------|
    | name     | string  | Name of the Kubernetes Secret. |
    | key      | string  | Key within the Secret. |
    | optional | boolean | Whether the Secret must exist. |

    spec.http

    HTTP and HTTPS listener configuration.

    | Field       | Type              | Description |
    |-------------|-------------------|-------------|
    | httpEnabled | boolean           | Enables the HTTP (non-TLS) listener. Recommended for development only. |
    | httpPort    | integer           | HTTP port. Default: 8080. |
    | httpsPort   | integer           | HTTPS port. Default: 8443. |
    | tlsSecret   | string            | Name of the TLS Secret for HTTPS at the Pod level. The Secret must be of type kubernetes.io/tls. |
    | annotations | map[string]string | Annotations to append to the Service object. |
    | labels      | map[string]string | Labels to append to the Service object. |

    spec.ingress

    Kubernetes Ingress configuration.

    | Field       | Type              | Description |
    |-------------|-------------------|-------------|
    | enabled     | boolean           | Creates an Ingress resource when set to true. |
    | className   | string            | Ingress class name (for example, nginx). |
    | tlsSecret   | string            | Name of the TLS Secret for the Ingress TLS entry. |
    | annotations | map[string]string | Additional annotations for the Ingress object. |
    | labels      | map[string]string | Additional labels for the Ingress object. |

    spec.hostname

    Hostname and URL configuration.

    | Field              | Type    | Description |
    |--------------------|---------|-------------|
    | hostname           | string  | Public hostname for the Keycloak server. Required when Ingress is enabled. |
    | admin              | string  | Hostname for the Admin Console. Defaults to hostname if not set. |
    | strict             | boolean | Disables dynamic hostname resolution from request headers. Recommended for production. |
    | backchannelDynamic | boolean | Enables dynamic backchannel URL resolution. Set to true when applications access Keycloak via a private network. |

    spec.proxy

    Reverse proxy configuration.

    | Field   | Type   | Description |
    |---------|--------|-------------|
    | headers | string | Proxy headers accepted by the server. Set to xforwarded for NGINX Ingress. Only enable this when a reverse proxy in front of Keycloak overwrites these headers; otherwise clients can forge them and spoof their address, scheme, or host. |

    spec.resources

    Compute resources for the Keycloak container.

    | Field           | Type   | Description |
    |-----------------|--------|-------------|
    | requests.cpu    | string | CPU request. Recommended minimum: 500m. |
    | requests.memory | string | Memory request. Recommended minimum: 1Gi. |
    | limits.cpu      | string | CPU limit. |
    | limits.memory   | string | Memory limit. Recommended minimum: 2Gi. |

    spec.additionalOptions

    An array of key-value pairs for additional Keycloak server configuration options. Values can be direct strings or references to Secrets.

    additionalOptions:
      - name: metrics-enabled
        value: "true"
      - name: log-level
        value: "INFO"
      - name: my-secret-option
        secret:
          name: my-secret
          key: option-value

    Refer to the Keycloak All Configuration reference for available option names.


    spec.bootstrapAdmin

    Configures the initial bootstrap administrator. Used only during initial cluster creation.

    | Field          | Type   | Description |
    |----------------|--------|-------------|
    | user.secret    | string | Name of the Secret containing username and password keys for the bootstrap admin user. |
    | service.secret | string | Name of the Secret containing client-id and client-secret keys for the bootstrap admin service account. |

    spec.cache

    Keycloak cache configuration.

    | Field              | Type   | Description |
    |--------------------|--------|-------------|
    | configMapFile.name | string | Name of the ConfigMap containing the Infinispan cache configuration XML. |
    | configMapFile.key  | string | Key within the ConfigMap. |

    spec.features

    Enable or disable specific Keycloak feature flags.

    features:
      enabled:
        - "token-exchange"
        - "admin-fine-grained-authz"
      disabled:
        - "impersonation"

    spec.scheduling

    Pod scheduling configuration for Keycloak Pods. Supports the same fields as Kubernetes Pod scheduling:

    | Field                     | Type                       | Description |
    |---------------------------|----------------------------|-------------|
    | affinity                  | Affinity                   | Node and Pod affinity/anti-affinity rules. |
    | tolerations               | []Toleration               | Toleration rules for tainted nodes. |
    | topologySpreadConstraints | []TopologySpreadConstraint | Constraints for spreading Pods across topology domains. |
    | priorityClassName         | string                     | Priority class name for the Keycloak Pods. |

    spec.networkPolicy

    Controls ingress traffic flow into Keycloak Pods.

    | Field      | Type                | Description |
    |------------|---------------------|-------------|
    | enabled    | boolean             | Enables ingress traffic control. Default: true. |
    | http       | []NetworkPolicyPeer | Sources allowed to access the HTTP endpoint. An empty list allows all sources. |
    | https      | []NetworkPolicyPeer | Sources allowed to access the HTTPS endpoint. |
    | management | []NetworkPolicyPeer | Sources allowed to access the management endpoint (metrics, health). |

    spec.livenessProbe / spec.readinessProbe

    Probe configuration for the Keycloak container.

    | Field            | Type    | Description |
    |------------------|---------|-------------|
    | periodSeconds    | integer | Interval between probe checks. Default: 10. |
    | failureThreshold | integer | Number of consecutive failures before the probe is considered failed. Default: 3. |

    spec.image

    Custom Keycloak container image. Overrides the default image managed by the Operator.

    spec:
      image: "quay.io/my-org/my-keycloak:custom-tag"

    spec.imagePullSecrets

    List of Secrets to use when pulling the Keycloak image from a private registry.

    spec:
      imagePullSecrets:
        - name: my-registry-secret

    spec.env

    Environment variables for the Keycloak container. Use spec.additionalOptions for standard Keycloak configuration options and spec.env for non-standard or container-level variables.

    spec:
      env:
        - name: JAVA_OPTS_APPEND
          value: "-Xms512m -Xmx2048m"
        - name: MY_SECRET_VAR
          secret:
            name: my-secret
            key: my-key

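As an added example (not part of the Keycloak Operator or its documentation), the following Python linter applies the recommendations from the spec field tables above to a Keycloak CR parsed as a dict, for example `json.loads` of `kubectl get kc <name> -o json`. The check messages and the sensitive-option word list are constructed heuristics, and the embedded CR is a constructed copy of the page's example.

```python
import json

# Constructed CR in the shape of the page's example, as it would look
# after `kubectl get kc example-kc -o json` is parsed with json.loads.
EXAMPLE_CR = {
    "apiVersion": "k8s.keycloak.org/v2alpha1", "kind": "Keycloak",
    "metadata": {"name": "example-kc", "namespace": "keycloak"},
    "spec": {
        "instances": 2,
        "http": {"tlsSecret": "keycloak-tls-secret"},
        "ingress": {"enabled": True, "className": "nginx",
                    "tlsSecret": "keycloak-tls-secret"},
        "hostname": {"hostname": "keycloak.example.com", "strict": True},
        "proxy": {"headers": "xforwarded"},
        "additionalOptions": [{"name": "metrics-enabled", "value": "true"}],
    },
}

SENSITIVE = ("password", "secret", "token")  # heuristic option-name words

def lint_keycloak(cr: dict) -> list[str]:
    """Return policy findings for one Keycloak CR; an empty list means clean."""
    spec = cr.get("spec", {})
    http, ingress = spec.get("http", {}), spec.get("ingress", {})
    hostname, proxy = spec.get("hostname", {}), spec.get("proxy", {})
    findings = []
    if http.get("httpEnabled"):
        findings.append("http.httpEnabled: plaintext listener exposed (development only)")
    if not http.get("tlsSecret"):
        findings.append("http.tlsSecret missing: no TLS at the Pod level")
    if ingress.get("enabled") and not hostname.get("hostname"):
        findings.append("ingress.enabled requires hostname.hostname")
    if ingress.get("enabled") and not ingress.get("tlsSecret"):
        findings.append("ingress.tlsSecret missing: Ingress has no TLS entry")
    if hostname.get("strict") is False:
        findings.append("hostname.strict=false: hostname taken from request headers")
    if proxy.get("headers") and not ingress.get("enabled"):
        findings.append("proxy.headers set without an Operator-managed Ingress: "
                        "verify a trusted proxy overwrites forwarded headers")
    if spec.get("networkPolicy", {}).get("enabled") is False:
        findings.append("networkPolicy.enabled=false: ingress traffic control disabled")
    for opt in spec.get("additionalOptions", []):
        name = opt.get("name", "")
        if "value" in opt and any(w in name.lower() for w in SENSITIVE):
            findings.append(f"additionalOptions[{name}]: sensitive value inline; use a Secret reference")
    return findings

def lint_json(doc: str) -> list[str]:
    """Lint a CR serialised as JSON, e.g. the output of kubectl get -o json."""
    return lint_keycloak(json.loads(doc))
```

The page's own example yields no findings; a CR with httpEnabled, hostname.strict=false, networkPolicy disabled, or a password passed as a plain additionalOptions value is reported.
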
    Status Conditions

    The Operator sets the following conditions on the Keycloak resource status:

    | Condition Type | Description |
    |----------------|-------------|
    | Ready          | True when all Keycloak instances are running and healthy. |
    | HasErrors      | True when the Operator encounters an error during reconciliation. |
    | RollingUpdate  | True while a rolling update of the Keycloak Deployment is in progress. |