Keycloak with MSSQL Deployment on Kubernetes Cluster

Keycloak

Keycloak is a high performance, Java-based identity and access management (IAM) solution. It lets developers add an authentication layer to their applications with minimal effort. Keycloak is open source, and official container images are published on quay.io (quay.io/keycloak/keycloak).

When I was evaluating open source Identity and Access Management (IAM) providers, I was looking for the following:

  • OpenID Connect & OAuth 2.0
  • Two-factor authentication (Authenticator, E-Mail, SMS, etc.)
  • Authorization support: attribute-based (ABAC), role-based (RBAC), user-based (UBAC), context-based (CBAC) and rule-based access control
  • Support Client Libraries
  • Modern Tech Stack
  • Support Multiple Database (PostgreSQL, MySQL, Microsoft SQL Server, etc.)
  • High Performance and Scalable

Dockerize Keycloak with Microsoft SQL (MsSQL) Deployment on Kubernetes Cluster

We deploy Keycloak on the Kubernetes cluster with four manifests: a Secret for the credentials, a Deployment, a Service and an Ingress.

Keycloak Docker Container Environments

  • DB_ADDR (example: mssql.data.svc.cluster.local): hostname of the database.
  • DB_DATABASE (example: keycloak): name of the database to use (optional, default is keycloak).
  • DB_PORT (example: 1433): port of the database (optional, default is the vendor's default port, 1433 for MSSQL).
  • DB_USER (example: sa): database login to connect as. sa is the sysadmin of the whole SQL Server instance; outside a lab, create a dedicated login that owns only the Keycloak database.
  • DB_PASSWORD (example: Password@1): password of that login.
  • DB_SCHEMA (example: dbo): schema to use, for databases that support schemas.
  • KEYCLOAK_USER (example: admin) and KEYCLOAK_PASSWORD (example: Password@123): by default no admin user is created, so you cannot log in to the admin console. Pass an initial username and password through these two variables to create one.
  • JDBC_PARAMS (example: encrypt=false): additional JDBC driver connection parameters, appended to the connection URL (see https://learn.microsoft.com/en-us/sql/connect/jdbc/building-the-connection-url?view=sql-server-ver16).
  • PROXY_ADDRESS_FORWARDING (true/false): when running Keycloak behind a proxy, such as the ingress below, you must enable proxy address forwarding so Keycloak takes the client address and scheme from the X-Forwarded-* headers.

If Keycloak fails to connect to Microsoft SQL Server with "PKIX path building failed" (the JDBC driver cannot validate the server's TLS certificate), the quick workaround is to set JDBC_PARAMS to trustServerCertificate=false;encrypt=false. Be aware of what that does: with encrypt=false the database session is not encrypted, so queries and results, including user attributes and session data, cross the cluster network in cleartext. The proper fix is to keep encrypt=true and make the server certificate trusted, either by importing it into the JVM truststore or by pointing the driver at a truststore with trustStore= and trustStorePassword= in JDBC_PARAMS. Setting trustServerCertificate=true also silences the error, but it disables certificate validation entirely.

1- secret.yaml

# Credentials for the Keycloak admin console and for the MSSQL login.
# Kubernetes stores stringData base64-encoded, not encrypted: keep this file
# with real values out of version control (or create the Secret with
# kubectl create secret generic keycloak-mssql --from-literal=...), restrict
# RBAC access to Secrets, and enable encryption at rest on the cluster.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-mssql
type: Opaque
stringData:
  KEYCLOAK_ROOT_USER: admin
  KEYCLOAK_ROOT_PASSWORD: Password@1
  KEYCLOAK_DB_USER: sa
  KEYCLOAK_DB_PASSWORD: Password@1

2- deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.kompose.service: keycloak-mssql
  name: keycloak-mssql
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: keycloak-mssql
  template:
    metadata:
      labels:
        io.kompose.service: keycloak-mssql
    spec:
      containers:
        - name: fi-keycloak-mssql
          # The -legacy tag is the WildFly distribution, which is the one that
          # reads DB_*, KEYCLOAK_USER/KEYCLOAK_PASSWORD and JDBC_PARAMS.
          image: quay.io/keycloak/keycloak:19.0.2-legacy
          # The Quarkus distribution (tag without -legacy) is started with args
          # like the line below and is configured through KC_* variables instead.
          # args: ["start", "--hostname=0.0.0.0",  "--hostname-admin=0.0.0.0"]
          ports:
            - containerPort: 8080
          env:
            - name: DB_VENDOR
              value: mssql
            - name: DB_ADDR
              value: mssql.data.svc.cluster.local
            - name: DB_DATABASE
              value: Keycloak
            # Database and admin credentials come from the Secret, never as literals here.
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-mssql
                  key: KEYCLOAK_DB_USER
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-mssql
                  key: KEYCLOAK_DB_PASSWORD
            - name: KEYCLOAK_USER
              valueFrom:
                secretKeyRef:
                  name: keycloak-mssql
                  key: KEYCLOAK_ROOT_USER
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-mssql
                  key: KEYCLOAK_ROOT_PASSWORD
            # Workaround for "PKIX path building failed": the DB session is unencrypted.
            # Prefer encrypt=true with a trusted server certificate (see the JDBC_PARAMS note above).
            - name: JDBC_PARAMS
              value: trustServerCertificate=false;encrypt=false
            # Required behind the ingress so Keycloak honours X-Forwarded-* headers.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
      restartPolicy: Always
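As an added check that is not part of the original post, the following Python script lints the settings from the environment table above as they appear in secret.yaml and deployment.yaml: credentials given as literal values instead of a secretKeyRef, the sa login resolved through the Secret, and a JDBC_PARAMS value that turns encryption off or trusts any certificate. It also builds the hardened JDBC_PARAMS value. The two input structures are constructed by hand to mirror the manifests (in the shape PyYAML's safe_load would return for the env list and stringData), so it runs offline without PyYAML; the literal KEYCLOAK_PASSWORD in the sample is a deliberate weakness added so the linter has something to report.

```python
"""Lint the Keycloak/MSSQL manifest settings discussed above (added example)."""
from typing import Dict, List

# Constructed to mirror stringData in secret.yaml above.
SAMPLE_SECRET_DATA: Dict[str, str] = {
    "KEYCLOAK_ROOT_USER": "admin",
    "KEYCLOAK_ROOT_PASSWORD": "Password@1",
    "KEYCLOAK_DB_USER": "sa",
    "KEYCLOAK_DB_PASSWORD": "Password@1",
}


def _ref(key: str) -> dict:
    """Shorthand for a secretKeyRef into the keycloak-mssql Secret."""
    return {"valueFrom": {"secretKeyRef": {"name": "keycloak-mssql", "key": key}}}


# Constructed to mirror the container env list in deployment.yaml above,
# except that KEYCLOAK_PASSWORD is a literal here on purpose.
SAMPLE_ENV: List[dict] = [
    {"name": "DB_VENDOR", "value": "mssql"},
    {"name": "DB_ADDR", "value": "mssql.data.svc.cluster.local"},
    {"name": "DB_DATABASE", "value": "Keycloak"},
    {"name": "DB_USER", **_ref("KEYCLOAK_DB_USER")},
    {"name": "DB_PASSWORD", **_ref("KEYCLOAK_DB_PASSWORD")},
    {"name": "KEYCLOAK_USER", **_ref("KEYCLOAK_ROOT_USER")},
    {"name": "KEYCLOAK_PASSWORD", "value": "Password@1"},
    {"name": "JDBC_PARAMS", "value": "trustServerCertificate=false;encrypt=false"},
    {"name": "PROXY_ADDRESS_FORWARDING", "value": "true"},
]

CREDENTIAL_VARS = {"DB_USER", "DB_PASSWORD", "KEYCLOAK_USER", "KEYCLOAK_PASSWORD"}
PRIVILEGED_LOGINS = {"sa"}  # instance-wide sysadmin on SQL Server


def parse_jdbc_params(params: str) -> Dict[str, str]:
    """Parse the ';'-separated key=value list that mssql-jdbc appends to the URL.
    Property names are case-insensitive in the driver, so keys are lower-cased."""
    parsed: Dict[str, str] = {}
    for item in params.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            parsed[key.strip().lower()] = value.strip()
    return parsed


def hardened_jdbc_params(params: str) -> str:
    """Keep unrelated parameters but force TLS on with certificate validation.
    The SQL Server certificate must then be trusted by the JVM (import it into
    the truststore or add trustStore=...;trustStorePassword=... here)."""
    forced = {"encrypt", "trustservercertificate"}
    kept = []
    for item in params.split(";"):
        key, sep, value = item.partition("=")
        if sep and key.strip().lower() not in forced:
            kept.append(f"{key.strip()}={value.strip()}")
    return ";".join(kept + ["encrypt=true", "trustServerCertificate=false"])


def resolve(entry: dict, secret_data: Dict[str, str]) -> str:
    """Value of one env entry: literal, or looked up through its secretKeyRef."""
    if "value" in entry:
        return str(entry["value"])
    key = entry.get("valueFrom", {}).get("secretKeyRef", {}).get("key", "")
    return secret_data.get(key, "")


def lint(env: List[dict], secret_data: Dict[str, str]) -> List[str]:
    """One finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    by_name = {e["name"]: e for e in env}

    # 1. Credentials must come from the Secret, not sit as literals in the Deployment.
    for name in sorted(CREDENTIAL_VARS & set(by_name)):
        if "valueFrom" not in by_name[name]:
            findings.append(f"{name}: literal value in deployment.yaml; use secretKeyRef")

    # 2. The database login should not be the instance sysadmin.
    if "DB_USER" in by_name and resolve(by_name["DB_USER"], secret_data).lower() in PRIVILEGED_LOGINS:
        findings.append("DB_USER: 'sa' is sysadmin for the whole instance; "
                        "use a login that only owns the Keycloak database")

    # 3. Transport security of the JDBC session.
    jdbc = parse_jdbc_params(resolve(by_name.get("JDBC_PARAMS", {"value": ""}), secret_data))
    if jdbc.get("encrypt", "").lower() == "false":
        findings.append("JDBC_PARAMS: encrypt=false, queries and results cross the network in cleartext")
    if jdbc.get("trustservercertificate", "").lower() == "true":
        findings.append("JDBC_PARAMS: trustServerCertificate=true disables certificate validation")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_ENV, SAMPLE_SECRET_DATA):
        print("WEAK:", finding)
    print("suggested JDBC_PARAMS:", hardened_jdbc_params("trustServerCertificate=false;encrypt=false"))
```

Run against the sample it reports three findings (the literal password, the sa login, and encrypt=false); swap the JDBC_PARAMS value for the output of hardened_jdbc_params and the transport finding disappears, leaving the two that need a change in the Secret and the Deployment rather than in the connection string.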

3- service.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    io.kompose.service: keycloak-mssql
  name: keycloak-mssql
spec:
  # ClusterIP (the default): Keycloak is only reachable inside the cluster,
  # and the ingress below is the single entry point from outside.
  ports:
    - name: http
      port: 8080
      targetPort: 8080
  selector:
    io.kompose.service: keycloak-mssql

4- ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-mssql
spec:
  ingressClassName: nginx
  # TLS terminates at the ingress; the hop to the pod is plain HTTP on 8080,
  # which is why the Deployment sets PROXY_ADDRESS_FORWARDING=true.
  tls:
  - hosts:
    - keycloak.mywebsite.com.tr
    secretName: wildcard-fimple
  rules:
  - host: keycloak.mywebsite.com.tr
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keycloak-mssql
            port:
              number: 8080

Apply the four manifests and wait for the rollout to finish:

kubectl apply -f secret.yaml -f deployment.yaml -f service.yaml -f ingress.yaml
kubectl rollout status deployment/keycloak-mssql

For the legacy distribution the admin console is served under https://keycloak.mywebsite.com.tr/auth/. Log in with the KEYCLOAK_ROOT_USER and KEYCLOAK_ROOT_PASSWORD values from the Secret and change that initial password before exposing the instance to anyone else.