Keycloak

The Keycloak Custom Resource defines and manages a Keycloak server instance. The Operator reconciles this resource to create and maintain the Kubernetes resources required to run Keycloak, including Deployments, Services, Ingress, and Secrets.

Resource Information

Property | Value
API Group | k8s.keycloak.org
API Version | v2alpha1
Kind | Keycloak
Plural | keycloaks
Short Name | kc
Scope | Namespaced

Example

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
  namespace: keycloak
spec:
  instances: 2
  db:
    vendor: postgres
    host: postgres-db
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    tlsSecret: keycloak-tls-secret
  ingress:
    enabled: true
    className: nginx
    tlsSecret: keycloak-tls-secret
  hostname:
    hostname: keycloak.example.com
  proxy:
    headers: xforwarded
  additionalOptions:
    - name: metrics-enabled
      value: "true"
  resources:
    requests:
      cpu: "500m"
      memory: "1Gi"
    limits:
      cpu: "2"
      memory: "2Gi"

Spec Fields

spec.instances

Property | Value
Type | integer
Required | No (default: 1)

Number of Keycloak server replicas. Set to 2 or more for high availability. Instances share cached state (sessions, login failures, and similar) through the embedded Infinispan cluster, which requires the Pods to discover and reach each other; use spec.cache to replace the default cache configuration and spec.scheduling to spread the replicas across nodes and zones.

spec.db

Database connection configuration.

Field | Type | Description
vendor | string | Database vendor. Supported values: postgres, mysql, mariadb, mssql, oracle.
host | string | Hostname of the database server. Ignored if url is set.
port | integer | Port of the database server. Ignored if url is set.
database | string | Database name. Ignored if url is set.
schema | string | Database schema to use.
url | string | Full JDBC URL. Overrides host, port, and database if set.
usernameSecret | SecretKeySelector | Reference to the Secret containing the database username.
passwordSecret | SecretKeySelector | Reference to the Secret containing the database password.
poolInitialSize | integer | Initial size of the database connection pool.
poolMinSize | integer | Minimum size of the database connection pool.
poolMaxSize | integer | Maximum size of the database connection pool.

SecretKeySelector fields:

Field | Type | Description
name | string | Name of the Kubernetes Secret.
key | string | Key within the Secret.
optional | boolean | Whether the Secret may be missing. Leave unset or false for database credentials so that a missing Secret fails reconciliation instead of starting the server without a username or password.
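The credentials Secret the two selectors point at, together with a spec.db that uses the url form, as an added example (not YAML from the page or from the Keycloak project). The Secret name keycloak-db-secret, the Service name postgres-db and the pool sizes are assumptions.

```yaml
# Added example: database credentials Secret plus spec.db using a JDBC url.
# Names (keycloak-db-secret, postgres-db) and pool sizes are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-db-secret
  namespace: keycloak
type: Opaque
stringData:                    # stringData is base64-encoded by the API server on write
  username: keycloak
  password: change-me-before-apply
---
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
  namespace: keycloak
spec:
  db:
    vendor: postgres
    # url takes precedence: host, port and database would be ignored if they were also set.
    # sslmode=require encrypts the connection; verify-full plus a mounted CA is stronger.
    url: jdbc:postgresql://postgres-db.keycloak.svc:5432/keycloak?sslmode=require
    schema: public             # schema is a separate option and is not part of the url override
    usernameSecret:
      name: keycloak-db-secret
      key: username
      optional: false          # missing Secret blocks reconciliation instead of starting without credentials
    passwordSecret:
      name: keycloak-db-secret
      key: password
      optional: false
    poolInitialSize: 5
    poolMinSize: 5
    poolMaxSize: 20
```

Apply both objects with kubectl apply -f and follow the rollout with kubectl -n keycloak wait keycloak/example-kc --for=condition=Ready; the Operator reports a HasErrors condition if the referenced Secret or key does not exist.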

spec.http

HTTP and HTTPS listener configuration.

Field | Type | Description
httpEnabled | boolean | Enables the plain HTTP (non-TLS) listener. Intended for development; in production leave it disabled unless TLS terminates at a trusted proxy in front of the Pod, in which case also set spec.proxy.headers and restrict the http endpoint with spec.networkPolicy.
httpPort | integer | HTTP port. Default: 8080.
httpsPort | integer | HTTPS port. Default: 8443.
tlsSecret | string | Name of the TLS Secret for HTTPS at the Pod level. The Secret must be of type kubernetes.io/tls, with the certificate chain in tls.crt and the private key in tls.key.
annotations | map[string]string | Annotations to append to the Service object.
labels | map[string]string | Labels to append to the Service object.

spec.ingress

Kubernetes Ingress configuration.

Field | Type | Description
enabled | boolean | Creates an Ingress resource when set to true.
className | string | Ingress class name (for example, nginx).
tlsSecret | string | Name of the TLS Secret for the Ingress TLS entry.
annotations | map[string]string | Additional annotations for the Ingress object.
labels | map[string]string | Additional labels for the Ingress object.

spec.hostname

Hostname and URL configuration.

Field | Type | Description
hostname | string | Public hostname for the Keycloak server. Required when Ingress is enabled.
admin | string | Hostname for the Admin Console. Defaults to hostname if not set.
strict | boolean | Disables dynamic hostname resolution from request headers. Keep it enabled in production: with strict disabled, the URLs Keycloak emits (issuer, redirects, links in e-mails) are derived from the incoming Host header, which a client that can reach the Pod directly controls.
backchannelDynamic | boolean | Enables dynamic backchannel URL resolution. Set to true when applications reach Keycloak over a private network address that differs from the public hostname.

spec.proxy

Reverse proxy configuration.

Field | Type | Description
headers | string | Proxy headers the server accepts: xforwarded (X-Forwarded-For/-Proto/-Host, as sent by the NGINX Ingress) or forwarded (RFC 7239 Forwarded). Set this only when every path to the Pod passes through a proxy that overwrites these headers; if a client can reach the Pod directly, it can forge them and spoof its source address, scheme and host, which defeats IP-based logging, rate limiting and hostname checks.
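The spec.http, spec.ingress, spec.hostname and spec.proxy sections combined into one hardened exposure, as an added example (not YAML from the page or from the Keycloak project). The Secret name keycloak-tls-secret, the nginx ingress class and the hostname are assumptions; the commented weak variant shows the settings this configuration avoids.

```yaml
# Added example: TLS at the Pod and at the Ingress, a fixed hostname, proxy headers
# trusted only because the nginx ingress is the sole path to port 8443.
# keycloak-tls-secret, the nginx class and keycloak.example.com are assumptions.
#
# Weak variant to avoid:
#   http:     { httpEnabled: true }   with no tlsSecret  -> plaintext to the Pod
#   hostname: { strict: false }                          -> URLs built from the client's Host header
#   proxy:    { headers: xforwarded } with direct Pod access -> forged X-Forwarded-* headers
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
  namespace: keycloak
spec:
  instances: 2
  http:
    httpEnabled: false            # no plaintext listener; the Service exposes only 8443
    tlsSecret: keycloak-tls-secret  # type kubernetes.io/tls with tls.crt and tls.key
  ingress:
    enabled: true
    className: nginx
    tlsSecret: keycloak-tls-secret  # TLS from the client to the ingress; the ingress re-encrypts to 8443
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "1m"   # bound request size at the edge
  hostname:
    hostname: keycloak.example.com
    strict: true                  # never derive issuer or redirect URLs from the request
    backchannelDynamic: false
  proxy:
    headers: xforwarded           # only valid behind a proxy that overwrites X-Forwarded-*
```

Create the Secret from an existing certificate and key with kubectl -n keycloak create secret tls keycloak-tls-secret --cert=tls.crt --key=tls.key, which sets the required kubernetes.io/tls type. Pair this with a spec.networkPolicy that admits only the ingress controller to the https endpoint, so the proxy-headers trust assumption is enforced rather than hoped for.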

spec.resources

Compute resources for the Keycloak container.

Field | Type | Description
requests.cpu | string | CPU request. Recommended minimum: 500m.
requests.memory | string | Memory request. Recommended minimum: 1Gi.
limits.cpu | string | CPU limit.
limits.memory | string | Memory limit. Recommended minimum: 2Gi.

spec.additionalOptions

An array of key-value pairs for additional Keycloak server configuration options. Values can be direct strings or references to Secrets.

additionalOptions:
  - name: metrics-enabled
    value: "true"
  - name: log-level
    value: "INFO"
  - name: my-secret-option
    secret:
      name: my-secret
      key: option-value

Refer to the Keycloak All Configuration reference for available option names.


spec.bootstrapAdmin

Configures the initial bootstrap administrator. It is used only when the master realm has no administrator yet; the account is temporary and should be replaced by a permanent admin user (or service account) and then removed. If neither field is set, the Operator generates credentials in a Secret named <name>-initial-admin in the Keycloak namespace.

Field | Type | Description
user.secret | string | Name of the Secret containing username and password keys for the bootstrap admin user.
service.secret | string | Name of the Secret containing client-id and client-secret keys for the bootstrap admin service account.

spec.cache

Keycloak cache configuration.

Field | Type | Description
configMapFile.name | string | Name of the ConfigMap containing the Infinispan cache configuration XML.
configMapFile.key | string | Key within the ConfigMap.

spec.features

Enable or disable specific Keycloak feature flags.

features:
  enabled:
    - "token-exchange"
    - "admin-fine-grained-authz"
  disabled:
    - "impersonation"

spec.scheduling

Pod scheduling configuration for Keycloak Pods. Supports the same fields as Kubernetes Pod scheduling:

Field | Type | Description
affinity | Affinity | Node and Pod affinity/anti-affinity rules.
tolerations | []Toleration | Toleration rules for tainted nodes.
topologySpreadConstraints | []TopologySpreadConstraint | Constraints for spreading Pods across topology domains.
priorityClassName | string | Priority class name for the Keycloak Pods.
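A scheduling layout for the multi-instance deployment that spec.instances describes, as an added example (not YAML from the page or from the Keycloak project): three replicas spread across zones, never two on the same node, on a dedicated node pool. The Pod labels in the selectors, the PriorityClass name and the taint key/value are assumptions; check the labels the Operator actually sets with kubectl get pods --show-labels before copying them.

```yaml
# Added example: HA placement for the Keycloak Pods.
# Assumptions: the Operator labels Pods with app=keycloak and
# app.kubernetes.io/instance=<CR name>; a PriorityClass "identity-critical" exists;
# the identity node pool is tainted dedicated=identity:NoSchedule.
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
  namespace: keycloak
spec:
  instances: 3
  scheduling:
    priorityClassName: identity-critical      # evict batch work before the IdP under node pressure
    topologySpreadConstraints:
      - maxSkew: 1                             # zones may differ by at most one replica
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule       # a zone loss cannot take the whole cluster down
        labelSelector:
          matchLabels:
            app: keycloak
            app.kubernetes.io/instance: example-kc
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname   # at most one replica per node
            labelSelector:
              matchLabels:
                app: keycloak
                app.kubernetes.io/instance: example-kc
    tolerations:
      - key: dedicated
        operator: Equal
        value: identity
        effect: NoSchedule
```

With whenUnsatisfiable: DoNotSchedule, a cluster with fewer schedulable zones or nodes than replicas leaves Pods Pending and the Keycloak resource never reaches Ready; use ScheduleAnyway for the spread constraint if availability of the rollout matters more than strict separation.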

spec.networkPolicy

Controls ingress traffic flow into Keycloak Pods.

Field | Type | Description
enabled | boolean | Enables ingress traffic control. Default: true.
http | []NetworkPolicyPeer | Sources allowed to access the HTTP endpoint. An empty list allows all sources.
https | []NetworkPolicyPeer | Sources allowed to access the HTTPS endpoint.
management | []NetworkPolicyPeer | Sources allowed to access the management endpoint (metrics, health).

The NetworkPolicy the Operator creates is only enforced if the cluster's CNI implements the NetworkPolicy API; on a CNI that does not, the object exists but has no effect. An endpoint with no peers listed stays reachable from any source in the cluster, so list peers explicitly for https and for management, since the management endpoint exposes metrics and health data that should not be readable by arbitrary workloads.
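A spec.networkPolicy that admits only the ingress controller to HTTPS and only the metrics scraper to the management endpoint, as an added example (not YAML from the page or from the Keycloak project). The namespace names ingress-nginx and monitoring and the Pod labels are assumptions; the plaintext listener is disabled, so no http peers are listed.

```yaml
# Added example: restrict the HTTPS and management endpoints to known peers.
# Assumptions: the ingress controller runs in namespace ingress-nginx with label
# app.kubernetes.io/name=ingress-nginx, Prometheus runs in namespace monitoring with
# label app.kubernetes.io/name=prometheus. kubernetes.io/metadata.name is the label
# Kubernetes sets on every Namespace automatically.
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
  namespace: keycloak
spec:
  http:
    httpEnabled: false             # nothing listens on 8080, so no http peers are needed
    tlsSecret: keycloak-tls-secret
  networkPolicy:
    enabled: true
    https:
      - namespaceSelector:         # namespaceSelector AND podSelector in one peer: both must match
          matchLabels:
            kubernetes.io/metadata.name: ingress-nginx
        podSelector:
          matchLabels:
            app.kubernetes.io/name: ingress-nginx
    management:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring
        podSelector:
          matchLabels:
            app.kubernetes.io/name: prometheus
```

Inspect the generated object with kubectl -n keycloak get networkpolicy -o yaml and confirm the ingress rules carry the selectors above; a quick negative check is to curl https://example-kc-service:8443 from a Pod in an unrelated namespace, which should time out rather than connect.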

spec.livenessProbe / spec.readinessProbe

Probe configuration for the Keycloak container.

Field | Type | Description
periodSeconds | integer | Interval between probe checks. Default: 10.
failureThreshold | integer | Number of consecutive failures before the probe is considered failed. Default: 3.

spec.image

Custom Keycloak container image. Overrides the default image managed by the Operator. The Operator treats a custom image as already built, so build-time options (database vendor, features, and similar) must be baked into the image rather than supplied through additionalOptions. Pin the image by digest rather than a mutable tag so that a rebuilt tag cannot silently change what runs.

spec:
  image: "quay.io/my-org/my-keycloak:custom-tag"

spec.imagePullSecrets

List of Secrets to use when pulling the Keycloak image from a private registry.

spec:
  imagePullSecrets:
    - name: my-registry-secret

spec.env

Environment variables for the Keycloak container, given as standard Kubernetes EnvVar entries. Use spec.additionalOptions for Keycloak configuration options (which the Operator validates and passes through itself) and spec.env only for non-standard or container-level variables such as JVM flags; Secret-backed values use valueFrom.secretKeyRef as in any Pod spec.

spec:
  env:
    - name: JAVA_OPTS_APPEND
      # Fixed heap flags override the container-aware default sizing; keep -Xmx below spec.resources.limits.memory
      value: "-Xms512m -Xmx1536m"
    - name: MY_SECRET_VAR
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: my-key

Status Conditions

The Operator sets the following conditions on the Keycloak resource status:

Condition Type | Description
Ready | True when all Keycloak instances are running and healthy.
HasErrors | True when the Operator encounters an error during reconciliation.
RollingUpdate | True while a rolling update of the Keycloak Deployment is in progress.