Manage Realms

A Realm is the primary isolation unit in Keycloak. Each Realm has independent users, clients, roles, and authentication configuration. Alauda Build of Keycloak supports managing Realms both through the Admin Console and declaratively via the KeycloakRealmImport CRD.

Import a Realm via CRD

The KeycloakRealmImport CRD enables GitOps-friendly, declarative Realm management. When you create a KeycloakRealmImport resource, the Operator triggers an import Job that loads the Realm configuration into the target Keycloak instance.

Procedure

Create a KeycloakRealmImport resource:

apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: my-realm-import
spec:
  keycloakCRName: example-kc
  realm:
    realm: my-realm
    enabled: true
    displayName: "My Application Realm"
    registrationAllowed: false
    loginWithEmailAllowed: true
    duplicateEmailsAllowed: false
    sslRequired: external
    accessTokenLifespan: 300
    clients:
      - clientId: my-app
        enabled: true
        publicClient: true
        redirectUris:
          - "https://my-app.example.com/*"
        webOrigins:
          - "https://my-app.example.com"

Apply the manifest:

kubectl apply -f realm-import.yaml -n <namespace>

Check the import status:

kubectl get keycloakrealmimport my-realm-import -n <namespace> \
  -o jsonpath='{.status.conditions[?(@.type=="Done")].status}'

When the output is True, the Realm has been imported successfully.

Using Placeholders for Secrets

The spec.placeholders field allows you to inject Secret values into the Realm configuration at import time, avoiding hardcoded credentials in the CR:

spec:
  keycloakCRName: example-kc
  placeholders:
    CLIENT_SECRET:
      secret:
        name: my-client-secret
        key: client-secret
  realm:
    clients:
      - clientId: my-app
        secret: $(CLIENT_SECRET)

Manage Realm Settings via Admin Console

Access Realm Settings

  1. Log in to the Keycloak Admin Console.
  2. Select the target Realm from the top-left dropdown.
  3. Click Realm Settings in the left navigation bar.

Key Realm Settings

| Setting | Description |
|---|---|
| Display Name | The human-readable name shown on the login page |
| SSL Required | Controls when HTTPS is required. Options: none, external (recommended), all |
| Login Settings | Controls user self-registration, email login, and email uniqueness enforcement |
| Token Settings | Configures access token lifespan, refresh token lifespan, and SSO session timeouts |
| Email Settings | SMTP server configuration for sending verification and notification emails |
| Themes | Customizes the login, account, admin, and email templates |

Configure Token Lifespans

Token lifespans control how long issued tokens remain valid. Shorter lifespans improve security but require more frequent token refresh operations.

| Token | Default | Recommended (Production) |
|---|---|---|
| Access Token Lifespan | 300 seconds | 60–300 seconds |
| SSO Session Idle | 1800 seconds | 1800 seconds |
| SSO Session Max | 36000 seconds | 36000 seconds |
| Refresh Token Lifespan | Session-bound | Session-bound |
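
The following check is an added example, not part of the product or its documentation. It lints a KeycloakRealmImport object before it is committed, against the placeholder guidance and the recommended values given on this page: sslRequired, the 60-300 second access token range, and client secrets that bypass spec.placeholders. The function name, the sample manifest, and the character set accepted for placeholder names are assumptions.

```python
import json
import re

# $(NAME) is the placeholder syntax shown on this page; the allowed
# character set for NAME is an assumption of this example.
PLACEHOLDER = re.compile(r"^\$\((\w+)\)$")

def lint_realm_import(cr):
    """Return a list of findings for one parsed KeycloakRealmImport object."""
    spec = cr.get("spec", {})
    realm = spec.get("realm", {})
    declared = set(spec.get("placeholders", {}))
    findings = []

    if realm.get("sslRequired") == "none":
        findings.append("sslRequired is 'none'; the recommended value is 'external'")

    lifespan = realm.get("accessTokenLifespan")
    if lifespan is not None and not 60 <= lifespan <= 300:
        findings.append(f"accessTokenLifespan {lifespan}s is outside 60-300s")

    for client in realm.get("clients", []):
        secret = client.get("secret")
        if secret is None:
            continue  # no secret set in the CR for this client
        cid = client.get("clientId", "<unnamed>")
        match = PLACEHOLDER.match(secret)
        if match is None:
            findings.append(f"client {cid}: secret is hardcoded in the CR")
        elif match.group(1) not in declared:
            findings.append(f"client {cid}: placeholder {match.group(1)} is not declared")
    return findings

# Constructed sample: one KeycloakRealmImport object as JSON.
SAMPLE = json.loads("""
{"spec": {"keycloakCRName": "example-kc",
  "placeholders": {"CLIENT_SECRET": {"secret": {"name": "my-client-secret", "key": "client-secret"}}},
  "realm": {"realm": "my-realm", "sslRequired": "none", "accessTokenLifespan": 3600,
    "clients": [
      {"clientId": "my-app", "secret": "$(CLIENT_SECRET)"},
      {"clientId": "batch-job", "secret": "s3cr3t-in-git"},
      {"clientId": "reports", "secret": "$(REPORTS_SECRET)"}]}}}
""")

if __name__ == "__main__":
    for finding in lint_realm_import(SAMPLE):
        print(finding)
```

To lint a manifest stored as YAML, convert it to JSON first and pass the parsed object to the function.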