Configure Ingress and TLS

This guide describes how to expose a Keycloak instance externally via Kubernetes Ingress with TLS encryption enabled, which is required for production deployments.

TLS Configuration Modes

Alauda Build of Keycloak supports two distinct TLS modes. Choose the one that matches your infrastructure:

Mode                     Field                    Description
-----------------------  -----------------------  ------------------------------------------------------------------------------------------------------------
TLS at the Keycloak Pod  spec.http.tlsSecret      Keycloak itself terminates TLS. Traffic between the client and the Pod is encrypted end-to-end.
TLS at the Ingress       spec.ingress.tlsSecret   The Ingress controller terminates TLS. Keycloak can serve plain HTTP internally (set spec.http.httpEnabled: true).

This guide demonstrates the Ingress TLS mode (recommended for most Kubernetes environments).

Prerequisites

  • A running Keycloak instance (see Install).
  • A valid TLS certificate and private key for the target hostname.
  • An Ingress controller (for example, NGINX) deployed in the cluster.

Step 1: Create the TLS Secret

Create a Kubernetes TLS Secret from your certificate and private key:

kubectl create secret tls keycloak-tls-secret \
  --cert=tls.crt \
  --key=tls.key \
  -n <namespace>

Verify the Secret was created:

kubectl get secret keycloak-tls-secret -n <namespace>

Step 2: Update the Keycloak CR

Update your Keycloak CR to enable Ingress with TLS and configure the hostname:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  instances: 1
  db:
    vendor: postgres
    host: postgres-db
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    tlsSecret: keycloak-tls-secret
  ingress:
    enabled: true
    className: nginx
    tlsSecret: keycloak-tls-secret
  hostname:
    hostname: keycloak.example.com
  proxy:
    headers: xforwarded
  unsupported:
    podTemplate:
      spec:
        containers:
          - securityContext:
              allowPrivilegeEscalation: false
              runAsNonRoot: true
              capabilities:
                drop:
                  - ALL
              seccompProfile:
                type: RuntimeDefault

Apply the updated manifest:

kubectl apply -f keycloak.yaml -n <namespace>

Step 3: Verify the Ingress

Check that the Ingress resource was created and has the correct hostname:

kubectl get ingress -n <namespace>

Expected output:

NAME               CLASS   HOSTS                   ADDRESS         PORTS     AGE
example-kc-ingress nginx   keycloak.example.com    203.0.113.10    80, 443   1m

Step 4: Verify HTTPS Access

Access the Keycloak Admin Console at https://keycloak.example.com and confirm the connection is secure.

Check that Keycloak is ready:

kubectl get keycloak example-kc -n <namespace>

Configuration Reference

Field                    Description
-----------------------  -------------------------------------------------------------------------
spec.http.tlsSecret      Name of the TLS Secret for HTTPS at the Keycloak Pod level
spec.ingress.enabled     Set to true to create an Ingress resource
spec.ingress.className   Ingress class name (for example, nginx)
spec.ingress.tlsSecret   Name of the TLS Secret for the Ingress TLS termination
spec.hostname.hostname   The public hostname for the Keycloak server
spec.proxy.headers       Proxy headers accepted by Keycloak. Set to xforwarded for NGINX Ingress.

Proxy Header Configuration

When using a reverse proxy or Ingress controller, you must set spec.proxy.headers correctly. An incorrect configuration may expose Keycloak to security vulnerabilities by trusting spoofed headers.
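As an added example (not part of this guide or of the Keycloak operator), a small Python checker for the TLS and proxy fields used in Steps 1 to 4, run against the Step 2 spec embedded as a dict. It assumes that spec.proxy.headers accepts xforwarded or forwarded and that Keycloak is reached only through the Ingress.

```python
# Hypothetical helper: lint the TLS/proxy fields of a Keycloak CR spec.
# Values the operator accepts for spec.proxy.headers (assumption, see lead-in).
VALID_PROXY_HEADERS = {"xforwarded", "forwarded"}


def _get(d, *path):
    """Nested lookup that returns None instead of raising on a missing key."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def check_tls_config(spec):
    """Return a list of findings; an empty list means the spec is consistent."""
    findings = []
    pod_tls = _get(spec, "http", "tlsSecret")
    http_enabled = _get(spec, "http", "httpEnabled")
    ingress_on = _get(spec, "ingress", "enabled") is True
    ingress_tls = _get(spec, "ingress", "tlsSecret")
    hostname = _get(spec, "hostname", "hostname")
    headers = _get(spec, "proxy", "headers")

    if not pod_tls and not ingress_tls:
        findings.append("no TLS: set spec.http.tlsSecret or spec.ingress.tlsSecret")
    # Ingress TLS mode without Pod TLS: the Pod must accept plain HTTP from the controller.
    if ingress_on and not pod_tls and http_enabled is not True:
        findings.append("Ingress TLS without spec.http.tlsSecret needs spec.http.httpEnabled: true")
    if ingress_on and not hostname:
        findings.append("spec.hostname.hostname is required when exposing Keycloak via Ingress")
    if ingress_on and headers not in VALID_PROXY_HEADERS:
        findings.append("behind an Ingress, set spec.proxy.headers to xforwarded")
    # Trusting X-Forwarded-* only makes sense when a proxy in front of the Pod sets them;
    # with no Ingress the header values would come straight from the client.
    if headers in VALID_PROXY_HEADERS and not ingress_on:
        findings.append("spec.proxy.headers is set but no Ingress is enabled")
    return findings


# Constructed sample: the spec from Step 2 of this guide (db and podTemplate omitted).
GUIDE_SPEC = {
    "instances": 1,
    "http": {"tlsSecret": "keycloak-tls-secret"},
    "ingress": {"enabled": True, "className": "nginx", "tlsSecret": "keycloak-tls-secret"},
    "hostname": {"hostname": "keycloak.example.com"},
    "proxy": {"headers": "xforwarded"},
}
```

Call check_tls_config(GUIDE_SPEC) to get an empty list; dropping spec.http.tlsSecret and spec.proxy.headers from the dict yields the two findings a practitioner would otherwise discover only after deployment.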