2022-01-27 13:57:18 +00:00
<#import "/templates/guide.adoc" as tmpl>
<#import "/templates/kc.adoc" as kc>
<#import "/templates/options.adoc" as opts>
<#import "/templates/links.adoc" as links>
<@tmpl.guide
2022-02-02 07:43:35 +00:00
title="Running Keycloak in a container"
2022-01-27 13:57:18 +00:00
summary="Learn how to run Keycloak from a container image"
2022-02-22 15:49:39 +00:00
includedOptions="db db-url db-username db-password features hostname https-key-store-file https-key-store-password health-enabled metrics-enabled">
2022-01-27 13:57:18 +00:00
2022-02-02 07:43:35 +00:00
Keycloak handles containerized environments such as Kubernetes or OpenShift as first-class citizens. This guide describes how to optimize and run the Keycloak container image to provide the best experience running a Keycloak container.
2022-01-27 13:57:18 +00:00
2022-04-08 09:56:47 +00:00
== Creating a customized and optimized container image
The default Keycloak container image ships ready to be configured and optimized.
For the best start up of your Keycloak container, build an image by running the `build` step during the container build.
This step will save time in every subsequent start phase of the container image.
2022-01-27 13:57:18 +00:00
2022-02-02 07:43:35 +00:00
=== Building your optimized Keycloak docker image
2022-02-22 15:49:39 +00:00
The following `Dockerfile` creates a pre-configured Keycloak image that enables the health and metrics endpoints, enables the token exchange feature, and uses a PostgreSQL database.
2022-01-27 13:57:18 +00:00
.Dockerfile:
[source, dockerfile]
----
2022-02-17 10:42:20 +00:00
FROM quay.io/keycloak/keycloak:latest as builder
2022-01-27 13:57:18 +00:00
2022-02-22 15:49:39 +00:00
ENV KC_HEALTH_ENABLED=true
2022-01-27 13:57:18 +00:00
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
ENV KC_DB=postgres
2022-04-08 09:56:47 +00:00
# Install custom providers
RUN curl -sL https://github.com/aerogear/keycloak-metrics-spi/releases/download/2.5.3/keycloak-metrics-spi-2.5.3.jar -o /opt/keycloak/providers/keycloak-metrics-spi-2.5.3.jar
2022-01-27 13:57:18 +00:00
RUN /opt/keycloak/bin/kc.sh build
2022-02-17 10:42:20 +00:00
FROM quay.io/keycloak/keycloak:latest
2022-04-08 09:56:47 +00:00
COPY --from=builder /opt/keycloak/ /opt/keycloak/
2022-01-27 13:57:18 +00:00
WORKDIR /opt/keycloak
# for demonstration purposes only, please make sure to use proper certificates in production instead
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
# change these values to point to a running postgres instance
ENV KC_DB_URL=<DBURL>
ENV KC_DB_USERNAME=<DBUSERNAME>
ENV KC_DB_PASSWORD=<DBPASSWORD>
2022-04-07 06:07:12 +00:00
ENV KC_HOSTNAME=localhost
2022-05-05 14:16:01 +00:00
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
2022-01-27 13:57:18 +00:00
----
2022-02-02 07:43:35 +00:00
The build process includes multiple stages:
2022-01-27 13:57:18 +00:00
2022-04-08 09:56:47 +00:00
* The `build` command applies options and includes custom providers to create an optimized image.
* The files generated by the `build` stage are copied into a new image.
2022-02-02 07:43:35 +00:00
* In this runner image, the specific run configuration is applied. That configuration contains a keystore, the environment-specific hostname configuration, and database configuration.
2022-05-05 15:00:30 +00:00
* In the entrypoint, the `kc.sh` enables access to all the distribution sub-commands.
2022-02-02 07:43:35 +00:00
2022-04-08 09:56:47 +00:00
This example uses a multi-staged build to demonstrate the build and run steps. However, you can also build a single-staged docker image by removing the following two lines:
[source, dockerfile]
----
FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/
----
2022-01-27 13:57:18 +00:00
=== Building the docker image
2022-02-02 07:43:35 +00:00
To build the actual docker image, run the following command from the directory containing your Dockerfile:
2022-01-27 13:57:18 +00:00
[source,bash]
----
podman|docker build . -t prebuilt_keycloak
----
2022-02-02 07:43:35 +00:00
=== Starting the optimized Keycloak docker image
2022-01-27 13:57:18 +00:00
To start the image, run:
[source, bash]
----
2022-05-05 14:16:01 +00:00
podman|docker run --name optimized_keycloak -p 8443:8443 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
prebuilt_keycloak \
start
2022-01-27 13:57:18 +00:00
----
2022-02-02 07:43:35 +00:00
Keycloak starts in production mode, using only secured HTTPS communication, and is available on `https://localhost:8443`.
Notice that the startup log contains the following line:
2022-01-27 13:57:18 +00:00
[source, bash]
----
INFO [org.key.com.Profile] (main) Preview feature enabled: token_exchange
----
2022-02-02 07:43:35 +00:00
This message shows the desired feature is enabled.
2022-01-27 13:57:18 +00:00
2022-02-22 15:49:39 +00:00
Health check endpoints are available at `https://localhost:8443/health`, `https://localhost:8443/health/ready` and `https://localhost:8443/health/live`.
2022-02-02 07:43:35 +00:00
Opening up `https://localhost:8443/metrics` leads to a page containing operational metrics that could be used by your monitoring solution.
2022-01-27 13:57:18 +00:00
2022-02-02 07:43:35 +00:00
== Trying Keycloak in development mode
The easiest way to try Keycloak from a container for development or testing purposes is to use the Development mode.
You use the `start-dev` command:
2022-01-27 13:57:18 +00:00
[source,bash]
----
podman|docker run --name keycloak_test -p 8080:8080 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
2022-02-17 10:42:20 +00:00
quay.io/keycloak/keycloak:latest \
2022-01-27 13:57:18 +00:00
start-dev
----
2022-02-02 07:43:35 +00:00
Invoking this command starts the Keycloak server in development mode.
2022-01-27 13:57:18 +00:00
2022-02-02 07:43:35 +00:00
This mode should be strictly avoided in production environments because it has insecure defaults.
2022-02-07 15:21:52 +00:00
For more information about running Keycloak in production, take a look at the <@links.server id="configuration-production"/> guide.
2022-01-27 13:57:18 +00:00
== Use auto-build to run a standard keycloak container
2022-02-02 07:43:35 +00:00
In keeping with concepts such as immutable infrastructure, containers need to be re-provisioned routinely.
In these environments, you need containers that start fast, therefore you need to create an optimized image as described in the preceding section.
However, if your environment has different requirements, you can run a standard Keycloak image using the `--auto-build` flag.
For example:
2022-01-27 13:57:18 +00:00
[source, bash]
----
podman|docker run --name keycloak_auto_build -p 8080:8080 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
2022-02-17 10:42:20 +00:00
quay.io/keycloak/keycloak:latest \
2022-01-27 13:57:18 +00:00
start \
--auto-build \
--db=postgres --features=token-exchange \
--db-url=<JDBC-URL> --db-username=<DB-USER> --db-password=<DB-PASSWORD> \
--https-key-store-file=<file> --https-key-store-password=<password>
----
2022-02-02 07:43:35 +00:00
Running this command starts a Keycloak server that detects and applies the build options first.
In the example, the line `--db=postgres --features=token-exchange` sets the database vendor to PostgreSQL and enables the token exchange feature.
2022-01-27 13:57:18 +00:00
2022-02-02 07:43:35 +00:00
Keycloak then starts up and applies the configuration for the specific environment.
This approach significantly increases startup time and creates an image that is mutable, which is not the best practice.
2022-01-27 13:57:18 +00:00
2022-02-24 17:00:32 +00:00
== Provide initial admin credentials when running in a container
Keycloak only allows to create the initial admin user from a local network connection. This is not the case when running in a container, so you have to provide the following environment variables when you run the image:
[source, bash]
----
# setting the admin username
-e KEYCLOAK_ADMIN=<admin-user-name>
# setting the initial password
-e KEYCLOAK_ADMIN_PASSWORD=change_me
----
Feel free to join the open https://github.com/keycloak/keycloak/discussions/8549[GitHub Discussion] around enhancements of the admin bootstrapping process.
2022-01-27 13:57:18 +00:00
</@tmpl.guide>