Can deployment of Keycloak be automated?


DP

Apr 3, 2023, 4:42:27 AM
to Keycloak User
Hello!

Currently, when I want to set up Keycloak on a new machine, I need to do several things manually, including the following:

1. Adding a custom login theme (putting files into directory /opt/keycloak/themes of the Keycloak container).

2. Adding JAR files into /opt/keycloak/providers directory.

3. Running ./kc-build.sh script to set up the extensions in /opt/keycloak/providers directory.

4. Things which must be done in the Keycloak GUI
4.1. Add and configure a user federation.
4.2. Create a custom authentication flow (which uses forms from a JAR file in /opt/keycloak/providers directory).
4.3. Set the login theme.
4.4. Configure the SMTP settings for sending e-mails when an account is temporarily disabled.
4.5. Create and configure a client, incl. the root URL and valid redirect URIs.
4.6. Set the authentication flow of the client to a custom one.
4.7. Configure client scopes.
4.8. Create a realm.

5. Configure HTTPS settings in /opt/keycloak/conf/keycloak.conf.

I want to automate as many of those steps as possible.

It looks like there is a mechanism which allows you to import and export realms (see https://www.keycloak.org/server/importExport ).

Questions

1. Are there other mechanisms apart from realm import/export that allow automating parts of configuration/installation/upgrade?

2. Are there ways to update the extensions and the theme (contents of /opt/keycloak/provider and /opt/keycloak/themes directories) without manually calling "docker cp ~/themes/mytheme keycloak:/opt/keycloak/themes"?

3. Let's say that the way we deliver upgrades to the customer is via a new version of a Docker image. Are there established ways to update the extensions (JAR files in /opt/keycloak/provider) and configuration (settings done via the Keycloak Web UI) for this scenario?

Thanks in advance

Matthieu Huin

Apr 3, 2023, 5:39:13 AM
to DP, Keycloak User
Hello,

Steps 1-3 can be done by creating a custom Keycloak image. Here is an example where the extensions are also built with the image: https://github.com/softwarefactory-project/keycloak-filter-provider-users/blob/master/Dockerfile
You can inject custom themes in a similar fashion. Then, you distribute your custom image.

Most of steps 4.X can be automated with calls to kcadm.sh once the container is up. Note that not all API calls are documented but kcadm does support them. I found it useful to first perform the actions in the browser with the network console activated (Ctrl-I) to see what raw API calls were made. It is then relatively straightforward to figure out how to call kcadm to perform similar actions.



--

Matthieu Huin

(He/Him/His)

Senior Software Developer

Red Hat
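
Added example, not part of the thread or of the Keycloak project: steps 4.3 to 4.5 and 4.8 from the question scripted with kcadm.sh, as the reply above suggests. The realm name, theme name, SMTP host, client ID and URLs are constructed placeholders, and the admin credentials are assumed to arrive in the environment variables KC_ADMIN_USER and KC_ADMIN_PASSWORD (hypothetical names).

```shell
#!/bin/sh
# Added example: realm setup through kcadm.sh once the container is up.
# Every host, name and URL below is a constructed placeholder.
KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"
KC_URL="${KC_URL:-http://localhost:8080}"
REALM="${REALM:-demo}"

kc_login() {
    # The password is read from the environment so it is never baked into
    # the script or the image. It is still visible in the container's
    # process list while kcadm.sh runs.
    "$KCADM" config credentials --server "$KC_URL" --realm master \
        --user "$KC_ADMIN_USER" --password "$KC_ADMIN_PASSWORD"
}

kc_configure() {
    # 4.8: create the realm first; creation is skipped if it already exists.
    "$KCADM" get "realms/$REALM" >/dev/null 2>&1 ||
        "$KCADM" create realms -s "realm=$REALM" -s enabled=true

    # 4.3 and 4.4: login theme and SMTP settings are realm attributes.
    "$KCADM" update "realms/$REALM" \
        -s loginTheme=mytheme \
        -s 'smtpServer.host=smtp.example.test' \
        -s 'smtpServer.from=keycloak@example.test'

    # 4.5: client with root URL and an exact redirect URI (no wildcard).
    "$KCADM" create clients -r "$REALM" \
        -s clientId=myapp -s enabled=true \
        -s 'rootUrl=https://app.example.test' \
        -s 'redirectUris=["https://app.example.test/callback"]'
}

# To apply: kc_login && kc_configure
```
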

Dmitrii Pisarenko

Apr 3, 2023, 6:01:21 AM
to Matthieu Huin, Keycloak User

Thank you!
