For keycloak custom image how can one not pass the DB Credentials as plain text


Srinivasa

Feb 2, 2023, 4:48:02 AM
to Keycloak User
Hello,

I am trying to deploy Keycloak version 20.0.3 (Quarkus distribution) with the help of the Keycloak Operator in Kubernetes. We are trying to deploy a custom image with custom themes in Kubernetes. According to the documentation I have to pass the existing Postgres DB information as environment variables in the Dockerfile in plain text. (Source: https://www.keycloak.org/server/containers)
My question here is: is there any way to pass the DB credentials as a Kubernetes secret, or in some discreet way, so that they are not visible when this image is published to a remote repository?

Best Regards,
Srinivasa Tadivalasa


Johannes Reppin

Feb 3, 2023, 12:55:33 AM
to Keycloak User
Hello,
You only need the DB variables at runtime.
Run `kc.sh build` to build for the appropriate database backend, but you don't need to set the other DB variables.
This is especially clear since the official Docker image doesn't (can't) include your database environment variables.
The documentation is a bit unclear for beginners.
Cheers,
Johannes

Gregory Ledray

Feb 3, 2023, 11:11:00 AM
to Keycloak User
I only just started using Keycloak a couple months ago, so I'm not an expert.

The example you linked is nice as part of a "getting started" guide for Keycloak but, as you already know, isn't good for production. The key is:

> You only need the DB variables at Runtime.

I do NOT include KC_DB_* variables in either the "builder" stage of the Dockerfile or in the main stage with the ENTRYPOINT. For example, neither KC_DB_PASSWORD nor KC_DB_USERNAME is set in the Dockerfiles.

Both of these variables are set at runtime via runtime environment variables.

On localhost, I have a Docker Compose file which sets variables when docker compose is run:

      environment:
        POSTGRES_DB: keycloak
        POSTGRES_USER: keycloakuser
        POSTGRES_PASSWORD: keycloakpassword

In dev and production I set the environment variables in the AWS::ECS::TaskDefinition's ContainerDefinitions such that they're passed in as a secret. I think the equivalent in Kubernetes is: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
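Putting the two replies together for the Operator case, here is an added example (not from the thread and not the Keycloak project's own manifests) of what the runtime side looks like. The Dockerfile keeps only the build-time option, i.e. `ENV KC_DB=postgres` followed by `RUN /opt/keycloak/bin/kc.sh build` alongside the theme `COPY`, and contains no `KC_DB_USERNAME`, `KC_DB_PASSWORD` or `KC_DB_URL`. The credentials live in a Kubernetes Secret, and the `Keycloak` custom resource (`k8s.keycloak.org/v2alpha1`) points at that Secret through `spec.db.usernameSecret` and `spec.db.passwordSecret`; the Operator injects them into the pod at runtime, so nothing credential-shaped is ever in the image. The namespace, Secret name and keys, image reference, DB host and hostnames below are placeholders I chose for the example.

```yaml
# Added example: a Secret holding the DB credentials plus a Keycloak CR that
# references it. All names are placeholders; replace them for your cluster.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-db-secret      # placeholder name
  namespace: keycloak           # placeholder namespace
type: Opaque
stringData:                     # stringData avoids hand-base64-encoding values
  username: keycloakuser        # placeholder; real values come from your secret store
  password: change-me-before-applying
---
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak-custom
  namespace: keycloak
spec:
  instances: 1
  # Custom image built from quay.io/keycloak/keycloak:20.0.3 with the theme
  # copied in and `kc.sh build` run with KC_DB=postgres only. Placeholder ref.
  image: registry.example.com/keycloak-custom:20.0.3
  db:
    vendor: postgres            # must match the KC_DB baked in at build time
    host: postgres-db           # placeholder Service name of the Postgres DB
    port: 5432
    database: keycloak
    usernameSecret:             # runtime-only: never present in the image
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  hostname:
    hostname: sso.example.com   # placeholder public hostname
  http:
    tlsSecret: keycloak-tls     # placeholder kubernetes.io/tls Secret
```

Two checks worth doing before you publish the image: `docker image inspect --format '{{json .Config.Env}}' <image>` shows exactly the environment a registry consumer sees, and `docker history --no-trunc <image>` shows every `ENV`/`ARG` layer, so grep both for `KC_DB_`. Only `KC_DB=postgres` should appear. The Secret itself is base64 in etcd, not encrypted, so restrict who can `get` Secrets in that namespace with RBAC and enable encryption at rest if your cluster does not already have it.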
