Michele Orlandi

Developer and architect focused on distributed solutions for the next unprecedented, game-changing, yet-to-be-announced, highly-anticipated hype

View on GitHub
20 March 2025

Deploy Keycloak using a PostgreSQL Database with Persistent Storage on OpenShift and the Red Hat Keycloak Operator

Prerequisites

Ensure you have the following:

  1. An active OpenShift cluster.
  2. The oc command-line tool is installed and configured to communicate with your cluster.
  3. The kubectl command-line tool is installed and configured to communicate with your cluster.
  4. OpenSSL is installed for generating the SSL certificate.

Step 1: Create a PostgreSQL Persistent Database

Use the OpenShift CLI (oc) to create a new PostgreSQL application with persistent storage.

oc new-app postgresql-persistent -p DATABASE_SERVICE_NAME=pgshost -p VOLUME_CAPACITY=2Gi -p POSTGRESQL_USER=preprodpg -p POSTGRESQL_PASSWORD=passw0rd -p POSTGRESQL_DATABASE=keycloak -p POSTGRESQL_VERSION=15-el9

This command will create a PostgreSQL application named postgresql-persistent, setting up the database with the specified parameters.

Step 2: Generate SSL Certificate

Generate a self-signed SSL certificate:

openssl req -subj '/CN=kloakmanager.apps./O=Test Keycloak./C=US' -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

This command creates two files: key.pem (private key) and certificate.pem (public certificate), both valid for 365 days.

Step 3: Create TLS Secret

Create a Kubernetes secret from the certificate and key files:

kubectl create secret tls tls-secret --cert certificate.pem --key key.pem

This command creates a TLS secret named tls-secret that can be used by other resources in your cluster.

Step 4: Create Keycloak Database Secret

Create another secret containing the database username and password:

kubectl create secret generic keycloak-db-secret \
  --from-literal=username=preprodpg \
  --from-literal=password=passw0rd

This secret, named keycloak-db-secret, will be used to store the credentials needed to connect to the Keycloak database.

Step 5: Install Red Hat build of Keycloak Operator

Installation using the OCP console

The operator can also be installed from CLI. In this case it will be installed on the “kloak” namespace

Step 6: Apply Keycloak YAML File

Apply the YAML configuration to deploy Keycloak:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: instance
spec:
  instances: 1
  db:
    vendor: postgres
    host: pgshost
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    tlsSecret: tls-secret
  hostname:
    hostname: kloakmanager.apps.
  proxy:
    headers: xforwarded # double check your reverse proxy sets and overwrites the X-Forwarded-* headers

This command deploys Keycloak based on the configurations in kloak.yaml.

Step 7: Clean Up (Optional)

If needed, clean up all resources related to the PostgreSQL persistent database:

oc delete all,pvc,secrets -l app.kubernetes.io/component=postgresql-persistent

The above command deletes all resources labeled with app.kubernetes.io/component=postgresql-persistent, including Deployments, PersistentVolumeClaims, and Secrets.

Please adjust the commands according to your specific context and requirements. Always ensure you understand what each command does before running it in your environment.

tags: