Advanced configuration
In this guide, you’ll learn how to configure your Keycloak deployment using advanced concepts and options provided by Custom Resources (CR).
Server Configuration details
The serverConfiguration
field of the Keycloak CR allows to pass to Keycloak any available configuration in the form of key-value pairs.
For all the available configuration options, refer to All Configuration.
The values can be expressed as plain text strings or Kubernetes Secret references. e.g:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: example-kc
spec:
...
serverConfiguration:
- name: db
value: postgres # plain text value
- name: db-url-host
value: postgres-db # plain text value
- name: db-username
secret: # Secret reference
name: keycloak-db-secret # name of the Secret
key: username # name of the Key in the Secret
- name: db-password
secret: # secret reference
name: keycloak-db-secret # name of the Secret
key: password # name of the Key in the Secret
Secret References
A Secret Reference can be either a value in serverConfiguration
or the tlsSecret
.
When specifying a Secret Reference, you have to make sure that a Secret containing the referenced keys is present in the same namespace as the CR referencing it. Along with the Keycloak Server Deployment, the operator adds special labels to the referenced Secrets in order to watch for changes.
When a referenced Secret is modified, the operator automatically performs a rolling restart of the Keycloak Deployment to pick up the changes.
Unsupported features
The unsupported
field of the CR contains highly experimental configuration options that are not completely tested and supported.
Pod Template
Pod Template is a raw API representation that is used for the Kubernetes Deployment Template. This field is intended to be used as a temporary workaround if there is no officially supported field at the top level of the CR to cover your use-case. Please consider opening an issue on GitHub to help us make the experience better.
The operator will merge the fields of the provided template with the values generated by the operator for the specific Deployment. Using this feature, you have access to a high level of customizations, but there are no guarantees that the Deployment will work as expected.
As an example you can inject labels, annotations, or even volumes and volume mounts:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: example-kc
spec:
...
unsupported:
podTemplate:
metadata:
labels:
my-label: "keycloak"
spec:
containers:
- volumeMounts:
- name: test-volume
mountPath: /mnt/test
volumes:
- name: test-volume
secret:
secretName: keycloak-additional-secret
Disabling required CR fields
By default, the Keycloak operator is designed to provide you with the best production-ready Deployment of Keycloak with security in mind. Although, for development purposes, you can still disable key security features.
Specifically, you can disable the required fields with a special value INSECURE-DISABLE
:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: example-kc
spec:
...
hostname: INSECURE-DISABLE
tlsSecret: INSECURE-DISABLE