Requirements:
- Docker version 20.10+
- Docker-compose version 1.27+
Steps to run Keycloak in Docker:
1. Log in to the Docker registry
Open a terminal window and log in to the Docker registry with the username and password provided when licensing Wyden:
docker login docker.wyden.io
2. Adjust your docker-compose.yml file
Below is a good example:
version: "3.9"
networks:
  net:
services:
  keycloak:
    image: docker.wyden.io/keycloak:10.0.2-AT1-5
    environment:
      DB_VENDOR: h2
      KEYCLOAK_FRONTEND_URL: "https://client.url.com:8444/auth"
      CLIENT_KEYCLOAK_USER: mysuperuser
      CLIENT_KEYCLOAK_PASSWORD: mysuperpassword
      ALGOTRADER_URL: "https://client.url.com"
    volumes:
      - keycloakdb:/opt/jboss/keycloak/standalone/data/
      - /path/to/the/tls.key:/etc/x509/https/tls.key
      - /path/to/the/tls.crt:/etc/x509/https/tls.crt
    networks:
      - net
    ports:
      - 8444:8444
volumes:
  keycloakdb:
where
/path/to/the/tls.crt, /path/to/the/tls.key - paths to the TLS certificate and private key Keycloak will serve; the key file should be readable only by the user that runs the stack
CLIENT_KEYCLOAK_USER, CLIENT_KEYCLOAK_PASSWORD - placeholder credentials; replace them, and prefer passing them as ${VAR} references resolved from a .env file kept out of version control rather than as literal values in docker-compose.yml
3. Start the server
To start the docker-compose stack, run the following command from the directory that contains docker-compose.yml:
docker-compose up -d
4. Access Keycloak dashboard
After the Keycloak container reports a healthy status (see docker-compose ps), open its configuration UI:
https://client.url.com:8444/auth/admin/algotrader/console
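Before running step 3, a short pre-flight script catches the problems the FAQ below deals with. This is an added example and not part of Wyden's tooling: it checks the Docker and docker-compose versions against the requirements, flags password variables that carry literal values in docker-compose.yml, and confirms that tls.crt and tls.key belong together and that the certificate covers the KEYCLOAK_FRONTEND_URL host. The file paths, the host name client.url.com and the embedded compose fragment are the article's placeholders and constructed input; override the variables for your deployment.

```shell
#!/bin/sh
# Pre-flight checks for the docker-compose.yml above. Added example, not part of
# Wyden's tooling. Assumptions: the compose file is ./docker-compose.yml, the TLS
# paths and client.url.com are the article's placeholders, and openssl is on PATH
# for the certificate checks; override the variables for your deployment.

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
TLS_CRT="${TLS_CRT:-/path/to/the/tls.crt}"
TLS_KEY="${TLS_KEY:-/path/to/the/tls.key}"
FRONTEND_HOST="${FRONTEND_HOST:-client.url.com}"

# version_ge HAVE WANT: true when dotted version HAVE is at least WANT.
# A leading "v" and a "-suffix" (as in 20.10.21-ce) are ignored.
version_ge() {
  have=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
  want=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*$//')
  i=1
  while :; do
    h=$(printf '%s' "$have" | awk -F. -v i="$i" '{print $i}')
    w=$(printf '%s' "$want" | awk -F. -v i="$i" '{print $i}')
    [ -z "$h" ] && [ -z "$w" ] && return 0
    h=${h:-0}; w=${w:-0}
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    i=$((i + 1))
  done
}

# inline_secrets FILE: names of *PASSWORD*/*SECRET* variables that carry a literal
# value in the compose file instead of a ${VAR} reference resolved from a .env file.
inline_secrets() {
  awk '/^[ \t]*[A-Z0-9_]*(PASSWORD|SECRET)[A-Z0-9_]*:/ {
    key = $1; sub(/:$/, "", key)
    val = $0; sub(/^[^:]*:[ \t]*/, "", val)
    if (val != "" && index(val, "${") != 1 && index(val, "\"${") != 1) print key
  }' "$1"
}

# cert_key_match CRT KEY: the public key inside the certificate must be the one
# derived from the private key, otherwise the TLS listener cannot come up.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_host CRT HOST: the certificate must name the KEYCLOAK_FRONTEND_URL
# host (SAN or CN), otherwise browsers reject the admin console URL.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Constructed sample (mirrors the compose file above) used to demonstrate the
# secrets check; not a real deployment file.
SAMPLE_COMPOSE=$(mktemp)
trap 'rm -f "$SAMPLE_COMPOSE"' EXIT
cat >"$SAMPLE_COMPOSE" <<'EOF'
services:
  keycloak:
    environment:
      CLIENT_KEYCLOAK_USER: mysuperuser
      CLIENT_KEYCLOAK_PASSWORD: mysuperpassword
      DB_PASSWORD: ${KEYCLOAK_DATABASE_PASSWORD}
EOF

preflight() {
  status=0
  dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null || true)
  version_ge "${dv:-0}" 20.10 || { echo "docker ${dv:-missing}: need 20.10+"; status=1; }
  cv=$(docker-compose version --short 2>/dev/null || true)
  version_ge "${cv:-0}" 1.27 || { echo "docker-compose ${cv:-missing}: need 1.27+"; status=1; }
  for k in $(inline_secrets "$COMPOSE_FILE" 2>/dev/null); do
    echo "warning: $k has a literal value in $COMPOSE_FILE; move it to a .env file"
  done
  cert_key_match "$TLS_CRT" "$TLS_KEY" || { echo "tls.crt and tls.key do not match"; status=1; }
  cert_covers_host "$TLS_CRT" "$FRONTEND_HOST" || { echo "certificate does not cover $FRONTEND_HOST"; status=1; }
  return "$status"
}

echo "literal secrets in the sample file: $(inline_secrets "$SAMPLE_COMPOSE")"
preflight || echo "pre-flight found problems; fix them before docker-compose up -d"
```

Run it from the directory that holds docker-compose.yml; a non-zero status from preflight means the stack would start with a broken TLS listener or on an unsupported Docker version, while the secrets warning only flags values that belong in a .env file.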
FAQ
How can I access the master realm?
If you need to access the master realm, add KEYCLOAK_USER and KEYCLOAK_PASSWORD to the environment list, apply the change with docker-compose up -d, and log in to the master realm with those credentials. These are the most privileged credentials in the deployment, since the master realm administers every other realm, so treat them accordingly.
How to backup Keycloak?
In the setup defined earlier Keycloak keeps its data in the embedded H2 database on the keycloakdb volume, so to back up Keycloak make sure that volume and every file in it are stored persistently and included in your backups.
For production use our team recommends configuring MySQL or another external database with Keycloak.
In that case, modify the setup so the data is stored in the relational database:
version: "3.9"
networks:
  net:
services:
  keycloak:
    ...
    environment:
      DB_VENDOR: mysql
      DB_ADDR: ${KEYCLOAK_DATABASE_HOST}
      DB_PORT: 3306
      DB_DATABASE: ${KEYCLOAK_DATABASE_NAME}
      DB_USER: ${KEYCLOAK_DATABASE_USER}
      DB_PASSWORD: ${KEYCLOAK_DATABASE_PASSWORD}
    ...
How to use self-signed TLS?
To start the application with a self-signed TLS certificate, adjust the docker-compose file so that the certificate is also mounted as a trust anchor and imported with update-ca-trust before Keycloak starts. Note that this runs the container as root, which update-ca-trust needs in order to write the system trust store; that is a wider privilege than the image's default user, so weigh it against your container hardening baseline.
version: "3.9"
networks:
  net:
services:
  keycloak:
    ...
    user: root
    entrypoint: ["/bin/bash","-c"]
    command: ["update-ca-trust && /opt/jboss/startup.sh -b 0.0.0.0"]
    volumes:
      ...
      - /path/to/the/tls.crt:/etc/pki/ca-trust/source/anchors/https/tls.crt
Why is Keycloak throwing a connection error?
If you observe a connection error similar to the one below, or any other connection error, make sure that:
- the keystore (identity.jks) mounted into the application contains the full certificate chain
- if the certificate is self-signed or issued by a custom CA, it is imported into the container truststore as described above
- no firewall rules block access from the Keycloak container to the application (algotrader) container
- the same request succeeds from inside the Keycloak container, using cURL
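The checklist above can be scripted. The following is an added example, not Wyden's tooling: from the host it captures the chain the application actually serves, translates OpenSSL's verify return code into which checklist item failed, and repeats the request from inside the Keycloak container with cURL, mapping curl's exit status to the DNS, firewall and trust causes. It assumes the compose service is named keycloak as in the file above, that the application listens on client.url.com port 443 (the ALGOTRADER_URL host), that openssl is installed on the host, and that the image provides curl; the embedded certificate sample is constructed and not a real certificate.

```shell
#!/bin/sh
# Run on the host to diagnose a Keycloak -> application connection error.
# Added example, not Wyden's tooling. Assumptions: the compose service is named
# "keycloak" as in the article, the application is reachable at the ALGOTRADER_URL
# host on port 443, openssl is installed on the host and the image provides curl
# (the checklist's last item relies on it); override the variables as needed.

SERVICE="${SERVICE:-keycloak}"
APP_HOST="${APP_HOST:-client.url.com}"
APP_PORT="${APP_PORT:-443}"

# Run a command inside the Keycloak container; -T keeps it usable from scripts.
in_container() { docker-compose exec -T "$SERVICE" "$@"; }

# pem_cert_count [FILE]: number of certificates in a PEM file or on stdin. A single
# certificate that is not self-signed means the keystore served a leaf without its chain.
pem_cert_count() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$@" 2>/dev/null || true)
  echo "${n:-0}"
}

# explain_verify_code CODE: OpenSSL's "Verify return code" for the served chain,
# translated into the checklist item to fix.
explain_verify_code() {
  case "$1" in
    0)     echo "trusted" ;;
    21)    echo "leaf only: identity.jks does not contain the full chain" ;;
    18|19) echo "self-signed: import the certificate into the container truststore" ;;
    20)    echo "unknown issuer: import the custom CA into the container truststore" ;;
    *)     echo "verify code $1: see the openssl verify manual page" ;;
  esac
}

# explain_curl_exit CODE: curl's exit status from inside the container, translated.
explain_curl_exit() {
  case "$1" in
    0)  echo "ok: the request succeeds from inside the container" ;;
    6)  echo "dns: the container cannot resolve $APP_HOST" ;;
    7)  echo "connect: connection refused, check firewall rules and the port" ;;
    28) echo "timeout: packets are dropped, check firewall rules" ;;
    35) echo "handshake: TLS negotiation failed, check the server keystore" ;;
    60) echo "trust: certificate not trusted, import the CA into the container truststore" ;;
    *)  echo "curl exit $1: see the curl manual page" ;;
  esac
}

# served_chain: the handshake transcript, including every certificate the application
# presents, captured with the host's openssl (no openssl is assumed inside the image).
served_chain() {
  echo | openssl s_client -connect "$APP_HOST:$APP_PORT" -servername "$APP_HOST" -showcerts 2>/dev/null || true
}

# probe_from_container: repeat the request with the container's own resolver, routes
# and trust store, print the diagnosis and return curl's exit status.
probe_from_container() {
  rc=0
  in_container curl -sS -o /dev/null --max-time 10 "https://$APP_HOST:$APP_PORT/" >/dev/null 2>&1 || rc=$?
  explain_curl_exit "$rc"
  return "$rc"
}

# Constructed sample (not real certificates) to demonstrate pem_cert_count offline.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
MIIBleaf
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediate
-----END CERTIFICATE-----'

if command -v openssl >/dev/null 2>&1 && command -v docker-compose >/dev/null 2>&1; then
  out=$(served_chain)
  echo "certificates served by $APP_HOST: $(printf '%s\n' "$out" | pem_cert_count)"
  code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
  echo "chain status: $(explain_verify_code "${code:-unknown}")"
  probe_from_container || true
else
  echo "constructed sample chain holds $(printf '%s\n' "$SAMPLE_CHAIN" | pem_cert_count) certificates"
fi
```

A verify code of 21 with a single served certificate points at the keystore (first checklist item), 18, 19 or 20 at the truststore (second item), and a curl exit of 6, 7 or 28 from inside the container at name resolution or firewall rules rather than TLS.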
Why is Keycloak TLS not using my certificate and key?
Make sure both files are mounted at /etc/x509/https/tls.crt and /etc/x509/https/tls.key respectively.
Keycloak expects those files at exactly that location; the path cannot be configured.