Deploying Keycloak with Kubernetes
This page describes how to deploy Eggplant IAM in a Kubernetes environment. It includes system and software requirements specific to Kubernetes deployments.
Before proceeding with the installation of Eggplant IAM in Kubernetes containers, you should ensure the engineers in your organization are Certified Kubernetes Administrators (https://www.cncf.io/training/certification/cka/) or have equivalent experience.
Software Recommendations for Eggplant IAM Deployments with Kubernetes
See the Prerequisites page for information about the required hardware and memory for Eggplant IAM.
Eggplant IAM should run in any up-to-date Kubernetes cluster. The following table shows the tested configuration:

| Software | Configuration / Notes |
|---|---|
| Kubernetes cluster | 1.32 |
| Helm | v3.11.1 (any version of Helm newer than v3.8.0 should work) |
| ingress-nginx | 1.11.5 (chart version 4.11.5). The installation uses ingress-nginx-specific annotations, so other ingress controllers cannot be used. |
Create Custom Values File
The Eggplant IAM installation can be customised by passing custom values to the Helm installation. The minimal configuration needed for a working installation is the desired admin credentials, the hostname for the ingress, and an initial user for the Eggplant applications.

```yaml
auth:
  adminUser: admin
  adminPassword: [Your_Password]
ingress:
  hosts:
    - [your_domain]
realmConfigInstaller:
  extras:
    initial_user:
      enabled: true
      username: [Username]
      password: [Password]
      given_name: [Given_Name]
      family_name: [Family_Name]
```

The above values deploy a PostgreSQL container and a Keycloak container, which are then accessible via https://your_domain/auth.

Eggplant IAM is used for authentication and therefore must be accessed over HTTPS to protect credentials. The above example assumes that TLS is configured on the ingress-nginx controller itself.

The initial user configured under realmConfigInstaller.extras.initial_user is used to configure the users for the Eggplant applications (such as Generator).
Customisation
Admin Credentials from Secret
If preferred, you can pass in an existing secret containing the Keycloak admin credentials instead of including the details in the Helm values, by supplying an updated auth section:

```yaml
auth:
  existingSecret: [NAME_OF_SECRET]
  existingSecretKey: [KEY_WITHIN_SECRET]
```
Ingress
The ingress can be further configured to set the ingress class name, supply a TLS secret, or add annotations to the ingress rule, as in the example below. The TLS secret must contain keys named tls.crt and tls.key holding the certificate and private key to use for TLS.

```yaml
ingress:
  className: nginx
  hosts:
    - [your_domain]
  tls:
    secretName: your_cert_secret
  extraAnnotations:
    annotation1: annotation1-value
  extraAdminAnnotations:
    annotation1: annotation1-value
```

Eggplant IAM creates two ingress rules, one for regular users and one for administration. The annotations for these can be set separately, allowing, for example, additional security controls such as IP restrictions to be applied to the admin rule.
Database Configuration
The default Helm install creates a PostgreSQL container for use by Eggplant IAM. This can either be customised, or disabled so that an external database is used instead.

To use an external database, the internal database must be disabled by setting postgresql.enabled=false, and the configuration of the external database is then set under the global.postgresql key. The example below shows setting an external database using an existing secret and key. Alternatively, if you want to set the password within the values, existingSecret and secretKeys can be omitted and the password set under global.postgresql.auth.postgresPassword.

```yaml
global:
  postgresql:
    auth:
      existingSecret: keycloak
      secretKeys:
        adminPasswordKey: db_password
    host: postgres.example.com
    port: 5432
    username: keycloak
postgresql:
  enabled: false
```

If using the PostgreSQL instance from the Helm chart, the same configuration options under global.postgresql.auth can be used. Further customisation can be set by following the documentation for the Bitnami Helm chart.
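The customisations above (admin credentials from a secret, TLS on the ingress, separate admin ingress annotations, and the external-database switch) are easy to get subtly wrong in a values file. The following pre-flight check is an added example, not part of Eggplant IAM or its chart: it walks a parsed values dict and reports settings that weaken or break the deployment. It assumes the ingress-nginx allow-list annotation `nginx.ingress.kubernetes.io/whitelist-source-range` as the mechanism for the admin-rule IP restriction, and PyYAML only when reading a file from disk.

```python
# Pre-flight check for an Eggplant IAM Helm values file (example code, not the chart's own).
# Assumption: ingress-nginx's allow-list annotation is used to restrict the admin ingress.
WHITELIST_ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"


def _get(node, *path):
    """Walk nested dicts along path; return None if any key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_values(values):
    """Return a list of findings for a parsed values dict; an empty list means no findings."""
    findings = []
    if _get(values, "auth", "adminPassword") and not _get(values, "auth", "existingSecret"):
        findings.append("auth.adminPassword is stored in the values file; prefer auth.existingSecret")
    if not _get(values, "ingress", "hosts"):
        findings.append("ingress.hosts is empty; Keycloak needs a fixed HTTPS hostname")
    if not _get(values, "ingress", "tls", "secretName"):
        findings.append("ingress.tls.secretName not set; confirm TLS terminates on the ingress controller")
    admin_annotations = _get(values, "ingress", "extraAdminAnnotations") or {}
    if WHITELIST_ANNOTATION not in admin_annotations:
        findings.append("admin ingress has no source-IP allow-list under ingress.extraAdminAnnotations")
    # External database: global.postgresql.host only makes sense with the bundled PostgreSQL disabled.
    if _get(values, "global", "postgresql", "host") and _get(values, "postgresql", "enabled") is not False:
        findings.append("global.postgresql.host is set but postgresql.enabled is not false")
    return findings


def load_values(path):
    """Parse a values file from disk (requires PyYAML; not needed for check_values itself)."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample mirroring the minimal values on this page, plus an admin allow-list.
SAMPLE_VALUES = {
    "auth": {"adminUser": "admin", "adminPassword": "changeme"},
    "ingress": {"hosts": ["iam.example.internal"],
                "extraAdminAnnotations": {WHITELIST_ANNOTATION: "10.0.0.0/8"}},
    "postgresql": {"enabled": True},
}

if __name__ == "__main__":
    for finding in check_values(SAMPLE_VALUES):
        print("WARN:", finding)
```

Run it against `load_values("eggplant_iam.yaml")` before `helm upgrade`; an empty list means none of the checked pitfalls are present.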
Other Configuration Options
For a full list of supported value customisations, please refer to the supported Helm values.
Deploy Eggplant IAM with Kubernetes
- Download the required software. Refer to the Software Recommendations table above for the list of what you need.
- Create a custom values file with your preferred configuration (see Create Custom Values File) and save it as eggplant_iam.yaml.
- Deploy Eggplant IAM using the command below, which passes in the values file you created.

```shell
helm upgrade --install --namespace eggplant-iam \
  --create-namespace eggplant-iam \
  oci://harbor.dai.eggplant.cloud/charts/keycloak \
  --version 6.3.103 \
  --values eggplant_iam.yaml
```