
Kubernetes Keycloak

Deploys Keycloak on Kubernetes as an identity and access management solution. Provisions a Keycloak instance with configurable container resources, optional namespace creation, and optional external access through ingress with TLS. Keycloak provides single sign-on, identity brokering, user federation, and fine-grained authorization for applications and services.

What Gets Created

When you deploy a KubernetesKeycloak resource, Planton provisions:

  • Kubernetes Namespace — created if createNamespace is true
  • Keycloak Deployment — a Keycloak application instance with:
    • A Keycloak pod running with the configured CPU and memory resources
    • Kubernetes Service for cluster-internal access on port 8080
    • Admin password stored in a Kubernetes Secret ({name}-password)
    • PostgreSQL database password stored in a Kubernetes Secret ({name}-db-password)
  • Ingress Resources (when ingress.enabled is true):
    • External LoadBalancer service ({name}-external-lb) for routing traffic to Keycloak
    • TLS-terminated external access at the configured hostname

Prerequisites

  • A Kubernetes cluster with kubectl configured for access
  • Ingress controller installed in the cluster (only if using ingress)
  • cert-manager or equivalent TLS provider (only if using ingress with HTTPS)

Quick Start

Create a file keycloak.yaml:

apiVersion: kubernetes.planton.dev/v1
kind: KubernetesKeycloak
metadata:
  name: my-keycloak
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: dev.KubernetesKeycloak.my-keycloak
spec:
  namespace:
    value: keycloak-dev
  createNamespace: true

Deploy:

planton apply -f keycloak.yaml

This creates a Keycloak instance with default resources (1 CPU / 1Gi memory limit, 50m CPU / 100Mi memory request) in the keycloak-dev namespace.

Configuration Reference

Required Fields

Field | Type | Description | Validation
namespace | StringValueOrRef | Kubernetes namespace for the Keycloak deployment. Use value for a direct string or valueFrom to reference a KubernetesNamespace resource. | Required

Optional Fields

Field | Type | Default | Description
createNamespace | bool | false | Create the namespace if it does not exist.
container.resources.limits.cpu | string | "1000m" | CPU limit for the Keycloak container.
container.resources.limits.memory | string | "1Gi" | Memory limit for the Keycloak container.
container.resources.requests.cpu | string | "50m" | CPU request for the Keycloak container.
container.resources.requests.memory | string | "100Mi" | Memory request for the Keycloak container.
ingress.enabled | bool | false | Enable external access to Keycloak via ingress.
ingress.hostname | string | — | Full hostname for external access (e.g., keycloak.example.com). Required when ingress.enabled is true.
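The rules in these two tables can be checked offline before running planton apply. The validator below is an added example, not Planton's own code: it encodes the documented constraints (spec.namespace must be given as exactly one of value or valueFrom, ingress.hostname is required when ingress.enabled is true, the defaults above fill in missing resource fields) together with the general Kubernetes rule, not stated on this page, that a container's requests may not exceed its limits. The manifest is passed as a parsed dict rather than YAML text so the script has no dependencies; the QUICK_START dict is constructed to mirror the Quick Start manifest above.

```python
"""Offline validator for a KubernetesKeycloak manifest (added example, not Planton code)."""
import re

API_VERSION = "kubernetes.planton.dev/v1"
KIND = "KubernetesKeycloak"

# Defaults from the optional-fields table; applied when a field is absent.
DEFAULT_RESOURCES = {
    "limits": {"cpu": "1000m", "memory": "1Gi"},
    "requests": {"cpu": "50m", "memory": "100Mi"},
}

_MEM_UNITS = {
    "": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}
# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_HOST_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_cpu(q: str) -> int:
    """Kubernetes CPU quantity -> millicores ("2000m" -> 2000, "0.5" -> 500, "1" -> 1000)."""
    q = str(q).strip()
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def parse_memory(q: str) -> int:
    """Kubernetes memory quantity -> bytes ("4Gi" -> 4 * 2**30, "512Mi" -> 512 * 2**20)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(k|M|G|T|Ki|Mi|Gi|Ti)?", str(q).strip())
    if not m:
        raise ValueError(f"bad memory quantity: {q!r}")
    number, unit = m.group(1), m.group(2) or ""
    return int(float(number) * _MEM_UNITS[unit])


def valid_hostname(host: str) -> bool:
    """Bare DNS name only: no scheme, port or path; every label RFC 1123-shaped."""
    if not host or len(host) > 253 or "://" in host or "/" in host or ":" in host:
        return False
    return all(_HOST_LABEL.match(label) for label in host.split("."))


def validate_keycloak_manifest(manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means the manifest is acceptable."""
    problems = []
    if manifest.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if manifest.get("kind") != KIND:
        problems.append(f"kind must be {KIND}")
    if not (manifest.get("metadata") or {}).get("name"):
        problems.append("metadata.name is required")
    spec = manifest.get("spec") or {}

    # namespace: required, and exactly one of value / valueFrom
    ns = spec.get("namespace") or {}
    has_value, has_ref = bool(ns.get("value")), bool(ns.get("valueFrom"))
    if has_value == has_ref:
        problems.append("spec.namespace must set exactly one of value or valueFrom")
    if has_ref:
        ref = ns["valueFrom"]
        for key in ("kind", "fieldPath"):
            if not ref.get(key):
                problems.append(f"spec.namespace.valueFrom.{key} is required")
        if not (ref.get("metadata") or {}).get("name"):
            problems.append("spec.namespace.valueFrom.metadata.name is required")

    # container resources: defaults fill gaps, then requests must not exceed limits
    res = (spec.get("container") or {}).get("resources") or {}
    limits = {**DEFAULT_RESOURCES["limits"], **(res.get("limits") or {})}
    requests = {**DEFAULT_RESOURCES["requests"], **(res.get("requests") or {})}
    try:
        if parse_cpu(requests["cpu"]) > parse_cpu(limits["cpu"]):
            problems.append("cpu request exceeds cpu limit")
        if parse_memory(requests["memory"]) > parse_memory(limits["memory"]):
            problems.append("memory request exceeds memory limit")
    except ValueError as exc:
        problems.append(str(exc))

    # ingress: hostname required, and must be a bare DNS name, when enabled
    ingress = spec.get("ingress") or {}
    if ingress.get("enabled"):
        host = ingress.get("hostname")
        if not host:
            problems.append("ingress.hostname is required when ingress.enabled is true")
        elif not valid_hostname(host):
            problems.append(f"ingress.hostname {host!r} is not a bare DNS hostname")
    return problems


# Constructed sample mirroring the Quick Start manifest.
QUICK_START = {
    "apiVersion": API_VERSION,
    "kind": KIND,
    "metadata": {"name": "my-keycloak"},
    "spec": {"namespace": {"value": "keycloak-dev"}, "createNamespace": True},
}

if __name__ == "__main__":
    for line in validate_keycloak_manifest(QUICK_START) or ["manifest OK"]:
        print(line)
```

The hostname check deliberately rejects values such as https://keycloak.example.com or keycloak.example.com/auth: the field is the bare hostname that ends up in the TLS certificate and ingress rule, and a scheme or path pasted into it produces a certificate request for a name that cannot be issued.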

Examples

Keycloak with Custom Resources

Increase CPU and memory for a Keycloak instance handling a larger user base:

apiVersion: kubernetes.planton.dev/v1
kind: KubernetesKeycloak
metadata:
  name: auth-keycloak
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: dev.KubernetesKeycloak.auth-keycloak
spec:
  namespace:
    value: auth-services
  createNamespace: true
  container:
    resources:
      limits:
        cpu: "2000m"
        memory: "4Gi"
      requests:
        cpu: "500m"
        memory: "1Gi"

Keycloak with Namespace Reference

Use valueFrom to reference a namespace managed by a separate KubernetesNamespace resource:

apiVersion: kubernetes.planton.dev/v1
kind: KubernetesKeycloak
metadata:
  name: shared-keycloak
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: staging.KubernetesKeycloak.shared-keycloak
spec:
  namespace:
    valueFrom:
      kind: KubernetesNamespace
      metadata:
        name: platform-ns
      fieldPath: spec.name
  container:
    resources:
      limits:
        cpu: "2000m"
        memory: "2Gi"
      requests:
        cpu: "250m"
        memory: "512Mi"

Full-Featured with Ingress

External access over HTTPS for production use:

apiVersion: kubernetes.planton.dev/v1
kind: KubernetesKeycloak
metadata:
  name: prod-keycloak
  labels:
    planton.dev/provisioner: pulumi
    pulumi.planton.dev/organization: my-org
    pulumi.planton.dev/project: my-project
    pulumi.planton.dev/stack.name: prod.KubernetesKeycloak.prod-keycloak
spec:
  namespace:
    value: production
  createNamespace: true
  container:
    resources:
      limits:
        cpu: "4000m"
        memory: "8Gi"
      requests:
        cpu: "1000m"
        memory: "2Gi"
  ingress:
    enabled: true
    hostname: keycloak.example.com

Stack Outputs

After deployment, the following outputs are available in status.outputs:

Output | Type | Description
namespace | string | Kubernetes namespace where Keycloak was created
service | string | Name of the Kubernetes service for Keycloak
port_forward_command | string | Ready-to-run kubectl port-forward command for local access on port 8080
kube_endpoint | string | Cluster-internal endpoint (e.g., my-keycloak.keycloak-dev.svc.cluster.local:8080)
external_hostname | string | External HTTPS hostname when ingress is enabled (e.g., https://keycloak.example.com)
internal_hostname | string | Internal HTTPS hostname for private access (e.g., https://internal-keycloak.example.com)

Related Components

  • KubernetesNamespace — pre-create a namespace to reference via valueFrom
  • KubernetesPostgres — deploy PostgreSQL as the backing database for Keycloak
  • KubernetesJenkins — integrate Jenkins CI/CD with Keycloak for authentication
