Use built-in database

The following steps show how to set up Keycloak with the built-in database.

The default built-in database is a single-replica PostgreSQL instance using Bitnami’s PostgreSQL Helm chart. No configuration is needed unless you need to deviate from the defaults. You can override the chart's Helm values in helm_values.postgresql.

Requirements

  • commodore

  • pwgen

  • vault

  1. Configure component parameters if deviating from defaults.

    keycloak:
      helm_values:
        postgresql: {} # Override built-in database values if needed
  2. Generate and store secrets in Vault

    key="clusters/kv/${TENANT_ID}/${CLUSTER_ID}/keycloak"
    
    vault kv put -cas=0 "${key}" admin-password=$(pwgen -s 32 1) db-password=$(pwgen -s 32 1)
  3. Compile and push the cluster catalog

Enable Backups

The component supports backups for the built-in database through K8up. The following steps show how to enable them.

To use this backup feature, the component-backup-k8up needs to be installed on the cluster.

  1. Enable backups in component parameters

    keycloak:
      k8up:
        enabled: true
  2. Generate and store repository secret in Vault

    key="clusters/kv/${TENANT_ID}/${CLUSTER_ID}/keycloak"
    
    vault kv patch "${key}" k8up-repo-password=$(pwgen -s 32 1)
  3. Get the access and secret key of your S3 provider and store them in Vault

    s3_access_key=YOUR_ACCESS_KEY
    s3_secret_key=YOUR_SECRET_KEY
    key="clusters/kv/${TENANT_ID}/${CLUSTER_ID}/keycloak"
    
    # k8up-repo-password was already stored in step 2; it is not regenerated here so that value is not overwritten
    vault kv patch "${key}" k8up-s3-accesskey="${s3_access_key}" k8up-s3-secretkey="${s3_secret_key}"

    On most clusters you should be able to reuse the global backup credentials set up during cluster creation. In that case you can skip this step and instead reference those credentials in Vault from the K8up S3 configuration.

    keycloak:
      k8up:
        enabled: true
        s3:
          accesskey: '?{vaultkv:${cluster:tenant}/${cluster:name}/global-backup/access-key}'
          secretkey: '?{vaultkv:${cluster:tenant}/${cluster:name}/global-backup/secret-key}'
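
To confirm that the Vault fields written in the steps above exist before compiling the catalog, a pre-flight check like the following can be used. It is an added example, not part of the component's documentation: the function name and the mode names (`base`, `k8up`, `k8up-s3`) are assumptions made here, while the field names are the ones used in the commands on this page.

```shell
#!/bin/sh
# Added example: list which Keycloak secret fields are missing or empty at a
# Vault KV path, without ever printing a secret value.
#
# Usage (assumed helper, not provided by the component):
#   missing_keycloak_fields "clusters/kv/${TENANT_ID}/${CLUSTER_ID}/keycloak" k8up-s3
#
# Modes:
#   base     admin-password, db-password (built-in database only)
#   k8up     base + k8up-repo-password (S3 keys come from global-backup)
#   k8up-s3  k8up + k8up-s3-accesskey, k8up-s3-secretkey
#
# Prints one missing field name per line.
# Returns 0 if all fields are present, 1 if any is missing, 2 on a bad mode.
missing_keycloak_fields() {
  mkf_key="$1"
  case "${2:-base}" in
    base)
      mkf_fields="admin-password db-password" ;;
    k8up)
      mkf_fields="admin-password db-password k8up-repo-password" ;;
    k8up-s3)
      mkf_fields="admin-password db-password k8up-repo-password"
      mkf_fields="$mkf_fields k8up-s3-accesskey k8up-s3-secretkey" ;;
    *)
      echo "unknown mode: $2" >&2
      return 2 ;;
  esac

  mkf_rc=0
  for mkf_field in $mkf_fields; do
    # `vault kv get -field=NAME` exits non-zero when the field does not exist.
    # The value is captured only to test for emptiness and is never echoed.
    if ! mkf_value=$(vault kv get -field="$mkf_field" "$mkf_key" 2>/dev/null) \
        || [ -z "$mkf_value" ]; then
      printf '%s\n' "$mkf_field"
      mkf_rc=1
    fi
  done
  unset mkf_value
  return "$mkf_rc"
}
```

Use mode `k8up` when the S3 credentials are referenced from `global-backup` as shown above, since those keys then live at a different Vault path.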