Keycloak 25 Operator deployment in Docker Swarm and Compose

Hello,

I’ve been trying to build a highly available Docker Swarm deployment with Docker Compose and an external database service.

One thing I cannot figure out is the HA concept and what is really needed.
I have an external load balancer system in front of my deployment which is distributing the connections with “sticky-sessions” enabled as documented.
I’ve understood that Operator would distribute, for example, the OAuth session information for users, so they are not required to log in again if there’s a valid token. But is this really the only reason for Operator? This seems like a lot of work for a simple thing that a shared database would do? Which is already in place…

I’ve read from the documentation that vaguely says that Keycloak has a built-in Infinispan operator in place which should do the HA stuff in the background when the nodes are in the same network. I’ve also configured an overlay network for Keycloak containers in the Docker Swarm.
When looking at my container logs I cannot validate that this is happening since all containers are saying that “no members discovered after 2005 ms: creating cluster as coordinator”.

So I tried to use Keycloak Operator, which just doesn’t seem to be a fit for Docker? All guides and examples are using Kubernetes, but in my case we would need the Docker version.

Is there anyone who has been able to create Keycloak Operator in a Docker Compose/Swarm environment?

Best regards,
Masa

Hey Masa, can you share your docker-compose file? Otherwise, did you take a look here: Adventures with Docker Swarm and Keycloak Clustering - #7 by dvt114?

Hello,

Thanks for the quick reply. That was a new thread for me. I’ll look that up asap.

Here’s my current docker-compose file with modified contents between <> characters.

services:
  keycloak:
    deploy:
      replicas: 2
    image: quay.io/keycloak/keycloak:latest
    extra_hosts:
      - "<<myservicefqdn>>:127.0.0.1"
    environment:
      KC_HOSTNAME: <<myservicefqdn>>
      KC_HOSTNAME_PORT: 8443
      KC_DB: mariadb
      KC_DB_URL: jdbc:mariadb://<<ipaddress>>:<<port>>/<<databasename>>?characterEncoding=UTF-8
      KC_DB_USERNAME: <<dbusername>>
      KC_DB_PASSWORD: <<dbpassword>>
      KEYCLOAK_ADMIN: <<kcusername>>
      KEYCLOAK_ADMIN_PASSWORD: <<kcpassword>>
      # Health and metrics endpoints are enabled here but served on the
      # management port (9000 by default in Keycloak 25), not on 8443/8080.
      KC_HEALTH_ENABLED: "true"
      KC_METRICS_ENABLED: "true"
      KC_HTTPS_CERTIFICATE_FILE: "/mycerts/certfile.crt"
      KC_HTTPS_CERTIFICATE_KEY_FILE: "/mycerts/certfile.key"
      KC_HTTPS_PROTOCOLS: "TLSv1.2,TLSv1.3"
      KC_HTTPS_PORT: "8443"
      KC_HTTP_ENABLED: "true"
      KC_HTTP_PORT: 8080
      KC_LOG_LEVEL: info
      # No KC_CACHE / KC_CACHE_STACK is set, so each replica starts the default
      # JGroups stack (UDP multicast), which Docker overlay networks do not carry;
      # that is consistent with every replica logging "creating cluster as coordinator".
    healthcheck:
      # Only checks that port 8443 accepts a TCP connection; it does not query
      # the /health endpoints enabled above.
      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/8443"]
      interval: 15s
      timeout: 60s
      retries: 2
    command:
      start --spi-theme-static-max-age=-1 --spi-theme-cache-themes=false --spi-theme-cache-templates=false
    ports:
      - 8443:8443
      - 8080:8080
    volumes:
      - /etc/pki:/mycerts
      - /srv/keycloak/themes:/opt/keycloak/themes
    networks:
      - backend

networks:
  backend:
    driver: overlay
    attachable: true
    ipam:
      config:
        - subnet: 10.200.200.0/24
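An added check for the situation described in the question (example code, not from the thread or the Keycloak project): it reads each replica's log for the JGroups line quoted above ("no members discovered ... creating cluster as coordinator") and for Infinispan's "Received new cluster view" line, and reports which replicas are running as a lone coordinator instead of in a view with the expected number of members. The sample log lines are constructed; container names, node names and timestamps are invented.

```python
"""Report whether Keycloak replicas actually formed an Infinispan cluster, from their logs."""
import re
from typing import Dict, List

# JGroups prints this when discovery found no peers (the line quoted in the thread).
ALONE_RE = re.compile(r"no members discovered after (\d+) ms: creating cluster as coordinator")
# Infinispan view line (ISPN000094): "... channel ISPN: [node|viewId] (size) [member, member]"
VIEW_RE = re.compile(
    r"Received new cluster view for channel (\w+): \[(\S+)\|(\d+)\] \((\d+)\) \[([^\]]*)\]"
)


def cluster_state(lines: List[str]) -> Dict[str, object]:
    """Return the last known cluster view for one container's log lines."""
    state = {"alone": False, "view_id": None, "members": [], "coordinator": None}
    for line in lines:
        if ALONE_RE.search(line):
            # Discovery failed: the node created its own single-member cluster.
            state.update(alone=True, members=[], view_id=None, coordinator=None)
        m = VIEW_RE.search(line)
        if m:
            members = [x.strip() for x in m.group(5).split(",") if x.strip()]
            state.update(alone=len(members) == 1, view_id=int(m.group(3)),
                         members=members, coordinator=m.group(2))
    return state


def check_replicas(logs: Dict[str, List[str]], expected: int) -> List[str]:
    """One finding per container that is not in a view of `expected` members."""
    findings = []
    for name, lines in logs.items():
        st = cluster_state(lines)
        if st["alone"]:
            findings.append(f"{name}: running as a single-node coordinator (no HA)")
        elif len(st["members"]) != expected:
            findings.append(f"{name}: view has {len(st['members'])} members, expected {expected}")
    return findings


# Constructed sample lines in the shape of Keycloak 25 output; all values are invented.
SAMPLE_LOGS = {
    "keycloak.1": [
        "2024-07-01 10:00:01,000 WARN  [org.jgroups.protocols.pbcast.GMS] (main) keycloak-1: no members discovered after 2005 ms: creating cluster as coordinator",
        "2024-07-01 10:00:01,100 INFO  [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view for channel ISPN: [keycloak-1|0] (1) [keycloak-1]",
    ],
    "keycloak.2": [
        "2024-07-01 10:00:03,000 INFO  [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view for channel ISPN: [keycloak-2|0] (1) [keycloak-2]",
        "2024-07-01 10:00:09,000 INFO  [org.infinispan.CLUSTER] (main) ISPN000094: Received new cluster view for channel ISPN: [keycloak-2|1] (2) [keycloak-2, keycloak-3]",
    ],
}

if __name__ == "__main__":
    for finding in check_replicas(SAMPLE_LOGS, expected=2):
        print(finding)
```

Feed it the output of `docker service logs` per task (or each container's log) to confirm that every replica reports a view containing all replicas rather than the single-node coordinator line.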