Keycloak Operator¶
A GitOps-friendly Kubernetes operator for managing Keycloak instances, realms, and OAuth2/OIDC clients declaratively.
Why Use This Operator?¶
vs. Official Keycloak Operator¶
- β True Multi-Tenancy: Cross-namespace realm and client provisioning
- β GitOps Native: Namespace grant lists instead of manual secret distribution
- β Declarative Authorization: RBAC + namespace grants, no separate token system
- β Built for Production: Rate limiting, drift detection, admission webhooks
- β Comprehensive Status: Rich status fields with observedGeneration tracking
vs. Manual Keycloak Management¶
- β No Admin Console Access: Everything through Kubernetes CRDs
- β Drift Detection: Automatic detection of manual changes
- β Automated Credentials: Client secrets managed as Kubernetes secrets
- β Full Observability: Prometheus metrics, structured logging
π Quick Start (3 Helm Charts)¶
Deploy a complete Keycloak setup with database, operator, realm, and client:
# 1. Deploy PostgreSQL (CloudNativePG)
helm install cnpg cloudnative-pg/cloudnative-pg \
--namespace cnpg-system --create-namespace
# 2. Install operator + Keycloak instance
helm install keycloak-operator keycloak-operator/keycloak-operator \
--namespace keycloak-system --create-namespace \
--set keycloak.enabled=true \
--set keycloak.database.cnpg.enabled=true
# 3. Create realm (in your app namespace)
helm install my-realm keycloak-operator/keycloak-realm \
--namespace my-app --create-namespace \
--set realmName=my-app \
--set instanceRef.name=keycloak \
--set instanceRef.namespace=keycloak-system \
--set 'clientAuthorizationGrants={my-app}'
# 4. Create OAuth2 client
helm install my-client keycloak-operator/keycloak-client \
--namespace my-app \
--set clientId=my-app \
--set realmRef.name=my-realm \
--set 'redirectUris={https://my-app.example.com/callback}'
π Complete Quick Start Guide β
β¨ Key Features¶
- π Secure by Default - Kubernetes RBAC controls all access, no separate auth system
- π¦ GitOps Ready - Declarative CRDs with full status reporting and drift detection
- π― Multi-Tenant - Cross-namespace realm and client provisioning with namespace grants
- β‘ Production Ready - Rate limiting, admission webhooks, HA support with CloudNativePG
- π Observable - Prometheus metrics, structured logging, comprehensive status conditions
- π Drift Detection - Automatic detection and remediation of configuration drift
ποΈ Architecture¶
The operator manages three core resources:
ββββββββββββββββ βββββββββββββββββββ ββββββββββββββββββββ
β Keycloak ββββββΆβ KeycloakRealm ββββββΆβ KeycloakClient β
β (Instance) β β (Identity) β β (OAuth2/OIDC) β
ββββββββββββββββ βββββββββββββββββββ ββββββββββββββββββββ
- Keycloak: Identity server instance with PostgreSQL database
- KeycloakRealm: Identity domain containing users, roles, and settings
- KeycloakClient: OAuth2/OIDC applications with automated credentials
π Documentation¶
Getting Started¶
- Quick Start Guide - Get running in 10 minutes
- Architecture Overview - How the operator works
- Security Model - Authorization and access control
Configuration¶
- KeycloakRealm Reference - Complete realm options
- KeycloakClient Reference - Complete client options
- Identity Providers - Integrate Google, GitHub, Azure AD, etc.
Operations¶
- Admission Webhooks - Validation and resource quotas
- Drift Detection - Orphan detection and remediation
- Observability - Metrics, logging, and monitoring
- Troubleshooting - Common issues and solutions
Development¶
- Development Guide - Contributing to the project
- Decision Records - Architecture decisions and rationale
π Security & Authorization¶
The operator uses Kubernetes RBAC for all authorization - no separate token system.
Realm Creation¶
Any user with RBAC permission to create KeycloakRealm resources can create realms. Control this with standard Kubernetes RoleBindings:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: realm-creator
namespace: my-app
rules:
- apiGroups: ["vriesdemichael.github.io"]
resources: ["keycloakrealms"]
verbs: ["create", "update", "patch"]
Client Creation¶
Clients require namespace authorization from the realm. Realm owners grant access via clientAuthorizationGrants:
apiVersion: vriesdemichael.github.io/v1
kind: KeycloakRealm
metadata:
name: my-realm
spec:
clientAuthorizationGrants:
- dev-team-namespace
- staging-namespace
Only namespaces in the grant list can create clients in that realm.
π Full Security Model Documentation β
π Status & Observability¶
All resources provide comprehensive status information:
status:
phase: Ready
conditions:
- type: Ready
status: "True"
reason: ReconciliationSucceeded
message: "Realm is healthy and synchronized"
observedGeneration: 5
realmId: "a1b2c3d4-5678-90ab-cdef-1234567890ab"
internalUrl: "http://keycloak.keycloak-system.svc:8080/realms/my-app"
publicUrl: "https://keycloak.example.com/realms/my-app"
π Drift Detection¶
The operator continuously monitors for: - Orphaned Resources - Realms/clients in Keycloak not tracked by CRs - Configuration Drift - Manual changes to Keycloak resources - Missing Resources - CRs referencing deleted Keycloak objects
π Drift Detection Guide β
π¦ Admission Webhooks¶
Validate resources before they reach etcd:
- β
Immediate error feedback on kubectl apply
- β
Enforce resource quotas (max realms per namespace)
- β
Validate cross-resource references
- β
Prevent invalid configurations
π Admission Webhooks Guide β
π€ Contributing¶
Contributions welcome! See the Development Guide for: - Setting up your development environment - Running tests - Submitting pull requests - Architecture decision records (ADRs)
π License¶
MIT License - see LICENSE for details.