
Migration of docker based keycloak configuration into kubernetes

 
userfolkz
New Member


I am developing a microservice-based application. Currently Docker runs all services. One of these services is keycloak. I need advice on how to migrate my configuration (especially keycloak) to kubernetes.

Application

The application consists of frontend code (JavaScript) running in the browser and the following backend components:

  1. frontend responsible for delivering the frontend code to the user's browser and running on port 8080 (https)

  2. backend responsible for delivering business data and running on port 8085 (https)

  3. keycloak responsible for authentication/authorization and running on port 8143 (https)

  4. nginx working as reverse proxy for internal Docker network (i.e. for all services above). The following host based rules are used:

    • keycloak.external -> keycloak
    • frontend.external -> frontend
    • backend.external -> backend

The application workflow:

The user authenticates in the frontend. For this purpose the frontend re-uses the keycloak login dialog (keycloak is running in the backend as one of the components). Afterwards the frontend uses the JSON Web Token provided by keycloak for authorization vs. the backend components in order to extract the required information and to present it in the browser.

Docker development configuration

Currently I develop all components on my laptop using containers for all backend components. I have added the following entries into /etc/hosts:

127.0.0.1 keycloak.external
127.0.0.1 frontend.external
127.0.0.1 backend.external

My docker-compose file looks like:

version: '3.5'
services:
  keycloak:
    image: keycloak
    container_name: keycloak
    secrets:
      - keycloak-server-crt
      - keycloak-server-key
      - source: keycloak-realm-conf
        target: /opt/keycloak/data/import/app-realm.json
    networks:
      default:
        aliases:
          - keycloak.external
    expose:
      - 8143
    command:
      - "start-dev"
      - "--import-realm"
      - "--http-enabled=false"
      - "--https-port=8143"
      - "--https-client-auth=none"
      - "--hostname-url=https://keycloak.external:8143"
      - "--hostname-strict-backchannel=true"
      - "--hostname-admin-url=https://keycloak.external:8143"
      - "--https-certificate-file=/run/secrets/keycloak-server-crt"
      - "--https-certificate-key-file=/run/secrets/keycloak-server-key"
      - "--proxy=reencrypt"
      - "--hostname-port=8143"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin

  backend:
    image: backend
    container_name: backend
    secrets:
      - source: backend-server-crt
        target: /usr/local/backend/certs/server.crt
      - source: backend-server-key
        target: /usr/local/backend/certs/server.key
    expose:
      - 8085
    environment:
      
      # keycloak settings
      KEYCLOAK_AUTH_URL: "https://keycloak.external:8143"
      KEYCLOAK_REALM: "APP"
      KEYCLOAK_CLIENT_ID: "backend"
      KEYCLOAK_SECRET: XXXXXX

  frontend:
    image: frontend
    container_name: frontend
    secrets:
      - source: frontend-server-crt
        target: /etc/nginx/certs/server.crt
      - source: frontend-server-key
        target: /etc/nginx/certs/server.key
    expose:
      - 8080
    environment:
      KEYCLOAK_AUTH_URL: "https://keycloak.external:8143"
      KEYCLOAK_REALM: "APP"
      KEYCLOAK_CLIENT_ID: "frontend"

  nginxproxy:
    image: nginx:latest
    container_name: nginxproxy
    ports:
      - "8143:8143"
      - "8085:8085"
      - "8080:8080"
    secrets:
      - source: nginxproxy-conf
        target: /etc/nginx/conf.d/default.conf
      - source: keycloak-server-crt
        target: /etc/nginx/certs/keycloak.external.crt
      - source: keycloak-server-key
        target: /etc/nginx/certs/keycloak.external.key
      - source: backend-server-crt
        target: /etc/nginx/certs/backend.crt
      - source: backend-server-key
        target: /etc/nginx/certs/backend.key
      - source: frontend-server-crt
        target: /etc/nginx/certs/frontend.crt
      - source: frontend-server-key
        target: /etc/nginx/certs/frontend.key
networks:
  default:
    name: my-network
    driver: bridge
    ipam:
      config:
        - subnet: 172.177.0.0/16

secrets:
......

 

networks:
  default:
    aliases:
      - keycloak.external

What is the best way to migrate my development configuration to kubernetes?

I can imagine that the keycloak URL issue can be solved by using a fixed ServiceIP XX.XX.XX.XX in the keycloak Service and consequently using hostAliases in the backend. Please verify:

hostAliases:
  - ip: "XX.XX.XX.XX"
    hostnames:
      - "keycloak.external"

 

Mahesh202
HPE Pro

Re: Migration of docker based keycloak configuration into kubernetes

Hi userfolkz

To migrate your microservice-based application to Kubernetes, you will need to create Kubernetes manifests for each of your services and configure them to work together. Here are the general steps you should follow:

1. Create Docker images of your frontend, backend, keycloak, and nginx services and push them to a Docker registry.
2. Define a Kubernetes cluster, either on-premises or in the cloud. You can use a managed Kubernetes service like Amazon EKS, Google Kubernetes Engine, or Azure Kubernetes Service, or set up your own cluster with tools like kubeadm, kops, or kubespray.
3. Create Kubernetes manifests for each of your services. This includes deployment manifests, service manifests, and optionally, ingress manifests if you want to expose your services to the internet.
4. Create a Kubernetes Service manifest for each service to provide a stable IP address and DNS name for the service.
5. Optionally, create ingress manifests to allow external access to your services. Here is an example of an ingress manifest for the frontend service:
6. Deploy your Kubernetes manifests to the cluster using kubectl apply.
7. Update the frontend code to use the new DNS names and IP addresses for your services. For example, you would update the KEYCLOAK_AUTH_URL environment variable in the frontend deployment manifest to use the new DNS name of the Keycloak service.
Regarding your specific question about the keycloak URL, you are correct that you can use a fixed ServiceIP and hostAliases to map the old DNS name to the new IP address in the backend deployment manifest. However, I would recommend using the new DNS name instead, as it is more flexible and easier to maintain in the long term.

Hope this helps!

Regards
Mahesh



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
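
The host-based rules of the nginx reverse proxy from the question, expressed as a single Ingress (an added example, not part of the original reply). It assumes the ingress-nginx controller, Services named keycloak, frontend and backend on the ports from the compose file, and a hypothetical TLS Secret `external-tls` covering the three hostnames.

```yaml
# Added example: assumes ingress-nginx; Service names and the TLS Secret
# name (external-tls) are hypothetical.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-external
  annotations:
    # The pods serve HTTPS themselves, so the controller re-encrypts to them.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - keycloak.external
        - frontend.external
        - backend.external
      secretName: external-tls
  rules:
    - host: keycloak.external
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8143
    - host: frontend.external
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 8080
    - host: backend.external
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backend
                port:
                  number: 8085
```

ingress-nginx listens on port 443 by default, so the port in `--hostname-url` and `KEYCLOAK_AUTH_URL` has to match the port the browser actually reaches.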
Sunitha_Mod
Moderator

Re: Migration of docker based keycloak configuration into kubernetes

Hello @userfolkz,

Let us know if you were able to resolve the issue.

If you have no further query and you are satisfied with the answer then kindly mark the topic as Solved so that it is helpful for all community members.



Thanks,
Sunitha G
I'm an HPE employee.