# Keycloak Operator Component

Identity and Access Management (IAM) solution that uses the Keycloak Operator for a Kubernetes-native deployment. It manages realms, clients, users, and LDAP federation.
## Architecture

- Keycloak Server - IAM platform with SSO
- Operator CRDs - Keycloak, KeycloakRealmImport
- Realms - Multi-tenant isolation
- Clients - OAuth2/OIDC applications
- Users - Identity management
## Quick Reference

| Attribute | Example | Default | Effect |
|---|---|---|---|
| `namespace` (required) | `keycloak` | - | Kubernetes namespace |
| `admin_username` | `admin` | `admin` | Console admin user |
| `admin_password` | `changeme` | - | Console admin password |
| `db_host` | `postgres-rw` | - | External PostgreSQL host |
| `db_name` | `keycloak` | `keycloak` | Database name |
| `db_user` | `keycloak` | - | Database username |
| `db_password` | `secret` | - | Database password |
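
The following is an added example, not this component's own code: it maps the attributes above onto the Kubernetes objects the operator consumes, validating that required attributes are present and that the two passwords are not left at the placeholder values shown in the Example column. The credentials are written only into Secrets and referenced from the Keycloak CR, so the CR can be committed without leaking them. Assumptions: the Secret names `keycloak-db-credentials`, `keycloak-initial-admin` and `keycloak-tls`, the optional `hostname` attribute, and the CR layout following the `k8s.keycloak.org/v2alpha1` schema (`db.usernameSecret`/`db.passwordSecret`, `bootstrapAdmin.user.secret`) as documented for Keycloak 26.

```python
# Added example (not the component's own code): render Secrets + Keycloak CR from
# the Quick Reference attributes. Secret names and the `hostname` attribute are assumed.
import json

REQUIRED = ("namespace", "admin_password", "db_host", "db_user", "db_password")
PLACEHOLDERS = {"changeme", "secret", "password", "admin"}
DB_SECRET = "keycloak-db-credentials"    # assumed name
ADMIN_SECRET = "keycloak-initial-admin"  # assumed name
TLS_SECRET = "keycloak-tls"              # assumed name; provisioned outside this example


def validate_attributes(attrs: dict) -> list:
    """Return a list of problems; an empty list means the attributes are usable."""
    problems = []
    for key in REQUIRED:
        if not attrs.get(key):
            problems.append(f"missing required attribute: {key}")
    for key in ("admin_password", "db_password"):
        value = attrs.get(key)
        if value and value.lower() in PLACEHOLDERS:
            problems.append(f"{key} is a placeholder value; set a real secret")
    return problems


def contains_plaintext(manifest: dict, value: str) -> bool:
    """True if `value` appears anywhere in the serialized manifest."""
    return value in json.dumps(manifest)


def render_manifests(attrs: dict) -> list:
    """Return [db Secret, admin Secret, Keycloak CR]; credentials live only in the Secrets."""
    problems = validate_attributes(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    ns = attrs["namespace"]

    def secret(name: str, data: dict) -> dict:
        return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                "metadata": {"name": name, "namespace": ns}, "stringData": data}

    keycloak_cr = {
        "apiVersion": "k8s.keycloak.org/v2alpha1",
        "kind": "Keycloak",
        "metadata": {"name": "keycloak", "namespace": ns},
        "spec": {
            "instances": 1,
            "db": {
                "vendor": "postgres",
                "host": attrs["db_host"],
                "database": attrs.get("db_name", "keycloak"),
                # credentials are referenced by Secret name/key, never inlined in the CR
                "usernameSecret": {"name": DB_SECRET, "key": "username"},
                "passwordSecret": {"name": DB_SECRET, "key": "password"},
            },
            # initial console admin comes from a Secret with `username`/`password` keys
            "bootstrapAdmin": {"user": {"secret": ADMIN_SECRET}},
            # `hostname` is an assumed attribute; default to the in-cluster service name
            "hostname": {"hostname": attrs.get("hostname", f"keycloak.{ns}.svc")},
            "http": {"tlsSecret": TLS_SECRET},  # serve 8443 with an operator-managed TLS secret
        },
    }
    manifests = [
        secret(DB_SECRET, {"username": attrs["db_user"], "password": attrs["db_password"]}),
        secret(ADMIN_SECRET, {"username": attrs.get("admin_username", "admin"),
                              "password": attrs["admin_password"]}),
        keycloak_cr,
    ]
    # The CR is the file most likely to end up in git: refuse to emit it with a secret inside.
    for pw in (attrs["db_password"], attrs["admin_password"]):
        if contains_plaintext(keycloak_cr, pw):
            raise ValueError("a password leaked into the Keycloak CR")
    return manifests


if __name__ == "__main__":
    # Constructed sample attributes matching the Quick Reference table
    sample = {"namespace": "keycloak", "admin_username": "admin",
              "admin_password": "S3cure-Adm1n!", "db_host": "postgres-rw",
              "db_name": "keycloak", "db_user": "keycloak", "db_password": "p0stgres-Pw!"}
    for manifest in render_manifests(sample):
        print(json.dumps(manifest, indent=2))
```

Feeding the table's literal example values (`changeme`, `secret`) through `validate_attributes` produces errors rather than manifests, which is the intended behaviour for a pre-deploy check.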
## Link Variables

| Variable | Link Type | Purpose |
|---|---|---|
| `__prometheus` | `prometheus-keycloak` | Metrics scraping via ServiceMonitor |
| `__apisix` | `apisix-keycloak` | Gateway routing for console |
| `__client` | (sub-component) | OAuth2/OIDC client registration |
| `__user_keycloak` | (sub-component) | User creation in realm |
| `__sub_ldap` | (sub-component) | LDAP federation configuration |
| `__sub_client` | (sub-component) | Client sub-component |
## Sub-Components

| Type | Purpose | Key Attributes |
|---|---|---|
| `client` | OAuth2/OIDC application | `client_id`, `client_secret`, `redirect_uris` |
| `user_keycloak` | User account | `username`, `email`, `password`, `roles` |
| `ldap` | LDAP/AD federation | `ldap_url`, `bind_dn`, `user_dn` |
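
The next block is an added example, not the component's own code: it turns the three sub-component attribute sets above into the `KeycloakRealmImport` CR (the `realm.yaml` the component generates), and checks the settings that most often go wrong in a realm import before anything reaches the cluster: redirect URIs must be exact, absolute and TLS-protected (plain `http` only for localhost, no `*` wildcards), the client is confidential with the password grant disabled, the initial user password is marked temporary, and LDAP federation must use `ldaps://` or StartTLS so bind credentials do not cross the network in clear text. Assumptions: a `bind_credential` attribute for the LDAP bind password and an optional `start_tls` flag (neither is listed in the table), the Keycloak CR being named `keycloak`, and the realm JSON following Keycloak's realm-representation format (`clients`, `users`, `components`).

```python
# Added example (not the component's own code): build a KeycloakRealmImport CR from
# client / user_keycloak / ldap sub-component attributes. `bind_credential`, `start_tls`
# and the Keycloak CR name `keycloak` are assumptions.
from typing import Optional
from urllib.parse import urlsplit

API_VERSION = "k8s.keycloak.org/v2alpha1"
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def check_redirect_uri(uri: str) -> Optional[str]:
    """Return a problem description, or None if the redirect URI is acceptable.

    Authorization codes are delivered to these URIs, so they must be exact,
    absolute and TLS-protected (plain http is tolerated only for local development).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return f"{uri}: must be an absolute http(s) URL"
    if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
        return f"{uri}: plain http is only acceptable for localhost"
    if "*" in uri:
        return f"{uri}: wildcard redirect URIs are too broad"
    return None


def client_representation(attrs: dict) -> dict:
    """Confidential OIDC client built from a `client` sub-component."""
    problems = [p for p in map(check_redirect_uri, attrs["redirect_uris"]) if p]
    if len(attrs["client_secret"]) < 16:
        problems.append("client_secret is too short")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "clientId": attrs["client_id"],
        "secret": attrs["client_secret"],
        "publicClient": False,               # confidential: secret required at the token endpoint
        "standardFlowEnabled": True,         # authorization-code flow
        "directAccessGrantsEnabled": False,  # no resource-owner-password grant
        "redirectUris": list(attrs["redirect_uris"]),
    }


def user_representation(attrs: dict) -> dict:
    """User from a `user_keycloak` sub-component; the initial password must be changed on first login."""
    return {
        "username": attrs["username"],
        "email": attrs["email"],
        "enabled": True,
        "credentials": [{"type": "password", "value": attrs["password"], "temporary": True}],
        "realmRoles": list(attrs.get("roles", [])),
    }


def ldap_component(attrs: dict) -> dict:
    """Read-only user-storage component from an `ldap` sub-component."""
    start_tls = bool(attrs.get("start_tls", False))
    if urlsplit(attrs["ldap_url"]).scheme != "ldaps" and not start_tls:
        raise ValueError("ldap_url must use ldaps:// or start_tls must be enabled")
    return {
        "name": "ldap",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": {  # Keycloak stores every component config value as a list of strings
            "connectionUrl": [attrs["ldap_url"]],
            "bindDn": [attrs["bind_dn"]],
            "bindCredential": [attrs["bind_credential"]],
            "usersDn": [attrs["user_dn"]],
            "authType": ["simple"],
            "editMode": ["READ_ONLY"],
            "startTls": [str(start_tls).lower()],
        },
    }


def build_realm_import(namespace: str, realm: str, clients=(), users=(), ldap=None) -> dict:
    """KeycloakRealmImport CR applied by the operator to the Keycloak CR named `keycloak`."""
    realm_rep = {
        "realm": realm,
        "enabled": True,
        "clients": [client_representation(c) for c in clients],
        "users": [user_representation(u) for u in users],
    }
    if ldap is not None:
        realm_rep["components"] = {"org.keycloak.storage.UserStorageProvider": [ldap_component(ldap)]}
    return {
        "apiVersion": API_VERSION,
        "kind": "KeycloakRealmImport",
        "metadata": {"name": f"{realm}-realm", "namespace": namespace},
        "spec": {"keycloakCRName": "keycloak", "realm": realm_rep},
    }


if __name__ == "__main__":
    import json
    # Constructed sample sub-components
    manifest = build_realm_import(
        "keycloak", "tenant-a",
        clients=[{"client_id": "portal", "client_secret": "replace-with-32-random-bytes",
                  "redirect_uris": ["https://portal.example.com/callback"]}],
        users=[{"username": "alice", "email": "alice@example.com",
                "password": "initial-Pw-1", "roles": ["viewer"]}],
        ldap={"ldap_url": "ldaps://ldap.example.com:636", "bind_dn": "cn=svc,dc=example,dc=com",
              "bind_credential": "bind-secret", "user_dn": "ou=people,dc=example,dc=com"},
    )
    print(json.dumps(manifest, indent=2))
```

Note that the realm import carries the client secret, user password and LDAP bind credential inside the CR, so the rendered `realm.yaml` needs the same handling as `secret/cloud.env` rather than being committed alongside `keycloak.yaml`.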
## Generated Files

| File | Condition | Contains |
|---|---|---|
| `keycloak.yaml` | Always | Keycloak CR definition |
| `realm.yaml` | Always | KeycloakRealmImport CR |
| `master-realm.yaml` | Always | Master realm config |
| `keycloak-deployment.yaml` | Always | Operator deployment |
| `monitoring.yaml` | `__prometheus` | ServiceMonitor for metrics |
| `crds/*.yml` | Always | Operator CRD definitions |
| `secret/cloud.env` | Always | Client configurations |
## Ports

| Port | Purpose | Protocol |
|---|---|---|
| 8080 | HTTP (console + API) | HTTP |
| 8443 | HTTPS (console + API) | HTTPS |
| 9000 | Metrics endpoint | HTTP |
## Endpoint Paths

- `/admin/master/console` - Admin console
- `/realms/{realm}` - Realm endpoint
- `/realms/{realm}/protocol/openid-connect/token` - Token endpoint
- `/realms/{realm}/protocol/openid-connect/auth` - Authorization
- `/realms/{realm}/protocol/openid-connect/userinfo` - User info
- `/metrics` - Prometheus metrics (port 9000)
## Technical Info

- Operator Version: 26.1.4
- CRDs: Keycloak, KeycloakRealmImport
- Ports: 8080 (HTTP), 8443 (HTTPS), 9000 (metrics)