Deploy Keycloak to Kubernetes cluster on GCP

I created this guide because when I tried to search for the solution I couldn’t find it. I thought this would be trivial, but it turns out it was not. I’m not going to go into all the dead-end streets I hit along the way; I will just give the solution.

First we need to create the VPC. I want to show the full configuration, so some steps might not apply to your case. But what you will need is a reserved range, so if you are working with an existing network make sure you perform step number 2.

# create a VPC
gcloud compute networks create auth-network-2 --subnet-mode custom --bgp-routing-mode regional
# reserve address space for the db (this is the range the private services connection hands out)
gcloud beta compute addresses create mysql-range-2 --global --purpose=VPC_PEERING --addresses=10.1.0.0 --prefix-length=16 --network=auth-network-2
# add the firewall rule: MySQL ports only, from inside the VPC only, to the reserved range only
gcloud compute firewall-rules create allowe-connect-to-db --direction=ingress --network auth-network-2 --allow tcp:3306,tcp:3307 --source-ranges 10.0.0.0/8 --destination-ranges=10.1.0.0/16
# create a subnet for the cluster
gcloud compute networks subnets create kyclock-subnet-2 --network=auth-network-2 --range=10.2.0.0/16 --region europe-west4 --enable-flow-logs --enable-private-ip-google-access

Next we have to set up our IAM service account. This is needed to create the database connection. Make sure that you have the Cloud SQL API enabled.

# create service account
gcloud iam service-accounts create keycloak-master
# create a key and save it to a file (this is a long-lived credential; keep it out of source control)
gcloud iam service-accounts keys create key.json --iam-account keycloak-master@forexsignals-404f2.iam.gserviceaccount.com
# grant cloud sql viewer to the service account
gcloud projects add-iam-policy-binding forexsignals-404f2 --member serviceAccount:keycloak-master@forexsignals-404f2.iam.gserviceaccount.com --role roles/cloudsql.viewer
# grant cloud sql client to the service account
gcloud projects add-iam-policy-binding forexsignals-404f2 --member serviceAccount:keycloak-master@forexsignals-404f2.iam.gserviceaccount.com --role roles/cloudsql.client

Third, because I want to show how Keycloak works in cluster mode, we need a shared database instance. This time we are going to use the console: I want to take advantage of a beta feature, and it is not yet available from the gcloud tool. First we have to create an instance. This is the machine that will host our database.

On the next screen choose ‘MySQL Development’; it is the cheapest option. Then set the instance id, root password, and region/zone (make sure that the cluster will run in the same region in which you created the private VPC and the reserved range). What is important is to enable Connectivity via Private IP. It is a beta feature, but thanks to it you don’t have to expose the instance to the internet and then block traffic using a firewall. Google’s documentation also suggests that it’s faster. The database will get an address from the range that you specified earlier, via VPC network peering. Make sure you select the proper network and IP range.

First click connect, and after it is connected you can hit the create button. After the instance is created, create a database and name it auth_db.

The rest is fairly straightforward.

# mirror the image into your own container registry; not really necessary, but I thought I would have to modify the image
docker pull jboss/keycloak:4.5.0.Final
docker tag jboss/keycloak:4.5.0.Final eu.gcr.io/forexsignals-404f2/keycloak:4.5.0.Final
docker push eu.gcr.io/forexsignals-404f2/keycloak:4.5.0.Final
# create the cluster in the VPC and subnet created earlier
gcloud container clusters create keycloak-cluster --num-nodes=1 --machine-type=n1-standard-2 --network=auth-network-2 --subnetwork=kyclock-subnet-2 --zone europe-west4-c --enable-autoscaling --max-nodes=1 --min-nodes=1 --enable-ip-alias --scopes=https://www.googleapis.com/auth/sqlservice
# get credentials
gcloud container clusters get-credentials keycloak-cluster --zone europe-west4-c --project forexsignals-404f2
# create secret with the service account key
kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=key.json
# create the user on the instance
gcloud sql users create keycloak --host=% --instance=auth-instance-1 --password=keycloak
# create secret with db credentials (demo values; generate real passwords for anything beyond a test cluster)
kubectl create secret generic cloudsql-db-credentials --from-literal=username=keycloak --from-literal=password=keycloak
# create secret with keycloak admin credentials
kubectl create secret generic admin-credentials --from-literal=username=admin --from-literal=password=pass321
# create the deployment (file in the section at the bottom)
kubectl apply -f keycloak-deployemnt.yaml
# scale the deployment so you can see the cluster forming
kubectl scale --replicas=2 deployment/keycloak

If all goes according to plan you will see a message in the logs that two nodes have formed a cluster.
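To show how the three secrets created above are wired into the pods, here is an example deployment manifest added for this guide; it is not the author’s keycloak-deployemnt.yaml, which is not reproduced on this page. It assumes the Cloud SQL instance is auth-instance-1 in europe-west4, that the jboss/keycloak 4.5 image runs its standalone-ha configuration with JGroups DNS_PING against a headless Service named keycloak-headless in the default namespace, and that a Cloud SQL Proxy sidecar reaches the instance over its private IP using the key.json mounted from the cloudsql-instance-credentials secret.

```yaml
# Added example, not the author's keycloak-deployemnt.yaml. Assumed: Cloud SQL instance
# auth-instance-1 in europe-west4, a headless Service named keycloak-headless in namespace
# default (for JGroups DNS_PING), and the image running its standalone-ha configuration.
apiVersion: apps/v1
kind: Deployment
metadata: {name: keycloak}
spec:
  replicas: 1
  selector: {matchLabels: {app: keycloak}}
  template:
    metadata: {labels: {app: keycloak}}
    spec:
      containers:
      - name: keycloak
        image: eu.gcr.io/forexsignals-404f2/keycloak:4.5.0.Final
        ports: [{containerPort: 8080}]
        env:
        - {name: DB_VENDOR, value: mysql}
        - {name: DB_ADDR, value: "127.0.0.1"}   # reach MySQL through the proxy sidecar in this pod
        - {name: DB_PORT, value: "3306"}
        - {name: DB_DATABASE, value: auth_db}
        # credentials come from the Secrets created above, never from the manifest itself
        - name: DB_USER
          valueFrom: {secretKeyRef: {name: cloudsql-db-credentials, key: username}}
        - name: DB_PASSWORD
          valueFrom: {secretKeyRef: {name: cloudsql-db-credentials, key: password}}
        - name: KEYCLOAK_USER
          valueFrom: {secretKeyRef: {name: admin-credentials, key: username}}
        - name: KEYCLOAK_PASSWORD
          valueFrom: {secretKeyRef: {name: admin-credentials, key: password}}
        # cluster members find each other via DNS records of the headless Service (assumed name)
        - {name: JGROUPS_DISCOVERY_PROTOCOL, value: dns.DNS_PING}
        - {name: JGROUPS_DISCOVERY_PROPERTIES, value: "dns_query=keycloak-headless.default.svc.cluster.local"}
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.14
        command: ["/cloud_sql_proxy",
                  "-instances=forexsignals-404f2:europe-west4:auth-instance-1=tcp:3306",
                  "-ip_address_types=PRIVATE",   # use the peered private IP, not a public one
                  "-credential_file=/secrets/cloudsql/credentials.json"]
        volumeMounts:
        - {name: cloudsql-instance-credentials, mountPath: /secrets/cloudsql, readOnly: true}
      volumes:
      - name: cloudsql-instance-credentials
        secret: {secretName: cloudsql-instance-credentials}
---
apiVersion: v1
kind: Service
metadata: {name: keycloak-headless}
spec: {clusterIP: None, selector: {app: keycloak}, ports: [{port: 8080}]}
```

After `kubectl apply -f` and scaling to two replicas, the Keycloak container logs should report the second member joining the JGroups view; the proxy sidecar logs show each MySQL connection being opened over the private address.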

You can expose it to the internet by running the command below. Note that this serves Keycloak over plain HTTP, and Keycloak realms default to requiring SSL for external requests, so expect an “HTTPS required” response until you terminate TLS in front of it (for example with an Ingress and a certificate).

kubectl expose deployment keycloak --type=LoadBalancer --port 80 --target-port 8080

Files