I am running Keycloak v23.x in Kubernetes. This is the configuration:
```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: external-idp
spec:
  instances: 1
  db:
    vendor: oracle
    url: jdbc:oracle:thin:XXXXXX
    schema: NSB
    usernameSecret:
      name: keycloak-db-secret
      key: KC_DB_USERNAME
    passwordSecret:
      name: keycloak-db-secret
      key: KC_DB_PASSWORD
  http:
    tlsSecret: external-idp-tls-secret
    httpEnabled: true
  hostname:
    hostname: dev-external-idp.bankinvest.dk
    strict: false
    strictBackchannel: false
  unsupported:
    podTemplate:
      spec:
        containers:
          - name: keycloak
            resources:
              requests:
                memory: "1048M"
              limits:
                memory: "1048M"
            env:
              - name: KC_PROXY
                value: edge
              - name: KEYCLOAK_ADMIN
                value: admin
              - name: KEYCLOAK_ADMIN_PASSWORD
                value: admin1234
```
When I try to log in to the admin console, I get the error unknown user/password.
I know the env. variable KC_PROXY works, so why not the other two? The documentation says that if you set the admin user and password, an administrator will be created at startup.
Those instructions are fine when deploying keycloak "manually" -- e.g., by following these instructions. However, you're using the keycloak operator, which according to the documentation:
When deploying Keycloak, the operator generates an arbitrary initial admin username and password and stores those credentials as a basic-auth Secret object in the same namespace as the CR.
To fetch the initial admin credentials, you have to read and decode the Secret. The Secret name is derived from the Keycloak CR name plus the fixed suffix -initial-admin. To get the username and password for the example-kc CR, enter the following commands:
```
kubectl get secret example-kc-initial-admin -o jsonpath='{.data.username}' | base64 --decode
kubectl get secret example-kc-initial-admin -o jsonpath='{.data.password}' | base64 --decode
```
It is likely the operator overrides the values for `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD`, even when using a custom pod template.
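The lookup described in the answer, as an added example (not part of the original answer and not the operator's own code): it derives the Secret name from the CR name, decodes a basic-auth Secret as returned by `kubectl get secret <name> -o json`, and lists the admin env vars set as literals in the pod template. The function names and the Secret values are assumptions constructed for illustration; the CR mirrors the question's manifest.

```python
import base64

ADMIN_ENV = {"KEYCLOAK_ADMIN", "KEYCLOAK_ADMIN_PASSWORD"}

def initial_admin_secret_name(cr_name):
    """Keycloak CR name plus the fixed suffix, as the quoted documentation states."""
    return f"{cr_name}-initial-admin"

def decode_basic_auth(secret):
    """Return (username, password) from `kubectl get secret ... -o json` output."""
    if secret.get("type") != "kubernetes.io/basic-auth":
        raise ValueError(f"unexpected Secret type: {secret.get('type')!r}")
    data = secret["data"]
    return tuple(base64.b64decode(data[k]).decode() for k in ("username", "password"))

def admin_env_in_pod_template(cr):
    """Admin env vars set as literal values under spec.unsupported.podTemplate."""
    pod_spec = cr.get("spec", {}).get("unsupported", {}).get("podTemplate", {}).get("spec", {})
    return sorted(
        env["name"]
        for container in pod_spec.get("containers", [])
        for env in container.get("env", [])
        if env.get("name") in ADMIN_ENV and "value" in env
    )

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample input: the CR mirrors the question's manifest (trimmed);
# the Secret values are made up, not real operator output.
SAMPLE_CR = {
    "metadata": {"name": "external-idp"},
    "spec": {"unsupported": {"podTemplate": {"spec": {"containers": [{
        "name": "keycloak",
        "env": [
            {"name": "KC_PROXY", "value": "edge"},
            {"name": "KEYCLOAK_ADMIN", "value": "admin"},
            {"name": "KEYCLOAK_ADMIN_PASSWORD", "value": "admin1234"},
        ],
    }]}}}},
}
SAMPLE_SECRET = {
    "type": "kubernetes.io/basic-auth",
    "data": {"username": _b64("constructed-user"), "password": _b64("constructed-pass")},
}

if __name__ == "__main__":
    print("read Secret:", initial_admin_secret_name(SAMPLE_CR["metadata"]["name"]))
    print("literal admin env in podTemplate:", admin_env_in_pod_template(SAMPLE_CR))
```

For the CR in the question, the Secret to read is `external-idp-initial-admin`, in the same namespace as the CR.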