Tags: kubernetes, keycloak, amazon-eks, keycloak-rest-api

Keycloak Admin password with external rds database


I have created a keycloak deployment/pod using the below yaml in my EKS kubernetes cluster. The keycloak is connected to an external postgres rds database. I created the admin user and password during initial setup using kubernetes secrets. Now if someone updates the admin password from the keycloak console/UI, what will be the impact of -

  1. The pod gets deleted and restarted.
  2. The keycloak deployment gets deleted and recreated using the same yaml having the same database configs.
  3. Updating the password value in the secret and rerunning the same deployment yaml. Can I log in with the new password?

In the above cases, will the initial password take precedence or the admin password in the database?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  selector:
    matchLabels:
      app: keycloak
  replicas: 1
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - image: quay.io/keycloak/keycloak:20.0.3
        name: keycloak
        args: ["start-dev"]
        env:
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-keycloak-secret
              key: keycloakpassword
        - name: KC_STORAGE
          value: "jpa"
        - name: KC_DB_DRIVER
          value: "org.postgresql.Driver"
        - name: KC_DB
          value: "postgres"
        - name: KC_DB_URL
          valueFrom:
            secretKeyRef:
              name: db-keycloak-secret
              key: dburl
        - name: KC_DB_URL_DATABASE
          value: "keycloak_db"
        - name: KC_DB_URL_PORT
          value: "5432"
        - name: KC_DB_USERNAME
          value: "qakeycloak"
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-keycloak-secret
              key: dbpassword
        - name: KC_HTTP_RELATIVE_PATH
          value: "/keycloak"
        - name: KC_HOSTNAME_STRICT_HTTPS
          value: "false"
        - name: KC_HOSTNAME_STRICT_BACKCHANNEL
          value: "true"
        - name: KC_HOSTNAME_STRICT
          value: "false"
        - name: KC_PROXY
          value: "edge"
        - name: KC_HTTP_ENABLED
          value: "true"
        ports:
          - containerPort: 8080

Solution

  • Updating the admin password from keycloak console/UI, the impact will be -

    1. The keycloak deployment gets deleted and recreated using the same yaml having the same database configs. Ans - Keycloak will preserve what is currently stored in the database, i.e. the changes made from the console. When you redeploy the keycloak deployment, it tries to create the admin user again but fails with the error (Failed to add user 'admin' to realm 'master': user with username exists). Thus the initial admin password set from the k8s yaml cannot update the admin user's password back to the old password. The admin user will work with the updated password only.

    Updating the password value in the secret and rerunning the same deployment yaml. Can you log in with the new password?

    • No. The password stored in the database will be used as the admin password.
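Because the database credential wins after a restart, the value in `db-keycloak-secret` can silently drift from the real admin password. The following added script (not from the question or the answer) checks for that drift in two ways: it scans pod log lines for the "user with username exists" message quoted above, and it tries the Secret's credential against the master realm token endpoint under the `/keycloak` relative path from the manifest. The base URL, username and password are assumptions you supply; the transport is injectable so the check can be tested offline.

```python
"""Detect drift between KEYCLOAK_ADMIN_PASSWORD in the Secret and the admin
credential actually stored in Keycloak's database (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Tuple

# Log fragment Keycloak emits on restart when the admin user already exists
# (quoted from the answer above): the bootstrap password is then ignored.
ADMIN_EXISTS_MARKER = "user with username exists"


def bootstrap_was_skipped(log_lines: Iterable[str]) -> bool:
    """True if any pod log line shows the initial-admin bootstrap was skipped."""
    return any(ADMIN_EXISTS_MARKER in line for line in log_lines)


def _http_post(url: str, body: bytes) -> Tuple[int, bytes]:
    """Real transport: POST form data and return (status, body) without raising."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def secret_password_still_valid(base_url: str, relative_path: str, username: str,
                                password: str,
                                post: Callable[[str, bytes], Tuple[int, bytes]] = _http_post) -> bool:
    """Try a password grant on the built-in admin-cli client in the master realm
    using the credential from the Secret. 200 means the Secret still matches the
    database; 401 (invalid_grant) means the console change has overtaken it."""
    token_url = (f"{base_url.rstrip('/')}{relative_path}"
                 "/realms/master/protocol/openid-connect/token")
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    status, body = post(token_url, form)
    if status == 200:
        return "access_token" in json.loads(body)
    if status == 401:
        return False
    raise RuntimeError(f"unexpected response {status} from {token_url}")


if __name__ == "__main__":
    # Constructed sample log line; in practice feed `kubectl logs deploy/keycloak`.
    sample = ["ERROR [org.keycloak.services] Failed to add user 'admin' to realm "
              "'master': user with username exists"]
    print("bootstrap skipped:", bootstrap_was_skipped(sample))
```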