10

I'm trying to configure a dockerized Keycloak server, for example by creating a realm with a CLI command in the Dockerfile:

    FROM quay.io/keycloak/keycloak:11.0.0

    # Create realm "realm_borrar" on keycloak
    RUN /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=my_new_realm -s enabled=true -o --server http://localhost:8080/auth --realm master --user admin --password admin

The result of docker build -f ... is:

    Logging into http://localhost:8080/auth as user admin of realm master
    Failed to send request - Connect to localhost:8080 [localhost/127.0.0.1] failed: Connection refused (Connection refused)

If I run the container (created with the same Dockerfile but with the RUN statement removed) and execute the same CLI command (kcadm.sh ....), it works.

What is the proper way to configure Keycloak in the Dockerfile?

Thanks.

Paco Abato

2 Answers

4

Here is an example of how to do it on Ubuntu...

  1. At a terminal, run Keycloak as a dockerfile, e.g.:

    docker run --name keycloak -p 8484:8080 -e DB_VENDOR=h2 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:11.0.0 
    
  2. At another terminal, run the CLI commands you need as exec commands for the container, e.g. for kcadm.sh get realms do:

    docker exec -it keycloak /opt/jboss/keycloak/bin/kcadm.sh get realms --server http://localhost:8080/auth --realm master --user admin --password admin 
    

If you want to run everything on the same terminal, use -d (detach) on the first docker command.

To create realms using a file, map the directory of the file inside Keycloak when running (mapping files directly should also work in theory), e.g.:

    docker run --name keycloak -p 8484:8080 -d -e DB_VENDOR=h2 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -v host_abs_path:/cfg jboss/keycloak:11.0.0 
    #wait for keycloak to start...
    sleep 10
    docker exec -it keycloak /opt/jboss/keycloak/bin/kcadm.sh create realms --server http://localhost:8080/auth --realm master --user admin --password admin -f /cfg/my_realms.json
ntg
1

Obviously, Keycloak must be running and it must be connected to the DB when you want to add a realm. And that's not the case when you are building a Docker image. It can be done only when the container is running, so use startup scripts.

https://hub.docker.com/r/jboss/keycloak/

A custom script can be added by creating your own Dockerfile:

    FROM keycloak
    COPY custom-scripts/ /opt/jboss/startup-scripts/

Jan Garaj
  • I guess that startup scripts will be executed any time the container is initialized, so on restarting it the configuration would be repeated, i.e. if the script creates a realm and I stop and restart the container, the realm would be created again (supposing that Keycloak allows the same realm). – Paco Abato Oct 23 '20 at 05:24
  • @PacoAbato so why don't you also include business logic in the script: create the realm only if the realm doesn't exist – Jan Garaj Oct 23 '20 at 05:28
  • I have just read that containers should not be stopped and resumed but destroyed and again created for new https://stackoverflow.com/a/62563081/2595658 I will try your solution in a while, thanks. – Paco Abato Oct 23 '20 at 05:33
  • 2
    I managed to execute startup scripts but commands like `/opt/jboss/keycloak/bin/kcadm.sh create realms ` keep on failing. I guess I must use embedded commands like `/subsystem=keycloak-server/:write-attribute(name=web-context,value=myContext)` but can't find which attributes would do the work for adding a realm for example. – Paco Abato Oct 23 '20 at 12:25
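
An added example, not code from either answer or from the Keycloak project: a host-side script that combines the first answer's `docker exec` approach with the create-only-if-missing idea from the comments, polling for readiness instead of a fixed `sleep 10`. The function names and the `KC_CONTAINER` / `KC_SERVER` variables are assumptions, as is kcadm.sh exiting non-zero when the realm is not found; admin credentials are read from the caller's environment rather than hard-coded.

```sh
#!/bin/sh
# Added example (not from the answers): idempotent realm bootstrap from the host.
# Assumed names: KC_CONTAINER, KC_SERVER and all function names are illustrative.
# Admin credentials are read from KEYCLOAK_USER / KEYCLOAK_PASSWORD in the
# calling environment instead of being hard-coded as admin/admin.
KC_CONTAINER="${KC_CONTAINER:-keycloak}"
KC_SERVER="${KC_SERVER:-http://localhost:8080/auth}"

# Run kcadm.sh inside the container; no -it, so it also works without a TTY (CI).
kcadm() {
    docker exec "$KC_CONTAINER" /opt/jboss/keycloak/bin/kcadm.sh "$@"
}

# Poll until an admin login succeeds, replacing the fixed "sleep 10".
# A successful login is cached in kcadm's config file inside the container,
# so the later calls do not repeat the password.
# $1 = max attempts (default 30), $2 = seconds between attempts (default 2)
wait_for_keycloak() {
    wfk_left="${1:-30}"
    wfk_delay="${2:-2}"
    while [ "$wfk_left" -gt 0 ]; do
        if kcadm config credentials --server "$KC_SERVER" --realm master \
            --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD" >/dev/null 2>&1
        then
            return 0
        fi
        wfk_left=$((wfk_left - 1))
        sleep "$wfk_delay"
    done
    return 1
}

# Assumption: kcadm.sh exits non-zero when the realm resource is not found.
realm_exists() {
    kcadm get "realms/$1" >/dev/null 2>&1
}

# Create the realm only when it is absent, so re-running is harmless.
ensure_realm() {
    if realm_exists "$1"; then
        echo "realm '$1' already exists, skipping"
        return 0
    fi
    kcadm create realms -s "realm=$1" -s enabled=true
}

# Typical use once "docker run -d ..." has started the container:
#   wait_for_keycloak && ensure_realm my_new_realm
```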