Setting up Keycloak with Docker, nginx and Let's Encrypt

In the previous post I discussed an approach to creating a test DigitalOcean droplet via Terraform and installing the required packages (Docker) for proof-of-concept environments.

Today I will talk about the next steps: we’re going to set up Keycloak, not just using the Docker command line, but with docker-compose, nginx and its Let’s Encrypt companion.

“Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.” (documentation).

In the next posts I will show you how to use it for seamless authentication in Nagios, Racktables or Zabbix, but first let’s set it up:

  1. Step one - create the new droplet.
  • clone the kariedo/keycloak-terraform-example repository;
  • adjust the external IP and SSH key fingerprint in terraform.tfvars;
  • load the DigitalOcean API token into the TF_VAR_do_token variable:
export TF_VAR_do_token="APItokenFromDigitalOceanControlPanel"
  • create the environment:
terraform init
terraform apply

Terraform will:

  • create the new ‘keycloak-id’ droplet;
  • create the new firewall rules to allow only TCP ports 80 and 443 (HTTP & HTTPS) from the Internet (plus SSH from your external IP);
  • install the Docker and Git packages;
  • add the centos user to the docker group so you can manage Docker as a non-root user;
  • add 2G of swap.

  2. Step two - create an A record pointing at the newly made droplet IP. In the demo I created id.starikevich.com.

  3. Step three - spin up Keycloak with the docker-compose code.

  • clone the kariedo/keycloak-docker-compose-example repository;
  • adjust the docker-compose.yml configuration:
    • POSTGRES_PASSWORD should be unique and match DB_PASSWORD;
    • KEYCLOAK_PASSWORD should be unique and at least 12 characters long;
    • VIRTUAL_HOST and LETSENCRYPT_HOST should be set to the domain name from step 2;
    • LETSENCRYPT_EMAIL should be set to your email address (see why this is important);
  • spin up the containers:
docker-compose up

docker-compose will:

  • create the nginx load balancer container called nginx-lb;
  • create the nginx config generator container called nginx-config-generator, using the awesome jwilder/docker-gen project;
  • create the nginx Let’s Encrypt companion container called letsencrypt-nginx-proxy-companion (kudos also to Jason Wilder);
  • create the Keycloak and PostgreSQL containers using the official images.

The initial start takes 2-3 minutes (to generate the certificates and populate the PostgreSQL database).

  4. Step four - after the initial start you should stop the containers and remove the admin user injection configuration:
  • stop docker-compose (press CTRL+C);
  • comment out the lines with KEYCLOAK_USER and KEYCLOAK_PASSWORD;
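As an added check (an example script, not code from this post or from the referenced repositories), the following bash script lints a docker-compose.yml against the constraints of steps 3 and 4: POSTGRES_PASSWORD is set and equal to DB_PASSWORD, KEYCLOAK_PASSWORD is at least 12 characters for the first start, and the KEYCLOAK_USER/KEYCLOAK_PASSWORD lines are commented out for every start after that. It assumes the environment entries are written as "- KEY=value" list items, and the sample fragments it creates are constructed for the demonstration.

```bash
# Added example, not from the original post or the referenced repositories.
# Assumes the compose environment entries are written as "- KEY=value" list
# items using the variable names from steps 3 and 4.

# Print the value of an active (uncommented) "- KEY=value" entry, or nothing.
compose_env() {  # compose_env FILE KEY
  sed -n "s/^[[:space:]]*-[[:space:]]*$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# lint_compose FILE PHASE   (PHASE is "initial" or "post-start")
# Returns 0 when the file satisfies the checks for that phase, 1 otherwise.
lint_compose() {
  local file="$1" phase="$2" rc=0
  local pg db kc_user kc_pass
  pg=$(compose_env "$file" POSTGRES_PASSWORD)
  db=$(compose_env "$file" DB_PASSWORD)
  kc_user=$(compose_env "$file" KEYCLOAK_USER)
  kc_pass=$(compose_env "$file" KEYCLOAK_PASSWORD)
  # Keycloak must connect with the same secret PostgreSQL was initialised with.
  if [ -z "$pg" ] || [ "$pg" != "$db" ]; then
    echo "POSTGRES_PASSWORD must be set and equal to DB_PASSWORD"; rc=1
  fi
  if [ "$phase" = initial ]; then
    # First start: the bootstrap admin is created from these two variables.
    if [ -z "$kc_user" ] || [ "${#kc_pass}" -lt 12 ]; then
      echo "KEYCLOAK_USER must be set and KEYCLOAK_PASSWORD >= 12 characters"; rc=1
    fi
  else
    # Later starts: the admin already exists in the database, so the bootstrap
    # credentials must be commented out rather than left active in the file.
    if [ -n "$kc_user" ] || [ -n "$kc_pass" ]; then
      echo "KEYCLOAK_USER/KEYCLOAK_PASSWORD still active after the initial start"; rc=1
    fi
  fi
  return "$rc"
}

# Constructed sample fragments; only the environment entries are relevant here.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/first.yml" <<'EOF'
      - POSTGRES_PASSWORD=Xk3pQ9vL2mNr8sTw
      - DB_PASSWORD=Xk3pQ9vL2mNr8sTw
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=Vq7zR4tY1uHj6bGf
EOF
# The step-4 edit: comment out the two bootstrap lines for subsequent starts.
sed 's/^\([[:space:]]*-[[:space:]]*KEYCLOAK_\)/#\1/' "$SAMPLE_DIR/first.yml" >"$SAMPLE_DIR/after.yml"
lint_compose "$SAMPLE_DIR/first.yml" initial && echo "first-start config OK"
lint_compose "$SAMPLE_DIR/after.yml" post-start && echo "post-start config OK"
```

Run it against your real docker-compose.yml with the phase "initial" before the first docker-compose up and with "post-start" after the step-4 edit; a non-zero exit status prints the violated constraint.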