Chart version: 0.6.0
Api version: v1
App version: 3.4.3.Final
Open Source Identity and Access Management For Modern Applicati...
Chart Type
Set me up:
helm repo add center
Install Chart:
helm install keycloak center/incubator/keycloak
Versions (0)


NOTE: This chart has been DEPRECATED. Please use stable/keycloak.

Keycloak is an open source identity and access management for modern applications and services.


$ helm repo add incubator
$ helm install incubator/keycloak


This chart bootstraps a Keycloak StatefulSet on a Kubernetes cluster using the Helm package manager. It provisions a fully featured Keycloak installation. For more information on Keycloak and its capabilities, see its documentation.

Prerequisites Details

The chart has an optional dependency on the PostgreSQL chart. By default, the PostgreSQL chart requires PV support on underlying infrastructure (may be disabled).

Installing the Chart

To install the chart with the release name keycloak:

$ helm install --name keycloak incubator/keycloak

Uninstalling the Chart

To uninstall/delete the keycloak deployment:

$ helm delete keycloak


The following table lists the configurable parameters of the Keycloak chart and their default values.

Parameter Description Default
init.image.repository Init image repository alpine
init.image.tag Init image tag 3.6
init.image.pullPolicy Init image pull policy IfNotPresent
keycloak.replicas The number of Keycloak replicas 1
keycloak.image.repository The Keycloak image repository jboss/keycloak
keycloak.image.tag The Keycloak image tag 3.4.3.Final
keycloak.image.pullPolicy The Keycloak image pull policy IfNotPresent
keycloak.image.pullSecrets Specify image pull secrets nil (does not add image pull secrets to deployed pods)
keycloak.username Username for the initial Keycloak admin user keycloak
keycloak.password Password for the initial Keycloak admin user. If not set, a random 10 characters password is created ""
keycloak.extraEnv Allows the specification of additional environment variables for Keycloak []
keycloak.extraVolumeMounts Add additional volumes mounts, e. g. for custom themes []
keycloak.extraVolumes Add additional volumes, e. g. for custom themes []
keycloak.podDisruptionBudget Pod disruption budget {}
keycloak.resources Pod resource requests and limits {}
keycloak.affinity Pod affinity
keycloak.nodeSelector Node labels for pod assignment {}
keycloak.tolerations Node taints to tolerate []
keycloak.securityContext Security context for the pod {runAsUser: 1000, fsGroup: 1000, runAsNonRoot: true}
keycloak.preStartScript Custom script to run before Keycloak starts up
keycloak.livenessProbe.initialDelaySeconds Liveness Probe initialDelaySeconds 120
keycloak.livenessProbe.timeoutSeconds Liveness Probe timeoutSeconds 5
keycloak.readinessProbe.initialDelaySeconds Readiness Probe initialDelaySeconds 30
keycloak.readinessProbe.timeoutSeconds Readiness Probe timeoutSeconds 1
keycloak.cli.nodeIdentifier WildFly CLI script for setting the node identifier See values.yaml
keycloak.cli.logging WildFly CLI script for logging configuration See values.yaml
keycloak.cli.reverseProxy WildFly CLI script for reverse proxy configuration See values.yaml
keycloak.cli.discovery WildFly CLI script for cluster discovery See values.yaml
keycloak.cli.custom Additional custom WildFly CLI script ""
keycloak.service.annotations Annotations for the Keycloak service {}
keycloak.service.labels Additional labels for the Keycloak service {}
keycloak.service.type The service type ClusterIP
keycloak.service.port The service port 80
keycloak.service.nodePort The node port used if the service is of type NodePort ""
keycloak.ingress.enabled if true, an ingress is created false
keycloak.ingress.annotations annotations for the ingress {}
keycloak.ingress.path if true, an ingress is created /
keycloak.ingress.hosts a list of ingress hosts []
keycloak.ingress.tls a list of IngressTLS items []
keycloak.persistence.deployPostgres If true, the PostgreSQL chart is installed true
keycloak.persistence.existingSecret Name of an existing secret to be used for the database password (if keycloak.persistence.deployPostgres=false). Otherwise a new secret is created ""
keycloak.persistence.existingSecretKey The key for the database password in the existing secret (if keycloak.persistence.deployPostgres=false) password
keycloak.persistence.dbVendor One of H2, POSTGRES, or MYSQL (if deployPostgres=false) H2
keycloak.persistence.dbName The name of the database to connect to (if deployPostgres=false) keycloak
keycloak.persistence.dbHost The database host name (if deployPostgres=false) mykeycloak
keycloak.persistence.dbPort The database host port (if deployPostgres=false) 5432
keycloak.persistence.dbUser The database user (if deployPostgres=false) keycloak
keycloak.persistence.dbPassword The database password (if deployPostgres=false) keycloak
postgresql.postgresUser The PostgreSQL user (if keycloak.persistence.deployPostgres=true) keycloak
postgresql.postgresPassword The PostgreSQL password (if keycloak.persistence.deployPostgres=true) ""
postgresql.postgresDatabase The PostgreSQL database (if keycloak.persistence.deployPostgres=true) keycloak
test.image.repository Test image repository unguiculus/docker-python3-phantomjs-selenium
test.image.tag Test image tag v1
test.image.pullPolicy Test image pull policy IfNotPresent

Specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install --name keycloak -f values.yaml incubator/keycloak

Database Setup

By default, the PostgreSQL chart is deployed and used as database. Please refer to this chart for additional PostgreSQL configuration options. If PostgreSQL is disabled, Keycloak uses an embedded H2 database which is only suitable for testing with a single replica.

Using an External Database

The Keycloak Docker image supports PostgreSQL and MySQL. The password for the database user is read from a Kubernetes secret. It is possible to specify an existing secret that is not managed with this chart. The key in the secret the password is read from may be specified as well (defaults to password).


    # Disable deployment of the PostgreSQL chart
    deployPostgres: false

    # Optionally specify an existing secret
    existingSecret: "my-database-password-secret"
    existingSecretKey: "password-key in-my-database-secret"

    dbVendor: POSTGRES # for MySQL use "MYSQL"

    dbName: keycloak
    dbHost: mykeycloak
    dbPort: 5432 # 5432 is PostgreSQL's default port. For MySQL it would be 3306
    dbUser: keycloak

    # Only used if no existing secret is specified. In this case a new secret is created
    dbPassword: keycloak

See also: * *

Configuring additional environment variables:

      value: : DEBUG
      value: DEBUG
    - name: CACHE_OWNERS:

WildFly Configuration

WildFly can be configured via its command line interface (CLI). This chart uses the official Keycloak Docker image and customizes the installation running CLI scripts at server startup.

In order to make further customization easier, the CLI commands are separated by their concerns into smaller scripts. Everything is in values.yaml and can be overridden. Additional CLI commands may be added via keycloak.cli.custom, which is empty by default.

High Availability and Clustering

For high availability, Keycloak should be run with multiple replicas (keycloak.replicas > 1). WildFly uses Infinispan for caching. These caches can be replicated across all instances forming a cluster. If keycloak.replicas > 1, the WildFly CLI script keycloak.cli.discovery adds JGroups’ JDBC_PING for cluster discovery and Keycloak is started with --server-config standalone-ha.xml.

Why StatefulSet?

The chart sets node identifiers to the system property which is in fact the pod name. Node identifiers must not be longer than 23 characters. This can be problematic because pod names are quite long. We would have to truncate the chart’s fullname to six characters because pods get a 17-character suffix (e. g. -697f8b7655-mf5ht). Using a StatefulSet allows us to truncate to 20 characters leaving room for up to 99 replicas, which is much better. Additionally, we get stable values for which can be advantageous for cluster discovery.