Enabling external Postgresql database support requires creating keycloak-db-secret in the following form
(note that values are Base64 encoded, see Kubernetes Secrets manual):
keycloak-db-secret SecretapiVersion: v1
kind: Secret
data:
POSTGRES_DATABASE: cm9vdA==
POSTGRES_EXTERNAL_ADDRESS: MTcyLjE3LjAuMw==
POSTGRES_EXTERNAL_PORT: NTQzMg==
POSTGRES_HOST: a2V5Y2xvYWstcG9zdGdyZXNxbA==
POSTGRES_PASSWORD: ZXhhbXBsZS1rZXljbG9hay1lTWFQ
POSTGRES_SUPERUSER: dHJ1ZQ==
POSTGRES_USERNAME: ZXhhbXBsZS1rZXljbG9hay1WbGdU
metadata:
labels:
app: keycloak
name: keycloak-db-secret
namespace: keycloak
type: OpaqueThere are two properties specifically responsible for specifying external database hostname or IP address and its port:
-
POSTGRES_EXTERNAL_ADDRESS - an IP address (or a Hostname) or the external database. This address needs to be resolvable from Kubernetes cluster perspective.
-
POSTGRES_EXTERNAL_PORT - (Optional) A database port.
The other properties should to be set as follows:
-
POSTGRES_DATABASE- Database name to be used. -
POSTGRES_HOST- The name of theServiceused to communicate with a database. Typicallykeycloak-postgresql. -
POSTGRES_USERNAME- Database username -
POSTGRES_PASSWORD- Database password -
POSTGRES_SUPERUSER- Indicates, whether backups should assume running as super user. Typicallytrue.
The other properties remain the same for both operating modes (hosted Postgresql and an external one).
The Keycloak Custom Resource also needs to be updated to turn the external database support on.
Here’s an example:
Keycloak Custom Resource with external database supportapiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
labels:
app: sso
name: example-keycloak
namespace: keycloak
spec:
externalDatabase:
enabled: true
instances: 1Keycloak Operator allows you to use an external Postgresql database by modifying keycloak-postgresql Endpoints object.
Typically, this object is maintained by Kubernetes, however it might be used to connect to an external service. See
OpenShift manual for
more details.