Migration of a Docker-based Keycloak configuration to Kubernetes

I need advice on how to migrate my configuration (especially Keycloak) to Kubernetes.

Application

The application consists of frontend code (JavaScript) running in the browser and the following backend components:

  1. frontend, responsible for delivering the frontend code to the user's browser, running on port 8080 (https)
  2. backend, responsible for delivering business data, running on port 8085 (https)
  3. keycloak, responsible for authentication/authorization, running on port 8143 (https)
  4. nginx, working as a reverse proxy for the internal Docker network (i.e. for all services above). The following host-based rules are used:
  • keycloak.external → keycloak
  • frontend.external → frontend
  • backend.external → backend

The application workflow:

The user authenticates in the frontend. For this purpose the frontend reuses the Keycloak login dialog (Keycloak runs in the backend as one of the components). Afterwards the frontend uses the JSON Web Token issued by Keycloak for authorization against the backend components in order to retrieve the required information and present it in the browser.

Docker development configuration

Currently I develop all components on my laptop, using containers for all backend components. I have added the following entries to /etc/hosts:

127.0.0.1 keycloak.external
127.0.0.1 frontend.external
127.0.0.1 backend.external

My docker-compose file looks like this:

version: '3.5'
services:
  keycloak:
    image: keycloak
    container_name: keycloak
    secrets:
      - keycloak-server-crt
      - keycloak-server-key
      - source: keycloak-realm-conf
        target: /opt/keycloak/data/import/app-realm.json
    networks:
      default:
        aliases:
          - keycloak.external
    expose:
      - 8143
    command:
      - "start-dev"
      - "--import-realm"
      - "--http-enabled=false"
      - "--https-port=8143"
      - "--https-client-auth=none"
      - "--hostname-url=https://keycloak.external:8143"
      - "--hostname-strict-backchannel=true"
      - "--hostname-admin-url=https://keycloak.external:8143"
      - "--https-certificate-file=/run/secrets/keycloak-server-crt"
      - "--https-certificate-key-file=/run/secrets/keycloak-server-key"
      - "--proxy=reencrypt"
      - "--hostname-port=8143"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin

  backend:
    image: backend
    container_name: backend
    secrets:
      - source: backend-server-crt
        target: /usr/local/backend/certs/server.crt
      - source: backend-server-key
        target: /usr/local/backend/certs/server.key
    expose:
      - 8085
    environment:
      
      # keycloak settings
      KEYCLOAK_AUTH_URL: "https://keycloak.external:8143"
      KEYCLOAK_REALM: "APP"
      KEYCLOAK_CLIENT_ID: "backend"
      KEYCLOAK_SECRET: XXXXXX

  frontend:
    image: frontend
    container_name: frontend
    secrets:
      - source: frontend-server-crt
        target: /etc/nginx/certs/server.crt
      - source: frontend-server-key
        target: /etc/nginx/certs/server.key
    expose:
      - 8080
    environment:
      KEYCLOAK_AUTH_URL: "https://keycloak.external:8143"
      KEYCLOAK_REALM: "APP"
      KEYCLOAK_CLIENT_ID: "frontend"

  nginxproxy:
    image: nginx:latest
    container_name: nginxproxy
    ports:
      - "8143:8143"
      - "8085:8085"
      - "8080:8080"
    secrets:
      - source: nginxproxy-conf
        target: /etc/nginx/conf.d/default.conf
      - source: keycloak-server-crt
        target: /etc/nginx/certs/keycloak.external.crt
      - source: keycloak-server-key
        target: /etc/nginx/certs/keycloak.external.key
      - source: backend-server-crt
        target: /etc/nginx/certs/backend.crt
      - source: backend-server-key
        target: /etc/nginx/certs/backend.key
      - source: frontend-server-crt
        target: /etc/nginx/certs/frontend.crt
      - source: frontend-server-key
        target: /etc/nginx/certs/frontend.key
networks:
  default:
    name: my-network
    driver: bridge
    ipam:
      config:
        - subnet: 172.177.0.0/16

secrets:
......

The above configuration relies on the fact that the browser accesses Keycloak via https://keycloak.external:8143 and the backend uses the same URL. To make this possible from the internal Docker network, an alias is defined in docker-compose.yaml, i.e.

networks:
  default:
    aliases:
      - keycloak.external

What is the best way to migrate my development configuration to Kubernetes?

I can imagine that the Keycloak URL issue can be solved by using a fixed Service IP XX.XX.XX.XX in the Keycloak Service and consequently using hostAliases in the backend.

hostAliases:
  - ip: "XX.XX.XX.XX"
    hostnames:
      - "keycloak.external"
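The approach sketched above, written out as Kubernetes manifests. This is an added example and not part of the original post; it assumes the image names, the 8143 TLS port and the environment variables from the docker-compose file, and keeps XX.XX.XX.XX as the page's placeholder for the fixed Service IP.

```yaml
# Added example (not from the original post). Assumes the image names,
# the 8143 TLS port and the env variables from the docker-compose above;
# XX.XX.XX.XX is the page's placeholder and must be a free address inside
# the cluster's service CIDR, otherwise the Service is rejected.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
spec:
  clusterIP: XX.XX.XX.XX      # fixed so the hostAliases entry below stays valid
  selector:
    app: keycloak
  ports:
    - name: https
      port: 8143              # same port as in KEYCLOAK_AUTH_URL
      targetPort: 8143
---
# Backend pod: hostAliases writes keycloak.external into the pod's /etc/hosts,
# replacing the docker-compose network alias, so the certificate issued for
# keycloak.external still matches the name the backend connects to.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      hostAliases:
        - ip: "XX.XX.XX.XX"
          hostnames:
            - "keycloak.external"
      containers:
        - name: backend
          image: backend
          env:
            - name: KEYCLOAK_AUTH_URL
              value: "https://keycloak.external:8143"
            - name: KEYCLOAK_REALM
              value: "APP"
            - name: KEYCLOAK_CLIENT_ID
              value: "backend"
```

The browser-facing side (the nginxproxy host rules) becomes an Ingress with a host rule for keycloak.external, while hostAliases only affects name resolution inside the backend pod. KEYCLOAK_SECRET belongs in a Kubernetes Secret referenced via secretKeyRef rather than a plain env value.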