# Exercise 4: Setup Keycloak

These setup instructions are based on [Keycloak - Guide - Keycloak on Kubernetes](https://www.keycloak.org/getting-started/getting-started-kube).

The original guide also covers installing an Ingress for Keycloak. Because we already have Istio installed, we will use the Istio Ingress to access Keycloak externally instead. The original `keycloak.yaml` has been modified accordingly and the `NodePort` has been removed.

Note: This is an "ephemeral" installation of Keycloak; there is no database used for persistence. Sufficient for a workshop but not suitable for production use!

## Step 1: Deploy Keycloak

```bash
cd $ROOT_FOLDER/IKS
kubectl apply -f keycloak.yaml
```

## Step 2: Wait until the Keycloak Pod is started

```bash
kubectl get pods
```

## Step 3: Access Keycloak

Get the Keycloak URL and open the URL in your browser:

```bash
echo "https://$INGRESSURL/auth"
```

Note: This will work because we created a VirtualService in the previous exercise that maps the `/auth` URI to the Keycloak service.

## Step 4: Try to log on to Keycloak

* Click on `Administration Console`.

![](/files/-MFGFeYk_Pdf0wbPceIK)

* Log in with username `admin` and password `admin`.

![](/files/-MFGFeYlilUsLvIs6-IG)

## Step 5: Create realm

For the workshop we need our pre-configured realm. We will create the realm using a bash script.

* Verify your existing environment variables

```bash
cd $ROOT_FOLDER/IKS
echo $MYCLUSTER
echo $INGRESSURL
echo $INGRESSSECRET
```

* Execute the bash script

```bash
bash keycloak-create-realm.sh
```

Example output:

```bash
------------------------------------------------------------------------
The realm is created.
Open following link in your browser:
https://harald-uebele-k8s-fra05-********************-0001/auth/admin/master/console/#/realms/quarkus
------------------------------------------------------------------------
```

## Step 6: Verify the newly created realm

Try to create an access token. This requires the `$INGRESSURL` environment variable to be set:

```bash
curl -d "username=alice" -d "password=alice" -d "grant_type=password" -d "client_id=frontend" "https://$INGRESSURL/auth/realms/quarkus/protocol/openid-connect/token" | sed -n 's|.*"access_token":"\([^"]*\)".*|\1|p'
```
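
To confirm that the returned token really belongs to `alice` and was issued by the `quarkus` realm, you can decode its payload. The following is an added example and not part of the workshop repository; the helper names, the host `keycloak.example` and the role `user` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: helper names and sample values are constructed, not from the workshop.
# Decoding only reads the claims; it does NOT verify the token signature.

# Print the decoded JSON payload (second segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d '.' -f 2 | tr '_-' '/+')
  # base64url drops the '=' padding; restore it so base64 -d accepts the input
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print one string claim, e.g. iss or preferred_username.
# Like the sed call in Step 6, this assumes compact JSON without spaces.
jwt_claim() {
  jwt_payload "$1" | sed -n 's|.*"'"$2"'":"\([^"]*\)".*|\1|p'
}

# Print the realm roles as a comma-separated list.
jwt_realm_roles() {
  jwt_payload "$1" |
    sed -n 's|.*"realm_access":{"roles":\[\([^]]*\)].*|\1|p' | tr -d '"'
}

# Build an unsigned sample token so the helpers can be tried offline (constructed data).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
  local header payload
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '%s' '{"iss":"https://keycloak.example/auth/realms/quarkus","preferred_username":"alice","realm_access":{"roles":["user"]}}' | b64url)
  printf '%s.%s.%s' "$header" "$payload" "constructed-signature"
}

# With the workshop cluster, set TOKEN from the curl command in Step 6 instead.
TOKEN=${TOKEN:-$(sample_token)}
echo "issuer:   $(jwt_claim "$TOKEN" iss)"
echo "username: $(jwt_claim "$TOKEN" preferred_username)"
echo "roles:    $(jwt_realm_roles "$TOKEN")"
```

For a token from your cluster, the issuer should end in `/auth/realms/quarkus` and the username should be `alice`.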

> *Note:* The image shows you in Kiali that we access Keycloak through our `istio-ingressgateway`. *This is not a part of your hands-on tasks.*

![](/files/-MUrkW4gPbeOj9ErJjM6)

> Congratulations, you have successfully completed the `Setup Application environment`. Awesome :star:

## Optional steps to verify the configuration

### STEP 1: Verify the name `quarkus` of the imported realm

![](/files/-MFGFeYmmyotaaxGL7To)

### STEP 2: Verify the imported realm settings

![](/files/-MFGFeYnnL6WRMS0_QgK)

### STEP 3: Press `view all users`

You should see the following users: `admin`, `alice`, `jdoe`

![](/files/-MFGFeYorWj-47_JlBWV)

### STEP 4: Verify the role mapping

![](/files/-MUsDghU5WI35OjPrwNb)

