This guide describes how to install the Keycloak Operator in a Kubernetes or OpenShift cluster.
The recommended way to install the Keycloak Operator in Kubernetes environments is to use the Operator Lifecycle Manager (OLM).
Make sure OLM is installed in your environment. For details, see Installing OLM.
Be sure that you have cluster-admin permission or an equivalent level of permissions granted by an administrator.
The following procedure describes how to install the Keycloak Operator. However, for general instructions on installing Operators using OLM, see Install your operator with OLM. In the default Catalog, the Keycloak Operator is named keycloak-operator
. Make sure to use the fast
channel to find the operator.
Perform this procedure on an OpenShift cluster.
Open the OpenShift Container Platform web console.
In the left column, click Home, Operators, OperatorHub.
Search for "keycloak" on the search input box.
Select the Keycloak Operator from the list of results.
Follow the instructions on the screen.
Make sure you are installing from the fast channel:
You may select to either have the Operator watch the namespace where it is installed, or to watch a single namespace of your choosing.
You can install the Operator on a vanilla Kubernetes cluster by using kubectl
commands:
Install the CRDs by entering the following commands:
kubectl apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/26.0.7/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
kubectl apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/26.0.7/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
Install the Keycloak Operator deployment by entering the following command:
kubectl apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/26.0.7/kubernetes/kubernetes.yml
The Operator will watch the namespace where it is installed. You may optionally select a namespace with the -n
option.
It is currently not fully supported for the operator to watch multiple or all namespaces. In circumstances where you want to watch multiple namespaces, you can install multiple operators.
If you do this please be aware:
all Operators share the CRDs (Custom Resource Definitions) as they are installed cluster wide.
CRD revisions from newer Operator versions won’t introduce breaking changes except for the eventual removal of fields that have been well deprecated. Thus newer CRDs are generally backward compatible.
the CRDs installed last will be the ones in use. This applies to OLM installations as well where the Operator version, that is installed as the last, also installs and overrides the CRDs if they exists in the cluster already.
older CRDs may not be forwards compatible with new fields used by newer operators. When using OLM it will check if your custom resources are compatible with the CRDs being installed, so the usage of new fields can prevent the simultaneous installation of older operator versions.
fields introduced by newer CRDs will not be supported by older Operators. Older Operator will fail to handle CRs that use such new fields with an error deserializing an unrecognized field.
It is therefore recommended in a multiple Operator install scenario that you keep versions aligned as closely as possible to minimize the potential problems with different versions.