Identity Set Up
Purpose
This stage configures Keycloak for authentication and authorisation.
The Management Node establishes zero-trust connectivity with Keycloak.
Keycloak is responsible for issuing and validating identity tokens used for secure communication.
You will:
- Run Keycloak
- Configure authentication
- Prepare identity services for use by the Management Node
Stage 3 – Set up Keycloak
How to complete this stage
You will:
- Pull and run a compatible Keycloak version
- Configure Keycloak using Docker Compose
- Ensure it is reachable by the Management Node
- Prepare it for mTLS-secured connectivity
Approach and rationale
The Management Node uses Keycloak to implement authentication and authorisation.
Earlier versions of Keycloak (e.g. 21.0.2) do not support Java 21.
A compatible version must be used.
Keycloak may be run either:
- In a Docker container (recommended)
- As a local server (reference only)
This stage prepares Keycloak for secure integration with the Management Node.
3.1a Deploy Keycloak with Docker Compose (Recommended)
Navigate to the Docker folder:
Check that the folder contains keystore.jks, truststore.jks, localhost.p12, localhost.crt and localhost.key files.
Start Keycloak and the Keycloak PostgreSQL database with Docker Compose:
Allow Keycloak to start (approximately 30 seconds), then confirm that it is running:
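The file check and the "confirm that it is running" step above, written as an added POSIX shell pre-flight script (example code, not the project's own). The readiness URL, the HTTPS port 8443, and using localhost.crt as the CA bundle for curl are assumptions; only the five file names come from the steps above.

```shell
#!/bin/sh
# Pre-flight check for the Keycloak Docker folder (added example, not the project's script).
# Usage: sh preflight.sh ./docker [https://localhost:8443/health/ready]

# File names taken from the stage text; the folder must hold all of them.
REQUIRED_TLS_FILES="keystore.jks truststore.jks localhost.p12 localhost.crt localhost.key"

# check_tls_material DIR: succeed only if every required file exists and is non-empty.
check_tls_material() {
    dir=$1
    missing=0
    for f in $REQUIRED_TLS_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# private_key_is_restricted FILE: succeed if group and others have no access to the key.
# Parses the mode column of ls -l (characters 5-10 are the group/other bits), which is portable.
private_key_is_restricted() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# wait_for_keycloak URL CA_FILE SECONDS: poll the (assumed) readiness endpoint until HTTP 200.
# Verifying the server certificate against CA_FILE keeps the probe from trusting a stray listener.
wait_for_keycloak() {
    url=$1; ca=$2; deadline=$3; elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "$url" || true)
        [ "$code" = "200" ] && return 0
        sleep 2; elapsed=$((elapsed + 2))
    done
    echo "Keycloak not ready after ${deadline}s" >&2
    return 1
}

# preflight DIR URL: run all three checks; a non-zero exit means do not proceed to Stage 4.
preflight() {
    check_tls_material "$1" || return 1
    private_key_is_restricted "$1/localhost.key" || { echo "localhost.key is readable by group/others" >&2; return 1; }
    wait_for_keycloak "$2" "$1/localhost.crt" 60
}

[ -z "${1:-}" ] || preflight "$1" "${2:-https://localhost:8443/health/ready}"
```

If Keycloak is started with HTTPS client authentication set to required, add `--cert localhost.crt --key localhost.key` to the curl call so the probe itself presents a client certificate.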
3.1b Keycloak in Docker container (Alternative)
Set the preferred Keycloak version:
Pull the Keycloak Docker image:
Review the configuration:
Run Keycloak in development mode:
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:${KC_VERSION} start-dev