
Create Keycloak deployment with imported realm configuration

I am trying to create a Keycloak deployment having its configuration imported from a local file located at ./import/realm.json.

Folder structure:

  • keycloak-deploy.yml
  • import/realm.json

However, when applying the deployment I get this error:

 FATAL [org.keycloak.services] (ServerService Thread Pool -- 59) Error during startup: java.lang.RuntimeException: java.io.FileNotFoundException: /import/realm.json (No such file or directory)

This is the deployment (keycloak-deploy.yml) I'm trying to create:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: keycloak-deployment
  name: keycloak-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak-deployment
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: keycloak-deployment
    spec:
      containers:
      - image: jboss/keycloak:latest
        name: keycloak
        env:
          - name: KEYCLOAK_USER
            value: admin
          - name: KEYCLOAK_PASSWORD
            value: superSecret
          - name: KEYCLOAK_IMPORT
            value: /import/realm.json
        ports:
          - containerPort: 8081
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8081
        resources: {}
status: {}

I'm a beginner with Kubernetes so any help is appreciated, thanks!

asked Sep 17 '25 15:09

happy songs


2 Answers

I followed what was said in the comments (thanks @Andrew Skorkin). It worked like this:

  • deployment & service:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: keycloak-deployment
  name: keycloak-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak-deployment
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: keycloak-deployment
    spec:
      containers:
      - image: jboss/keycloak:latest
        name: keycloak
        env:
          - name: KEYCLOAK_USER
            value: admin
          - name: KEYCLOAK_PASSWORD
            value: superSecret
          - name: KEYCLOAK_IMPORT
            value: /import/realm.json
        ports:
          - name: http
            containerPort: 8081
        volumeMounts:
          - name: keycloak-volume
            mountPath: /import
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8081
          initialDelaySeconds: 30
          timeoutSeconds: 30
        resources: {}
      volumes:
        - name: keycloak-volume
          configMap:
            name: keycloak-configmap
status: {}
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
spec:
  selector:
    app: keycloak-deployment  # must match the pod template label
  ports:
    - protocol: TCP
      port: 8081
      targetPort: 8081

  • config map:

apiVersion: v1
data:
  realm.json: |
    {json_content}
kind: ConfigMap
metadata:
  name: keycloak-configmap

json_content contains the realm.json data. I exported the data from a working Keycloak instance (made with docker-compose).

answered Sep 19 '25 08:09

happy songs
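
A hardened variant of the Deployment in the answer above, as an added example that is not part of the original post: the admin credentials are read from a Secret instead of a literal `value:`, and the realm file is mounted read-only from a Secret rather than a ConfigMap, since a realm export can contain client secrets. The Secret names `keycloak-admin` (keys `username`, `password`) and `keycloak-realm` are assumptions and must exist beforehand, for example via `kubectl create secret generic keycloak-realm --from-file=import/realm.json`.

```yaml
# Added example; Secret names keycloak-admin and keycloak-realm are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-deployment
  labels:
    app: keycloak-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak-deployment
  template:
    metadata:
      labels:
        app: keycloak-deployment
    spec:
      containers:
      - name: keycloak
        image: jboss/keycloak:latest  # as on the page; pin a fixed tag for real rollouts
        env:
          - name: KEYCLOAK_USER
            valueFrom:
              secretKeyRef:           # no credential literal in the manifest
                name: keycloak-admin
                key: username
          - name: KEYCLOAK_PASSWORD
            valueFrom:
              secretKeyRef:
                name: keycloak-admin
                key: password
          - name: KEYCLOAK_IMPORT
            value: /import/realm.json
        ports:
          - name: http
            containerPort: 8081
        volumeMounts:
          - name: keycloak-volume
            mountPath: /import
            readOnly: true
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8081
          initialDelaySeconds: 30
      volumes:
        - name: keycloak-volume
          secret:
            secretName: keycloak-realm  # key realm.json appears as /import/realm.json
```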


Extending the solution of "Happy Songs":

My 2 cents, as I switched to a newer Keycloak version using Quarkus (and I did not use the env KEYCLOAK_IMPORT).

kind: Deployment
image: quay.io/keycloak/keycloak:20.0.2
args: ["start-dev --import-realm"]
          volumeMounts:
            - name: keycloak-volume
              mountPath: /opt/keycloak/data/import

According to the documentation the mount path on containers is: /opt/keycloak/data/import. See here: https://www.keycloak.org/server/importExport

kind: ConfigMap
data:
  jhipster-realm.json: |
    {
      "id": "jhipster",
      "realm": "jhipster",
      "notBefore": 0,

In earlier Keycloak examples I needed to use the ID of the realm as filename. So the filename xyz.json matches the "id": xyz. Not sure if this is still necessary.

Btw: When exporting, the passwords will not be exported.

answered Sep 19 '25 08:09

Bernd Waibel