Skip to main content
Cloud server with Keycloak
Last update:

Cloud server with Keycloak

Keycloak is an open source platform for managing user authentication and authorization in applications and implementing Single-Sign On.

You can create a cloud server with an off-the-shelf Keycloak application.

Create a cloud server with Keycloak

For Keycloak to work, the cloud server must be accessible from the Internet. To do this, you need to create a public IP address, a private subnet and prepare it for IP address connection — you can do this when creating the server. To configure the server when creating it, you need to specify user data — user configuration parameters of the operating system.

After the server is created, a free TLS certificate from Let's Encrypt® will be automatically issued for the domain you specify. To issue the certificate, you need to add an A record for the domain and specify the public IP address of the server in the record value. The domain can be added to Selectel DNS hosting.

You can create a cloud server with Keycloak standard configuration with automatic creation of a PostgreSQL database on the server or connect a created cloud PostgreSQL database.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Click Create Server.

  3. In the Name and Location block:

    3.1 In the Name field, enter the name of the server. This will be set as the host name in the operating system.

    3.2 In the Region and Pool fields, select the region and pool segment in which the server will be created. The list of available server configurations and resource costs depends on the pool segment. Once the server is created, the pool segment cannot be changed.

  4. In the Source block, select the source from which the server will be created.

    Click the default source name, open the Applications tab, select Cloud Keycloak <version>, and click Select.

  5. In the Configuration block, select a server configuration of 2 vCPUs, RAM of 4 GB or more, and boot disk size of 30 GB or more:

    • fixed configuration — rulers in which the ratio of resources is fixed;
    • or an arbitrary configuration in which any resource ratio can be specified.

    The configurations use different processors depending on the line and pool segment.

    5.1 To select a fixed configuration, click Fixed, open the tab with the desired ruler and select the configuration.

    5.2 To select an arbitrary configuration, click Arbitrary, specify the number of vCPUs and the RAM size.

    5.3 To select a local disk as the server boot disk, check the Local SSD NVMe disk checkbox . To select a network disk as the boot disk, do not check the checkbox.

    The amount of RAM allocated to the server may be less than the amount specified in the configuration — the operating system kernel reserves some RAM depending on the kernel version and distribution. You can check the allocated amount on the server with sudo dmesg | grep Memory.

    After the server is created, you can change the configuration.

  6. If you did not check the Local SSD NVMe disk checkbox in step 5.3., the first specified network disk will be used as the server boot disk. In the Disks:

    6.1. In the Disk Type field, select the type of network boot disk.

    6.2 Specify the size of the network boot disk in GB or TB. Observe the maximum size limits for network disks.

  7. Optional: Add additional network disks to the server. In the Disks:

    7.1. In the Disk Type field, select the network disk type.

    7.2 Specify the size of the network disk in GB or TB. Observe the maximum size limits of the network disks.

    7.3 To add another additional disk, click Add, select the disk type and specify its size.

    When you add an additional disk, the first additional disk is automatically mounted for application data, including PostgreSQL (when used locally).

  8. In the Network block, connect an existing private subnet with the cloud router or create a new one:

    8.1 Click Private Subnet.

    8.2. In the Public IP Address for Internet Access field, select New Public IP Address.

    8.3. Expand the block with private subnet settings.

    8.4. In the Subnet field, select an existing subnet.

    8.5. In the Private IP field, specify the private IP address of the server. The public IP address will be automatically connected to the private address.

  9. Select security groups to filter traffic on server ports. Without security groups, traffic will not be allowed. If there is no block, port security is disabled on the server network . With traffic filtering disabled, all traffic will be allowed.

  10. In the Access block:

    10.1 Place an SSH key on the server for secure connection.

    To add a new SSH key to the cloud platform, click Add SSH Key, enter the key name, paste the public SSH key in OpenSSH format, and click Add.

    If an SSH key is added to the cloud platform, select the existing key in the SSH Key field.

    10.2 Optionally: in the Password for "root" field, copy the password of the root user (a user with unlimited rights to all actions on the system). Save the password in a safe place and do not pass it on in public.

  11. In the Advanced Settings block:

    11.1 Optional: If you plan to create multiple servers and want to increase the fault tolerance of your infrastructure, add a server to a placement group. To create a new group, click Create Group, enter a group name, and select a placement policy on different hosts:

    • preferably soft-anti-affinity. The system will try to place servers on different hosts. If there is no suitable host when creating a server, it will be created on the same host;
    • anti-affinity is mandatory. Servers in a group must be located on different hosts. If there is no suitable host when creating a server, the server will not be created.

    If a group has been created, select a placement group in the Placement Group field.

    11.2 Optional: add server tags to add additional information or filter servers in the list. Operating system and configuration tags are automatically added. To add a new tag, enter a tag in the Tags field.

  12. In the Automation block, in the User data field, insert the script that will be executed when the system boots:

    #cloud-config

    write_files:
    - path: "/opt/gomplate/values/user-values.yml"
      permissions: "0644"
      content: |
        keycloakDomain: "<example.com>"
        keycloakAdminEmail: "<root@example.com>"
        keycloakAdminUser: "<administrator_name>"
        keycloakAdminPassword: "<administrator_password>"
        keycloakAdminIP: "<ip_address>"
        keycloakPostgresDB: "<database_name>"
        keycloakPostgresUser: "<database_user_name>"
        keycloakPostgresPassword: "<database_user_password>"

    Specify:

    • <example.com> — domain to access Keycloak. For the domain, you must add an A record and specify the public IP address you specified in step 8 in the record value. If the domain is added to Selectel DNS hosting (actual), use the instructions Add a resource record. After the server is created, a TLS certificate from Let's Encrypt® will be automatically issued for the domain;
    • <root@example.com> — Keycloak administrator email to create an account and receive Let's Encrypt® notifications;
    • <administrator_name> — Keycloak administrator name;
    • <administrator_password> — Keycloak administrator password;
    • <ip_address> — The IP address where the Keycloak panel will be accessible. If you want to allow access to all IP addresses, specify 0.0.0.0/0;
    • <database_name> — PostgreSQL database name;
    • <database_user_name> — PostgreSQL database user name;
    • <database_user_password> — PostgreSQL database user password.

  13. Check the price of the cloud server.

  14. Click Create.