Keycloak

Keycloak is an open source platform for managing user authentication and authorization in applications and for implementing single sign-on (SSO).

You can create a cloud server with a ready-made Keycloak application.

Create a cloud server with Keycloak

For Keycloak to work, the cloud server must be accessible from the Internet. To do this, you need to create a public IP address and a private subnet and prepare the subnet for connecting the public IP address — you can do this when creating the server. To configure the server at creation time, you specify user data — the operating system configuration parameters.

Once the server is created, a free TLS certificate from Let's Encrypt® will be issued automatically for the domain you specify. To issue the certificate, you must add an A record for the domain and specify the public IP address of the server as the record value. The domain can be added to Selectel DNS hosting (current).

You can create a cloud server with the standard Keycloak configuration, which automatically creates a PostgreSQL database on the server, or connect a previously created PostgreSQL cloud database.

  1. In the control panel, go to Cloud platform → Servers.

  2. Click Create a server.

  3. In the block Name and location:

    3.1 In the field Name enter the server name. This will be set as the host name in the operating system.

    3.2 In the Region and Pool fields, select the region and pool segment. The pool segment determines the list of available server configurations and the cost of resources. Once the server is created, the pool segment cannot be changed.

  4. In the block Source select the source from which the server will be created.

    Click the default source name, open the Applications tab, select Cloud Keycloak <version> and click Select.

  5. In the Configuration block, select a server configuration with at least 2 vCPUs, at least 4 GB of RAM and a boot disk of at least 30 GB:

    • fixed configuration — lines in which the ratio of resources is fixed;
    • or arbitrary configuration, where any ratio of resources can be specified.

    The configurations use different processors depending on the lineup and pool segment.

    5.1 To select a fixed configuration, click Fixed, open the tab with the desired line and select the configuration.

    5.2 To select an arbitrary configuration, click Arbitrary, then specify the number of vCPUs and the size of RAM.

    5.3 To use a local disk as the server boot disk, check the Local SSD NVMe disk box. To use a network disk as the boot disk, leave the box unchecked.

    The amount of RAM allocated to the server may be less than specified in the configuration — the operating system kernel reserves some RAM depending on the kernel version and distribution. You can check the allocated amount on the server with the command sudo dmesg | grep Memory.

    Once the server is created, you can change its configuration.

  6. If you did not check the Local SSD NVMe disk box in step 5.3, the first network disk you specify will be used as the server boot disk. In the Disks block:

    6.1 In the Disk type field, select the network boot disk type.

    6.2 Specify the size of the network boot disk in GB or TB. Take into account network disk limits to the maximum size.

  7. Optional: add additional network disks to the server. In the Disks block:

    7.1 In the Disk type field, select the network disk type.

    7.2 Specify the size of the network disk in GB or TB. Take into account network disk limits to the maximum size.

    7.3 To add another additional disk, click Add, select the disk type and specify its size.

    When you add additional disks, the first additional disk is automatically mounted for application data, including PostgreSQL (when it is used locally).

  8. In the Network block, create a private subnet and a static public IP address: in the Subnetwork field, select Private + 1 public IP. A private network nat, a private subnet, a router router-nat and a public IP address will be created automatically.

    If a private subnet and a cloud router connected to an external network already exist, in the Subnetwork field select Private + 1 public IP, in the Private subnet field select the existing subnet, and in the Private IP field specify the private IP address of the server. If a public IP address already exists, click Connect existing and select the public IP address.

  9. In the Access block:

    9.1 Add an SSH key for the project to the server for a secure connection.

    To add a new SSH key for the project to the cloud platform, click Add an SSH key, enter the key name, paste the public SSH key in OpenSSH format and click Add.

    If the SSH key has already been added to the cloud platform, select the existing key in the SSH key field.

    The SSH key is only available in the pool in which it is hosted.

    9.2 Optional: in the Password for "root" field, copy the password of the root user (a user with unlimited rights to all system operations). Store the password in a safe place and do not share it publicly.

  10. In the Additional settings block:

    10.1 Optional: if you plan to create multiple servers and want to increase the fault tolerance of your infrastructure, add the server to a placement group. To create a new group, click Create a group, enter a group name and select a policy for placement on different hosts:

    • soft-anti-affinity (preferred). The system will try to place the servers on different hosts; if there is no suitable host when creating a server, it will be created on the same host;
    • anti-affinity (mandatory). Servers in the group must be located on different hosts; if there is no suitable host when creating a server, the server will not be created.

    If the group already exists, select it in the Placement group field.

    10.2 Optional: add server tags to store additional information or to filter servers in the list. Operating system and configuration tags are added automatically. To add a new tag, enter it in the Tags field.

  11. In the Automation block, in the User data field, paste a script that will run when the system boots:

    #cloud-config

    write_files:
      - path: "/opt/gomplate/values/user-values.yml"
        permissions: "0644"
        content: |
          keycloakDomain: "<example.com>"
          keycloakAdminEmail: "<root@example.com>"
          keycloakAdminUser: "<administrator_name>"
          keycloakAdminPassword: "<administrator_password>"
          keycloakAdminIP: "<ip_address>"
          keycloakPostgresDB: "<database_name>"
          keycloakPostgresUser: "<database_user_name>"
          keycloakPostgresPassword: "<database_user_password>"

    Specify:

    • <example.com> — domain used to access Keycloak. You must add an A record for the domain and specify the public IP address from step 8 as the record value. If the domain is added to Selectel DNS hosting (current), use the Add a resource record instruction. After the server is created, a TLS certificate from Let's Encrypt® will be issued for the domain automatically;
    • <root@example.com> — Keycloak administrator e-mail, used to create the account and to receive Let's Encrypt® notifications;
    • <administrator_name> — Keycloak administrator name;
    • <administrator_password> — Keycloak administrator password;
    • <ip_address> — the IP address that will be allowed to access the Keycloak admin panel. To allow access from all IP addresses, specify 0.0.0.0/0;
    • <database_name> — PostgreSQL database name;
    • <database_user_name> — PostgreSQL database user name;
    • <database_user_password> — PostgreSQL database user password.

  12. Check the price of the cloud server.

  13. Click Create.
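As an added example (it is not code from this page, from Selectel or from Keycloak), the Python script below assembles the cloud-config user data from step 11 and checks the values before they are pasted into the User data field: hostname syntax of keycloakDomain, the administrator e-mail, that keycloakAdminIP is a single address or a CIDR range (flagging 0.0.0.0/0, which admits every address), and the strength of both passwords. It also checks that the domain's A records resolve only to the server's public IP address from step 8, which is what the automatic Let's Encrypt® issuance depends on. The function names, the sample values (203.0.113.0/24 is a documentation-only range) and the password policy are this example's own assumptions; the resolved A records are passed in by the caller, so the script runs offline.

```python
import ipaddress
import re
import secrets
import string

# Path that the page's cloud-config writes the values file to (taken from the page).
USER_VALUES_PATH = "/opt/gomplate/values/user-values.yml"

# Keys of user-values.yml in the order the page lists them.
KEYS = (
    "keycloakDomain", "keycloakAdminEmail", "keycloakAdminUser",
    "keycloakAdminPassword", "keycloakAdminIP", "keycloakPostgresDB",
    "keycloakPostgresUser", "keycloakPostgresPassword",
)

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label
_PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_!#%+=@"

# Constructed sample values for this example (not real credentials).
SAMPLE_VALUES = {
    "keycloakDomain": "kc.example.com",
    "keycloakAdminEmail": "admin@example.com",
    "keycloakAdminUser": "kcadmin",
    "keycloakAdminPassword": "Tr0ub4dor-Example-Pass!",
    "keycloakAdminIP": "203.0.113.10/32",
    "keycloakPostgresDB": "keycloak",
    "keycloakPostgresUser": "keycloak",
    "keycloakPostgresPassword": "Db-Example-Pass-42!",
}


def password_is_strong(password: str) -> bool:
    """Assumed policy: at least 12 characters from at least three character classes."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    present = sum(any(f(c) for c in password) for f in classes)
    return len(password) >= 12 and present >= 3


def validate_values(values: dict) -> tuple[list[str], list[str]]:
    """Return (problems, warnings); an empty problems list means the values are usable."""
    problems, warnings = [], []
    for key in KEYS:
        value = values.get(key, "")
        if not value:
            problems.append(f"{key} is empty")
        elif "\n" in value or "\r" in value:
            problems.append(f"{key} must be a single line")
    domain = values.get("keycloakDomain", "").lower()
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        problems.append(f"keycloakDomain is not a valid hostname: {domain!r}")
    email = values.get("keycloakAdminEmail", "")
    local, _, host = email.rpartition("@")
    if not local or "." not in host:
        problems.append(f"keycloakAdminEmail does not look like an address: {email!r}")
    # keycloakAdminIP: a single address or a CIDR range allowed to reach the admin panel.
    admin_ip = values.get("keycloakAdminIP", "")
    try:
        allowed = ipaddress.ip_network(admin_ip, strict=False)
    except ValueError:
        problems.append(f"keycloakAdminIP is not an IP address or CIDR range: {admin_ip!r}")
    else:
        if allowed.num_addresses > 1:
            note = "; 0.0.0.0/0 means the admin panel is open to everyone" if allowed.prefixlen == 0 else ""
            warnings.append(f"keycloakAdminIP {admin_ip} admits {allowed.num_addresses} addresses{note}")
    for key in ("keycloakAdminPassword", "keycloakPostgresPassword"):
        if not password_is_strong(values.get(key, "")):
            problems.append(f"{key} is too weak (12+ characters, 3 character classes)")
    return problems, warnings


def _yaml_quote(value: str) -> str:
    """Escape a value for a double-quoted YAML scalar (newlines are rejected earlier)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_user_data(values: dict) -> str:
    """Assemble the #cloud-config document shown in step 11 of the page."""
    problems, _ = validate_values(values)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "#cloud-config",
        "write_files:",
        f"  - path: {_yaml_quote(USER_VALUES_PATH)}",
        '    permissions: "0644"',
        "    content: |",
    ]
    lines += [f"      {key}: {_yaml_quote(values[key])}" for key in KEYS]
    return "\n".join(lines) + "\n"


def a_record_matches(resolved: list[str], public_ip: str) -> bool:
    """True when every A record of the domain is the server's public IP.

    Certificate issuance validates over the addresses the name resolves to, so a
    stray second A record pointing elsewhere breaks it. The caller supplies the
    resolved addresses (for example from `dig +short <domain>`), so this stays offline.
    """
    answers = {ipaddress.ip_address(a) for a in resolved}
    return answers == {ipaddress.ip_address(public_ip)}


def generate_password(length: int = 24) -> str:
    """Random password from the assumed alphabet; retried until it meets the policy."""
    while True:
        candidate = "".join(secrets.choice(_PASSWORD_ALPHABET) for _ in range(length))
        if password_is_strong(candidate):
            return candidate


if __name__ == "__main__":
    found_problems, found_warnings = validate_values(SAMPLE_VALUES)
    print("problems:", found_problems, "warnings:", found_warnings)
    print(render_user_data(SAMPLE_VALUES), end="")
    print("A record ok:", a_record_matches(["203.0.113.10"], "203.0.113.10"))
```

Run it as is to see the rendered user data for the sample values, or replace SAMPLE_VALUES with your own and paste the output into the User data field. The check in a_record_matches deliberately requires the resolved set to equal exactly the public IP: an extra A record left over from a previous server is a common reason the automatic certificate never appears.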