# EntandoKeycloakServer Custom Resource Definition

The EntandoKeycloakServer CRD instructs the Entando Operator to deploy the Keycloak Community OIDC provider, or its equivalent commercial product, Red Hat SSO. Once a Keycloak server has been deployed, subsequent EntandoApp and EntandoPlugin deployments can use it as an OIDC provider. The Entando Operator will automatically create OIDC clients for these deployments in the Keycloak server. If you already have a Keycloak instance that you want to use, skip this custom resource and use the keycloak-admin-secret as specified in the Connect to External Keycloak tutorial.

# Example EntandoKeycloakServer Definition

```yaml
kind: "EntandoKeycloakServer"
apiVersion: "entando.org/v1alpha1"
metadata:
  name: "test-keycloak"
  namespace: "keycloak-namespace"
spec:
  imageName: "entando/entando-keycloak"
  dbms: "postgresql"
  ingressHostName: "test-keycloak."
  entandoImageVersion: "7.0.0"
  tlsEnabled: false
  replicas: 1
```

# Specifications

| Spec Name | Description |
| --- | --- |
| `spec.adminSecretName` | The name of an Opaque Secret that contains the 'username' and 'password' keys, giving the operator admin access to a Keycloak server. This is used when the provisioning strategy is UseExternal. |
| `spec.customImage` | Name used to provide a custom image. |
| `spec.dbms` | MySQL, PostgreSQL, or embedded (default). |
| `spec.environmentVariables` | A map of environment variables to pass to the Keycloak Docker image. |
| `spec.frontEndUrl` | The URL used to access Keycloak from web applications. If the UseExternal provisioning strategy has been selected, this should be the base URL of the external SSO service you would like to connect to. |
| `spec.ingressHostName` | The hostname of the Kubernetes ingress to be created for Keycloak. |
| `spec.replicas` | The number of replicas to be made available to the deployment of this Keycloak server. |
| `spec.resourceRequirements` | The minimum and maximum resource allocations for the Keycloak server container. |
| `spec.serviceAccountToUse` | Optional service account used to run the Keycloak pod. |
| `spec.standardImage` | One of the standard images for Keycloak provided by Entando. The value can be either keycloak or redhat-sso. |
| `spec.tlsSecretName` | A standard TLS Secret that is applied to the Keycloak ingress. Note that this property is optional and overrides the standard Kubernetes TLS Secret that will be used for the resulting ingress. This is only required if the globally configured TLS Secret for the operator is absent. |
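
The following is an added example, not taken from the Entando documentation: the example definition on this page with `tlsEnabled` set to `true` and `spec.tlsSecretName` pointing at a standard Kubernetes TLS Secret, for clusters where no global TLS Secret is configured for the operator. The Secret name, hostname and certificate placeholders are constructed, and placing the Secret in the same namespace as the resource is an assumption based on how Kubernetes ingresses resolve TLS Secrets.

```yaml
# Constructed TLS Secret; replace the placeholders with your own
# base64-encoded certificate chain and private key.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: "keycloak-tls-secret"        # hypothetical name
  namespace: "keycloak-namespace"    # assumed: same namespace as the ingress
data:
  tls.crt: <base64-encoded certificate chain>
  tls.key: <base64-encoded private key>
---
kind: "EntandoKeycloakServer"
apiVersion: "entando.org/v1alpha1"
metadata:
  name: "test-keycloak"
  namespace: "keycloak-namespace"
spec:
  imageName: "entando/entando-keycloak"
  dbms: "postgresql"
  # Constructed hostname; the certificate must be valid for this name.
  ingressHostName: "test-keycloak.example.com"
  entandoImageVersion: "7.0.0"
  # Serve the OIDC provider over HTTPS so tokens and admin credentials
  # are not sent in clear text through the ingress.
  tlsEnabled: true
  # Overrides the operator's globally configured TLS Secret for this ingress.
  tlsSecretName: "keycloak-tls-secret"
  replicas: 1
```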