Deploy Keycloak
Last updated: March 27, 2026
Keycloak is an open-source Identity and Access Management solution. With the lowcloud Helm Release, you deploy Keycloak in your Kubernetes cluster – including an embedded PostgreSQL database, Ingress support, and optional Realm import.
Chart Registry: oci://registry-1.docker.io/cloudpirates/keycloak
The Helm Release is provided and maintained by Cloud Pirates.
Prerequisites
- A lowcloud account with an active cluster
- Access to the lowcloud Dashboard
Quick Start
Minimal configuration to get Keycloak up and running:
```yaml
keycloak:
  adminUser: admin
  adminPassword: your-secure-password
  hostname: https://auth.example.com
  proxyHeaders: xforwarded
postgres:
  enabled: true
  auth:
    password: your-db-password
```
Set keycloak.proxyHeaders: xforwarded when running Keycloak behind an nginx Ingress or any other reverse proxy. Without this setting, redirects and token validation will not work correctly.
Configuration
The most important configuration options at a glance:
| Parameter | Description | Default |
|---|---|---|
| keycloak.adminUser | Keycloak admin username | admin |
| keycloak.adminPassword | Admin password (or use existingSecret) | — |
| keycloak.hostname | Public URL of the Keycloak instance | — |
| keycloak.proxyHeaders | Proxy header mode (xforwarded or forwarded) | — |
| keycloak.production | Production mode (start) or dev mode | true |
| postgres.enabled | Enable embedded PostgreSQL | true |
| postgres.auth.password | Password for the embedded database | — |
| ingress.enabled | Enable Ingress | false |
| ingress.className | Ingress class (e.g. nginx) | — |
| cache.stack | Cache mode (local or ispn for multi-replica) | local |
Step-by-Step Guide
1. Add the service
In the lowcloud Dashboard, navigate to Add Service and select Helm Release. Search for the Keycloak registry in the popup:
oci://registry-1.docker.io/cloudpirates/keycloak
Select the desired version. "latest" is a good choice in most cases.
2. Configure values
Give the service a meaningful name (e.g. keycloak). Then adjust the values:
```yaml
keycloak:
  adminUser: admin
  adminPassword: your-secure-password
  hostname: https://auth.example.com
  proxyHeaders: xforwarded
postgres:
  enabled: true
  auth:
    password: your-db-password
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: auth.example.com
      paths:
        - path: /
          pathType: Prefix
```
3. Start deployment
Open the created service and click Deploy. Wait until the label in the Dashboard switches to "Deployed". Keycloak will then be accessible at the configured hostname URL.
Advanced Values
For production use, a complete configuration with persistence, resource limits, and TLS is recommended:
```yaml
keycloak:
  adminUser: admin
  adminPassword: your-secure-password
  hostname: https://auth.example.com
  proxyHeaders: xforwarded
  production: true
postgres:
  enabled: true
  auth:
    password: your-db-password
  primary:
    persistence:
      enabled: true
      size: 10Gi
    resources:
      requests:
        cpu: 250m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: auth.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: auth-tls
      hosts:
        - auth.example.com
resources:
  requests:
    cpu: 500m
    memory: 512Mi
  limits:
    cpu: '2'
    memory: 1Gi
```
Realm Import
You can automatically import a realm on startup. Store your realm configuration as a Kubernetes Secret and reference it:
```yaml
realm:
  import: true
  existingSecret: my-realm-secret
```
The Secret must contain a key realm.json with the realm JSON content.
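A Secret manifest that matches the reference above, as an added example that is not part of the chart's or lowcloud's own documentation. Only the Secret name my-realm-secret and the key realm.json come from this page; the namespace placeholder, the realm name, and the realm settings are constructed for illustration.

```yaml
# Added example: Secret carrying a realm export for import on startup.
apiVersion: v1
kind: Secret
metadata:
  name: my-realm-secret          # must match realm.existingSecret
  namespace: <release-namespace> # placeholder: same namespace as the Keycloak release
type: Opaque
stringData:
  # The key must be exactly realm.json.
  realm.json: |
    {
      "realm": "example",
      "enabled": true,
      "sslRequired": "external",
      "registrationAllowed": false,
      "bruteForceProtected": true,
      "failureFactor": 5,
      "passwordPolicy": "length(12)"
    }
```

A realm exported from a running instance can contain client secrets and user credentials, which is why it belongs in a Secret rather than in the Helm values or a ConfigMap.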
External Database
If you want to use an existing PostgreSQL instance, disable the embedded database and configure the external connection:
```yaml
postgres:
  enabled: false
database:
  type: postgres
  host: my-postgres-service
  port: '5432'
  name: keycloak
  username: keycloak
  password: your-db-password
```