Skip to content

README.md

Latest commit

 

History

History
117 lines (84 loc) · 3.87 KB

README.md

File metadata and controls

117 lines (84 loc) · 3.87 KB

Keycloak on AKS with Postgres and Protected Webpage

Overview

This project provisions an Azure Kubernetes Service (AKS) cluster using Terraform, and deploys a Keycloak identity provider, a Postgres database, and a static web server. The web page is protected by Keycloak authentication. All application configuration is managed via Ansible, and the entire workflow is automated with GitHub Actions.

Architecture

graph TD
    A[GitHub Actions] -->|Terraform| B[Azure AKS Cluster]
    B --> C[Keycloak Pod]
    B --> D[Postgres Pod]
    B --> E[Web Server Pod]
    E -->|Protected by| C
    C --> D
    F[User] -->|Access| E
    F -->|Login| C
Loading
  • AKS: Hosts all application containers.
  • Keycloak: Provides authentication and authorization.
  • Postgres: Backend database for Keycloak.
  • Web Server: Serves static content, protected by Keycloak.
  • Ingress: Routes external traffic to services.

Components & Justification

Why these components?

  • AKS: Managed Kubernetes, easy scaling, Azure integration, and secure.
  • Keycloak: Open-source, robust identity and access management.
  • Postgres: Reliable, open-source database, well-supported by Keycloak.
  • NGINX (web server): Lightweight, perfect for serving static content.
  • Terraform: Industry-standard for infrastructure as code.
  • Ansible: Idempotent, agentless configuration management.
  • GitHub Actions: Seamless CI/CD integration with GitHub.

Why not other components?

  • No Azure App Service/Container Instances: AKS is more flexible for orchestrating multiple containers and advanced networking.
  • No managed Postgres: For demo purposes, in-cluster Postgres is simpler; for production, use Azure Database for PostgreSQL.

Images Used

  • Keycloak: quay.io/keycloak/keycloak:22.0.1
  • Postgres: postgres:15
  • Web: nginx:alpine

Network Configuration

  • Azure VNet/Subnet: Isolates AKS and its workloads.
  • Kubernetes Services: Internal communication between pods.
  • Ingress: Exposes web and Keycloak endpoints securely.

Container Environment Choice

  • Kubernetes (AKS): Orchestrates containers, provides scaling, self-healing, and easy integration with Azure services.

Getting Started

Prerequisites

1. Clone the Repository

git clone https://github.com/yourusername/yourrepo.git
cd yourrepo

2. Set up Azure Credentials

  • Create a Service Principal and add its credentials as GitHub Secrets:
    • AZURE_CLIENT_ID
    • AZURE_CLIENT_SECRET
    • AZURE_SUBSCRIPTION_ID
    • AZURE_TENANT_ID

3. Deploy via GitHub Actions

  • Push to main or trigger the Deploy Infrastructure and Apps workflow in the Actions tab.

4. Access the Application

  • After deployment, find the Ingress or LoadBalancer IP in the Azure portal or via: 
    kubectl --kubeconfig=keycloak-on-aks/ansible/kubeconfig get ingress
  • Visit the web page in your browser. You should be redirected to Keycloak for authentication.

5. Destroy the Environment

  • Trigger the Destroy Infrastructure workflow in GitHub Actions to tear down all resources.

Possible Extensions & Benefits

  • Use Azure Database for PostgreSQL: Managed, scalable, and more secure.
  • Enable HTTPS on Ingress: Secure traffic with TLS certificates.
  • Add monitoring/logging: Integrate with Prometheus, Grafana, or Azure Monitor.
  • Autoscaling: Enable horizontal pod autoscaling for high availability.
  • External Secrets: Integrate with Azure Key Vault for secret management.
  • CI/CD for app updates: Automate web content or Keycloak realm updates.

License

MIT