diff --git a/src/frontend/src/content/docs/integrations/security/keycloak.mdx b/src/frontend/src/content/docs/integrations/security/keycloak.mdx index 3d8d603e8..8aa13c768 100644 --- a/src/frontend/src/content/docs/integrations/security/keycloak.mdx +++ b/src/frontend/src/content/docs/integrations/security/keycloak.mdx @@ -190,7 +190,7 @@ await builder.build().run(); ### Add Keycloak resource with parameters 
@@ -273,7 +273,106 @@ await builder.build().run(); -The realm import files are mounted at `/opt/keycloak/data/import` in the Keycloak container. Realm import files are JSON files that represent the realm configuration. +The realm import files are copied to `/opt/keycloak/data/import` in the +Keycloak container. Realm import files are JSON files that represent the realm +configuration. + + + +#### Production alternatives for realm seeding + +For production environments, consider these alternatives to seed your Keycloak +instance: + +**Custom Keycloak image**: Bake realm files into a custom image. Apply +`WithDockerfile` to the Keycloak resource instead of replacing `AddKeycloak` +with `AddContainer`: + +```dockerfile title="keycloak/Dockerfile" +FROM quay.io/keycloak/keycloak:25.0.0 +COPY ./realms/*.json /opt/keycloak/data/import/ +``` + + + +```csharp title="AppHost.cs" +var builder = DistributedApplication.CreateBuilder(args); + +var keycloak = builder.AddKeycloak("keycloak", 8080) + .WithDockerfile("./keycloak"); + +var apiService = builder.AddProject("apiservice") + .WithReference(keycloak) + .WaitFor(keycloak); + +builder.Build().Run(); +``` + + +```typescript title="apphost.mts" +import { createBuilder } from './.aspire/modules/aspire.mjs'; + +const builder = await createBuilder(); + +const keycloak = await builder.addKeycloak("keycloak", 8080); +await keycloak.withDockerfile("./keycloak"); + +const apiService = await builder.addProject("apiservice", "../ApiService/ApiService.csproj"); +await apiService.withReference(keycloak); +await apiService.waitFor(keycloak); + +await builder.build().run(); +``` + + + + + + +```text title="Directory layout" +AppHost.cs +keycloak/ + Dockerfile + realms/ + demo-realm.json +``` + + + + +```text title="Directory layout" +apphost.mts +keycloak/ + Dockerfile + realms/ + demo-realm.json +``` + + + + + + +**Initialization service**: Create a separate initialization service or job +that uses the [Keycloak Admin REST 
API](https://www.keycloak.org/docs-api/latest/rest-api/index.html) +or [Keycloak Admin Client](https://www.nuget.org/packages/Keycloak.AuthServices.Sdk.Admin) +to create and configure realms, clients, and users when the Keycloak instance +first starts. + +**Infrastructure as Code**: Use tools like Terraform with the +[Keycloak provider](https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs) +to manage realm configuration separately from your application deployment. ### Export telemetry to OTLP collector @@ -316,7 +415,8 @@ This enables Keycloak to send traces, metrics, and logs to the Aspire dashboard, ### Hosting integration health checks -The Keycloak hosting integration doesn't currently support health checks, nor does it automatically add them. +The Keycloak hosting integration automatically adds an HTTP health check +against the management endpoint's `/health/ready` path. ## Client integration
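Review bot: in the `@@ -273,7 +273,106 @@` hunk, the custom-image alternative copies realm JSON into `/opt/keycloak/data/import/` but never says how the `--import-realm` startup argument reaches the container; Keycloak only reads that directory when it is started with `--import-realm`, so if `AddKeycloak` combined with `WithDockerfile` does not supply it, the baked-in files are silently ignored. State explicitly whether the hosting integration passes that argument or show how the reader adds it. Two smaller points in the same hunk: the Dockerfile pins `quay.io/keycloak/keycloak:25.0.0` without telling readers to keep the tag aligned with the version the integration targets, and the "Initialization service" paragraph describes calling the Admin REST API at first start without mentioning that the job needs admin credentials, which should come from the parameters described under "Add Keycloak resource with parameters" rather than be hard-coded.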
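Review bot: in the `@@ -316,7 +415,8 @@` hunk, the replacement sentence turns "doesn't currently support health checks" into an unconditional statement with no version, so readers on an earlier release will look for a check that does not exist; add the Aspire version in which the automatic check landed. The sentence also refers to "the management endpoint's `/health/ready` path" without saying that Keycloak only serves health endpoints when health is enabled (`KC_HEALTH_ENABLED=true`) and, from Keycloak 25 onward, on the separate management port (9000 by default); state whether the integration configures both automatically, because a custom image or `WithDockerfile` override that changes either setting would make the readiness probe fail and leave `WaitFor(keycloak)` waiting.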