Skip to content

Instantly share code, notes, and snippets.

@axdotl

axdotl/keycloak-export-import-k8s.md

Last active October 30, 2023 08:43
Show Gist options
  • Save axdotl/c1f97e62c18294e8de550fa5d2ac4661 to your computer and use it in GitHub Desktop.
Save axdotl/c1f97e62c18294e8de550fa5d2ac4661 to your computer and use it in GitHub Desktop.
Download ZIP
Keycloak Export in Kubernetes
Raw
keycloak-export-import-k8s.md

Perform Keycloak Export and Import on Kubernetes

  • Setup Keycloak in non-HA mode (replica 1)
  • Disable UserFederation
  • You might have to increase the resource limits to avoid that pod beeing killed by memory or CPU limits

See Keycloak Documentation for more details.

Export

Trigger export (called from pod keycloak-0):

kubectl exec -it keycloak-0 bash

/opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/opt/jboss/keycloak-export -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES -Dkeycloak.migration.usersPerFile=100 -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777 -Djboss.management.https.port=7776

After succesful export keylcoak finish startup.

WFLYSRV0025: Keycloak 4.5.0.Final (WildFly Core 5.0.0.Final) started in 86826ms

Shutdown by pressing Ctrl+C

Copy files (on local machine):

mkdir kc-export
cd kc-export
kubectl cp keycloak-0:/opt/jboss/keycloak-export .

See: https://stackoverflow.com/a/47198081/7290164

Import

Copy files from local machine to pod:

cd kc-export
kubectl cp . keycloak-0:/opt/jboss/keycloak-export

Connect to pod and trigger import for a specific realm:

kubectl exec -it keycloak-0 bash

/opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/opt/jboss/keycloak-export -Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES -Dkeycloak.migration.usersPerFile=100 -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777 -Djboss.management.https.port=7776 -Dkeycloak.migration.realmName=<my-realm-name>

After succesful import keylcoak finish startup.

WFLYSRV0025: Keycloak 4.5.0.Final (WildFly Core 5.0.0.Final) started in 86826ms

Shutdown by pressing Ctrl+C

@bkranendonk
Copy link

bkranendonk commented Jun 22, 2022
edited
Loading

Thanks for this.

I had some trouble with the WildFly Undertow webserver port which was bound on the same port as the 'normal' running Keycloak process in the background.

I fixed this issue by adding -Djboss.socket.binding.port-offset=100

This offsets all used TCP/IP ports by 100, including the Undertow port.

Additional info for Bitnami image users:

Add add -c=standalone-ha.xml to your export command. Bitnami uses this config file for the database resource.

Source: https://stackoverflow.com/posts/71668421

@reachtoamrita
Copy link

reachtoamrita commented Jan 25, 2023
edited
Loading

Thanks for this. When I export the realm, I am seeing the client secret is masked for clientAuthenticatorType as "client-jwt". Did you also face this problem. Is there any way to export the client secret also.

image

@leifjones
Copy link

I’m sure that’s a deliberate security measure. It may be accessible through the UI or another CLI approach, but it’s likely possible to configure that in the new step (wherever it’s being imported) manually.

@krafcima
Copy link

krafcima commented Mar 2, 2023

@axdotl thanks a lot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment