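# Keycloak 26.x Production Docker Compose
# Single-node setup with PostgreSQL, health checks, and security hardening
#
# Full tutorial: https://www.iamdevbox.com/posts/keycloak-docker-compose-production-deployment-guide/
#
# Usage:
# 1. Copy .env.example to .env and set passwords (DB_PASSWORD, ADMIN_PASSWORD)
# 2. docker compose up -d
# 3. Put a TLS-terminating reverse proxy in front of the published HTTP port
#    (on the same host, or attached to the "frontend" network) and reach
#    Keycloak through the URL configured in KC_HOSTNAME.
#    The port is bound to loopback by default, so http://localhost:8080 is
#    only reachable from the Docker host itself (see KC_BIND_ADDRESS below).
services:
  postgres:
    image: postgres:16-alpine
    container_name: keycloak-postgres
    restart: unless-stopped
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      # Injected from .env. Environment values are readable by anyone who can
      # run `docker inspect`; keep .env out of version control.
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    # Postgres tuning for a ~1 GB single-node container.
    command:
      - "postgres"
      - "-c"
      - "shared_buffers=256MB"
      - "-c"
      - "effective_cache_size=768MB"
      - "-c"
      - "work_mem=4MB"
      - "-c"
      - "maintenance_work_mem=64MB"
      - "-c"
      - "max_connections=50"
      - "-c"
      - "random_page_cost=1.1"
      - "-c"
      - "effective_io_concurrency=200"
      - "-c"
      - "log_min_duration_statement=500"
    # The entrypoint drops from root to the postgres user; it never needs to
    # gain privileges, so block setuid/setgid escalation inside the container.
    security_opt:
      - no-new-privileges:true
    # No `ports:` on purpose - the database is reachable only from the
    # "internal" network, never from the host or the proxy.
    networks:
      - internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: "1.0"

  keycloak:
    image: quay.io/keycloak/keycloak:26.1
    container_name: keycloak
    # `start`, not `start --optimized`: --optimized skips Keycloak's build
    # phase, and build-time options (KC_DB, KC_HEALTH_ENABLED,
    # KC_METRICS_ENABLED, KC_FEATURES_DISABLED, KC_CACHE) set here at runtime
    # are then not applied unless they were baked into a custom image with
    # `kc.sh build`. With the stock image, plain `start` performs that build
    # on startup so the PostgreSQL/health/feature settings below take effect.
    command: start
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      # Database
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${DB_PASSWORD}
      # Fixed-size pool; keep below postgres max_connections (50) with headroom.
      KC_DB_POOL_INITIAL_SIZE: "25"
      KC_DB_POOL_MIN_SIZE: "25"
      KC_DB_POOL_MAX_SIZE: "25"
      # Hostname (change to your domain). This is the public URL clients see;
      # TLS is terminated at the reverse proxy, hence plain HTTP is enabled.
      KC_HOSTNAME: ${KC_HOSTNAME:-https://auth.example.com}
      KC_HTTP_ENABLED: "true"
      # Keycloak trusts X-Forwarded-* from whatever connects to port 8080.
      # Only the proxy may be able to reach it directly, otherwise a client
      # can spoof its source address and scheme - that is why the published
      # port is bound to loopback by default (see `ports:` below).
      KC_PROXY_HEADERS: xforwarded
      # Observability (served on the management port 9000, which is not
      # published to the host; scrape it from the "frontend" network).
      KC_HEALTH_ENABLED: "true"
      KC_METRICS_ENABLED: "true"
      # Temporary bootstrap admin, used only when no admin exists yet.
      # After first login: create a permanent admin in the master realm,
      # delete this account, and remove these variables (and ADMIN_PASSWORD)
      # from .env so the credential does not linger in the environment.
      KC_BOOTSTRAP_ADMIN_USERNAME: ${ADMIN_USERNAME:-admin}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${ADMIN_PASSWORD}
      # Single-node cache (no cluster discovery)
      KC_CACHE: local
      # Security hardening: impersonation is disabled unless explicitly enabled.
      KC_FEATURES_DISABLED: ${KC_FEATURES_DISABLED:-impersonation}
      # Load shedding
      KC_HTTP_MAX_QUEUED_REQUESTS: "1000"
      # Logging
      KC_LOG_LEVEL: info
      KC_LOG_CONSOLE_OUTPUT: json
      # JVM: size the heap from the container memory limit rather than host RAM.
      JAVA_OPTS_KC_HEAP: >-
        -XX:MaxRAMPercentage=70
        -XX:InitialRAMPercentage=50
        -XX:MaxHeapFreeRatio=30
    # Bound to 127.0.0.1 by default so only a proxy on this host can reach
    # the plain-HTTP listener. Set KC_BIND_ADDRESS=0.0.0.0 only when the proxy
    # runs elsewhere AND the host firewall restricts the port - Docker's
    # published ports are typically not covered by host INPUT firewall rules.
    ports:
      - "${KC_BIND_ADDRESS:-127.0.0.1}:${KC_HTTP_PORT:-8080}:8080"
    # The image runs as a non-root user and binds only unprivileged ports, so
    # it needs no Linux capabilities and must never gain privileges.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    networks:
      - frontend
      - internal
    healthcheck:
      # Readiness probe against the management port via bash /dev/tcp
      # (the image ships no curl/wget).
      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q '\"status\": \"UP\"'"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: "2.0"
        reservations:
          memory: 1G

volumes:
  pgdata:

networks:
  # Attach the reverse proxy to this network if it runs as a container.
  frontend:
    driver: bridge
  # Database-only network; `internal: true` gives it no route to the host
  # or the outside world.
  internal:
    driver: bridge
    internal: true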