Keycloak
If you already have a Keycloak instance running, consider using that and proceed with installing MongoDB. See also Pre-Installation Tasks for the configuration values of your Keycloak installation that you need to gather for the installation of IBM Financial Services Workbench.
Official Documentation
Keycloak - Documentation (9.0.3)
Install Keycloak Operator from the OperatorHub
As a cluster administrator, install the Keycloak operator from the OperatorHub into the namespace foundation:
- In the OpenShift web console navigate to the Operators → OperatorHub page 
- Filter by keyword: Keycloak 
- Select the operator: Keycloak (Community) provided by Red Hat 
- Read the information about the operator and click Install 
- On the Create Operator Subscription page:
  - Select option A specific namespace on the cluster with namespace foundation
  - Select an Update Channel (if more than one is available)
  - Select Automatic approval strategy
  - Click Subscribe
- After the Subscription's upgrade status is Up to date, navigate in the web console to the Operators → Installed Operators page 
- Select the Keycloak Operator and verify that the content for the Overview tab of the Operators → Operator Details page is displayed 
Create the Keycloak Instance
Create the Keycloak CRD instance in the namespace foundation:
- Navigate in the web console to the Operators → Installed Operators page 
- Select the Keycloak Operator 
- Navigate to the Keycloak tab of the Operators → Operator Details page 
- Click Create Keycloak 
- In the Keycloak Operator → Create Keycloak page:
  - Enter the resource definition (see Example Keycloak Configuration)
  - Click Create
- Verify that in the Keycloak tab the newly created foundation-keycloak CRD instance is displayed 
Example Keycloak Configuration
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: foundation-keycloak
  labels:
    app: sso
  namespace: foundation
spec:
  instances: 1
  extensions:
    - >-
      https://github.com/aerogear/keycloak-metrics-spi/releases/download/1.0.4/keycloak-metrics-spi-1.0.4.jar
  externalAccess:
    enabled: false
externalAccess.enabled must be set to false, and the public route must be created separately. If the property is set to true in the Keycloak configuration, the operator creates a route that can result in all requests on .apps.{CLUSTER_DOMAIN} being routed to the Keycloak service.
Create Public Route for Keycloak
Create a public route keycloak-external as follows, with {CLUSTER_DOMAIN} set to your cluster domain:
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: keycloak-external
  namespace: foundation
  labels:
    app: keycloak
spec:
  host: keycloak-foundation.{CLUSTER_DOMAIN}
  to:
    kind: Service
    name: keycloak
    weight: 100
  port:
    targetPort: keycloak
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: None
  wildcardPolicy: None
Retrieve Credentials
You can retrieve the credentials for connecting to Keycloak from the Kubernetes secret named credential-foundation-keycloak:
oc -n foundation get secret credential-foundation-keycloak -o jsonpath='{.data.ADMIN_USERNAME}' | base64 -d; echo
oc -n foundation get secret credential-foundation-keycloak -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d; echo
Retrieve Certificates
The certificates are needed later during installation (truststore.trustmap.identity), so please download and save them temporarily.
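# Host name of the public route created above
KEYCLOAK_HOST=$(oc -n foundation get route keycloak-external -o jsonpath='{.spec.host}')
# Save every certificate the route presents (SNI is set to the route host)
echo | openssl s_client -showcerts -servername "$KEYCLOAK_HOST" -connect "$KEYCLOAK_HOST:443" 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keycloak-fullchain.pem
Verify the Keycloak Installation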
When the Keycloak installation is complete, make sure that you can access Keycloak with the retrieved credentials at the URL specified by the route.host parameter in the values.yaml file of the route you just created in the section Create Public Route for Keycloak.
oc -n foundation get route keycloak-external
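The openssl command in Retrieve Certificates saves whatever the endpoint presents without verifying it, and leaves an empty keycloak-fullchain.pem if the connection fails. The following added example (not part of the original documentation) splits the saved bundle and prints subject, issuer, expiry and SHA-256 fingerprint of each certificate so they can be compared with values obtained from the cluster's CA administrator before the file goes into truststore.trustmap.identity. The function names split_chain and describe_chain are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: inspect keycloak-fullchain.pem before trusting it.
# split_chain and describe_chain are hypothetical helper names.

# Write each certificate of PEM bundle $1 to $2/cert-NN.pem and
# print the number of certificates found (0 if none).
split_chain() {
  awk -v dir="$2" '
    /-BEGIN CERTIFICATE-/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside                { print > out }
    /-END CERTIFICATE-/   { inside = 0; close(out) }
    END                   { print n + 0 }
  ' "$1"
}

# Print subject, issuer, expiry date and SHA-256 fingerprint of every
# certificate in bundle $1. Returns non-zero if the bundle is missing,
# empty, contains no certificate, or a certificate cannot be parsed.
describe_chain() {
  local bundle tmp count f rc
  bundle=$1
  rc=0
  if [ ! -s "$bundle" ]; then
    echo "error: $bundle is missing or empty (did the TLS connection fail?)" >&2
    return 1
  fi
  tmp=$(mktemp -d) || return 1
  count=$(split_chain "$bundle" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "error: no certificate found in $bundle" >&2
    rm -rf "$tmp"
    return 1
  fi
  echo "$count certificate(s) in $bundle"
  for f in "$tmp"/cert-*.pem; do
    echo "== ${f##*/}"
    openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256 || rc=1
  done
  rm -rf "$tmp"
  return "$rc"
}

# Usage after sourcing this file: describe_chain keycloak-fullchain.pem
```

With a reencrypt route, the first certificate printed is the one served by the OpenShift router for the route host, followed by any intermediates it sends.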