Introducing our new CEO Don Johnson - Read More

bitnami/keycloak

Verified Publisher

By VMware

Updated 2 days ago

Bitnami container image for Keycloak

Image
API Management
Security
105

10M+

Bitnami package for Keycloak

What is Keycloak?

Keycloak is a high performance Java-based identity and access management solution. It lets developers add an authentication layer to their applications with minimum effort.

Overview of Keycloak Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.

TL;DR

docker run --name keycloak bitnami/keycloak:latest

Warning: This quick setup is only intended for development environments. You are encouraged to change the insecure default credentials and check out the available configuration options in the Configuration section for a more secure deployment.

Why use Bitnami Images?

  • Bitnami closely tracks upstream source changes and promptly publishes new versions of this image using our automated systems.
  • With Bitnami images the latest bug fixes and features are available as soon as possible.
  • Bitnami containers, virtual machines and cloud images use the same components and configuration approach - making it easy to switch between formats based on your project needs.
  • All our images are based on minideb -a minimalist Debian based container image that gives you a small base container image and the familiarity of a leading Linux distribution- or scratch -an explicitly empty image-.
  • All Bitnami images available in Docker Hub are signed with Notation. Check this post to know how to verify the integrity of the images.
  • Bitnami container images are released on a regular basis with the latest distribution packages available.

Looking to use Keycloak in production? Try VMware Tanzu Application Catalog, the commercial edition of the Bitnami catalog.

How to deploy Keycloak in Kubernetes?

Deploying Bitnami applications as Helm Charts is the easiest way to get started with our applications on Kubernetes. Read more about the installation in the Bitnami Keycloak Chart GitHub repository.

Why use a non-root container?

Non-root container images add an extra layer of security and are generally recommended for production environments. However, because they run as a non-root user, privileged tasks are typically off-limits. Learn more about non-root containers in our docs.

Only latest stable branch maintained in the free Bitnami catalog

Starting December 10th 2024, only the latest stable branch of any container will receive updates in the free Bitnami catalog. To access up-to-date releases for all upstream-supported branches, consider upgrading to Bitnami Premium. Previous versions already released will not be deleted. They are still available to pull from DockerHub.

Please check the Bitnami Premium page in our partner Arrow Electronics for more information.

Supported tags and respective Dockerfile links

Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags in our documentation page.

You can see the equivalence between the different tags by taking a look at the tags-info.yaml file present in the branch folder, i.e bitnami/ASSET/BRANCH/DISTRO/tags-info.yaml.

Subscribe to project updates by watching the bitnami/containers GitHub repo.

Get this image

The recommended way to get the Bitnami keycloak Docker Image is to pull the prebuilt image from the Docker Hub Registry.

docker pull bitnami/keycloak:latest

To use a specific version, you can pull a versioned tag. You can view the list of available versions in the Docker Hub Registry.

docker pull bitnami/keycloak:[TAG]

If you wish, you can also build the image yourself by cloning the repository, changing to the directory containing the Dockerfile and executing the docker build command. Remember to replace the APP, VERSION and OPERATING-SYSTEM path placeholders in the example command below with the correct values.

git clone https://github.com/bitnami/containers.git
cd bitnami/APP/VERSION/OPERATING-SYSTEM
docker build -t bitnami/APP:latest .

Configuration

Environment variables

Customizable environment variables

NameDescriptionDefault Value
KEYCLOAK_MOUNTED_CONF_DIRDirectory for including custom configuration files (that override the default generated ones)${KEYCLOAK_VOLUME_DIR}/conf
KC_RUN_IN_CONTAINERKeycloak kc.sh contexttrue
KEYCLOAK_ADMINKeycloak administrator useruser
KEYCLOAK_ADMIN_PASSWORDKeycloak administrator passwordbitnami
KEYCLOAK_HTTP_RELATIVE_PATHSet the path relative to "/" for serving resources./
KEYCLOAK_HTTP_PORTHTTP port8080
KEYCLOAK_HTTPS_PORTHTTPS port8443
KEYCLOAK_BIND_ADDRESSBind address$(hostname --fqdn)
KEYCLOAK_HOSTNAMEKeycloak hostnamenil
KEYCLOAK_HOSTNAME_ADMINKeycloak admin hostnamenil
KEYCLOAK_HOSTNAME_STRICTDisables dynamically resolving the hostname from request headersfalse
KEYCLOAK_INIT_MAX_RETRIESMaximum retries for checking that the database works10
KEYCLOAK_CACHE_TYPEDefines the cache mechanism for high-availability.ispn
KEYCLOAK_CACHE_STACKApply a specific cache stacknil
KEYCLOAK_CACHE_CONFIG_FILEPath to the cache config filenil
KEYCLOAK_EXTRA_ARGSAdd extra startup parameters to keycloaknil
KEYCLOAK_ENABLE_STATISTICSEnable metrics for the databasefalse
KEYCLOAK_ENABLE_HEALTH_ENDPOINTSEnable health endpointsfalse
KEYCLOAK_ENABLE_HTTPSEnable SSL certificatesfalse
KEYCLOAK_HTTPS_TRUST_STORE_FILEPath to the SSL truststore filenil
KEYCLOAK_HTTPS_TRUST_STORE_PASSWORDPassword for decrypting the truststore filenil
KEYCLOAK_HTTPS_KEY_STORE_FILEPath to the SSL keystore filenil
KEYCLOAK_HTTPS_KEY_STORE_PASSWORDPassword for decrypting the keystore filenil
KEYCLOAK_HTTPS_USE_PEMSet to true to configure HTTPS using PEM certificatesfalse
KEYCLOAK_HTTPS_CERTIFICATE_FILEPath to the PEM certificate filenil
KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILEPath to the PEM key filenil
KEYCLOAK_SPI_TRUSTSTORE_FILEPath to the Keycloak SPI truststore filenil
KEYCLOAK_SPI_TRUSTSTORE_PASSWORDPassword for decrypting the SPI truststore filenil
KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICYHostqname verification policy for SPI connection over HTTPS/TLSnil
KEYCLOAK_LOG_LEVELKeycloak log levelinfo
KEYCLOAK_LOG_OUTPUTKeycloak log outputdefault
KEYCLOAK_ROOT_LOG_LEVELKeycloak root log levelINFO
KEYCLOAK_PROXY_HEADERSKeycloak reverse proxy headersnil
KEYCLOAK_PRODUCTIONRun in production modefalse
KEYCLOAK_EXTRA_ARGS_PREPENDEDRun with flags which are applied directly to keycloak executablenil
KEYCLOAK_DATABASE_VENDORDatabase vendorpostgresql
KEYCLOAK_DATABASE_HOSTDatabase backend hostnamepostgresql
KEYCLOAK_DATABASE_PORTDatabase backend port5432
KEYCLOAK_DATABASE_USERDatabase backend usernamebn_keycloak
KEYCLOAK_DATABASE_NAMEDatabase namebitnami_keycloak
KEYCLOAK_DATABASE_PASSWORDDatabase backend passwordnil
KEYCLOAK_DATABASE_SCHEMAPostgreSQL database schemapublic
KEYCLOAK_JDBC_PARAMSExtra JDBC connection parameters for the database (e.g.: sslmode=verify-full&connectTimeout=30000)nil
KEYCLOAK_JDBC_DRIVERJDBC driver to set in the connection string for the databasepostgresql
KEYCLOAK_DAEMON_USERKeycloak daemon user when running as rootkeycloak
KEYCLOAK_DAEMON_GROUPKeycloak daemon group when running as rootkeycloak

Read-only environment variables

NameDescriptionValue
BITNAMI_VOLUME_DIRDirectory where to mount volumes./bitnami
JAVA_HOMEJava installation directory/opt/bitnami/java
KEYCLOAK_BASE_DIRKeycloak base directory/opt/bitnami/keycloak
KEYCLOAK_BIN_DIRKeycloak bin directory$KEYCLOAK_BASE_DIR/bin
KEYCLOAK_PROVIDERS_DIRKeycloak Wildfly extensions directory$KEYCLOAK_BASE_DIR/providers
KEYCLOAK_LOG_DIRKeycloak bin directory$KEYCLOAK_PROVIDERS_DIR/log
KEYCLOAK_TMP_DIRKeycloak tmp directory$KEYCLOAK_PROVIDERS_DIR/tmp
KEYCLOAK_DOMAIN_TMP_DIRKeycloak tmp directory$KEYCLOAK_BASE_DIR/domain/tmp
WILDFLY_BASE_DIRWildfly base directory/opt/bitnami/wildfly
KEYCLOAK_VOLUME_DIRPath to keycloak mount directory/bitnami/keycloak
KEYCLOAK_CONF_DIRKeycloak configuration directory$KEYCLOAK_BASE_DIR/conf
KEYCLOAK_DEFAULT_CONF_DIRKeycloak default configuration directory$KEYCLOAK_BASE_DIR/conf.default
KEYCLOAK_INITSCRIPTS_DIRPath to keycloak init scripts directory/docker-entrypoint-initdb.d
KEYCLOAK_CONF_FILEName of the keycloak configuration file (relative path)keycloak.conf
KEYCLOAK_DEFAULT_CONF_FILEName of the keycloak configuration file (relative path)keycloak.conf
Extra arguments to Keycloak startup

In case you want to add extra flags to the Keycloak use the KEYCLOAK_EXTRA_ARGS variable. Example:

docker run --name keycloak \
  -e KEYCLOAK_EXTRA_ARGS="-Dkeycloak.profile.feature.scripts=enabled" \
  bitnami/keycloak:latest

Or, if you need flags which are applied directly to keycloak executable, you can use KEYCLOAK_EXTRA_ARGS_PREPENDED variable. Example:

docker run --name keycloak \
  -e KEYCLOAK_EXTRA_ARGS_PREPENDED="--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true" \
  bitnami/keycloak:latest
Initializing a new instance

When the container is launched, it will execute the files with extension .sh located at /docker-entrypoint-initdb.d.

In order to have your custom files inside the docker image you can mount them as a volume.

docker run --name keycloak \
  -v /path/to/init-scripts:/docker-entrypoint-initdb.d \
  bitnami/keycloak:latest

Or with docker-compose

keycloak:
  image: bitnami/keycloak:latest
  volumes:
    - /path/to/init-scripts:/docker-entrypoint-initdb.d
TLS Encryption

The Bitnami Keycloak Docker image allows configuring HTTPS/TLS encription. This is done by mounting in /opt/bitnami/keycloak/certs two files:

  • keystore: File with the server keystore
  • truststore: File with the server truststore

Note: find more information about how to create these files at the Keycloak documentation.

Apart from that, the following environment variables must be set:

  • KEYCLOAK_ENABLE_HTTPS: Enable TLS encryption using the keystore. Default: false.
  • KEYCLOAK_HTTPS_KEY_STORE_FILE: Path to the keystore file (e.g. /opt/bitnami/keycloak/certs/keystore.jks). No defaults.
  • KEYCLOAK_HTTPS_TRUST_STORE_FILE: Path to the truststore file (e.g. /opt/bitnami/keycloak/certs/truststore.jks). No defaults.
  • KEYCLOAK_HTTPS_KEY_STORE_PASSWORD: Password for accessing the keystore. No defaults.
  • KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD: Password for accessing the truststore. No defaults.
  • KEYCLOAK_HTTPS_USE_PEM: Set to true to configure HTTPS using PEM certificates'. Default: false.
  • KEYCLOAK_HTTPS_CERTIFICATE_FILE: Path to the PEM certificate file (e.g. /opt/bitnami/keycloak/certs/tls.crt). No defaults.
  • KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE: Path to the PEM key file (e.g. /opt/bitnami/keycloak/certs/tls.key). No defaults.
SPI TLS truststore

The Bitnami Keycloak Docker image supports configuring a truststore for HTTP/TLS connection with Keycloak SPIs.

  • KEYCLOAK_SPI_TRUSTSTORE_FILE: Path to the Keycloak SPI truststore file (e.g. /opt/bitnami/keycloak/certs-spi/truststore.jks). No defaults.
  • KEYCLOAK_SPI_TRUSTSTORE_PASSWORD: Password for decrypting the SPI truststore file. No defaults.
  • KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY: Hostname verification policy for SPI connection over HTTPS/TLS
Adding custom themes

In order to add new themes to Keycloak, you can mount them to the /opt/bitnami/keycloak/themes folder. The example below mounts a new theme.

version: '2'
services:
  postgresql:
    image: docker.io/bitnami/postgresql:latest
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
      - POSTGRESQL_USERNAME=bn_keycloak
      - POSTGRESQL_DATABASE=bitnami_keycloak
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
  keycloak:
    image: docker.io/bitnami/keycloak:latest
    ports:
      - "80:8080"
    environment:
      - KEYCLOAK_CREATE_ADMIN_USER=true
    depends_on:
      - postgresql
    volumes:
      - './mynewtheme:/opt/bitnami/keycloak/themes/mynewtheme'
volumes:
  postgresql_data:
    driver: local
Enabling statistics

The Bitnami Keycloak container can activate different set of statistics (database, jgroups and http) by setting the environment variable KEYCLOAK_ENABLE_STATISTICS=true.

Enabling health endpoints

The Bitnami Keycloak container can activate several endpoints providing information about the health of Keycloak, by setting the environment variable KEYCLOAK_ENABLE_HEALTH_ENDPOINTS=true. See the official documentation for more information about these endpoints.

Full configuration

The image looks for configuration files in the /bitnami/keycloak/conf/ directory, this directory can be changed by setting the KEYCLOAK_MOUNTED_CONF_DIR environment variable.

docker run --name keycloak \
    -v /path/to/keycloak.conf:/bitnami/keycloak/conf/keycloak.conf \
    bitnami/keycloak:latest

Or with docker-compose

keycloak:
  image: bitnami/keycloak:latest
  volumes:
    - /path/to/keycloak.conf:/bitnami/keycloak/conf/keycloak.conf:ro

After that, your changes will be taken into account in the server's behaviour.

Notable Changes

19-debian-11-r4
  • TLS environment variables have been renamed to match upstream.
    • KEYCLOAK_ENABLE_TLS was renamed as KEYCLOAK_ENABLE_HTTPS.
    • KEYCLOAK_TLS_KEYSTORE_FILE was renamed as KEYCLOAK_TLS_KEY_STORE_FILE.
    • KEYCLOAK_TLS_TRUSTSTORE_FILE was renamed as KEYCLOAK_TLS_TRUST_STORE_FILE.
    • KEYCLOAK_TLS_KEYSTORE_PASSWORD was renamed as KEYCLOAK_TLS_KEY_STORE_PASSWORD.
    • KEYCLOAK_TLS_TRUSTSTORE_PASSWORD was renamed as KEYCLOAK_TLS_TRUST_STORE_PASSWORD.
  • HTTPS/TLS can now be configured using PEM certificates.
  • Added support to add SPI truststore file.
17-debian-10

Keycloak 17 is powered by Quarkus and to deploy it in production mode it is necessary to set up TLS. To do this you need to set KEYCLOAK_PRODUCTION to true and configure TLS

Using docker-compose.yaml

Please be aware this file has not undergone internal testing. Consequently, we advise its use exclusively for development or testing purposes. For production-ready deployments, we highly recommend utilizing its associated Bitnami Helm chart.

If you detect any issue in the docker-compose.yaml file, feel free to report it or contribute with a fix by following our Contributing Guidelines.

Contributing

We'd love for you to contribute to this container. You can request new features by creating an issue or submitting a pull request with your contribution.

Issues

If you encountered a problem running this container, you can file an issue. For us to provide better support, be sure to fill the issue template.

License

Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Docker Pull Command

docker pull bitnami/keycloak
Bitnami