Configuration Management with Keycloak and Docker (CI/CD-Pipeline)

Hello community

I have a question about CI/CD with Keycloak and Docker.

I have done a proof of concept verification on my localhost, which allows me to build and deploy Keycloak automatically with Jenkins inside a docker swarm. Everything is based on Docker. I set up a DEV and REL environment. For my PoC, I am using mariaDB. All configuration changes are first made on the DEV environment. For example I set up a new authentication flow to enable WebAuthn. The configuration was first made via admin console (UI) to check if all is working fine. This new configuration is stored into the mariaDB.

Now I want to automate this new configuration. In my case I am using the Admin REST API. I setup a bash script, which is called after every container startup (startup-script -> see DockerHub docs for keycloak). The problem was that the Admin REST API is of course only available, if Keycloak is up and running. In this case my script is waiting (loop which checks the connectivity via netcat) until the Keycloak REST API is available.

This bash script is running different Admin REST-API calls and checks if the configuration on the environment is already present or not (the script is creating Realms, Clients, Scopes etc.). If one configuration is missing (maybe a client is missing) then it is newly created by the REST call. If the whole configuration is already there, all the REST calls will be skipped. If I remove all data from the Database (rm -rf * in mariaDB dir), the whole configuration (realms, clients etc.) is created again with my script, after the container was started up successfully.

But in the end I guess this is not the best way to deal with this, because after every startup the configuration will be checked with my bash script. For larger migrations it is also more error-prone and the engineering effort for the script is high with every configuration adjustment. And in my opinion, this should also not happen after the container startup, the configuration should be change before startup. But the API is not accessible before the startup of Keycloak…

I was reading about the Keycloak export/import function. Maybe this function could be helpful at my case. But I don’t see one point with this function. If I export the database from my DEV environment and I want to import the data to my REL environment, I don’t want to overwrite all the users. Because every environment has a different set of users (maybe there are more environment like integration, test, production etc.) So how do you deal with this point?

In my case I only want to export all the configuration from DEV (except the users) and import this to the REL environment (without overwriting or importing all the users from DEV). Do you have any suggestions? Is there a possible way to do this with the export/import function? How do you integration Keycloak with a CI/CD Pipeline?

I appreciate every advice from you.