Keycloak 19 Quarkus in Docker behind Nginx

Recently I decided to prepare a demo of a production-style Keycloak deployment on the latest Quarkus release, running in Docker with Postgres behind a reverse proxy. There is not much information on the Internet on how to prepare such a configuration properly, but based on the documentation it is not too difficult.

Below is an example production configuration for the docker-compose tool.

version: '3'

services:
  postgres:
    image: postgres:latest          # pin a specific major version in production
    container_name: keycloak-db
    restart: always
    volumes:
      - /opt/docker-volumes/keycloak/postgresql:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password   # demo credentials, replace before real use
    networks:
      - keycloak-network
  keycloak:
    image: quay.io/keycloak/keycloak:latest   # pin a specific version in production
    container_name: keycloak
    restart: always
    environment:
      KC_DB: postgres
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password      # demo credentials, must match POSTGRES_PASSWORD
      KC_DB_SCHEMA: public
      KC_DB_URL_DATABASE: keycloak
      KC_DB_URL_HOST: keycloak-db   # the postgres container_name, resolvable on keycloak-network
      KC_HOSTNAME: keycloak.services.org.pl
      KC_HTTPS_CLIENT_AUTH: request
      KC_HTTPS_CERTIFICATE_FILE: /opt/keycloak/conf/server.crt.pem
      KC_HTTPS_CERTIFICATE_KEY_FILE: /opt/keycloak/conf/server.key.pem
      KC_HTTPS_PORT: 443
      KC_HTTPS_PROTOCOLS: TLSv1.3,TLSv1.2
      KC_PROXY: reencrypt           # nginx terminates TLS and opens a new TLS connection to Keycloak
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin    # demo credentials, replace before real use
      PROXY_ADDRESS_FORWARDING: "true"  # legacy WildFly variable; the Quarkus distribution uses KC_PROXY
      # Keycloak expects a comma-separated list; a multi-line plain YAML value
      # would be folded into a single space-separated string.
      KC_FEATURES: authorization,account2,account-api,admin-fine-grained-authz,admin2,docker,impersonation,openshift-integration,scripts,token-exchange,web-authn,client-policies,ciba,map-storage,par,declarative-user-profile,dynamic-scopes,client-secret-rotation,step-up-authentication,recovery-codes,update-email,preview
    entrypoint: /opt/keycloak/bin/kc.sh start --auto-build
    volumes:
      - /etc/letsencrypt/live/services.org.pl/fullchain.pem:/opt/keycloak/conf/server.crt.pem
      - /etc/letsencrypt/live/services.org.pl/privkey.pem:/opt/keycloak/conf/server.key.pem
    ports:
      - 127.0.0.1:8443:443          # loopback only; reachable solely through the reverse proxy
    depends_on:
      - postgres
    networks:
      - keycloak-network

networks:
  keycloak-network:
    driver: bridge

Notes:

  1. Keycloak on startup recommends starting kc.sh with the --optimized option instead of --auto-build; however, this led to the "No suitable driver found for jdbc:postgresql" error.
  2. I've reused the certificates used by nginx (the reverse proxy); in a real production environment it's recommended to generate dedicated ones.
  3. I've enabled all possible Keycloak features (KC_FEATURES); it's recommended to enable only what is needed. More details about features can be found at https://www.keycloak.org/server/features
  4. I was surprised that I couldn't log in the first time: in the Quarkus version the /auth path is removed from the URL, so you either re-introduce it or update the URL in the clients (not recommended). More details: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
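The compose file publishes Keycloak only on 127.0.0.1:8443, so the reverse proxy has to terminate the public TLS, re-encrypt to that port and pass the X-Forwarded-* headers that KC_PROXY=reencrypt relies on. The Nginx server block below is an added example and not part of the original post; it reuses the hostname and Let's Encrypt paths from the compose file, while the admin allow-list (192.0.2.0/24) and the CA bundle path are assumptions to adjust.

```nginx
# Added example, not from the original post: Nginx site fronting the
# Keycloak container from the compose file above.
server {
    listen 80;
    server_name keycloak.services.org.pl;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name keycloak.services.org.pl;

    ssl_certificate     /etc/letsencrypt/live/services.org.pl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/services.org.pl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # KC_PROXY=reencrypt: the hop to Keycloak is TLS again, so verify the
    # certificate Keycloak serves on the loopback port published by compose.
    proxy_ssl_server_name         on;
    proxy_ssl_name                keycloak.services.org.pl;
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed Debian/Ubuntu CA bundle path

    # Forwarded headers Keycloak uses to build issuer and redirect URLs;
    # every location below inherits them.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    # Keycloak responses can carry large headers; the default buffers are
    # too small and Nginx then logs "upstream sent too big header".
    proxy_buffer_size       128k;
    proxy_buffers           4 256k;
    proxy_busy_buffers_size 256k;

    # Admin console and admin REST API: reachable only from an internal range.
    location /admin {
        allow 192.0.2.0/24;   # assumed placeholder range
        deny  all;
        proxy_pass https://127.0.0.1:8443;
    }

    # Everything else (realms, resources, js, the OIDC endpoints) stays public.
    location / {
        proxy_pass https://127.0.0.1:8443;
    }
}
```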
