Install Keycloak Using Docker Compose

By Vladimir Mikhalev · Solutions Architect · Docker Captain · IBM Champion

Want a straight, detailed walkthrough of getting Keycloak running under Docker Compose? This is it.

Keycloak is open-source software that handles single sign-on, identity, and access management for modern applications and services.

TIP

Architecture Context

Choose self-hosted Keycloak when your architecture requires an on-premises identity provider with full control over authentication flows, SAML/OIDC configuration, and user federation. Auth0 or Okta provide managed alternatives with faster setup and built-in compliance certifications. Self-hosting is justified when data residency rules prohibit external identity providers or when per-user SaaS pricing becomes prohibitive at scale.

NOTE

Supply chain posture

The template pins all three upstream images (Traefik, PostgreSQL, Keycloak) to immutable @sha256:... digests in .env.example, rebuilds weekly via CI to catch upstream drift, and carries an OpenSSF Scorecard badge. See the repo’s SECURITY.md for the disclosure policy and the production checklist in the README before exposing this to real users.

TIP

Tested on every push

The deployment-verification workflow runs end-to-end backup/restore tests on every push, every pull request, and weekly. The tests boot the full compose stack and exercise backup creation, integrity (gunzip -t), restore roundtrip, and prune logic. If you deploy this template literally and hit an issue, the green CI run is the evidence that the template itself works — most “doesn’t work” cases trace to DNS propagation, firewall rules, or hostname mismatches.

💾 You can find the repository used in this guide on GitHub: heyvaldemar/keycloak-traefik-letsencrypt-docker-compose

NOTE

Traefik is our reverse proxy. It pulls cryptographic certificates from Let’s Encrypt for your domain names and routes incoming requests to the right service based on the domain.

CAUTION

To obtain certificates, you will need A-type records in your public DNS zone that point to the IP address of the server where Traefik is installed. If you created these records recently, wait before starting the services: DNS propagation can take from a few minutes to 48 hours, or even longer in rare cases.

IMPORTANT

Docker Engine and Docker Compose must be installed on the server.

For a step-by-step guide on installing Docker Engine on Ubuntu Server, see Install Docker Engine and Docker Compose on Ubuntu Server.

IMPORTANT

OpenSSH must be installed on the server, and port 22 must be open to be able to connect to the server using the SSH protocol.

Need OpenSSH? Install it with:

sudo apt install openssh-server

NOTE

To connect to the server from a Windows system, you can use tools like PuTTY or MobaXterm.

NOTE

This guide walks you through connecting to a server with the iTerm2 terminal emulator on macOS.

CAUTION

You will need to open the following TCP ports for access to the services:

  • TCP port 80 - to obtain a free certificate from the Let’s Encrypt certificate authority.
  • TCP port 443 - to access the Keycloak web interface.

Connect to the server where Keycloak is going to live.

First, the networks. Keycloak and Traefik each get their own.

Traefik’s network:

docker network create traefik-network

And Keycloak’s:

docker network create keycloak-network

Now clone the repository. It carries the configuration files, and with them everything Keycloak needs to run:

git clone https://github.com/heyvaldemar/keycloak-traefik-letsencrypt-docker-compose.git

Move into the directory you just cloned:

cd keycloak-traefik-letsencrypt-docker-compose

The repository ships a .env.example template with documented variables and change_me_* placeholders for credentials. The real .env file is gitignored. Copy the template to make your own:

cp .env.example .env

Open .env and swap the placeholders for real values. You need to fill in:

  • TRAEFIK_ACME_EMAIL — your email for Let’s Encrypt renewal notices.

  • TRAEFIK_HOSTNAME and KEYCLOAK_HOSTNAME — your real domain names. Both must resolve to this server’s public IP for the Let’s Encrypt TLS-ALPN challenge to succeed.

  • KEYCLOAK_DB_PASSWORD — PostgreSQL password. Generate with:

    openssl rand -base64 24 | tr -d '/+=' | head -c 32

  • KEYCLOAK_ADMIN_PASSWORD — Keycloak bootstrap admin password. Same generation command.

  • TRAEFIK_BASIC_AUTH — BCrypt hash for the Traefik dashboard login. Generate with:

    docker run --rm httpd:2.4 htpasswd -nbB traefikadmin 'YOUR_STRONG_PASSWORD' | sed 's/\$/\$\$/g'

IMPORTANT

The .env file must be in the same directory as keycloak-traefik-letsencrypt-docker-compose.yml.

TIP

Fail-fast protection

The compose file uses ${VAR:?...} syntax for every required variable. If any placeholder is left unchanged or any required variable is empty, docker compose up fails immediately with a clear error — you cannot accidentally deploy the stack with placeholder credentials.
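The .env steps above and the fail-fast guard can be exercised end to end with a small POSIX shell script. This is an added example, not a script from the heyvaldemar repository: it uses the same secret generator and the same `$` to `$$` sed escape as the guide, assumes the variable names listed above, and works on a constructed template with fewer keys than the real .env.example. The check it performs is the same one the `${VAR:?...}` syntax performs once `docker compose up` runs, just moved earlier, before any container starts.

```shell
#!/bin/sh
# Added example for this guide; it is not a script from the heyvaldemar repository.
# Renders a .env from a .env.example whose credentials are change_me_* placeholders,
# doubles '$' in values for Docker Compose, and refuses to finish while any placeholder
# or empty value remains, mirroring the ${VAR:?...} guard in the compose file.
set -eu

# Same generator the guide uses (openssl rand -base64 24 | tr -d '/+=' | head -c 32);
# falls back to /dev/urandom where openssl is not installed.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    raw=$(openssl rand -base64 24)
  else
    raw=$(head -c 24 /dev/urandom | base64)
  fi
  printf '%s' "$raw" | tr -d '/+=\n' | head -c 32
}

# Docker Compose reads '$' in .env values as variable references, so a bcrypt hash
# such as '$2y$05$...' must be stored with every '$' doubled (the sed from the guide).
escape_for_compose() {
  printf '%s' "$1" | sed 's/\$/\$\$/g'
}

# Replace the value of KEY in FILE, leaving every other line untouched.
# awk -v keeps '$', '/' and '&' in the value literal, which a sed replacement would not.
# Usage: set_var FILE KEY VALUE
set_var() {
  awk -v k="$2" -v v="$3" -F= 'BEGIN { OFS = "=" } $1 == k { print k, v; next } { print }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 1 and list every KEY that is still a change_me_* placeholder or empty.
check_env() {
  bad=$(grep -En '^[A-Za-z_][A-Za-z0-9_]*=(change_me_.*)?$' "$1" || true)
  if [ -n "$bad" ]; then
    printf 'unresolved values in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}

# Walk the guide's steps on a constructed template (the real .env.example has more keys).
# Prints the rendered file; returns 1 if the fail-fast check ever misbehaves.
render_demo() {
  dir=$(mktemp -d)
  cat > "$dir/.env.example" <<'EOF'
# constructed sample template, not the repository's real .env.example
TRAEFIK_ACME_EMAIL=change_me_email
TRAEFIK_HOSTNAME=change_me_hostname
KEYCLOAK_HOSTNAME=change_me_hostname
KEYCLOAK_DB_PASSWORD=change_me_db_password
KEYCLOAK_ADMIN_USERNAME=admin
KEYCLOAK_ADMIN_PASSWORD=change_me_admin_password
TRAEFIK_BASIC_AUTH=change_me_basic_auth
EOF
  cp "$dir/.env.example" "$dir/.env"
  # As shipped, the copy must be rejected: that is the fail-fast behaviour.
  if check_env "$dir/.env" 2>/dev/null; then
    rm -rf "$dir"; return 1
  fi
  set_var "$dir/.env" TRAEFIK_ACME_EMAIL 'admin@example.com'
  set_var "$dir/.env" TRAEFIK_HOSTNAME 'traefik.keycloak.example.com'
  set_var "$dir/.env" KEYCLOAK_HOSTNAME 'keycloak.example.com'
  set_var "$dir/.env" KEYCLOAK_DB_PASSWORD "$(gen_secret)"
  set_var "$dir/.env" KEYCLOAK_ADMIN_PASSWORD "$(gen_secret)"
  # Constructed string in bcrypt's shape; a real hash comes from the htpasswd command in the guide.
  set_var "$dir/.env" TRAEFIK_BASIC_AUTH \
    "$(escape_for_compose 'traefikadmin:$2y$05$CONSTRUCTED_NOT_A_REAL_HASH')"
  check_env "$dir/.env" || { rm -rf "$dir"; return 1; }
  cat "$dir/.env"
  rm -rf "$dir"
}

render_demo
```

Running the script prints a rendered .env whose TRAEFIK_BASIC_AUTH line carries `$$` in place of each `$`; that doubling is what lets Compose pass the hash through to the Traefik basicauth label unchanged. Point `set_var` at your real `.env` and the real hash from the htpasswd command, and keep `check_env` as a preflight before `docker compose up`.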

Start Keycloak:

docker compose -f keycloak-traefik-letsencrypt-docker-compose.yml -p keycloak up -d

Now open the management panel. From your workstation, go to https://keycloak.heyvaldemar.net. That domain is mine; use your own, the one that points at the IP of your Traefik server. Traefik then forwards the request to Keycloak.

NOTE

You need to specify the domain name of the service, previously defined in the .env file.

Click the “Administration Console” button. Sign in with the KEYCLOAK_ADMIN_USERNAME and KEYCLOAK_ADMIN_PASSWORD you set in .env.

CAUTION

Rotate the bootstrap admin

The bootstrap admin is intended to get you into the Keycloak UI on first start. Once inside, create your real admin users (ideally through Keycloak’s user federation or a second-factor-protected account), then disable or delete the bootstrap admin from the Keycloak UI. Leaving the bootstrap admin active in production is the single most common misconfiguration in self-hosted Keycloak deployments.

Traefik has its own panel. From your workstation, go to https://traefik.keycloak.heyvaldemar.net. Again, that one is mine, so point your own domain at the IP of your Traefik server.

NOTE

You need to specify the domain name of the service, previously defined in the .env file.

Authenticate with the Traefik dashboard credentials: the username (traefikadmin by default) and the plaintext password you passed to htpasswd when you generated the TRAEFIK_BASIC_AUTH BCrypt hash, not the hash itself. The browser sends the plaintext; Traefik verifies it against the stored BCrypt hash.

TIP

What to do next

The Traefik dashboard is basic-auth-protected but basic auth is basic. For production, consider restricting the dashboard router to specific source IPs via Traefik’s IPAllowList middleware, or skip exposing it publicly and rely on docker compose logs. The full production checklist is in the repository README.


Source: https://heyvaldemar.com/install-keycloak-using-docker-compose/
Author: Vladimir Mikhalev
Published: 2023-09-01
License: CC BY-NC-SA 4.0