Mastering Keycloak Configuration with GitOps and keycloak-config-cli

current image in my mind.

In the realm of Identity and Access Management (IAM), Keycloak stands out as a powerful, open-source solution. Yet, managing its configuration—especially in complex, multi-tenant environments—can quickly become a significant bottleneck. Manual changes through the UI, often referred to as “Click-Ops” lead to inconsistent environments, lack of auditability, and high operational overhead. Multi-tenant SaaS applications face a critical challenge: how to efficiently and securely onboard hundreds or thousands of customers, each requiring their own isolated identity management space. Manual “Click-Ops” in Keycloak simply doesn’t scale, as managing multiple realms for tenants degrades performance and increases complexity. Enter the KTA (Keycloak Tenant Accelerator) a comprehensive demonstration of how GitOps principles combined with the keycloak-config-cli tool can transform tenant onboarding. This approach automates what was once a manual bottleneck, turning it into a fully automated, auditable, and scalable Configuration as Code (CaC) process. By leveraging a GitOps workflow, every configuration change is version-controlled and traceable, enabling teams to deploy consistent Keycloak setups across environments with confidence.

1. The Legacy Challenge: “Click-Ops” in keycloak and versioning.

Managing Keycloak manually is a common starting point, but it presents several challenges that grow with your application's scale.

• Lack of Versioning: There is no easy way to track who changed what and when. Rolling back a problematic change is a difficult and error-prone process.

• Environment Inconsistency: Replicating a configuration exactly from a development environment to a production environment is nearly impossible, leading to the dreaded "it works on my machine" syndrome.

• Scalability Issues: Manually onboarding new tenants or services is a time-consuming, repetitive task that doesn't scale.

Keycloak's Admin Console with a tedious, multi-step process of manually creating and configuring realms.

These problems highlight the need for a more systematic, automated, and auditable approach to managing Keycloak's configuration

2. Keycloak-config-cli: your Key to Declarative Keycloak Management.

This is where the open-source adorsys/keycloak-config-cli tool becomes essential. It's a Java-based command-line utility designed to manage Keycloak's configuration declaratively.

• Core Philosophy: The tool operates on a simple but powerful principle:

  the state of your Keycloak realm should match the state defined in your configuration files.

  You define everything—realms, clients, roles, users, authentication flows—in YAML or JSON files, and the CLI takes care of making the necessary API calls to Keycloak to make it so.

• Key Feature:

  • Idempotent Execution: You can run the CLI with the same configuration file multiple times, and it will only apply changes if there's a drift between your file and the Keycloak state.

  • Configuration as Code (CaC): By storing your YAML/JSON files in Git, you get full versioning, peer reviews for changes (Pull Requests), and a complete audit history.

  • Powerful Variable Substitution: The tool allows you to use variables in your configuration files, making it perfect for creating reusable templates. It can substitute values from environment variables, property files, and more.

  • No Restarts Needed: Changes are applied live to Keycloak via its Admin API, meaning no downtime is required.

3. The KTA Project: Automated Tenant Onboarding at Scale

The Keycloak Tenant Accelerator (KTA) project demonstrates exactly how a real SaaS company can automate the complete lifecycle of tenant onboarding. Let's imagine a project management SaaS called "ConnectFlow" that needs to onboard companies like "x-company" as isolated tenants.

• The Business Challenge: When any new tenant signs up for ConnectFlow's services, they need; Their own isolated identity realm ({{TENANT_ID}}), Secure web and API clients ({{TENANT_ID}}-webapp, {{TENANT_ID}}-api), Role-based access control (tenant_admin, tenant_user), Custom security policies and branding, An initial administrator account to get started.

• Doing this manually for each new customer is unsustainable. The KTA model automates this entire process.

• Architecture Deep Dive: From Signup to Running Realm. The workflow demonstrated in the KTA project follows these steps

  • Tenant Signup API: A new tenant fills out a signup form, which hits the Flask backend at /api/tenants/signup

  • Configuration Generation: The backend reads the master tenant-template.yaml, substitutes tenant specific values, and generates {{TENANT_ID}}.yaml

  • GitOps Trigger: The new configuration file is automatically committed and pushed to the Git repository

  • CI/CD Activation: GitHub Actions detects the new file and triggers the deployment pipeline

  • Instant Result: The tenant's dedicated realm is created and ready for their team to use

  This entire process takes minutes, not hours or days of manual configuration.

4. The Template-Driven Approach: Configuration as Code at Scale

The power of the KTA system lies in its template-driven approach to generating tenant configurations. Instead of manually creating each tenant's setup, everything starts with a master blueprint. The master template (_templates/tenant-template.yaml) defines the complete structure of a Keycloak realm using placeholder variables.

• How the Template System Works: When a tenant with ID "acme_corp" and name "ACME Corporation" signs up, the template becomes:

• Notice how every element is scoped to the specific tenant:

  • Realm isolation: Each {{TENANT_ID}} realm is completely separate from other tenants

  • Custom applications: {{TENANT_ID}}-webapp and {{TENANT_ID}}-api belong only to that tenant

  • Tenant-aware tokens: JWT tokens include tenant_id: "{{TENANT_ID}}" claims for application-level authorization

  • Security policies: Each tenant can have their own paxssword requirements and session timeouts

This level of isolation ensures that each tenant's users, applications, and data remain completely separate from other tenants on the same Keycloak server.

5. CI/CD Pipeline: From Configuration to Deployment

Our Actions workflow automates the entire process from tenant configuration changes to deployment in Keycloak. This ensures consistency and reliability across all tenant deployments.

The Pipeline in Detail:

• Configuration Detection:

  Monitors changes in keycloak-configs/tenants/*.yaml files to trigger the deployment process.

• Validation Process:

  Validates YAML syntax and tenant configuration structure before proceeding.

• Deployment Orchestration

  Handles the configuration application through Keycloak Config CLI with proper error handling

This automation yields powerful results, enabling seamless tenant management:

tool logs demonstrating successful realm creation and updates

Example CI setup for Production.

This setup provides a robust foundation for managing multiple tenants through version control. The pipeline ensures that configuration changes are properly validated and applied, with automatic rollback in case of failures.

6. Evolution: Keycloak Organizations - The Future of Multi-Tenancy

The Organization Revolution:

While the realm-per-tenant approach demonstrated above provides excellent isolation, Keycloak 26+ introduces a game-changing feature: Organizations This native multi-tenancy solution offers a more scalable and efficient approach to managing multiple tenants within a single realm.

Realm-per-Tenant vs Organizations: A Comprehensive Comparison:

The KTA system manage Keycloak Organizations using a fully declarative, GitOps-driven workflow. This approach abandons direct API calls for organization creation in favor of the same powerful keycloak-config-cli methodology used for realm-per-tenant management. The result is a single, consistent, and auditable process for all multi-tenancy models..

This new architecture is simpler and more robust. The backend's only role is to render a complete configuration file from a template and commit it to Git. The CI/CD pipeline handles the deployment declaratively.

kta organization: Declarative GitOps Flow

The core of this new approach is a set of self-contained configuration files to reprensent your desire state, this is purely owesome.

1. The Organizations Realm Template (_templates/organizations-realm-template.yaml)

First, a base realm is defined to host all organizations. This is a one-time setup.

2. The Jinja2 Organization Template (_templates/organization-template.yaml.j2)

This is the master blueprint for a single organization. It's a .j2 file, signifying it as a Jinja2 template, which prevents conflicts with YAML linters. The backend renders this template to produce a complete YAML file.

3. The Generated configuration (organizations/acme-corp.yaml)

When a user signs up, the backend generates a complete, self-contained YAML file like this. Note that it specifies the target realm (kta-organizations) and contains all necessary organization details.

4. CI/CD Pipeline (.github/workflows/apply-organizations-config.yml)

The GitHub Actions workflow is now extremely streamlined. It triggers on a push to the organizations directory and executes a single script.

5. Summary of new approach

• This purely declarative GitOps workflow provides immense benefits:

  • Single Source of Truth: The Git repository is the undisputed source of truth for all organization configurations.

  • Audibility: Every change is a Git commit, providing a complete history of who changed what and when.

  • Consistency: The same script and container are used for deployment everywhere, eliminating environment drift.

  • Simplicity: The logic is straightforward and easy to understand, with no complex merging or direct API calls in shell scripts.

6. When to Use Organization vs Realm-per-Tenant

7. Migration Strategy: KTA methodology + Organizations

The KTA project demonstrates how organizations can gradually migrate from realm-per-tenant to Organizations:

8. Demonstration Resources

To implement this solution in your environment, refer to these key resources:

Setup and Installation

• [Keycloak Docker Setup Guide]

• [Keycloak Config CLI Repository]

Configuration Examples

• [Kta implimentation example]

• Keycloak Realm Configuration Guide

• [GitHub Actions Workflow Examples]

• [Docker Compose Documentation]

9. Future Enhancements, Performance and Scalability Considerations

Multi-Environment Support, advance valiation, monitoring and reporting

• Environment-specific configuration templates

• Automated environment detection and configuration switching

• Integration with cloud provider secrets management

• Custom validation rules for tenant configurations

• Deployment status notifications

• Performance metrics collection

• Caching strategies for repeated configurations

• Incremental updates vs. full deployments

10. Best Practices and Practical Tips

• Version Control

  • Use semantic versioning for configurations Maintain a changelog Implement review processes for configuration changes

• Security

  • Regular security audits Principle of least privilege Secure storage of sensitive configurations

  Example secure configuration:

• Maintenance

  • Regular backup procedures Monitoring and alerting setup Documentation updates

11. Additional Resources and Further Reading

For those interested in exploring further, here are some valuable resources:

• What is ClickOps, and How Can You Prevent It?: https://blog.equinix.com/blog/2022/12/01/what-is-clickops-and-how-can-you-prevent-it/

• Fairness in multi-tenant systems: https://aws.amazon.com/builders-library/fairness-in-multi-tenant-systems/

• keycloak configuration change management discussion: https://github.com/keycloak/keycloak/discussions/19782

• All keycloak Configuration: https://www.keycloak.org/server/all-config

• Configuration as code: https://www.keycloak.org/server/all-config

• Keycloak 26.x documentation: https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-26-1-0

• what is GitOps: https://about.gitlab.com/topics/gitops/

10. Conclusion

The implementation of automated Keycloak tenant configuration using GitHub Actions represents a significant advancement in managing multi-tenant environments. This solution not only streamlines the deployment process but also ensures consistency, security, and scalability. By following the best practices and considering future enhancements, organizations can build a robust and efficient tenant management system.

Thanks for sticking with me till the end, and I hope this deep dive inspires you to explore new ways to modernize your own projects! Feel free to contribute to the project, share your experiences, or reach out with questions. Together, we can continue to improve and evolve the way we manage identity and access in our applications.