Expand Up @@ -159,6 +159,42 @@ var apiService = builder.AddProject<Projects.ApiService>("apiservice")

The realm import files are mounted at `/opt/keycloak/data/import` in the Keycloak container. Realm import files are JSON files that represent the realm configuration.

<Aside type="caution">
The `WithRealmImport` method is designed for local development only and **is
not supported in production deployments** (such as when using `aspire
deploy`). The method relies on mounting local directories as volumes, which
is not available in most production container orchestration environments.
</Aside>

#### Production alternatives for realm seeding

For production environments, consider these alternatives to seed your Keycloak instance:

- **Custom Keycloak image**: Build a custom container image that includes your realm configuration files. The realm JSON files can be baked into the image at build time:

```dockerfile title="Dockerfile"
FROM quay.io/keycloak/keycloak:latest
Copilot AI Feb 6, 2026

The Dockerfile example uses FROM quay.io/keycloak/keycloak:latest, which pins your Keycloak base image to the mutable latest tag and introduces a supply-chain risk if that image is compromised or changes unexpectedly. An attacker who compromises or replaces the latest tag in the remote registry could affect your builds or running containers without any change on your side. Use a specific, trusted Keycloak version tag or image digest for the base image to ensure reproducible and auditable builds.
COPY ./realms/*.json /opt/keycloak/data/import/
```

<Aside type="note">
For production environments, replace `latest` with a specific Keycloak
version tag (e.g., `25.0.0`) or image digest to ensure reproducible builds
and avoid unexpected changes when the `latest` tag is updated.
</Aside>

Then update your AppHost to use the custom image and configure it to import realms on startup:

```csharp title="C# — AppHost.cs"
var keycloak = builder.AddContainer("keycloak", "your-registry/keycloak-with-realms", "latest")
.WithHttpEndpoint(port: 8080, targetPort: 8080)
.WithArgs("start", "--import-realm");
```

- **Initialization service**: Create a separate initialization service or job that uses the [Keycloak Admin REST API](https://www.keycloak.org/docs-api/latest/rest-api/index.html) or [Keycloak Admin Client](https://www.nuget.org/packages/Keycloak.AuthServices.Sdk.Admin) to programmatically create and configure realms, clients, and users when the Keycloak instance first starts.

- **Infrastructure as Code**: Use tools like Terraform with the [Keycloak provider](https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs) to manage realm configuration as code, separate from your application deployment.

### Export telemetry to OTLP collector

Keycloak containers can export telemetry to your OTLP collector using the `WithOtlpExporter` method:
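Review bot: The AppHost snippet under "Production alternatives for realm seeding" still pulls the custom image by the mutable `latest` tag (`builder.AddContainer("keycloak", "your-registry/keycloak-with-realms", "latest")`), while the note added after the Dockerfile only tells readers to pin the base image in `FROM`. Because this section is presented as production guidance, suggest showing a version tag or digest placeholder for the custom image as well, and widening the note so it covers both the `FROM` line and the `AddContainer` call. Separately, the custom-image bullet bakes the realm JSON into the image with `COPY ./realms/*.json /opt/keycloak/data/import/`; if those realm files can contain client secrets or user credentials, a sentence telling readers to keep such values out of the image would be worth adding.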