Skip to content

Document WithRealmImport production limitation and alternatives#379

Open
Copilot wants to merge 6 commits intomainfrom
copilot/update-keycloak-realm-import-docs
Open

Document WithRealmImport production limitation and alternatives#379
Copilot wants to merge 6 commits intomainfrom
copilot/update-keycloak-realm-import-docs

Conversation

Copy link
Contributor

Copilot AI commented Feb 6, 2026
edited
Loading

Documentation Update for Keycloak WithRealmImport() Limitation

  • Explore repository and locate Keycloak documentation file
  • Review current documentation structure
  • Add production limitation note to WithRealmImport() section
  • Add production alternatives section with three approaches
  • Build and verify documentation changes
  • Take screenshots of updated documentation
  • Clean up unrelated file changes
  • Address code review feedback
  • Add note about using specific version tags instead of latest
  • Final verification

Changes Made

Updated /src/frontend/src/content/docs/integrations/security/keycloak.mdx to:

  1. Added Caution callout explicitly stating that WithRealmImport() is not supported in production deployments (such as when using aspire deploy) because it relies on mounting local directories as volumes

  2. Added Production alternatives section with three complete, actionable approaches:

    • Custom Keycloak image: Build a container image with realm JSON files baked in, with clear instructions on configuring startup arguments in AppHost
    • Initialization service: Use Keycloak Admin REST API or Admin Client to programmatically configure realms
    • Infrastructure as Code: Use Terraform with the Keycloak provider

  3. Added note about version pinning: Added an Aside note recommending to replace latest with a specific Keycloak version tag (e.g., 25.0.0) or image digest for production to ensure reproducible builds and avoid unexpected changes

Each alternative includes complete code examples with proper configuration and links to relevant documentation.

Resolves

This PR addresses the issue where developers spend hours trying to get WithRealmImport() working in production without realizing it's not supported. The updated documentation now clearly states this limitation upfront and provides practical alternatives.

Screenshots

Caution message:
Caution message

Production alternatives with version note:
Production alternatives with version note

Original prompt

This section details on the original issue you should resolve

<issue_title>Missing Keycloak documentation regarding realm imports in production</issue_title>
<issue_description>After spending 4 hours attempting to get WithRealmImport() to work when running aspire deploy, @davidfowl informed that it's not supported in production. The documentation does not state this anywhere.

Fowler and I agreed that this should be explicitly stated, and most probably in the section specifically regarding Realm importing:
https://aspire.dev/integrations/security/keycloak/#add-keycloak-resource-with-realm-import

It would also be nice if the documentation suggested alternatives on how to seed Keycloak (i.e. service or baking realm JSON into image).</issue_description>

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 4 commits February 6, 2026 12:49
@IEvangelist
Add production limitation warning and alternatives for Keycloak WithR…
07e4869 
…ealmImport

Co-authored-by: IEvangelist <7679720+IEvangelist@users.noreply.github.com>
@IEvangelist
Revert unrelated aspire-integrations.json changes
812ec84 
Co-authored-by: IEvangelist <7679720+IEvangelist@users.noreply.github.com>
@IEvangelist
Add import-realm argument to custom Keycloak image example
29e08ce 
Co-authored-by: IEvangelist <7679720+IEvangelist@users.noreply.github.com>
@IEvangelist
Clarify that startup args are configured in AppHost
e8cfd91 
Co-authored-by: IEvangelist <7679720+IEvangelist@users.noreply.github.com>
Copilot AI changed the title [WIP] Update documentation for Keycloak realm imports in production Document WithRealmImport production limitation and alternatives Feb 6, 2026
Copilot AI requested a review from IEvangelist February 6, 2026 12:53
@IEvangelist
Copy link
Member

IEvangelist commented Feb 6, 2026

Hey @pfo-omicsstudio, please have a look at this. Does it make sense, is it accurate?

@IEvangelist IEvangelist marked this pull request as ready for review February 6, 2026 12:57
@IEvangelist IEvangelist requested a review from eerhardt as a code owner February 6, 2026 12:57
Copilot AI review requested due to automatic review settings February 6, 2026 12:57
Copilot AI reviewed Feb 6, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request addresses a critical documentation gap by documenting that the WithRealmImport() method is for local development only and does not work in production deployments. The PR adds a caution callout and provides three practical production alternatives with code examples, helping developers avoid spending hours debugging a limitation that wasn't previously documented.

Changes:

  • Added a caution callout explaining that WithRealmImport() is development-only due to volume mounting constraints
  • Added a "Production alternatives for realm seeding" subsection with three approaches (custom Keycloak image, initialization service, and Infrastructure as Code)
  • Included code examples and external documentation links for each alternative

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/frontend/src/content/docs/integrations/security/keycloak.mdx
- **Custom Keycloak image**: Build a custom container image that includes your realm configuration files. The realm JSON files can be baked into the image at build time:

```dockerfile title="Dockerfile"
FROM quay.io/keycloak/keycloak:latest
Copy link

Copilot AI Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Dockerfile example uses FROM quay.io/keycloak/keycloak:latest, which pins your Keycloak base image to the mutable latest tag and introduces a supply-chain risk if that image is compromised or changes unexpectedly. An attacker who compromises or replaces the latest tag in the remote registry could affect your builds or running containers without any change on your side. Use a specific, trusted Keycloak version tag or image digest for the base image to ensure reproducible and auditable builds.

Copilot uses AI. Check for mistakes.
@pfo-omicsstudio
Copy link

pfo-omicsstudio commented Feb 6, 2026

Hey @pfo-omicsstudio, please have a look at this. Does it make sense, is it accurate?

Yeah, that's pretty great! Might be worth mentioning that bind volumes in general are not supported in prod? Unsure, but Fowler mentioned that to me in the Discord, and I found that insight pretty valuable.

Also, one question I would have after reading this - what about future versions? Is it always going to be like this, or are there plans for supporting it in the future? Maybe a short sentence or two addressing this.

@pfo-omicsstudio
Copy link

pfo-omicsstudio commented Feb 6, 2026
edited
Loading

I also noticed the AddKeycloak method configures a bunch of defaults for the resource, so the sample code:

var keycloak = builder.AddContainer("keycloak", "your-registry/keycloak-with-realms", "latest")
    .WithHttpEndpoint(port: 8080, targetPort: 8080)
    .WithArgs("start", "--import-realm");

is a bit misleading, since it suggests an equivalent setup, but omits the defaults AddKeycloak applies (endpoints/env/health checks/etc.), so it's not actually the same configuration.

I know this is out of scope for this specific documentation issue, but being able to call AddKeycloak with a custom dockerfile would solve this.

EDIT:
OK my bad, you can actually do that, and I feel like the documentation should suggest that instead:

var keycloak = builder
    .AddKeycloak("keycloak", adminPassword: keycloakAdminPassword)
    .WithDockerfile("./keycloak");

with this directory layout:

├── AppHost.cs
...
├── keycloak
│   ├── Dockerfile
│   └── realms
│       └── demo-realm.json

and the same Dockerfile you already have.

@IEvangelist
Copy link
Member

IEvangelist commented Feb 9, 2026

Hey @copilot, please address review feedback - for the latest tag, simply add a note.

@IEvangelist
Add note about using specific version tag instead of latest
49983b1 
Co-authored-by: IEvangelist <7679720+IEvangelist@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 9, 2026
edited
Loading

Hey @copilot, please address review feedback - for the latest tag, simply add a note.

Added a note after the Dockerfile example recommending to replace latest with a specific Keycloak version tag (e.g., 25.0.0) or image digest for production environments to ensure reproducible builds and avoid unexpected changes. (49983b1)

Version note

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/aspire.dev/aspire.dev/src/frontend/node_modules/.bin/../astro/astro.js dev (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@pfo-omicsstudio
Copy link

pfo-omicsstudio commented Feb 10, 2026

Hey @copilot, please address review feedback - for the latest tag, simply add a note.

I think you ought to take a closer look yourself...
Copilot did not address my feedback at all. It's still misleading.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@IEvangelist IEvangelist Awaiting requested review from IEvangelist IEvangelist is a code owner

@eerhardt eerhardt Awaiting requested review from eerhardt eerhardt is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@IEvangelist IEvangelist

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Missing Keycloak documentation regarding realm imports in production

3 participants

@IEvangelist @pfo-omicsstudio