Keycloak Docker Compose Generator

After generating your configuration:

1. Save docker-compose.yml to your project directory
2. If using a proxy, save the proxy config file alongside it
3. Run docker-compose up -d to start the services
4. Access Keycloak at http://localhost:8080 (or your configured domain)

Default admin credentials are set in the environment variables. Change them for production use.

With PostgreSQL (recommended): Data is stored in a Docker volume and persists across container restarts. This is suitable for development and production.

Without persistence (dev-file): Keycloak uses an embedded H2 database. All data is lost when the container stops. Use only for quick testing.

For production, always use PostgreSQL with proper backups and consider using external managed databases.

When using a reverse proxy, SSL termination happens at the proxy level. The generated configurations:

• Nginx: Includes placeholder for SSL certificates. Use certbot or your own certs.
• HAProxy: Configured for SSL passthrough or termination with PEM files.

For local development, you can use tools like mkcert to generate trusted local certificates.

This generator creates configurations suitable for development. For production:

• Secrets: Use Docker secrets or environment variable injection from a vault
• Clustering: Configure Keycloak clustering with Infinispan for high availability
• Monitoring: Add health checks, metrics endpoints, and logging drivers
• Backups: Implement automated database backups

Consider using Skycloak Managed Hosting for production workloads.

The Distribution dropdown can generate a compose file for Locke, our open-source distribution of Keycloak on Redis. Locke ships both cache backends in one image: leave it on the default and it behaves exactly like upstream Keycloak, or set KC_CACHE: redis and the cache layer runs on any Redis-compatible store, including managed services like ElastiCache, Azure Cache, or Valkey.

The generated Locke compose includes a Redis service wired with health checks, so docker-compose up -d gives you Keycloak, PostgreSQL, and Redis running together. Versions follow upstream Keycloak releases (for example 26.6.3-1 is Keycloak 26.6.3, Locke build 1). See our Redis vs Infinispan benchmark for performance numbers.

Can I run Keycloak with Docker Compose in production?

Yes, for single-node deployments with PostgreSQL, persistent volumes, TLS at a reverse proxy, and tested backups. For high availability you need multiple Keycloak nodes behind a load balancer, which is where Kubernetes or managed Keycloak hosting becomes the better fit.

What database should Keycloak use in Docker?

PostgreSQL is the most widely deployed and best tested option, and it is what this generator configures. The embedded dev-file (H2) database is for quick experiments only: it loses data when the container stops and does not support clustering.

Can Keycloak use Redis instead of Infinispan?

Not out of the box, but Locke, an open-source Keycloak distribution by Skycloak, adds a Redis cache backend selectable with one environment variable. Pick Locke in the Distribution dropdown above to generate a ready-to-run compose file with Redis included.