Containers for Keycloak
Production-ready Keycloak container images, bundled with the full Phase Two extension suite and opinionated defaults. The fastest way to a Keycloak deployment that does what your team actually expects.
The problem
The upstream Keycloak image is a starting point, not a finish line
The official image is intentionally minimal — no extensions, no opinions, build-time configuration required to do anything non-default.
No extensions included
Want Organizations, webhooks, magic links, or themes? You have to assemble them yourself and rebuild the image.
Build wiring is fiddly
Getting `kc.sh build` to run at image build time (not container start time) takes care that most teams skip, which costs startup performance and reliability.
Everyone redoes the same work
Every team running Keycloak in production rebuilds this layer. Most do it slightly differently and slightly wrong.
Why we built it
An image we could ship to production on day one
We maintain the Phase Two containers because we needed Keycloak that does what we expect out of the box — and so do our self-hosted users.
All extensions bundled
Organizations, Admin Portal, IdP Wizard, Magic Link, Events, Themes, and User Migration — version-aligned and tested together.
Production defaults
Sane defaults for caching, HTTP, and providers. The build optimizations Keycloak's own docs recommend, applied for you.
Fast, identical startup
`kc.sh build` runs at image build time. Containers start fast and start the same way every time.
Tracks upstream releases
New images cut for every Keycloak release we support, with the extension suite re-pinned to compatible versions.
What teams use them for
Drop-in upstream replacement
Swap the official Keycloak image for the Phase Two image and immediately have Organizations, Admin Portal, webhooks, magic links, and themes — without assembling a custom build.
Self-hosting at production scale
Sane defaults for caching, HTTP, and provider configuration so you can focus on running Keycloak instead of compiling it.
Local dev that matches production
Use the same image in development that runs in production. Catch extension and config issues before they ship.
Base for further customization
Use as a base image and layer your own extensions or themes on top. Inherit the Phase Two build wiring, override only what you need.
Key capabilities
All extensions, one image
Organizations, Admin Portal, IdP Wizard, Magic Link, Events, Themes, and User Migration — bundled, version-aligned, and tested against the included Keycloak version.
Optimized build phase
The `kc.sh build` step runs at image build time, not container start time. Containers start fast and start the same way every time.
Tracks upstream Keycloak releases
New images cut for every Keycloak release we support, with the extension suite re-pinned to compatible versions.
Get started
Pull from Quay
Images published to Quay.io. Use a release tag matching your target Keycloak version.
quay.io/phasetwo/phasetwo-keycloak
Read the Dockerfile
Source Dockerfiles, build scripts, and version matrix on GitHub.
p2-inc/phasetwo-containers
Skip the install
Phase Two managed Keycloak runs on these same images, configured and operated for you.
Try the hosted version