Amith Sai
Amith Sai

Reputation: 75

Keycloak Setup Issues: Works with localhost but not with Domain Name

I'm currently working on deploying Keycloak using a StatefulSet in a GKE cluster. I've set up a load balancer service to expose Keycloak, but I'm facing issues accessing Keycloak with my domain name. Here's the relevant configuration:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  serviceName: "keycloak-headless"
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak-sa
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:latest
          args: ["start"]
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 8443
              name: https
          volumeMounts:
            - name: keycloak-tls-volume
              mountPath: /etc/x509/https
              readOnly: true
          env:
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_USERNAME
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_PASSWORD
            - name: KC_DB
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB
            - name: KC_DB_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB_URL
            - name: KC_HOSTNAME
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME
            - name: KC_HEALTH_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HEALTH_ENABLED
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_USERNAME
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_PASSWORD
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: "/etc/x509/https/tls.crt"
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: "/etc/x509/https/tls.key"
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /health/ready
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /health/live
              port: 9000
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 5
          resources:
            requests:
              memory: "2Gi"
              cpu: "1000m"
            limits:
              memory: "4Gi"
              cpu: "2000m"
      volumes:
        - name: keycloak-tls-volume
          secret:
            secretName: keycloak-tls
      tolerations:
        - key: "keycloak"
          operator: "Exists"
          effect: "NoSchedule"


This is my service

apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: https
    port: 8443
    targetPort: 8443
  - name: jgroup
    port: 7600
    targetPort: 7600
  selector:
    app: keycloak
  type: ClusterIP
  clusterIP: None

This is my ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
    networking.gke.io/enable-global-access: "true"
spec:
  tls:
    - hosts:
        - houseofllm.com
      secretName: keycloak-tls
  rules:
    - host: houseofllm.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8080

What Works: Port Forwarding: When I enable port forwarding using kubectl port-forward keycloak-0 8443:8443 -n default, I can access Keycloak at https://localhost:8443, and everything works fine.

What Doesn't Work: Domain Name Access: When I try to access Keycloak using my domain name (e.g., https://mydomainname.com:8443 or https://mydomainname.com), I receive an error saying "Safari cannot find the server."

Additional Information: I have a valid TLS certificate configured in the Keycloak setup.

Questions:

I narrowed it down to an issue with the ingress as the backend config is unhealthy. But I still don't know why it's unhealthy.

If i don't use ingress and use a service load balancer then everthing works. The following configuration works.

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  serviceName: "keycloak-service"
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak-sa
      securityContext:
        fsGroup: 1000
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:latest
          args: ["start","--cache-stack=kubernetes", "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"]
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 8443
              name: https
            - name: jgroups
              containerPort: 7600
          securityContext:
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: keycloak-tls-volume
              mountPath: /etc/x509/https
              readOnly: true
          env:
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_USERNAME
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_BOOTSTRAP_ADMIN_PASSWORD
            - name: KC_DB
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB
            - name: KC_DB_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_DB_URL
            - name: KC_HOSTNAME
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME
            - name: KC_HEALTH_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HEALTH_ENABLED
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_USERNAME
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_DB_PASSWORD
            - name: KC_HTTPS_CERTIFICATE_FILE
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_HTTPS_CERTIFICATE_FILE
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              valueFrom:
                secretKeyRef:
                  name: keycloak-secrets
                  key: KC_HTTPS_CERTIFICATE_KEY_FILE
            - name: KC_PROXY
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_PROXY
            - name: jgroups.dns.query
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: JGROUPS_DNS_QUERY
            - name: PROXY_ADDRESS_FORWARDING
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: PROXY_ADDRESS_FORWARDING
            - name: KC_METRICS_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_METRICS_ENABLED
            - name: KC_HTTP_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HTTP_ENABLED
            - name: KC_HTTP_RELATIVE_PATH
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HTTP_RELATIVE_PATH
            - name: KC_HOSTNAME_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME_URL
            - name: KC_HOSTNAME_ADMIN_URL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_HOSTNAME_URL
            - name: JAVA_OPTS_APPEND
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: JAVA_OPTS_APPEND
            - name: KC_LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: keycloak-configmap
                  key: KC_LOG_LEVEL
          resources:
            requests:
              memory: "2Gi"
              cpu: "1000m"
            limits:
              memory: "4Gi"
              cpu: "2000m"
      volumes:
        - name: keycloak-tls-volume
          secret:
            secretName: keycloak-tls
      tolerations:
        - key: "keycloak"
          operator: "Exists"
          effect: "NoSchedule"


apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: https
    port: 8443
    targetPort: 8443
  - name: jgroup
    port: 7600
    targetPort: 7600
  selector:
    app: keycloak
  type: LoadBalancer

Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 2500m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 12k
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  ingressClassName: nginx
  rules:
  - host: houseofllm.com
    http:
      paths:
      - backend:
          service:
            name: keycloak-service
            port:
              number: 8080
        path: /keycloak/(.*)
        pathType: Prefix

Any help or guidance would be greatly appreciated!

Upvotes: 0

Views: 193

Answers (1)

PravyNandas
PravyNandas

Reputation: 667

I'm not entirely sure, but in my working configuration, I see the host is also passed to the start command which I don't see in yours

start --optimized --hostname=<your_domain_name>

Upvotes: 0

Related Questions