Reputation: 75
I'm currently working on deploying Keycloak using a StatefulSet in a GKE cluster. I've set up a load balancer service to expose Keycloak, but I'm facing issues accessing Keycloak with my domain name. Here's the relevant configuration:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: keycloak
namespace: default
labels:
app: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
serviceName: "keycloak-headless"
template:
metadata:
labels:
app: keycloak
spec:
serviceAccountName: keycloak-sa
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:latest
args: ["start"]
ports:
- containerPort: 8080
name: http
- containerPort: 8443
name: https
volumeMounts:
- name: keycloak-tls-volume
mountPath: /etc/x509/https
readOnly: true
env:
- name: KC_BOOTSTRAP_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_BOOTSTRAP_ADMIN_USERNAME
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_BOOTSTRAP_ADMIN_PASSWORD
- name: KC_DB
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_DB
- name: KC_DB_URL
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_DB_URL
- name: KC_HOSTNAME
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HOSTNAME
- name: KC_HEALTH_ENABLED
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HEALTH_ENABLED
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_DB_USERNAME
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_DB_PASSWORD
- name: KC_HTTPS_CERTIFICATE_FILE
value: "/etc/x509/https/tls.crt"
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: "/etc/x509/https/tls.key"
readinessProbe:
httpGet:
scheme: HTTPS
path: /health/ready
port: 9000
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
httpGet:
scheme: HTTPS
path: /health/live
port: 9000
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 5
resources:
requests:
memory: "2Gi"
cpu: "1000m"
limits:
memory: "4Gi"
cpu: "2000m"
volumes:
- name: keycloak-tls-volume
secret:
secretName: keycloak-tls
tolerations:
- key: "keycloak"
operator: "Exists"
effect: "NoSchedule"
This is my service
apiVersion: v1
kind: Service
metadata:
name: keycloak-service
labels:
app: keycloak
spec:
ports:
- name: http
port: 8080
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
- name: jgroup
port: 7600
targetPort: 7600
selector:
app: keycloak
type: ClusterIP
clusterIP: None
This is my ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak-ingress
annotations:
kubernetes.io/ingress.class: "gce"
networking.gke.io/enable-global-access: "true"
spec:
tls:
- hosts:
- houseofllm.com
secretName: keycloak-tls
rules:
- host: houseofllm.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: keycloak-service
port:
number: 8080
What Works: Port Forwarding: When I enable port forwarding using kubectl port-forward keycloak-0 8443:8443 -n default, I can access Keycloak at https://localhost:8443, and everything works fine.
What Doesn't Work: Domain Name Access: When I try to access Keycloak using my domain name (e.g., https://mydomainname.com:8443 or https://mydomainname.com), I receive an error saying "Safari cannot find the server."
Additional Information: I have a valid TLS certificate configured in the Keycloak setup.
Questions:
I narrowed it down to an issue with the ingress as the backend config is unhealthy. But I still don't know why it's unhealthy.
If i don't use ingress and use a service load balancer then everthing works. The following configuration works.
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: keycloak
namespace: default
labels:
app: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
serviceName: "keycloak-service"
template:
metadata:
labels:
app: keycloak
spec:
serviceAccountName: keycloak-sa
securityContext:
fsGroup: 1000
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:latest
args: ["start","--cache-stack=kubernetes", "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"]
ports:
- containerPort: 8080
name: http
- containerPort: 8443
name: https
- name: jgroups
containerPort: 7600
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: keycloak-tls-volume
mountPath: /etc/x509/https
readOnly: true
env:
- name: KC_BOOTSTRAP_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_BOOTSTRAP_ADMIN_USERNAME
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_BOOTSTRAP_ADMIN_PASSWORD
- name: KC_DB
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_DB
- name: KC_DB_URL
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_DB_URL
- name: KC_HOSTNAME
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HOSTNAME
- name: KC_HEALTH_ENABLED
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HEALTH_ENABLED
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_DB_USERNAME
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_DB_PASSWORD
- name: KC_HTTPS_CERTIFICATE_FILE
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_HTTPS_CERTIFICATE_FILE
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
valueFrom:
secretKeyRef:
name: keycloak-secrets
key: KC_HTTPS_CERTIFICATE_KEY_FILE
- name: KC_PROXY
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_PROXY
- name: jgroups.dns.query
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: JGROUPS_DNS_QUERY
- name: PROXY_ADDRESS_FORWARDING
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: PROXY_ADDRESS_FORWARDING
- name: KC_METRICS_ENABLED
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_METRICS_ENABLED
- name: KC_HTTP_ENABLED
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HTTP_ENABLED
- name: KC_HTTP_RELATIVE_PATH
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HTTP_RELATIVE_PATH
- name: KC_HOSTNAME_URL
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HOSTNAME_URL
- name: KC_HOSTNAME_ADMIN_URL
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_HOSTNAME_URL
- name: JAVA_OPTS_APPEND
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: JAVA_OPTS_APPEND
- name: KC_LOG_LEVEL
valueFrom:
configMapKeyRef:
name: keycloak-configmap
key: KC_LOG_LEVEL
resources:
requests:
memory: "2Gi"
cpu: "1000m"
limits:
memory: "4Gi"
cpu: "2000m"
volumes:
- name: keycloak-tls-volume
secret:
secretName: keycloak-tls
tolerations:
- key: "keycloak"
operator: "Exists"
effect: "NoSchedule"
apiVersion: v1
kind: Service
metadata:
name: keycloak-service
labels:
app: keycloak
spec:
ports:
- name: http
port: 8080
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
- name: jgroup
port: 7600
targetPort: 7600
selector:
app: keycloak
type: LoadBalancer
Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 2500m
nginx.ingress.kubernetes.io/proxy-buffer-size: 12k
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
ingressClassName: nginx
rules:
- host: houseofllm.com
http:
paths:
- backend:
service:
name: keycloak-service
port:
number: 8080
path: /keycloak/(.*)
pathType: Prefix
Any help or guidance would be greatly appreciated!
Upvotes: 0
Views: 193
Reputation: 667
I'm not entirely sure, but in my working configuration, I see the host is also passed to the start command which I don't see in yours
start --optimized --hostname=<your_domain_name>
Upvotes: 0