Nginx Question posted in
The official documentation can be found here.

Keycloak in Kubernetes: 503 Service Temporarily Unavailable – Nginx

Following the instructions on the Keycloak docs site below, I’m trying to set up Keycloak to run in a Kubernetes cluster. I have an Ingress Controller set up which successfully works for a simple test page. Cloudflare points the domain to the ingress controllers IP.

Keycloak deploys successfully (Admin console listening on http://127.0.0.1:9990), but when going to the domain I get a message from NGINX: 503 Service Temporarily Unavailable.

https://www.keycloak.org/getting-started/getting-started-kube

Here’s the Kubernetes config:

apiVersion: v1
kind: Service
metadata:
  name: keycloak-cip
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
  selector:
    name: keycloak
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: https
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{ "tls-secret-name": "my-secret", "protocol": "https" }'
spec:
  rules:
    - host: my.domain.com
      http:
        paths:
          - backend:
              serviceName: keycloak-cip
              servicePort: 8080
  tls:
    - hosts:
        - my.domain.com
      secretName: my-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:12.0.3
          env:
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              value: "admin"
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
            initialDelaySeconds: 90
            periodSeconds: 5
            failureThreshold: 30
            successThreshold: 1
  revisionHistoryLimit: 1

Edit:

TLS should be handled by the ingress controller.

Edit 2:

If I go into the controller using kubectl exec, I can do curl -L http://127.0.0.1:8080/auth which successfully retrieves the page:
<title>Welcome to Keycloak</title>. So I’m sure that keycloak is running. It’s just that either traffic doesn’t reach the pod, or keycloak doesn’t respond.

If I use the ClusterIP instead but otherwise keep the call above the same, I get a Connection timed out. I tried both ports 80 and 8080 with the same result.

Tags:

2

Answers


  1. 0

    Hello Have you tried to add this line :

    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

    it looks like it is missing from your config file which result in 503 error, check this for more input on the config of K8s.

    Login or Signup to reply.
  2. 0

    The following configuration is required to run keycloak behind ingress controller:

    - name: PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_HOSTNAME
  value: "my.domain.com"

    So I think adding correct KEYCLOAK_HOSTNAME value should solve your issue.

    I had a similar issue with Traefik Ingress Controller:
    Can't expose Keycloak Server on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer

    You can find the full code of my configuration here:
    https://github.com/skyglass-examples/user-management-keycloak

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search