
Following the instructions on the Keycloak docs site below, I’m trying to set up Keycloak to run in a Kubernetes cluster. I have an Ingress Controller set up which successfully works for a simple test page. Cloudflare points the domain to the ingress controller’s IP.

Keycloak deploys successfully (Admin console listening on http://127.0.0.1:9990), but when going to the domain I get a message from NGINX: 503 Service Temporarily Unavailable.

https://www.keycloak.org/getting-started/getting-started-kube

Here’s the Kubernetes config:

apiVersion: v1
kind: Service
metadata:
  name: keycloak-cip
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
  selector:
    name: keycloak
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: https
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{ "tls-secret-name": "my-secret", "protocol": "https" }'
spec:
  rules:
    - host: my.domain.com
      http:
        paths:
          - backend:
              serviceName: keycloak-cip
              servicePort: 8080
  tls:
    - hosts:
        - my.domain.com
      secretName: my-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:12.0.3
          env:
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              value: "admin"
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
            initialDelaySeconds: 90
            periodSeconds: 5
            failureThreshold: 30
            successThreshold: 1
  revisionHistoryLimit: 1


Edit:

TLS should be handled by the ingress controller.

Edit 2:

If I go into the controller using kubectl exec, I can do curl -L http://127.0.0.1:8080/auth, which successfully retrieves the page (<title>Welcome to Keycloak</title>). So I’m sure that Keycloak is running. It’s just that either traffic doesn’t reach the pod, or Keycloak doesn’t respond.

If I use the ClusterIP instead but otherwise keep the call above the same, I get a Connection timed out. I tried both ports 80 and 8080 with the same result.

2 Answers


  1. Hello, have you tried to add this line:

    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    

    It looks like it is missing from your config file, which results in the 503 error; check this for more input on the config of K8s.

  2. The following configuration is required to run Keycloak behind an ingress controller:

    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
    - name: KEYCLOAK_HOSTNAME
      value: "my.domain.com"
    

    So I think adding correct KEYCLOAK_HOSTNAME value should solve your issue.

    I had a similar issue with Traefik Ingress Controller:
    Can't expose Keycloak Server on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer

    You can find the full code of my configuration here:
    https://github.com/skyglass-examples/user-management-keycloak

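Added by the editor, not part of either answer: a check for the hop both answers skip. A 503 from the NGINX ingress controller means the backend Service resolved to no ready endpoints, and the question's manifests contain two wiring mismatches that produce exactly that (the Service selects `name: keycloak` while the pods are labelled `app: keycloak`, and the Ingress points at servicePort 8080 while the Service only exposes port 80). The objects below are hand-transcribed from the question's YAML as plain dicts (constructed sample data); in practice you would feed it the items from `kubectl get ingress,svc,deploy -o json`.

```python
# Constructed from the question's manifests; only the fields the check needs are kept.
SERVICE = {"kind": "Service", "metadata": {"name": "keycloak-cip"},
           "spec": {"selector": {"name": "keycloak"},
                    "ports": [{"port": 80, "targetPort": 8080}]}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "test-ingress"},
           "spec": {"rules": [{"host": "my.domain.com", "http": {"paths": [
               {"backend": {"serviceName": "keycloak-cip", "servicePort": 8080}}]}}]}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "keycloak"},
              "spec": {"template": {"metadata": {"labels": {"app": "keycloak"}},
                                    "spec": {"containers": [{"name": "keycloak", "ports": [
                                        {"name": "http", "containerPort": 8080},
                                        {"name": "https", "containerPort": 8443}]}]}}}}


def check_wiring(ingress, services, deployments):
    """Walk Ingress -> Service -> pod template and report every broken hop.

    Returns a list of findings; an empty list means the chain is consistent.
    """
    findings = []
    svcs = {s["metadata"]["name"]: s for s in services}
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            backend = path["backend"]
            svc = svcs.get(backend["serviceName"])
            if svc is None:
                findings.append(f"Ingress backend references missing Service {backend['serviceName']!r}")
                continue
            ports = svc["spec"]["ports"]
            # servicePort may be a number or a port name, but it must exist on the Service itself
            if not any(backend["servicePort"] in (p.get("port"), p.get("name")) for p in ports):
                findings.append(f"Ingress servicePort {backend['servicePort']} is not a port of Service "
                                f"{svc['metadata']['name']} (it exposes {[p['port'] for p in ports]})")
            selector = svc["spec"]["selector"]
            # Every selector key/value must appear on the pod template labels, otherwise 0 endpoints
            matching = [d for d in deployments
                        if selector.items() <= d["spec"]["template"]["metadata"]["labels"].items()]
            if not matching:
                findings.append(f"Service {svc['metadata']['name']} selector {selector} matches no pod "
                                "template labels -> no endpoints -> ingress answers 503")
                continue
            container_ports = {cp["containerPort"] for d in matching
                               for c in d["spec"]["template"]["spec"]["containers"]
                               for cp in c.get("ports", [])}
            for p in ports:
                target = p.get("targetPort", p["port"])
                if target not in container_ports:
                    findings.append(f"Service targetPort {target} is not a containerPort of the matched pods")
    return findings


if __name__ == "__main__":
    for line in check_wiring(INGRESS, [SERVICE], [DEPLOYMENT]):
        print("FINDING:", line)
```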