I've been trying to get an HA production-ready Keycloak up and running for a week now and I'm starting to become quite annoyed.
Yesterday I decided to go with Helm & Bitnami (because it's supposed to be simpler), but I'm running into issue after issue... Could someone please help me?
Here's my Bitnami values.yaml file:

    auth:
      adminUser: admin
      adminPassword: admin
      managementUser: manager
      managementPassword: manager
    extraEnvVars:
      - name: KEYCLOAK_PRODUCTION
        value: "true"
      - name: KEYCLOAK_EXTRA_ARGS
        value: "--auto-build"
    proxy: edge
    replicaCount: 2
    resources:
      requests:
        memory: "512Mi"
        cpu: "500m"
      limits:
        memory: "1024Mi"
        cpu: "1000m"
    postgresql:
      enabled: false
    externalDatabase:
      database: keycloak
      host: {host}
      user: {user}
      password: {password}
    cache:
      enabled: true
    ingress:
      enabled: true
      hostname: {hostname}
      annotations:
        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
        alb.ingress.kubernetes.io/certificate-arn: {certArn}
        alb.ingress.kubernetes.io/ssl-redirect: '443'
    autoscaling:
      enabled: true
      minReplicas: 2
      maxReplicas: 5

Apparently I'm not supposed to use --auto-build, but if I'm not using it, Keycloak doesn't find the postgres driver.
I'm pretty sure that's because the ENV variable KC_DB=postgres needs to be added to Keycloak during the build step, but I can't really change that behaviour since it's not my image?
Either way, using --auto-build fixes the issue, but when I go to my Keycloak domain, it looks like all of the CSS etc. can't load.
If I disregard all of that and click on Administration Console, I get a 404.
Also, during startup I get a warning regarding the cache:
2022-10-05 10:35:22,624 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-10-05 10:35:22,912 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
I've tried multiple different Keycloak versions from 18.0.0 to 19.0.2.
Should it really be this hard to get Keycloak up and running?
Any help is greatly appreciated, I'm starting to lose my sanity here...
So I finally got it working, here's my final values.yaml file if anyone is stuck with getting Keycloak running in production mode:

    auth:
      adminUser: admin
      adminPassword: admin
    extraEnvVars:
      - name: KEYCLOAK_PRODUCTION
        value: "true"
      - name: KEYCLOAK_EXTRA_ARGS
        value: "--auto-build"
      - name: KC_CACHE_STACK
        value: kubernetes
    proxy: edge
    cache:
      enabled: true
    replicaCount: 2
    resources:
      requests:
        memory: "512Mi"
        cpu: "500m"
      limits:
        memory: "1024Mi"
        cpu: "1000m"
    postgresql:
      enabled: false
    externalDatabase:
      database: keycloak
      host: {aws-rds-instance}.{aws-region}.rds.amazonaws.com
      user: {user}
      password: {password}
    ingress:
      enabled: true
      hostname: {domain}
      path: /*
      annotations:
        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
        alb.ingress.kubernetes.io/certificate-arn: {certArn}
        alb.ingress.kubernetes.io/ssl-redirect: '443'
    autoscaling:
      enabled: true
      minReplicas: 2
      maxReplicas: 5

Note, I still get these WARN logs:
2022-10-06 09:17:52,855 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-10-06 09:17:53,026 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
But when I log in, delete one of the pods and refresh the page I'm still logged in (tested deleting both pods). So I guess the cache is working somehow anyway.
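
An added example, not part of the original answer: a Python audit of the settings this thread's values.yaml uses, run over the answer's configuration after it has been parsed into a dict (for instance with a YAML loader). The function names, the weak-password list and the sample dict are constructed for illustration; the `--auto-build` check reflects the question's remark that the flag is discouraged.

```python
# Added example (not from the thread): audit a Bitnami Keycloak values file
# after it has been parsed into a dict, e.g. with a YAML loader.
WEAK = {"admin", "manager", "password", "changeme"}  # constructed sample list

def env_map(values):
    """Flatten extraEnvVars ([{name, value}, ...]) into {name: value}."""
    return {e["name"]: str(e.get("value", "")) for e in values.get("extraEnvVars") or []}

def audit_values(values):
    """Return findings for the settings that appear in the thread's values.yaml."""
    findings = []
    auth = values.get("auth") or {}
    annotations = (values.get("ingress") or {}).get("annotations") or {}
    public = annotations.get("alb.ingress.kubernetes.io/scheme") == "internet-facing"
    for user_key, pw_key in (("adminUser", "adminPassword"),
                             ("managementUser", "managementPassword")):
        pw = auth.get(pw_key)
        # Flag a password equal to its user name or found in the weak list.
        if pw is not None and (pw == auth.get(user_key) or str(pw).lower() in WEAK):
            where = " behind an internet-facing ALB" if public else ""
            findings.append(f"auth.{pw_key}: guessable password{where}")
    if (values.get("externalDatabase") or {}).get("password"):
        findings.append("externalDatabase.password: secret stored inline in values")
    env = env_map(values)
    if "--auto-build" in env.get("KEYCLOAK_EXTRA_ARGS", ""):
        findings.append("KEYCLOAK_EXTRA_ARGS: --auto-build is set")
    scaled = values.get("replicaCount", 1) > 1 or (values.get("autoscaling") or {}).get("enabled")
    if scaled and env.get("KC_CACHE_STACK") != "kubernetes":
        findings.append("KC_CACHE_STACK: not 'kubernetes' although several pods run")
    return findings

# Constructed sample: the answer's values.yaml as a dict, placeholders kept.
ANSWER_VALUES = {
    "auth": {"adminUser": "admin", "adminPassword": "admin"},
    "extraEnvVars": [
        {"name": "KEYCLOAK_PRODUCTION", "value": "true"},
        {"name": "KEYCLOAK_EXTRA_ARGS", "value": "--auto-build"},
        {"name": "KC_CACHE_STACK", "value": "kubernetes"},
    ],
    "replicaCount": 2,
    "externalDatabase": {"database": "keycloak", "password": "{password}"},
    "ingress": {"annotations": {"alb.ingress.kubernetes.io/scheme": "internet-facing"}},
    "autoscaling": {"enabled": True, "minReplicas": 2, "maxReplicas": 5},
}

if __name__ == "__main__":
    for finding in audit_values(ANSWER_VALUES):
        print(finding)
```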