Comments (5)
I had the same problem. Solved it by adding these two to the values file:

```yaml
keycloak:
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  ingress:
    annotations:
      ingress.kubernetes.io/affinity: cookie
```

Sticky sessions are only a temporary fix; the JGroups clustering issue needs to be addressed.
This issue came up in the past and should have been fixed. See helm/charts#8355.
Proxy address forwarding is set anyway. The env var doesn't have any effect:
https://github.com/codecentric/helm-charts/blob/master/charts/keycloak/scripts/reverse-proxy.cli#L3
Since you're using MySQL, I'm curious regarding your configuration because some folks seem to have an issue with it. See #9.
Thank you for your answer.
I am using AWS RDS to provision MySQL.
The only thing I have changed is the `ingress.yaml` file:
```yaml
{{- $ingress := .Values.keycloak.ingress -}}
{{- $releaseName := .Release.Name -}}
{{- if $ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ template "keycloak.fullname" . }}
  {{- with $ingress.annotations }}
  annotations:
{{ toYaml . | indent 4 }}
  {{- end }}
  labels:
    app: {{ template "keycloak.name" . }}
    chart: {{ template "keycloak.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  {{- if $ingress.tls }}
  tls:
    {{- range $ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    - http:
        paths:
          - path: /
            backend:
              serviceName: {{ template "keycloak.fullname" $ }}-http
              servicePort: http
{{- end -}}
```
And here is the `values.yaml` I am using:
```yaml
keycloak:
  replicas: 3

  image:
    repository: jboss/keycloak
    tag: 5.0.0
    pullPolicy: IfNotPresent

    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ##
    pullSecrets: []
    # - myRegistrKeySecretName

  hostAliases: []
  # - ip: "1.2.3.4"
  #   hostnames:
  #     - "my.host.com"

  securityContext:
    runAsUser: 1000
    fsGroup: 1000
    runAsNonRoot: true

  ## The path keycloak will be served from. To serve keycloak from the root path, use two quotes (e.g. "").
  basepath: auth

  ## Additional init containers, e. g. for providing custom themes
  extraInitContainers: |

  ## Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
  extraContainers: |

  ## Custom script that is run before Keycloak is started.
  preStartScript:

  ## lifecycleHooks defines the container lifecycle hooks
  lifecycleHooks: |
    # postStart:
    #   exec:
    #     command: ["/bin/sh", "-c", "ls"]

  ## Additional arguments to start command e.g. -Dkeycloak.import= to load a realm
  extraArgs: ""

  ## Username for the initial Keycloak admin user
  username: admin

  ## Password for the initial Keycloak admin user. Applicable only if existingSecret is not set.
  ## If not set, a random 10 characters password will be used
  password: admPwd

  # Specifies an existing secret to be used for the admin password
  existingSecret: ""

  # The key in the existing secret that stores the password
  existingSecretKey: password

  ## Allows the specification of additional environment variables for Keycloak
  extraEnv: |
    # - name: KEYCLOAK_LOGLEVEL
    #   value: DEBUG
    # - name: WILDFLY_LOGLEVEL
    #   value: DEBUG
    # - name: CACHE_OWNERS
    #   value: "2"
    # - name: DB_QUERY_TIMEOUT
    #   value: "60"
    # - name: DB_VALIDATE_ON_MATCH
    #   value: true
    # - name: DB_USE_CAST_FAIL
    #   value: false

  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "keycloak.name" . }}
              release: "{{ .Release.Name }}"
            matchExpressions:
              - key: role
                operator: NotIn
                values:
                  - test
          topologyKey: kubernetes.io/hostname
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchLabels:
                app: {{ template "keycloak.name" . }}
                release: "{{ .Release.Name }}"
              matchExpressions:
                - key: role
                  operator: NotIn
                  values:
                    - test
            topologyKey: failure-domain.beta.kubernetes.io/zone

  nodeSelector: {
    name: cicd
  }
  priorityClassName: ""
  tolerations: []

  ## Additional pod labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  podLabels: {}

  ## Extra Annotations to be added to pod
  podAnnotations: {}

  livenessProbe:
    initialDelaySeconds: 120
    timeoutSeconds: 5

  readinessProbe:
    initialDelaySeconds: 30
    timeoutSeconds: 1

  resources: {}
    # limits:
    #   cpu: "100m"
    #   memory: "1024Mi"
    # requests:
    #   cpu: "100m"
    #   memory: "1024Mi"

  ## WildFly CLI configurations. They all end up in the file 'keycloak.cli' configured in the configmap which is
  ## executed on server startup.
  cli:
    nodeIdentifier: |
      {{ .Files.Get "scripts/node-identifier.cli" }}

    logging: |
      {{ .Files.Get "scripts/logging.cli" }}

    reverseProxy: |
      {{ .Files.Get "scripts/reverse-proxy.cli" }}

    ha: |
      {{ .Files.Get "scripts/ha.cli" }}

    datasource: |
      {{ .Files.Get "scripts/datasource.cli" }}

    # Custom CLI script
    custom: |

  ## Add additional volumes and mounts, e. g. for custom themes
  extraVolumes: |

  extraVolumeMounts: |

  ## Add additional ports, eg. for custom admin console
  extraPorts: |

  podDisruptionBudget: {}
    # maxUnavailable: 1
    # minAvailable: 1

  service:
    annotations: {}
      # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"

    labels: {}
      # key: value

    ## ServiceType
    ## ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
    type: ClusterIP

    ## Optional static port assignment for service type NodePort.
    # nodePort: 30000

    port: 8080

    # Optional: jGroups port for high availability clustering
    jgroupsPort: 7600

  ## Ingress configuration.
  ## ref: https://kubernetes.io/docs/user-guide/ingress/
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
    path: /auth
    hosts:
      - keycloak-prod.ourIntra.com
    tls:
      - hosts:
          - keycloak-prod.ourIntra.com
        secretName: testsecret

  ## Persistence configuration
  persistence:
    # If true, the Postgres chart is deployed
    deployPostgres: false

    # The database vendor. Can be either "postgres", "mysql", "mariadb", or "h2"
    dbVendor: mysql

    ## The following values only apply if "deployPostgres" is set to "false"

    # Specifies an existing secret to be used for the database password
    existingSecret: rds-keycloak

    # The key in the existing secret that stores the password
    existingSecretKey: password

    dbName: rds_master_keycloak
    dbHost: db-endpoint.rds.amazonaws.com
    dbPort: 3306
    dbUser: admin

    # Only used if no existing secret is specified. In this case a new secret is created
    dbPassword: ""
```
After analyzing logs, it appears that the pods cannot communicate and each pod only sees itself:
logs from pod-0:

```
12:44:45,174 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
12:44:45,179 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]
12:44:45,179 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]
12:44:45,184 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.38.0.7:7600]
12:44:45,184 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.38.0.7:7600]
12:44:45,234 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
12:44:45,234 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]
12:44:45,234 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
12:44:45,235 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]
12:44:45,235 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.38.0.7:7600]
12:44:45,251 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.38.0.7:7600]
12:44:45,294 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
12:44:45,294 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]
12:44:45,305 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.38.0.7:7600]
```

logs from pod-1:

```
12:44:45,179 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
12:44:45,184 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]
12:44:45,192 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]
12:44:45,205 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-1, physical addresses are [10.32.0.14:7600]
12:44:45,225 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-1, physical addresses are [10.32.0.14:7600]
12:44:45,242 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
12:44:45,261 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]
12:44:45,277 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
12:44:45,285 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]
12:44:45,293 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-1, physical addresses are [10.32.0.14:7600]
12:44:45,301 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-1, physical addresses are [10.32.0.14:7600]
12:44:45,312 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
12:44:45,318 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]
12:44:45,324 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-1, physical addresses are [10.32.0.14:7600]
```
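The "each pod only sees itself" symptom in the logs above can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from the chart: it parses the `ISPN000094` cluster-view lines per pod (the keycloak-0 and keycloak-1 views are reused from the post above; the keycloak-2 lines and the healthy three-node set are constructed), reports every pod whose latest view is smaller than the replica count, and lists the disjoint partitions the pods have split into. Feeding it the output of `kubectl logs` for each replica gives the same report on a live cluster.

```python
import re

# Sample startup lines per pod. The keycloak-0 and keycloak-1 views follow the
# thread above; keycloak-2 and the HEALTHY set are constructed to show what a
# formed three-node cluster prints (view id grows as members join).
ISOLATED_LOGS = {
    "keycloak-0": (
        "12:44:45,174 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb\n"
        "12:44:45,179 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]\n"
        "12:44:45,184 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.38.0.7:7600]\n"
    ),
    "keycloak-1": "12:44:45,184 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|0] (1) [keycloak-1]\n",
    "keycloak-2": "12:44:45,190 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-2|0] (1) [keycloak-2]\n",
}

HEALTHY_LOGS = {
    "keycloak-0": (
        "12:50:01,000 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|0] (1) [keycloak-0]\n"
        "12:50:07,000 INFO [org.infinispan.CLUSTER] (thread-2,ejb,keycloak-0) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|2] (3) [keycloak-0, keycloak-1, keycloak-2]\n"
    ),
    "keycloak-1": "12:50:07,100 INFO [org.infinispan.CLUSTER] (thread-2,ejb,keycloak-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|2] (3) [keycloak-0, keycloak-1, keycloak-2]\n",
    "keycloak-2": "12:50:07,200 INFO [org.infinispan.CLUSTER] (thread-2,ejb,keycloak-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-0|2] (3) [keycloak-0, keycloak-1, keycloak-2]\n",
}

# ISPN000094 layout: [coordinator|view_id] (size) [member, member, ...]
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)


def parse_views(log_text):
    """Return (channel, view_id, coordinator, members) for every view line, in log order."""
    views = []
    for line in log_text.splitlines():
        m = VIEW_RE.search(line)
        if not m:
            continue  # ISPN000078/ISPN000079 and other lines carry no membership
        members = [x.strip() for x in m.group("members").split(",") if x.strip()]
        views.append((m.group("channel"), int(m.group("view_id")), m.group("coord"), members))
    return views


def latest_members(log_text, channel="ejb"):
    """Members of the most recent view a pod reported for the channel ([] if none)."""
    members = []
    for ch, _view_id, _coord, mem in parse_views(log_text):
        if ch == channel:
            members = mem
    return members


def find_isolated_pods(logs_by_pod, expected_replicas, channel="ejb"):
    """Pods whose latest view is smaller than the replica count, with what they see."""
    isolated = {}
    for pod, text in logs_by_pod.items():
        members = latest_members(text, channel)
        if len(members) < expected_replicas:
            isolated[pod] = members
    return isolated


def partitions(logs_by_pod, channel="ejb"):
    """Distinct membership sets across pods; a single entry means every pod agrees on the view."""
    seen = {tuple(sorted(latest_members(text, channel))) for text in logs_by_pod.values()}
    return sorted(list(t) for t in seen)


if __name__ == "__main__":
    for label, logs in (("isolated", ISOLATED_LOGS), ("healthy", HEALTHY_LOGS)):
        print(f"{label}: isolated={find_isolated_pods(logs, 3)} partitions={partitions(logs)}")
```

Only the last view per pod matters: every member prints a one-node view at startup before discovery completes, so a `(1)` view on its own is not a fault; it is a fault when it is still the latest view on every replica while `replicas: 3` is expected, which is exactly what the two log excerpts above show.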
My bad. When I removed the init part, I also removed the `clusterDomain: cluster.local` part.
Now it's working fine after adding it back.