codecentric / helm-charts
A curated set of Helm charts brought to you by codecentric
License: Apache License 2.0
UPGRADE FAILED
Error: error validating "": error validating data: ValidationError(StatefulSet.spec.template.spec): unknown field "enableServiceLinks" in io.k8s.api.core.v1.PodSpec
Error: UPGRADE FAILED: error validating "": error validating data: ValidationError(StatefulSet.spec.template.spec): unknown field "enableServiceLinks" in io.k8s.api.core.v1.PodSpec
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.7", GitCommit:"6f482974b76db3f1e0f5d24605a9d1d38fad9a2b", GitTreeState:"clean", BuildDate:"2019-03-25T02:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
Related to #19
This is an issue with version 4.14.2 that I am finding when making HA mode work on the GKE platform.
All replicas came up, but when I tried to log in, the login fails and comes back with messages such as
"You are already logged in."
But it does not load the logged-in page.
The only values I have changed were
keycloak:
  replicas: 3
  service:
    type: NodePort
I used the following as Ingress on GKE
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  labels:
    app: keycloak
    release: keycloak
spec:
  tls:
    - secretName: authcen-tls
  rules:
    - http:
        paths:
          - path: /auth
            backend:
              serviceName: keycloak-http
              servicePort: http
When I performed the above change, I had seen the log line
Finished rebalance with members [keycloak-0, keycloak-2, keycloak-1]
which gave an indication that the cluster formed successfully, but it failed at run time with the following message:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-9) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.codeToToken(TokenEndpoint.java:300)
I felt that I am missing something here. Can anyone please let me know the steps to make HA mode work? (I tried it long before with version 4.0, which was working fine.)
Hey,
how can I configure the livenessProbe/readinessProbe for a specific realm for Keycloak?
We have a Keycloak setup with different whitelabel realms, and therefore the liveness/readiness should be on realms/.
What it looks like is that only the Keycloak basepath is configurable:
{{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}
{{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }} /realms/master
But we want https://account-dev.fd.nl/auth/realms/FD
This is because when we run a load test and restart 1 of the 2 nodes, it detects too early that the node is up and we get 500 errors for a short time. This is because the custom FD realm (with custom provider features) is not up yet; it is up after the keycloak and master realms are up.
Is there another way to configure this?
Thanks in advance.
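One way to gate readiness on the custom realm, as an added example that is not code from the issue or from the chart itself. It assumes a chart version in which keycloak.readinessProbe and keycloak.livenessProbe are templated string values rendered with tpl (in the reporter's version the probe path may be fixed in the StatefulSet template, as the quoted snippet suggests); the basepath auth and the realm name FD are taken from the issue.

```yaml
keycloak:
  basepath: auth
  # Assumption: readinessProbe is a string value that the chart renders with tpl.
  # Readiness targets the custom realm, so a pod only receives traffic once the
  # FD realm (and its custom providers) can actually answer requests. The
  # threshold tolerates the realm still loading after the master realm is up.
  readinessProbe: |
    httpGet:
      path: {{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}/realms/FD
      port: http
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
  # Liveness stays on the server base path: a realm that is slow to load must
  # keep the pod out of the Service, not get it killed and restarted in a loop.
  livenessProbe: |
    httpGet:
      path: {{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}/
      port: http
    initialDelaySeconds: 300
    periodSeconds: 20
    timeoutSeconds: 5
```

Probing /realms/FD only proves the realm exists and answers; if the custom providers need a deeper check, point the probe at an endpoint they serve.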
Hello,
we are using Keycloak with a replicaset of 3. Additionally we have configured Ingress with sticky sessions (annotation: nginx.ingress.kubernetes.io/affinity: cookie).
Scenario
Actual behavior
Keycloak asks for credentials again
Expected behavior
Session is being re-used thus not asking for credentials again.
I have verified that the session is stored in the Infinispan cache "sessions" and that the cache has been replicated onto at least 1 other node via jconsole and the respective MBean.
Hey,
it is already possible to add extraInitContainers for themes that are maintained/built separately.
What we would like is to dynamically determine the release number of this themes container:
extraInitContainers: |
  - name: themes
    image: docker-repo.xxx.org/theme:{{ .Values.themes-version }}
The version release number we use is actually the commit id hash and we want to pass it from GitLab CI.
The problem now is that you can only make extraInitContainers configurable as a whole, since you cannot use Values in a values.yaml file.
Is it possible to make extraInitContainers more flexible, for example to not define extraInitContainers as a value itself but more like the above, defining name, image etc. as a values array?
Or is there another solution you can suggest as the preferred way?
When you set .Values.keycloak.persistence.deployPostgres: true
There is an error in the _helpers.tpl file, with an undefined template: "postgresql.fullname"
Line 76 in _helpers.tpl
Hi there
I'm having the same issue as #40: I've got keycloak.persistence.deployPostgres=false and yet postgres keeps getting deployed.
$ helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO
Server https://localhost:8443
openshift v3.11.0+3b2d3b6-227
kubernetes v1.11.0+d4cacc0
keycloak:
  persistence:
    deployPostgres: false
    dbVendor: postgres
    dbName: keycloak
    dbHost: kubedb-postgres
    dbPort: 5432
    dbUser: keycloak
    dbPassword: keycloak
Maybe I'm just missing something?
Hi! I'm opening this issue because I couldn't find anything specific in the docs.
Is there any suggested upgrade strategy when releasing a new keycloak version or theme updates?
According to Keycloak's upgrading guide there is data in certain directories that needs to be retained. Something else I noticed is that every time I upgrade Keycloak, all user sessions are deleted, despite having verified that the Infinispan cluster is working properly.
What I'm trying now as a solution is to properly set up a PodDisruptionBudget, but I was wondering if you already follow any specific strategy during updates to avoid issues like deleting all active user sessions, or if I'm missing something very obvious that results in this issue.
Thanks for all your work!
Hi,
how can I run Keycloak in HA mode? When I change keycloak replicas to higher than one, then I get an error with pod affinity.
Thanks in advance!
I'm trying to set up Keycloak using the Helm chart on my EKS cluster; however, I'm getting an "Invalid parameter: redirect_uri" error when accessing the admin console.
Setup: ALB does SSL termination and forwards traffic to the nginx ingress controller.
Chart Version 5.0.0
Values:
keycloak:
  replicas: 2
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/affinity: cookie
    hosts:
      - "auth.mydomain.com"
  podDisruptionBudget:
    minAvailable: 1
  persistence:
    dbVendor: mysql
    dbName: ...
    dbHost: ...
    dbPort: ...
    dbUser: ...
test:
  enabled: false
Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/affinity: cookie
  creationTimestamp: "2019-07-08T18:38:47Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-5.0.0
  name: keycloak
  namespace: default
  resourceVersion: "7110434"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/keycloak
  uid: 9f398ac6-a1af-11e9-a664-0675dea9642a
spec:
  rules:
  - host: auth.mydomain.com
    http:
      paths:
      - backend:
          serviceName: keycloak-http
          servicePort: http
        path: /
status:
  loadBalancer:
    ingress:
    - {}
Am I missing some configuration?
Hi,
For instance, when I run a simple Keycloak docker container, I can set the JDBC_PARAMS environment variable like:
docker run --name keycloak -e DB_VENDOR=postgres -e JDBC_PARAMS='useSSL=false' jboss/keycloak
The Keycloak Helm chart provides the keycloak.extraEnv value.
Using a config file it would be something like this, right?
keycloak:
  extraEnv: |
    - name: JDBC_PARAMS
      value: useSSL=false
What about using --set? I've tried something like
...
--set keycloak.extraEnv[0].name=JDBC_PARAMS,keycloak.extraEnv[0].value=useSSL=false
...
But it doesn't work.
I am using
$ helm version
Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
For the --set config, I am following https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set
Thanks!
When I use an ingress path other than '/', NOTES.txt shows the path also.
For example: https://domain.com/keycloak
Hi,
I apologize if this is more a Keycloak question than a k8s question, but I'm trying to add an admin user to a realm after installing Keycloak. I have tried this:
[jboss@keycloak-0 keycloak]$ bin/add-user-keycloak.sh -r 15rock -u admin-15rock -p <mypwd>
Added 'admin-15rock' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
How do I restart the server? I tried deleting the pod so that the StatefulSet would start the pod again, but that did not create the admin user for that realm. If you have any pointers, I would be grateful.
Hi,
I'm trying to install Keycloak with Postgres and my Keycloak pod failed with "Readiness probe failed: Get http://192.168.0.53:8080/auth/realms/master: dial tcp 192.168.0.53:8080: connect: connection refused"
Checking the logs, I'm getting the following:
19:11:20,788 INFO [org.jboss.modules] (CLI command executor) JBoss Modules version 1.8.7.Final
LogManager error of type GENERIC_FAILURE: Failed to move file /opt/jboss/keycloak/standalone/log/server.log to /opt/jboss/keycloak/standalone/log/server.log.2019-03-20.
java.nio.file.FileSystemException: /opt/jboss/keycloak/standalone/log/server.log -> /opt/jboss/keycloak/standalone/log/server.log.2019-03-20: Operation not permitted
...
19:11:20,929 INFO [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.5.Final
19:11:20,950 INFO [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.2.Final
19:11:21,402 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 5.0.0 (WildFly Core 7.0.0.Final) starting
19:11:21,568 INFO [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
19:11:21,656 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment-mount-provider: org.jboss.msc.service.StartException in service jboss.deployment-mount-provider: WFLYSRV0113: Failed to create temp file provider
at org.jboss.as.server.deployment.DeploymentMountProvider$Factory$ServerDeploymentRepositoryImpl.start(DeploymentMountProvider.java:127)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: VFS000014: Could not create directory for root '/opt/jboss/keycloak/standalone/tmp/vfs/temp' (prefix 'temp', suffix '') after 10 attempts
at org.jboss.vfs.TempFileProvider.createTempDir(TempFileProvider.java:157)
at org.jboss.vfs.TempFileProvider.create(TempFileProvider.java:109)
at org.jboss.as.server.deployment.DeploymentMountProvider$Factory$ServerDeploymentRepositoryImpl.start(DeploymentMountProvider.java:125)
... 8 more
I'd love to know what's wrong with my setup.
Thank you!
Is this a BUG REPORT or a FEATURE REQUEST?: Bug Report
Version of Helm and Kubectl:
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.9", GitCommit:"16236ce91790d4c75b79f6ce96841db1c843e7d2", GitTreeState:"clean", BuildDate:"2019-03-25T06:30:48Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
Which chart: codecentric/keycloak 4.11.1
What happened:
I have Keycloak behind the Kong Ingress Controller.
I'm able to see the Keycloak welcome page at my {url}/auth/. However, when I click on Administration Console I am redirected to {url}:8000/auth/admin/master/console/
What you expected to happen:
When I click on Administration Console I should be redirected to {url}/auth/admin/master/console/
How to reproduce it (as minimally and precisely as possible):
helm install --name kong-develop --namespace develop stable/kong \
--set ingressController.enabled=true
3.1 Basic Configuration
3.2 Listeners
Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port |
---|---|---|---|
TCP | 80 | TCP | kong-proxy NodePort service |
TCP | 443 | TCP | kong-proxy TLS NodePort service |
TCP | 8444 | TCP | kong-admin NodePort service |
To help you detect the correct ports, take a look at the example image below:
In the example cluster shown in the image above:
3.3 Select Subnets
3.4 Security Group
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom TCP Rule | TCP | 80 | Anywhere |
Custom TCP Rule | TCP | 443 | Anywhere |
Custom TCP Rule | TCP | 8444 | Anywhere |
3.5 Configure Health Check
The health check should point to the kong-admin NodePort service. To help you find the correct port, take a look at the example image below.
Based on the image below, the health check should point to port 31725.
3.6 Add EC2 Instances
Add only the node instances.
3.8 Bind Load Balancer and Cluster
Edit the node cluster Inbound security group adding the following rules:
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP Rule | TCP | kong-admin NodePort service | Custom - the KongDevelopLB security group id | kongDevelopLB |
Custom TCP Rule | TCP | kong-proxy NodePort service | Custom - the KongDevelopLB security group id | kongDevelopLB |
Custom TCP Rule | TCP | kong-proxy TLS NodePort service | Custom - the KongDevelopLB security group id | kongDevelopLB |
Example:
Based on the image above:
3.9 Create an alias to the Load Balancer
In the Route53 service, create an alias record set inside the cluster hosted zone to point to the Kong Load Balancer.
Example:
If your cluster DNS name is kubernetes.mydomain.com
you could create an alias record set like this: develop.kubernetes.mydomain.com
4.1 Create a values.yaml file with the content below:
init:
  image:
    pullPolicy: Always
keycloak:
  username: admin
  password: admin
  readinessProbe:
    timeoutSeconds: 60
  service:
    type: NodePort
  persistence:
    deployPostgres: true
    dbVendor: postgres
  ingress:
    enabled: true
    hosts:
      - develop.kubernetes.mydomain.com
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
4.2 Install Keycloak using the values.yaml file created in step 4.1
Execute the command below:
helm install --name keycloak-develop --namespace develop codecentric/keycloak --values values.yaml
4.3 Access Keycloak
Open the browser and access the following URL: http://develop.kubernetes.mydomain.com/ and you will be redirected to http://develop.kubernetes.mydomain.com/auth/
4.4 Access the Administration Console
Click on the Administration Console link and you will be redirected to https://develop.kubernetes.mydomain.com:8443/auth/admin/master/console/
Further information:
When I install Keycloak (with Helm) on minikube, exposing the service as a NodePort service without using ingress and a load balancer, I'm able to access the Administration Console page.
Hi guys,
is there a way to disable the Keycloak welcome page?
Thank you!
It would be great to extend the README with an example of how to set a custom admin console port. As I understood, it should be possible with the property keycloak.extraPorts, but I didn't find a hint in the docs on how the settings should look.
https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/threat/admin.adoc
Hello,
I am trying to deploy Keycloak using MySQL. The chart works just fine when replicas is set to 1, but it doesn't work when it's greater than 1 (e.g. 2 or 3). Actually I can see the main authentication page, but once I click on "Log In" I get an ERR_TOO_MANY_REDIRECTS error.
In the logs I am getting, on every pod:
09:41:53,225 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true
09:41:53,351 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true
09:41:53,480 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true
09:42:45,412 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:45,672 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:45,789 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:45,907 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:46,215 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:46,336 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:57,976 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,137 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,256 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,375 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,499 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,931 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:59,108 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
I tried to add
extraEnv: |
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
But I am still having the same issue.
Are there any ideas to resolve this?
Thank you!
The chart has an optional dependency on the PostgreSQL chart.
By default, the PostgreSQL chart requires PV support on underlying infrastructure (may be disabled).
Initially the realm json file is successfully imported. But when the realm json is changed and a cluster node is restarted the changes are not reflected. In the logs it states:
Realm 'foo' already exists. Import skipped
Do we do something wrong? Or how do you deal with that?
To improve support for custom Keycloak docker images with custom JGroups configurations, it would be helpful to have access to the generated DNS name of the keycloak-headless service.
Hello,
I use the Helm charts available in this repository to install Keycloak on my Kubernetes cluster.
When I want to add my FreeIPA implementation as a User Federation source using an LDAPS connection between Keycloak and FreeIPA, I encounter an error.
The connection test works but the authentication test fails with this error:
21:23:14,482 ERROR [org.keycloak.services] (default task-47) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: myfreeipa.fqdn:636: javax.naming.CommunicationException: simple bind failed: myfreeipa.fqdn:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.keycloak.services.managers.LDAPConnectionTestManager.testLDAP(LDAPConnectionTestManager.java:77)
at org.keycloak.services.resources.admin.RealmAdminResource.testLDAPConnection(RealmAdminResource.java:940)
at sun.reflect.GeneratedMethodAccessor724.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 87 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 100 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 106 more
I assume it's a certificate issue, as my main FreeIPA CA certificate is not known by Keycloak to make the LDAPS query authentication.
For example, in my Kubernetes / Rancher cluster I have to add the certificate to Rancher to be able to make an LDAPS call and authenticate against my FreeIPA server.
A few searches on the internet show that I can import the certificate into the keystore using the keytool utility. As the deployment here uses the Helm chart, do you have a clue how to import my CA certificate inside the Keycloak deployment?
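One way to do this with the chart's own hooks (extraInitContainers, extraVolumes, extraVolumeMounts and extraEnv, the same values other reports on this page use), written here as an added example rather than anything from the original issue or the chart's documentation. Assumptions not taken from the page: a Secret named freeipa-ca whose key ca.crt holds the FreeIPA CA in PEM form; the jboss/keycloak:6.0.1 image, which has keytool on the PATH and JAVA_HOME set; and the JDK's well-known default store password changeit. The init container starts from the JDK's bundled cacerts and adds the private CA to a copy, because -Djavax.net.ssl.trustStore replaces the default store rather than extending it: a store holding only the FreeIPA CA would break every other outbound TLS connection Keycloak makes (identity brokering, a TLS database, outgoing webhooks).

```yaml
keycloak:
  extraVolumes: |
    - name: freeipa-ca
      secret:
        secretName: freeipa-ca        # assumed: created from the FreeIPA CA PEM, key ca.crt
    - name: truststore
      emptyDir: {}                    # shared between the init container and Keycloak
  extraVolumeMounts: |
    - name: truststore
      mountPath: /opt/jboss/truststore
      readOnly: true
  extraInitContainers: |
    - name: build-truststore
      image: jboss/keycloak:6.0.1     # same JDK (and same keytool) as the Keycloak container
      command: ["sh", "-ec"]
      args:
        - |
          # JDK 8 layout first (this image); JDK 11+ layout as a fallback.
          src="$JAVA_HOME/jre/lib/security/cacerts"
          [ -f "$src" ] || src="$JAVA_HOME/lib/security/cacerts"
          # Start from the public CAs the JDK already trusts, then add ours.
          cp "$src" /truststore/cacerts.jks
          keytool -importcert -noprompt -trustcacerts \
            -keystore /truststore/cacerts.jks -storepass changeit \
            -alias freeipa-ca -file /ca/ca.crt
          # Fail the init container (and so the pod) if the import did not land.
          keytool -list -keystore /truststore/cacerts.jks -storepass changeit \
            -alias freeipa-ca
      volumeMounts:
        - name: freeipa-ca
          mountPath: /ca
          readOnly: true
        - name: truststore
          mountPath: /truststore
  extraEnv: |
    # Picked up by the JVM itself, so the image's own JAVA_OPTS defaults stay intact.
    - name: _JAVA_OPTIONS
      value: "-Djavax.net.ssl.trustStore=/opt/jboss/truststore/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"
```

Verify from the running pod with keytool -list against /opt/jboss/truststore/cacerts.jks and then use the LDAP provider's "Test connection" button; the PKIX error above should be gone. The store password only protects the store's integrity, and a CA bundle is public data, so keeping the JDK default here is acceptable. Keycloak's LDAP provider can alternatively be pointed at a Keycloak truststore SPI configured in standalone.xml; the JVM-wide store above needs no standalone.xml change.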
It would be nice if the keycloak-http service were optional, so that users can request not to create it at all during chart installation.
The reason is, for example, when using Ambassador as an API gateway, the only entry point to Keycloak would be through the headless service. Having also the keycloak-http service means it may have to be secured as well (when using Ambassador in combination with Istio and mutual TLS), and in general it complicates and pollutes the configuration.
Helm intentionally tries to split up the mono repo, which is a maintenance nightmare, and you start the same mistake again?
I just do not get it :/
The code completely ignores 'KEYCLOAK_LOGLEVEL'. It's mentioned only in the documentation and a comment.
https://github.com/codecentric/helm-charts/search?q=KEYCLOAK_LOGLEVEL&unscoped_q=KEYCLOAK_LOGLEVEL
Using a custom Docker image based on jboss/keycloak:6.0.1, which just grabs the AWS RDS cert and packages it up to be able to use SSL...
values.yaml
keycloak:
  image:
    repository: registry.blah.com/ci/keycloak
    tag: 6.0.1-1.0.0
    pullPolicy: Always
  replicas: 1
  extraEnv: |
    - name: KEYCLOAK_LOGLEVEL
      value: INFO
    - name: JDBC_PARAMS
      value: ssl=true
    - name: _JAVA_OPTIONS
      value: "-Djavax.net.ssl.trustStore=/tmp/cacerts.jks"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  password: s3cret
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: internal
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.blah.com
    tls:
      - hosts:
          - keycloak.blah.com
  persistence:
    dbVendor: postgres
    dbName: keycloak
    dbHost: aurora-postgresql-infra.cluster-{blah}.us-east-1.rds.amazonaws.com
    dbUser: keycloak
    dbPassword: s3cret
Caused by: org.postgresql.util.PSQLException: Could not open SSL root certificate file /opt/jboss/.postgresql/root.crt.
at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:120)
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:33)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
... 55 more
Caused by: java.io.FileNotFoundException: /opt/jboss/.postgresql/root.crt (No such file or directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:117)
... 65 more
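The FileNotFoundException above is what pgjdbc does with a bare ssl=true: that setting defaults to sslmode=verify-full and looks for the CA at ~/.postgresql/root.crt, which for the jboss user in this image is /opt/jboss/.postgresql/root.crt. What follows is an added example, not from the original issue, of supplying the CA without a custom image, using the chart's extraVolumes, extraVolumeMounts and extraEnv hooks. Assumed: a ConfigMap named rds-ca whose key rds-ca-bundle.pem holds the AWS RDS CA bundle (a public document, so a ConfigMap rather than a Secret is the right home for it), a placeholder dbHost, and that the image appends JDBC_PARAMS to the JDBC URL exactly as the poster's ssl=true shows it does.

```yaml
keycloak:
  extraVolumes: |
    - name: rds-ca
      configMap:
        name: rds-ca                   # assumed: kubectl create configmap rds-ca --from-file=rds-ca-bundle.pem
  extraVolumeMounts: |
    - name: rds-ca
      mountPath: /opt/jboss/rds-ca
      readOnly: true
  # Weak form, as posted: "ssl=true" alone requests verify-full but gives the
  # driver no CA file to verify against, hence the FileNotFoundException.
  #   - name: JDBC_PARAMS
  #     value: ssl=true
  # Fixed form: name the CA bundle explicitly and keep verify-full, which checks
  # both the chain and that the certificate matches the RDS hostname. Do not
  # "fix" this with sslmode=require; that drops the identity check and leaves
  # the database password exposed to anyone who can sit in the TLS path.
  extraEnv: |
    - name: JDBC_PARAMS
      value: "ssl=true&sslmode=verify-full&sslrootcert=/opt/jboss/rds-ca/rds-ca-bundle.pem"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  persistence:
    deployPostgres: false
    dbVendor: postgres
    dbName: keycloak
    dbHost: example.cluster-xxxxxxxx.us-east-1.rds.amazonaws.com   # placeholder
    dbPort: 5432
    dbUser: keycloak
    dbPassword: s3cret                 # placeholder
```

An alternative that leaves JDBC_PARAMS at the posted ssl=true is to mount the same ConfigMap key at /opt/jboss/.postgresql/root.crt with subPath, the exact path the trace names. Either way, confirm from inside the pod that the file is readable by uid 1000 (kubectl exec keycloak-0 -- cat the path) before restarting Keycloak, since a permission problem produces the same class of error.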
Hi, since this morning's release we are unable to port forward, resulting in a few environments failing.
This seems to be related to the change you made; from the Keycloak logs:
10:55:41,554 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 100.96.7.6:8080
We rolled back to version 5.1.1; from the Keycloak logs:
12:13:44,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 0.0.0.0:8080
Version 5.1.2 does not work. Is there anything we need to do to make this work on the latest version?
I'm trying to enable Ingress in the chart values, and it helped create a Google Cloud HTTPS Load Balancer as expected. However, the default backend has not been defined in the template, so GCP creates a random default backend.
Could you please review and adapt the Ingress template of the Keycloak chart to make it work on GCP?
When enabling Postgres, the pod fails when PodSecurityPolicies are in effect on the cluster:
Events:
Type Reason Age From Message
Normal Scheduled 26s default-scheduler Successfully assigned keycloak/keycloack-postgresql-844b466bd5-784b4 to k8s003-worker003
Normal Pulling 26s kubelet, k8s003-worker003 Pulling image "postgres:9.6.2"
Normal Pulled 18s kubelet, k8s003-worker003 Successfully pulled image "postgres:9.6.2"
Warning Failed 4s (x3 over 18s) kubelet, k8s003-worker003 Error: container has runAsNonRoot and image will run as root
Normal Pulled 4s (x2 over 17s) kubelet, k8s003-worker003 Container image "postgres:9.6.2" already present on machine
Hi,
I would like to customize the restartPolicy of the Keycloak pods.
By default (when not specified) the restartPolicy is "Always". This means that the Keycloak container will restart, but all other containers in the pod won't be restarted.
Sometimes you'd like to relaunch the initContainers or restart sidecars or ambassadors when the "main container" crashes (for example to obtain a new Vault credential to be used by the Cloud SQL Proxy, and so on...).
So I would like the restartPolicy to be explicit and configurable, with "Always" as the default value.
What do you think?
Thanks in advance,
Fred
The codecentric Helm repo can pull only the Jenkins chart. Keycloak is not available through the repo. Is Keycloak available in this repo?
Looking at the following file as reference:
https://codecentric.github.io/helm-charts/index.yaml
apiVersion: v1
entries:
  jenkins:
Istio is unable to inject its sidecar: the securityContext is defined directly on the StatefulSet, overriding what the sidecar needs to do, ending up giving an error like: iptables v1.6.0: can't initialize iptables table "nat": Permission denied (you must be root)
This is discussed in istio/old_issues_repo#316
I'm testing out replacing
securityContext:
  fsGroup: 1001
  runAsNonRoot: true
  runAsUser: 1000
directly on the StatefulSet with
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
on the container definition instead.
Will attach a PR for this soon if everything seems to work.
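The two placements side by side, as an added example rather than the chart's actual template (the StatefulSet skeleton, image tag and port are assumed for illustration). Pod-level securityContext fields apply to every container in the pod, the injected istio-init and istio-proxy included, unless a container overrides them; container-level fields apply only to that container. fsGroup has no container-level equivalent and only sets the group ownership of mounted volumes, so it can stay on the pod without stopping istio-init from running iptables as root.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
spec:
  serviceName: keycloak-headless
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      # Before: runAsUser/runAsNonRoot at pod level also bind istio-init, which
      # has to program iptables as root -> "Permission denied (you must be root)".
      #securityContext:
      #  fsGroup: 1001
      #  runAsNonRoot: true
      #  runAsUser: 1000
      #
      # After: only fsGroup stays at pod level; the uid constraints move onto the
      # Keycloak container, so containers Istio injects keep their own defaults.
      securityContext:
        fsGroup: 1001
      containers:
        - name: keycloak
          image: jboss/keycloak:6.0.1
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000               # the jboss user in the image
            allowPrivilegeEscalation: false
          ports:
            - name: http
              containerPort: 8080
```

One caveat: this only relocates the constraint. A PodSecurityPolicy that forbids root for the whole pod still rejects istio-init, which needs root (or at least CAP_NET_ADMIN) whichever way the Keycloak container is configured, so the policy binding for the namespace has to allow that init container explicitly.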
We have a cluster environment where limit and request settings for CPU and memory are enforced for every container. This is of course possible for the Keycloak container itself as well as for the embedded PostgreSQL Helm chart/container.
Unfortunately it is not possible for the init container wait-for-postgres, which is automatically enabled when deployPostgres is enabled.
Keycloak will not start up, claiming that limits and requests have to be specified:
create Pod mp-login-keycloak-0 in StatefulSet mp-login-keycloak failed error: pods "mp-login-keycloak-0" is forbidden: failed quota: default-4jmm8: must specify limits.cpu,limits.memory,requests.cpu,requests.memory
Manually modifying the installed wait-for-postgres sidecar container after the Helm chart installation and adding resource limits + requests makes Keycloak come up finally.
Please add a values.yaml option to be able to specify resources for the init container.
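A namespace-level workaround that needs no chart change, written here as an added example (the LimitRange is not part of the chart; the namespace and the figures are illustrative). The quota error above comes from a ResourceQuota with compute constraints, which rejects any pod in which some container, init containers included, has no requests or limits. The LimitRanger admission controller fills in a LimitRange's defaultRequest and default for every container that omits them, init containers included, before the quota is evaluated, so wait-for-postgres gets values without the chart exposing a knob for it.

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: keycloak            # assumed namespace of the release
spec:
  limits:
    - type: Container            # applies to init containers as well as regular ones
      defaultRequest:            # filled in when requests.* are missing
        cpu: 50m
        memory: 64Mi
      default:                   # filled in when limits.* are missing
        cpu: 200m
        memory: 256Mi
      max:                       # optional ceiling; anything larger is rejected outright
        cpu: "2"
        memory: 4Gi
```

Defaults are applied only when a pod is created, so delete keycloak-0 (or run helm upgrade) after adding the LimitRange, then check the result with kubectl get pod keycloak-0 -o jsonpath='{.spec.initContainers[*].resources}'. Keep default within the quota's remaining headroom, or the same error returns with different numbers. Containers that set resources explicitly, such as the Keycloak container itself, are left alone.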
Hi Team,
The Keycloak pods go into a crashloop due to a MySQL connection error. The env vars (inside the pod) look correct with the MySQL creds.
MySQL version: Server version: 5.7.17 MySQL Community Server (GPL)
Error logs:
15:56:29,233 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 62) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:440)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:376)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2769)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:363)
at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:276)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:88)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:303)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:143)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.Util.getInstance(Util.java:408)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
... 55 more
Caused by: java.lang.NumberFormatException: For input string: "tcp:"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
... 56 more
15:56:29,434 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
15:56:29,543 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.deployment.unit."keycloak-server.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."keycloak-server.war".undertow-deployment: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:164)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2769)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:363)
at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:276)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:88)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:303)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:143)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
... 8 more
Caused by: java.lang.RuntimeException: Failed to connect to database
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
... 31 more
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:376)
... 43 more
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:440)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
... 45 more
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624)
... 48 more
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.Util.getInstance(Util.java:408)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
... 55 more
Caused by: java.lang.NumberFormatException: For input string: "tcp:"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
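Kubernetes service links are one common source of a tcp: string where a port number is expected, so they are worth ruling out when the NumberFormatException above appears. The kubelet injects Docker-link style variables for every Service that exists in the namespace when a pod is created: a Service named mysql yields MYSQL_SERVICE_HOST and MYSQL_SERVICE_PORT, but also MYSQL_PORT=tcp://<cluster-ip>:3306, MYSQL_PORT_3306_TCP=tcp://<cluster-ip>:3306 and friends, and anything that reads MYSQL_PORT as a number parses tcp: instead. The manifest below is an added example, not the chart's template: it shows the pod-spec switch that turns the injection off (enableServiceLinks, a PodSpec field since Kubernetes 1.13) next to the explicit DB_* variables the jboss/keycloak image reads. The cluster IP in the comments and the keycloak-db Secret are constructed.

```yaml
# Check first: dump the environment Keycloak actually sees.
#   kubectl exec keycloak-0 -- env | grep -E '^(MYSQL|POSTGRES|DB)_' | sort
# With service links on and a Service named "mysql" you get lines like these
# (constructed values):
#   MYSQL_PORT=tcp://10.96.12.34:3306
#   MYSQL_PORT_3306_TCP=tcp://10.96.12.34:3306
#   MYSQL_PORT_3306_TCP_ADDR=10.96.12.34
#   MYSQL_PORT_3306_TCP_PORT=3306
#   MYSQL_SERVICE_HOST=10.96.12.34
#   MYSQL_SERVICE_PORT=3306
apiVersion: v1
kind: Pod                          # in the chart's StatefulSet this is spec.template.spec
metadata:
  name: keycloak
spec:
  enableServiceLinks: false        # Kubernetes 1.13+; older API servers reject the field
  containers:
    - name: keycloak
      image: jboss/keycloak:6.0.1
      env:
        - name: DB_VENDOR
          value: mysql
        - name: DB_ADDR
          value: mysql             # still resolvable through cluster DNS
        - name: DB_PORT
          value: "3306"            # quoted on purpose: env values must be strings
        - name: DB_DATABASE
          value: keycloak
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: keycloak-db    # assumed Secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-db
              key: password
```

Turning service links off costs nothing in a cluster with DNS, since the same Service stays reachable as mysql or mysql.<namespace>.svc. On an API server older than 1.13 the field is unknown and the upgrade fails validation; the fallback there is to give the Service a name whose upper-cased form does not collide with any variable the application reads.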
Environment
Chart values (codecentric chart as a dependency):
keycloak:
  fullnameOverride: "keycloak"
  keycloak:
    image:
      pullSecrets: ["nexus-docker"]
    service:
      type: NodePort
    ## Additional init containers, e. g. for providing custom themes
    extraInitContainers: |
      - name: theme-provider
        image: example-keycloak-theme:0.0.6
        imagePullPolicy: IfNotPresent
        command:
          - sh
        args:
          - -c
          - |
            echo "Copying theme..."
            cp -R /example/* /theme
        volumeMounts:
          - name: theme
            mountPath: /theme
    extraVolumes: |
      - name: theme
        emptyDir: {}
    extraVolumeMounts: |
      - name: theme
        mountPath: /opt/jboss/keycloak/themes/example
    persistence:
      # If true, the Postgres chart is deployed
      deployPostgres: true
      # The database vendor. Can be either "postgres", "mysql", "mariadb", or "h2"
      dbVendor: postgres
      dbName: keycloak
      dbHost: mykeycloak
      dbPort: 5432
      dbUser: keycloak
    extraEnv: |
      - name: KEYCLOAK_LOGLEVEL
        value: DEBUG
      - name: WILDFLY_LOGLEVEL
        value: DEBUG
  postgresql:
    ## PostgreSQL Database to create.
    ##
    postgresqlDatabase: keycloak
    postgresqlUsername: keycloak
    persistence:
      enabled: true
    service:
      port: 5432
Complete stacktrace
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013:
Operation ("add") failed - address: ([("subsystem" => "microprofile-metrics-smallrye")]): java.lang.NullPointerException
https://github.com/ibuetler/docker-keycloak-traefik-workshop/issues/1
10:19:29,873 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
([("subsystem" => "microprofile-metrics-smallrye")]): java.lang.NullPointerException
at org.wildfly.extension.microprofile.metrics.MicroProfileMetricsSubsystemAdd$2.execute(MicroProfileMetricsSubsystemAdd.java:86)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1412)
at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521)
at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:472)
at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:434)
at org.jboss.as.server.ServerService.boot(ServerService.java:435)
at org.jboss.as.server.ServerService.boot(ServerService.java:394)
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:374)
at java.lang.Thread.run(Thread.java:748)
When I try to set Keycloak persistence to mysql it throws an UnknownHostException:
Caused by: java.net.UnknownHostException: mysql: Name or service not known
at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:929)
at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1324)
at java.net.InetAddress.getAllByName0(InetAddress.java:1277)
at java.net.InetAddress.getAllByName(InetAddress.java:1193)
at java.net.InetAddress.getAllByName(InetAddress.java:1127)
at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:188)
at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:301)
... 68 more
Other pods in my cluster have no problem connecting to the mysql service; only the Keycloak pod has this issue.
Install mysql
helm install --name mysql --set imageTag=5.6,mysqlRootPassword=secretpassword,mysqlUser=keycloak,mysqlPassword=password,mysqlDatabase=keycloak stable/mysql
Install keycloak
helm install --name keycloak --set keycloak.username=admin,keycloak.password=admin,keycloak.persistence.deployPostgres=false,keycloak.persistence.dbVendor=mysql,keycloak.persistence.dbName=keycloak,keycloak.persistence.dbHost=mysql,keycloak.persistence.dbPort=3306,keycloak.persistence.dbUser=keycloak,keycloak.persistence.dbPassword=password codecentric/keycloak
Linux version: CentOS Linux 7 (Core)
Kubernetes version: v1.14.2
Network: flannel:v0.11.0-amd64
Hi Team,
With the Keycloak deployment, some of the features are disabled by default. Is there a way to enable features through the Helm deployment?
I want to enable the "Script authenticator", which allows adding custom JS scripts and is disabled by default. This can be enabled using an option like -Dkeycloak.profile.feature.script=enabled as per the Keycloak docs. So I want to know how we can pass this option when deploying Keycloak through Helm.
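Added example, not from the original question: passing the JVM system property through the chart's extraEnv, the way the other values files on this page already use _JAVA_OPTIONS. The property key is keycloak.profile.feature.<feature> with the feature name from Keycloak's Profile, which for script-based authenticators is scripts. Two caveats belong next to it. JAVA_OPTS is not the right variable, because the image's standalone.conf applies its default options (heap sizes, module settings) only when JAVA_OPTS is unset, so setting it from outside replaces them. And the feature is off by default for a reason: a script authenticator is server-side JavaScript written by a realm administrator, so enabling it hands every realm admin code execution inside the Keycloak JVM.

```yaml
keycloak:
  # Read by the JVM itself and appended to whatever the launcher passes, so the
  # image's JAVA_OPTS defaults from standalone.conf are kept.
  extraEnv: |
    - name: _JAVA_OPTIONS
      value: "-Dkeycloak.profile.feature.scripts=enabled"
  # Do NOT do this instead: a JAVA_OPTS set from outside replaces the image
  # defaults (-Xms/-Xmx, jboss.modules.system.pkgs, ...) rather than adding to them.
  #extraEnv: |
  #  - name: JAVA_OPTS
  #    value: "-Dkeycloak.profile.feature.scripts=enabled"
```

The file-based equivalent is a profile.properties in standalone/configuration containing feature.scripts=enabled, which can be mounted from a ConfigMap with extraVolumes/extraVolumeMounts and subPath. Either way, the Script authenticator shows up in the flow execution list of the admin console once the flag is active; the JVM also logs a "Picked up _JAVA_OPTIONS" line at startup, which is a convenient confirmation that the variable reached the right process.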
As there is also an active Helm chart for Jenkins in the stable repo, it would be great if the README contained a section on how codecentric/jenkins differs from stable/jenkins.
This would make it easier for potential users to find the proper chart for their needs.
Hi,
Thanks for this chart. I'd appreciate any help you can guide me with. My issue is that even though I specify a redirect URL as https://myclient/oidc_callback, when the actual redirect happens, it fails as it redirects to http instead of https, i.e. http://myclient/oidc_callback.
My Keycloak service (and client) are exposed via Ingress using an NGINX controller.
I see PROXY_ADDRESS_FORWARDING is set to true by default, but it still does not work for me.
Questions:
values.yaml to make this work?
Hi,
It seems https://hub.helm.sh/charts/codecentric/mailhog does not exist, could you check this chart?
Error: chart "mailhog" matching 3.0.0 not found in codecentric index. (try 'helm repo update'). no chart name found
I am trying to run Keycloak and have it use an external MySQL 5.6.10 instance. I have tried using the latest version of the Keycloak chart (v5.1.2) and version v5.1.1, but both result in the same outcome.
I am installing the chart using a yaml file with the following values (although I obviously changed the passwords and database host):
keycloak:
  username: kiwigrapefruit
  password: pword
  persistence:
    deployPostgres: false
    dbVendor: mysql
    dbName: keycloak
    dbHost: confidential.url.com
    dbPort: 3306
    dbUser: keycloak_user
    dbPassword: keycloak_password
It is able to connect to the database and create the tables, because the previously empty keycloak schema now has many tables in it (APPLICATION_DEFAULT_ROLES, APP_NODE_REGISTRATIONS, etc.).
The keycloak container keeps crashing and restarting itself. Here are the logs of the pod:
Here's my kubectl version output:
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.11", GitCommit:"637c7e288581ee40ab4ca210618a89a555b6e7e9", GitTreeState:"clean", BuildDate:"2018-11-26T14:38:32Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.7-eks-c57ff8", GitCommit:"c57ff8e35590932c652433fab07988da79265d5b", GitTreeState:"clean", BuildDate:"2019-06-07T20:43:03Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
And here's my helm version output:
Client: &version.Version{SemVer:"v2.14.2", GitCommit:"a8b13cc5ab6a7dbef0a58f5061bcc7c0c61598e7", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.2", GitCommit:"a8b13cc5ab6a7dbef0a58f5061bcc7c0c61598e7", GitTreeState:"clean"}
Let me know if you need any more information.
Thanks,
Tyler
Hi!
PostgreSQL connection configuration is available on my clusters through one configmap (for PostgreSQL instance URL and port) and a secret (for database, user and password).
So, I want to use env valueFrom to define persistence configuration for my Keycloak Helm release. I give them in the keycloak.extraEnv chart parameter.
This results in duplicate DB_* env entries in the final YAML (ones defined through keycloak.dbEnvVars and others through keycloak.extraEnv).
Sometimes, Helm (or Kubernetes) complains with this error:
Error: UPGRADE FAILED: The order in patch list:
[map[name:DB_PORT value:<nil> valueFrom:map[configMapKeyRef:map[key:postgres-port name:postgres-server]]] map[name:DB_PORT value:5432 valueFrom:<nil>] map[name:DB_DATABASE value:<nil> valueFrom:map[secretKeyRef:map[key:postgres-database name:postgres-keycloak]]] map[name:DB_DATABASE value:keycloak valueFrom:<nil>] map[name:DB_USER value:<nil> valueFrom:map[secretKeyRef:map[name:postgres-keycloak key:postgres-username]]] map[valueFrom:<nil> name:DB_USER value:keycloak] map[$patch:delete name:JGROUPS_DISCOVERY_PROPERTIES] map[$patch:delete name:JGROUPS_DISCOVERY_PROTOCOL] map[name:KEYCLOAK_SERVICE_DNS_NAME $patch:delete]]
doesn't match $setElementOrder list:
[map[name:KEYCLOAK_USER] map[name:KEYCLOAK_PASSWORD_FILE] map[name:DB_VENDOR] map[name:DB_ADDR] map[name:DB_PORT] map[name:DB_DATABASE] map[name:DB_USER] map[name:DB_PASSWORD] map[name:KEYCLOAK_LOGLEVEL] map[name:PROXY_ADDRESS_FORWARDING] map[name:DB_ADDR] map[name:DB_PORT] map[name:KEYCLOAK_JDBC_PARAMS] map[name:DB_DATABASE] map[name:DB_USER] map[name:DB_PASSWORD]]
Possible solutions:
- DB_* env vars from parameters default values if deployPostgres is used
- keycloak.dbEnvVars generation
The first two solutions let the user define DB_* env vars themselves.
The last solution generates a lot of parameters and introduces some complexity in the keycloak.dbEnvVars helper.
What do you think of it?
Was using the keycloak 4.0 chart with the above flawlessly and installing postgres separately.
With the new 5.0 chart, I end up with two deployments of postgres.
Helm & Tiller 2.11.0
Kubernetes 1.13 cluster installed with Kubespray 2.8
In values.yaml there is:
reverseProxy: |
  {{ .Files.Get "scripts/reverse-proxy.cli" }}
but no reverse-proxy.cli is present in the scripts folder.
I am looking to run a command to add an LDAP to keycloak so that it can be done as part of a deploy process rather than having to be run manually. I've managed to assemble a kcadm.sh command to do so:
./kcadm.sh create components -r master \
  -s name=ldap \
  -s providerId=ldap \
  -s providerType=org.keycloak.storage.UserStorageProvider \
  -s parentId=master \
  -s 'config.enabled=["true"]' \
  -s 'config.priority=["0"]' \
  ...
I'm struggling to figure out a way to run this. I think it has to be run after keycloak is up and running, so init containers are no good.
I saw the wildfly custom scripts parameter as well, but I don't know when they actually run. Also the command I want to run isn't for the wildfly scripting language, just for kcadm.sh.
What method could I go about using to accomplish this?
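One way to run a kcadm.sh command only after the server is up, as an added example that is not part of the issue above and not code from the chart: a Helm post-install/post-upgrade hook Job using the same Keycloak image as the release (so kcadm.sh matches the server version), which retries the admin login until the server answers and then creates the LDAP component. Everything about the target environment is assumed and must be adjusted: the HTTP service name keycloak-http serving /auth, a secret keycloak-http with the admin password under key password, a secret ldap-bind with the bind password, the image tag, and the LDAP URL and DNs.

```yaml
# Added example (not from the original issue and not the chart's own code):
# a Helm hook Job that runs kcadm.sh against the released Keycloak once it is up.
# Assumptions to adjust for your release: service keycloak-http serving /auth,
# secret keycloak-http (key "password") holding the admin password, secret
# ldap-bind (key "password") holding the LDAP bind credential, image tag,
# and the LDAP connection URL / DNs.
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-ldap-setup
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    # Keep failed Jobs around so their logs can be read; delete successful ones.
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  backoffLimit: 6
  # Bound the readiness wait so a bad credential cannot spin the hook forever.
  activeDeadlineSeconds: 600
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: kcadm
          image: jboss/keycloak:6.0.1   # assumption: use the tag your release runs
          env:
            - name: KEYCLOAK_USER
              value: keycloak
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-http
                  key: password
            - name: LDAP_BIND_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ldap-bind
                  key: password
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              KC=/opt/jboss/keycloak/bin/kcadm.sh
              # Wait for the server by retrying the admin login rather than sleeping blindly.
              until $KC config credentials --server http://keycloak-http/auth \
                    --realm master --user "$KEYCLOAK_USER" --password "$KEYCLOAK_PASSWORD"; do
                echo "keycloak not ready yet, retrying"; sleep 5
              done
              # Idempotent: a post-upgrade re-run must not register a second LDAP provider.
              if $KC get components -r master -q name=ldap \
                   -q type=org.keycloak.storage.UserStorageProvider | grep -q '"providerId"'; then
                echo "ldap provider already present"; exit 0
              fi
              $KC create components -r master \
                -s name=ldap \
                -s providerId=ldap \
                -s providerType=org.keycloak.storage.UserStorageProvider \
                -s parentId=master \
                -s 'config.enabled=["true"]' \
                -s 'config.priority=["0"]' \
                -s 'config.editMode=["READ_ONLY"]' \
                -s 'config.authType=["simple"]' \
                -s 'config.connectionUrl=["ldaps://ldap.example.internal:636"]' \
                -s 'config.usersDn=["ou=people,dc=example,dc=internal"]' \
                -s 'config.bindDn=["cn=keycloak,ou=service,dc=example,dc=internal"]' \
                -s "config.bindCredential=[\"$LDAP_BIND_PASSWORD\"]"
```

Place the manifest under the chart's templates (or a wrapper chart's) so Helm treats the annotations as hook declarations; a plain `kubectl apply` would run the Job immediately instead of after the release. Two things to keep in mind: the bind credential is interpolated into a command-line argument, so it is visible in that container's process list and will break if it contains a double quote or backslash (passing the component as a JSON file via kcadm's `-f` flag avoids both); and the readiness loop only proves the admin API answers, not that the LDAP server is reachable, so the Job's log is where a wrong URL or bind DN will show up.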
This has been raised a few times in the past regarding this chart using an extremely old version of the stable/postgres chart (0.15.0). The postgres chart is on 5.1.2 today and has significant improvements.
It looks like the keycloak chart is also about to have a major version bump, which would be a great opportunity to also include this change.
Currently the ingress only allows connections to the service via the insecure backend port tcp/8080.
To increase security we would like to allow the ingress and service to connect via the secure port 8443.
For that one can set the keycloak env variable KEYCLOAK_HTTPS_PORT. But in the template this section is missing:
containers:
  ports:
  - containerPort: 8443
    name: https
    protocol: TCP
This is on Rancher 2.2.4 on a new cluster. I had been using the now deprecated Helm chart on a similar cluster without issues. But now that I tried using this one, it gives me this error.
These are the config options I supplied:
I'm not very familiar with Helm, do you perhaps have an idea of what could be wrong?
When I try to access my keycloak service via an nginx-ingress with TLS termination, it always redirects in an endless loop with a 304 message.
I triple checked that I have PROXY_ADDRESS_FORWARDING set to true.
To make the issue easy to reproduce, I created a github repo to clone and run.
https://github.com/wuerzelchen/KeycloakCertManager
Infos:
Kubernetes Server Version 1.12.8