Comments (10)

slaskawi commented on August 27, 2024

Thanks for submitting the issue @JiyeYu !

This one is correct. We deny any non-encrypted traffic (8080 is pure HTTP). You should always use port 8443 with HTTPS.

If you really need to use HTTP for some reason - you will have to create a new Service yourself and point it to 8080. Once this is done, you will need to create a Route (or Ingress) pointing to your Service.

Please re-open this issue if my explanation is not sufficient.

from keycloak-operator.

JiyeYu commented on August 27, 2024

@slaskawi Thank you for your quick response.

I understand the importance of using port 8443 for HTTPS.
However, it seems that currently the default port of the keycloak pod is 8080, because in pkg/model/keycloak_deployment.go line 154 (https://github.com/keycloak/keycloak-operator/blob/master/pkg/model/keycloak_deployment.go#L154), 8080 is used to check the liveness.

Then, in order to connect pod keycloak-0, service keycloak's target port should be 8080.
But currently, the keycloak service's target port is 8443 (https://github.com/keycloak/keycloak-operator/blob/master/pkg/model/keycloak_service.go#L32). This mismatch will cause a connection error between the keycloak service and the keycloak pod.

I hope my description is clear and wait for your answer. Thank you!

JiyeYu commented on August 27, 2024

@slaskawi Sorry, I cannot reopen this issue because it was closed by you (repo collaborator).

slaskawi commented on August 27, 2024

The configuration seems to be fine (although it could be slightly enhanced by using port 8443 for Kubernetes' Readiness and Liveness Probes).

However, I see there's some problem with TLS on Keycloak Pods when using Minikube. If I get into the keycloak-0 Pod (by using the oc rsh or kubectl exec commands) and invoke curl -v https://localhost:8443, it returns an error: curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure. This, however, doesn't seem to happen on OpenShift.

@JiyeYu Could you please tell me more about your environment? Also, could you please copy-paste me your container logs?


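As an added example (not part of the thread and not the operator's code), the Python sketch below checks the two port relationships discussed in the comments above: whether the Service's targetPort is declared by a container, and whether any probe exercises that port. The manifests are constructed, simplified stand-ins, and the function and finding names are hypothetical.

```python
# Constructed, simplified manifests modelled on the thread (not real operator output).
WORKLOAD = {"spec": {"template": {"spec": {"containers": [{
    "name": "keycloak",
    "ports": [{"name": "https", "containerPort": 8443},
              {"name": "http", "containerPort": 8080}],
    "livenessProbe": {"httpGet": {"port": 8080, "scheme": "HTTP"}},
    "readinessProbe": {"httpGet": {"port": 8080, "scheme": "HTTP"}},
}]}}}}
SERVICE = {"spec": {"ports": [{"port": 8443, "targetPort": 8443}]}}

PROBES = ("livenessProbe", "readinessProbe", "startupProbe")
HANDLERS = ("httpGet", "tcpSocket", "grpc")


def audit(workload, service):
    """Return (finding, port) tuples for Service/probe port problems."""
    containers = workload["spec"]["template"]["spec"]["containers"]
    names, exposed, probed = {}, set(), set()
    for c in containers:
        for p in c.get("ports", []):
            exposed.add(p["containerPort"])
            if "name" in p:
                names[p["name"]] = p["containerPort"]

    def resolve(port):
        # Ports may be referenced by name; map them to numbers where possible.
        return names.get(port, port)

    for c in containers:
        for probe in PROBES:
            for handler in HANDLERS:
                port = (c.get(probe) or {}).get(handler, {}).get("port")
                if port is not None:
                    probed.add(resolve(port))
    findings = []
    for sp in service["spec"]["ports"]:
        target = resolve(sp.get("targetPort", sp["port"]))
        if target not in exposed:
            # containerPort is informational, so this is a warning, not proof.
            findings.append(("target-not-declared", target))
        elif target not in probed:
            # The Pod can be Ready while the port clients use is broken.
            findings.append(("target-not-probed", target))
    return findings


if __name__ == "__main__":
    for finding, port in audit(WORKLOAD, SERVICE):
        print(f"{finding}: {port}")
```

On the constructed input the only finding is target-not-probed for 8443: the Service and Pod ports do line up, but probes on 8080 keep the Pod healthy even when the TLS listener on 8443 fails its handshake.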
JiyeYu commented on August 27, 2024

I see. You mean both ports 8080 and 8443 are open on Pod keycloak-0, and the TLS problem on minikube is the reason why I failed to use port 8443.

I am using minikube. I failed to curl https://:8443. That's why I thought there was something wrong on port 8443 of Pod keycloak-0.
The log is exactly the same as yours.

$ minikube ssh
[characters made up MINIKUBE]

$ curl https://172.17.0.5:8443
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure

$ curl http://172.17.0.5:8080
<website context>

My env:

$ minikube version
minikube version: v1.5.2
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", 
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.2",

Now I exactly understand what happens. Thank you for your answer.
I guess there won't be too many people who will use minikube to install keycloak. Let me close this issue.

slaskawi commented on August 27, 2024

Good news @JiyeYu ! I found the root cause: https://issues.jboss.org/browse/KEYCLOAK-12306

slaskawi commented on August 27, 2024

Fixed in keycloak/keycloak-containers#239

JiyeYu commented on August 27, 2024

Wow COOL! 👍 Thank you @slaskawi !

slaskawi commented on August 27, 2024

Unfortunately, due to bad timing, this will be fixed in 8.0.2 or 9.0.0 (depending on which one comes first). We didn't manage to get it in for 8.0.1.

Here's a JIRA if you want to watch it: https://issues.redhat.com/browse/KEYCLOAK-12396

abstractj commented on August 27, 2024

@JiyeYu thanks for reporting this. I'd appreciate it if you joined us on https://groups.google.com/forum/#!forum/keycloak-dev, so we can continue this discussion there.

Our contributing guidelines were updated to keep consistency across the Keycloak organization and soon GH issues will be disabled.

For now, I'm closing this, but feel free to drop us an e-mail on the dev mailing list if you have any questions. My apologies for the inconvenience. //cc @slaskawi
