keycloak deployment on kubernetes (GKE) : Ingress class -- nginx VS gce

10/19/2018

I am trying to deploy keycloak on google kubernetes engine and got it working using the ingress.class type nginx as follows

kubernetes.io/ingress.class: nginx

Full manifest can be found here https://github.com/vsomasvr/keycloak-gke/blob/master/keycloak-gke-ingress/ingress.yaml

But, my intent is to use ingress.class type "gce". For that I had changed the ingress annotations from the following

  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

to the following

kubernetes.io/ingress.allow-http: "false"
annotations: kubernetes.io/ingress.class: gce

After the above change, I consistently get a message indicating that the ingress has unhealthy backend (0/3). I wonder what other changes would "gce" require when "nginx" could run without any issues.

I ensured that its not a firewall issue as the ports that the app is using are allowed for all, I also have livenessProbe and readinessProbe setting in place.

Is there anything else that this configuration is missing?

I placed all the manifest files here https://github.com/vsomasvr/keycloak-gke/tree/master/keycloak-gke-ingress

Any help is appreciated

EDIT

I had added the annotation

kubernetes.io/ingress.allow-http: "false"

to the nginx ingress, tested & ensured that it would not cause any conflict. The app worked without issues.

On the other end, the gce ingress has the same behavior even when I remove the above mentioned annotation

-- Vsoma
google-kubernetes-engine
keycloak
kubernetes
kubernetes-ingress
nginx-ingress

1 Answer

10/19/2018

Your service seems to be configured to use HTTP traffic, which means the health checks for the Load Balancer will also use HTTP traffic (port 80) yet you are using an annotation that disables HTTP

kubernetes.io/ingress.allow-http: "false"

-- Patrick W
Source: StackOverflow