Keycloak in Kubernetes: 503 Service Temporarily Unavailable

2/24/2021

Following the instructions on the Keycloak docs site below, I'm trying to set up Keycloak to run in a Kubernetes cluster. I have an Ingress Controller set up which successfully works for a simple test page. Cloudflare points the domain to the ingress controller's IP.

Keycloak deploys successfully (Admin console listening on http://127.0.0.1:9990), but when going to the domain I get a message from NGINX: 503 Service Temporarily Unavailable.

https://www.keycloak.org/getting-started/getting-started-kube

Here's the Kubernetes config:

apiVersion: v1
kind: Service
metadata:
  name: keycloak-cip
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 8080
  selector:
    name: keycloak
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: https
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{ "tls-secret-name": "my-secret", "protocol": "https" }'
spec:
  rules:
    - host: my.domain.com
      http:
        paths:
          - backend:
              serviceName: keycloak-cip
              servicePort: 8080
  tls:
    - hosts:
        - my.domain.com
      secretName: my-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:12.0.3
          env:
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              value: "admin"
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
            initialDelaySeconds: 90
            periodSeconds: 5
            failureThreshold: 30
            successThreshold: 1
  revisionHistoryLimit: 1

Edit:

TLS should be handled by the ingress controller.

--

Edit 2:

If I go into the controller using kubectl exec, I can do curl -L http://127.0.0.1:8080/auth which successfully retrieves the page: <title>Welcome to Keycloak</title>. So I'm sure that keycloak is running. It's just that either traffic doesn't reach the pod, or keycloak doesn't respond.

If I use the ClusterIP instead but otherwise keep the call above the same, I get a Connection timed out. I tried both ports 80 and 8080 with the same result.

-- Martin01478
docker
keycloak
kubernetes
network-programming
ssl
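As an added example (not code from the question or either answer), a small consistency check over the three manifests posted above. The Service, Ingress and Deployment are transcribed into Python dicts constructed from the posted YAML and trimmed to the fields the checks need, so it runs without a YAML library; it verifies the chain the NGINX ingress needs before it can return anything but 503 for a host: the Ingress backend names a port the Service exposes, the Service selector matches a pod template, and the Service targetPort is a containerPort of that pod.

```python
# Manifests transcribed from the posted YAML into dicts (constructed, trimmed to the
# fields the checks use) so this runs without a YAML library.
SERVICE = {"kind": "Service", "metadata": {"name": "keycloak-cip"},
           "spec": {"selector": {"name": "keycloak"},
                    "ports": [{"port": 80, "targetPort": 8080}]}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "test-ingress"},
           "spec": {"rules": [{"host": "my.domain.com", "http": {"paths": [
               {"backend": {"serviceName": "keycloak-cip", "servicePort": 8080}}]}}]}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "keycloak"},
              "spec": {"template": {"metadata": {"labels": {"app": "keycloak"}},
                                    "spec": {"containers": [{"name": "keycloak", "ports": [
                                        {"name": "http", "containerPort": 8080}]}]}}}}


def check_manifests(docs):
    """Return a list of findings; an empty list means the chain is consistent."""
    by_kind = {}
    for doc in docs:
        by_kind.setdefault(doc["kind"], []).append(doc)
    findings = []
    templates = [d["spec"]["template"] for d in by_kind.get("Deployment", [])]
    services = {s["metadata"]["name"]: s for s in by_kind.get("Service", [])}
    for name, svc in services.items():
        sel = svc["spec"].get("selector", {})
        # The selector must be a subset of some pod template's labels; otherwise the
        # Service has no endpoints and the NGINX ingress answers 503 for it.
        matched = [t for t in templates
                   if all(t["metadata"].get("labels", {}).get(k) == v for k, v in sel.items())]
        if not matched:
            findings.append(f"service/{name}: selector {sel} matches no pod template labels")
            continue
        # targetPort must be a containerPort number or name of a matched pod.
        cports = {p.get(key) for t in matched for c in t["spec"].get("containers", [])
                  for p in c.get("ports", []) for key in ("containerPort", "name")}
        for p in svc["spec"]["ports"]:
            if p.get("targetPort", p["port"]) not in cports:
                findings.append(f"service/{name}: targetPort {p.get('targetPort', p['port'])} is not a containerPort")
    for ing in by_kind.get("Ingress", []):
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backend = path["backend"]
                svc = services.get(backend["serviceName"])
                if svc is None:
                    findings.append(f"ingress backend names unknown service {backend['serviceName']}")
                    continue
                # servicePort must be one of the Service's own port numbers or names, not the pod's containerPort.
                exposed = {p.get(key) for p in svc["spec"]["ports"] for key in ("port", "name")}
                if backend["servicePort"] not in exposed:
                    findings.append(f"ingress/{ing['metadata']['name']}: servicePort {backend['servicePort']} is not exposed by service/{backend['serviceName']}")
    return findings
```

Against a live cluster the equivalent first check is `kubectl get endpoints keycloak-cip`: an empty ENDPOINTS column means the selector matched no pods, which is exactly the state in which the ingress controller has no upstream to proxy to.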

2 Answers

2/24/2021

Hello, have you tried to add this line:

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

It looks like it is missing from your config file, which results in the 503 error; check this for more input on the config of K8s.

-- Jinja_dude
Source: StackOverflow

6/4/2021

The following configuration is required to run Keycloak behind an ingress controller:

- name: PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_HOSTNAME
  value: "my.domain.com"

So I think adding the correct KEYCLOAK_HOSTNAME value should solve your issue.

I had a similar issue with Traefik Ingress Controller: https://stackoverflow.com/questions/67828817/cant-expose-keycloak-server-on-aws-with-traefik-ingress-controller-and-aws-http

You can find the full code of my configuration here: https://github.com/skyglass-examples/user-management-keycloak

-- Mykhailo Skliar
Source: StackOverflow