Following the instructions on the Keycloak docs site below, I'm trying to set up Keycloak to run in a Kubernetes cluster. I have an Ingress Controller set up which successfully works for a simple test page. Cloudflare points the domain to the ingress controller's IP.
Keycloak deploys successfully (Admin console listening on http://127.0.0.1:9990), but when going to the domain I get a message from NGINX: 503 Service Temporarily Unavailable.
https://www.keycloak.org/getting-started/getting-started-kube
Here's the Kubernetes config:
apiVersion: v1
kind: Service
metadata:
  name: keycloak-cip
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
  selector:
    name: keycloak
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: https
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{ "tls-secret-name": "my-secret", "protocol": "https" }'
spec:
  rules:
  - host: my.domain.com
    http:
      paths:
      - backend:
          serviceName: keycloak-cip
          servicePort: 8080
  tls:
  - hosts:
    - my.domain.com
    secretName: my-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:12.0.3
        env:
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
          initialDelaySeconds: 90
          periodSeconds: 5
          failureThreshold: 30
          successThreshold: 1
  revisionHistoryLimit: 1
Edit:
TLS should be handled by the ingress controller.
--
Edit 2:
If I go into the controller using kubectl exec, I can do curl -L http://127.0.0.1:8080/auth which successfully retrieves the page: <title>Welcome to Keycloak</title>. So I'm sure that Keycloak is running. It's just that either traffic doesn't reach the pod, or Keycloak doesn't respond.
If I use the ClusterIP instead but otherwise keep the call above the same, I get a Connection timed out. I tried both ports 80 and 8080 with the same result.
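An ingress-nginx 503 for a host that the controller does know about almost always means the backend Service resolved to no upstream: either its selector matches no pod labels (so the Endpoints object is empty) or the Ingress names a port the Service does not expose. The script below is an added example, not code from the question or from any of the answers: it transcribes the three manifests above into plain Python dicts (to run without a YAML library; real files would go through yaml.safe_load_all instead) and performs those cross-object checks offline. The helper names (check_chain, fixed_manifests) are hypothetical, and fixed_manifests applies the two corrections the checks point at.

```python
"""Offline consistency check for an Ingress -> Service -> Pod chain.

Hypothetical helper, not part of Keycloak or ingress-nginx. The manifests
from the question are transcribed as dicts (constructed input) so the
script runs without PyYAML.
"""
import copy

SERVICE = {
    "kind": "Service", "metadata": {"name": "keycloak-cip"},
    "spec": {"type": "ClusterIP",
             "ports": [{"port": 80, "targetPort": 8080}],
             "selector": {"name": "keycloak"}},       # as posted
}
INGRESS = {
    "kind": "Ingress", "metadata": {"name": "test-ingress"},
    "spec": {"rules": [{"host": "my.domain.com", "http": {"paths": [
        {"backend": {"serviceName": "keycloak-cip", "servicePort": 8080}}]}}]},
}
DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "keycloak"},
    "spec": {"selector": {"matchLabels": {"app": "keycloak"}},
             "template": {"metadata": {"labels": {"app": "keycloak"}},
                          "spec": {"containers": [
                              {"name": "keycloak",
                               "ports": [{"containerPort": 8080}]}]}}},
}


def _backends(ingress):
    """Yield (serviceName, servicePort) per path; handles the v1beta1 shape
    (serviceName/servicePort) and the v1 shape (service.name/service.port)."""
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            b = path["backend"]
            if "serviceName" in b:
                yield b["serviceName"], b["servicePort"]
            else:
                port = b["service"]["port"]
                yield b["service"]["name"], port.get("number", port.get("name"))


def _selects(selector, workload):
    labels = workload["spec"]["template"]["metadata"].get("labels", {})
    return selector.items() <= labels.items()   # selector is a subset of labels


def check_chain(objects):
    """Return a list of problems; empty means the Ingress has a real upstream."""
    problems = []
    services = {o["metadata"]["name"]: o for o in objects if o["kind"] == "Service"}
    workloads = [o for o in objects
                 if o["kind"] in ("Deployment", "StatefulSet", "DaemonSet")]

    for name, svc in services.items():
        selector = svc["spec"].get("selector", {})
        matched = [w for w in workloads if _selects(selector, w)]
        # 1. No matching pods -> empty Endpoints -> ingress-nginx answers 503.
        if not matched:
            problems.append(f"Service {name}: selector {selector} matches no pod template labels")
        # 2. targetPort should be a containerPort of the pods it does match.
        for w in matched:
            cports = {p["containerPort"]
                      for c in w["spec"]["template"]["spec"]["containers"]
                      for p in c.get("ports", [])}
            for p in svc["spec"]["ports"]:
                tp = p.get("targetPort", p["port"])
                if isinstance(tp, int) and tp not in cports:
                    problems.append(f"Service {name}: targetPort {tp} is not a containerPort "
                                    f"of {w['metadata']['name']}")

    # 3. The Ingress must name an existing Service and one of its ports
    #    (by number or by name); otherwise there is no upstream -> 503.
    for obj in objects:
        if obj["kind"] != "Ingress":
            continue
        iname = obj["metadata"]["name"]
        for svc_name, svc_port in _backends(obj):
            svc = services.get(svc_name)
            if svc is None:
                problems.append(f"Ingress {iname}: Service {svc_name} not found")
                continue
            exposed = {p["port"] for p in svc["spec"]["ports"]} | \
                      {p.get("name") for p in svc["spec"]["ports"]}
            if svc_port not in exposed:
                problems.append(f"Ingress {iname}: Service {svc_name} has no port {svc_port!r}")
    return problems


def fixed_manifests():
    """Same objects with the selector on 'app: keycloak' and the Ingress
    pointing at the Service's port 80 (the port, not the targetPort)."""
    svc, ing, dep = (copy.deepcopy(o) for o in (SERVICE, INGRESS, DEPLOYMENT))
    svc["spec"]["selector"] = {"app": "keycloak"}
    ing["spec"]["rules"][0]["http"]["paths"][0]["backend"]["servicePort"] = 80
    return [svc, ing, dep]


if __name__ == "__main__":
    for problem in check_chain([SERVICE, INGRESS, DEPLOYMENT]):
        print("PROBLEM:", problem)
    print("after fix:", check_chain(fixed_manifests()) or "no problems")
```

On a live cluster the same two conditions show up as `kubectl get endpoints keycloak-cip` listing no addresses and the ingress-nginx controller log complaining that the service has no port matching the Ingress backend; the script just lets you catch both before applying the manifests.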
Hello, have you tried adding this line:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
It looks like it is missing from your config file, which results in a 503 error; check this for more input on the config of K8s.
The following configuration is required to run Keycloak behind an ingress controller:
- name: PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_HOSTNAME
  value: "my.domain.com"
So I think adding correct KEYCLOAK_HOSTNAME value should solve your issue.
I had a similar issue with Traefik Ingress Controller: https://stackoverflow.com/questions/67828817/cant-expose-keycloak-server-on-aws-with-traefik-ingress-controller-and-aws-http
You can find the full code of my configuration here: https://github.com/skyglass-examples/user-management-keycloak