Hi,

how can I run Keycloak in HA mode? When I change keycloak replicas to higher than one, then I get an error with pod affinity.

Thanks in advance!

Hi,

I would like to customize the restartPolicy of the keycloak pods.
By default (when not specified) the restartPolicy is "Always". This means that the keycloak container will restart but all other container in the pod won't be restarted.

Sometime you'd like to relaunch the initContainers or restart sidecars or ambassadors when the "main container" crashes. (for exemple to obtain a new vault credential to be used by the cloudSql Proxy and so on...)

So I would like the restartPolicy to be explicit and configurable with "Always" as default value.

What do you think ?
Thanks in advanced
Fred

UPGRADE FAILED
Error: error validating "": error validating data: ValidationError(StatefulSet.spec.template.spec): unknown field "enableServiceLinks" in io.k8s.api.core.v1.PodSpec
Error: UPGRADE FAILED: error validating "": error validating data: ValidationError(StatefulSet.spec.template.spec): unknown field "enableServiceLinks" in io.k8s.api.core.v1.PodSpec

Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.7", GitCommit:"6f482974b76db3f1e0f5d24605a9d1d38fad9a2b", GitTreeState:"clean", BuildDate:"2019-03-25T02:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

Related to #19

Hey,

how can i configure the livenessProbe/readynessProbe for a specfic Realm for keycloak ?
We have a keycloak setup with different whitelabel reamls, and therefore the liveness/readiness should be on realms/.

What it looks like is that only the keycloak basepath is configurable:
{{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}
{{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }} /realms/master

But we want https://account-dev.fd.nl/auth/realms/FD

this because when we run a loadtest and we restart 1 of the 2 nodes, it detects to early the node is up and we get 500 errors for a short time. This becaus the custom FD realm (with custom provider features), is not up yet, its up after keycloak and master realms are up.

Is there another way to configure this ?

Thanks in advanced.

I'm try to enable Ingress on chart value and it helped to create Google Cloud HTTPs Load Balancer as expected. However, the default backend has not been defined in template so that GCP create a random default backend.

Could you please review and adapt the ingress template of keycloak chart to make it work on GCP?

Thanks

Hi,
I apologize if this is more a keycloak question then k8 question, but I'm trying to add an admin user to a realm after installing keycloak. I have tried this:

[jboss@keycloak-0 keycloak]$ bin/add-user-keycloak.sh -r 15rock -u admin-15rock -p <mypwd>
Added 'admin-15rock' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user

How do I restart the server? I tried deleting the pod so that the stateful set would start the pod again but that did not create the admin user for that realm. If you have any pointers, I would be grateful.

Hi,

It seems https://hub.helm.sh/charts/codecentric/mailhog does not exist, could you check this chart?

Error: chart "mailhog" matching 3.0.0 not found in codecentric index. (try 'helm repo update'). no chart name found

I'm trying to setup keycloak using helm chart on my eks cluster however I'm getting Invalid parameter: redirect_uri error when accessing admin console.

Setup: ALB does ssl termination and forwards traffic nginx ingress controller.
Chart Version 5.0.0
Values:

  keycloak:
    replicas: 2
    ingress:
      enabled: true
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/affinity: cookie
      hosts:
        - "auth.mydomain.com"
    podDisruptionBudget:
      minAvailable: 1
    persistence:
      dbVendor: mysql
      dbName: ...
      dbHost: ...
      dbPort: ...
      dbUser: ...
  test:
    enabled: false

Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/affinity: cookie
  creationTimestamp: "2019-07-08T18:38:47Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-5.0.0
  name: keycloak
  namespace: default
  resourceVersion: "7110434"
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/keycloak
  uid: 9f398ac6-a1af-11e9-a664-0675dea9642a
spec:
  rules:
  - host: auth.mydomain.com
    http:
      paths:
      - backend:
          serviceName: keycloak-http
          servicePort: http
        path: /
status:
  loadBalancer:
    ingress:
    - {}

Am I missing some configuration?

I am looking to run a command to add an LDAP to keycloak so that it can be done as part of a deploy process rather than having to be run manually. I've managed to assemble a kcadm.sh command to do so:

./kcadm.sh create components -r master \
-s name=ldap \
-s providerId=ldap \
-s providerType=org.keycloak.storage.UserStorageProvider \
-s parentId=master  \
-s 'config.enabled=["true"]' \
-s 'config.priority=["0"]' \
...

I'm struggling to figure out a way to run this. I think it has to be run after keycloak is up and running, so init containers are no good.

I saw the wildfly custom scripts parameter as well, but I don't know when they actually run. Also the command I want to run isn't for the wildfly scripting language just for kcadm.sh.

What method could I go about using to accomplish this?

The chart has an optional dependency on the PostgreSQL chart.
By default, the PostgreSQL chart requires PV support on underlying infrastructure (may be disabled).

Is this a BUG REPORT or a FEATURE REQUEST?: Bug Report

Version of Helm and Kubectl:

• Helm v2.13.1
• kubectl:

  Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"} 
  Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.9", GitCommit:"16236ce91790d4c75b79f6ce96841db1c843e7d2", GitTreeState:"clean", BuildDate:"2019-03-25T06:30:48Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

Which chart: codecentric/keycloak 4.11.1

What happened:

I have Keycloak behind Kong Ingress Controller.
I 'm able to see keycloak welcome page at my {url}/auth/. However, when I click at Administration Console I am redirected to {url}:8000/auth/admin/master/console/

What you expected to happen:

When I click at Administration Console I should be redirect to {url}/auth/admin/master/console/

How to reproduce it (as minimally and precisely as possible):

1. Create a kubernetes cluster with kops in AWS
2. Installing Kong Ingress Controller executing the following command:

helm install --name kong-develop --namespace develop stable/kong \
--set ingressController.enabled=true

3. Create an AWS Classic Load Balancer following the instructions bellow:

3.1 Basic Configuration

• Load Balancer name: KongDevelopLB
• Create LB Inside: Choose your cluster VPC

3.2 Listeners

To help you detect the correct ports, take a look at the example image bellow:

In the example cluster shown in the image above:

• Load Balancer port 80 should point to instance port 32518;
• Load Balancer port 443 should point to instance port 31021;
• Load Balancer port 8444 should point to instance port 31725.

3.3 Select Subnets

• Select Subnets: Select the cluster available subnets

3.4 Security Group

• Assign a security group: Create a new security group
• Security group name: KongDevelopLB-SecurityGroup

3.5 Configure Health Check

Health Check should point to kong-admin NodePort service. To help you find the correct port take a look at the example image bellow.

Based on the image bellow health check should point to 31725 port.

3.6 Add EC2 Instances

Add only the node instances.

3.8 Bind Load Balancer and Cluster

Edit the node cluster Inbound security group adding the following rules:

Example:

Based on the image above:

• kong-admin NodePort service is 31725.
• kong-proxy NodePort service is 32518.
• kong-proxy TLS NodePort service is 31021.

3.9 Create an alias to the Load Balancer

In Route53 service, create an alias record set inside inside cluster hosted zone to point to kong Load Balancer.

Example:

If your cluster DNS name is kubernetes.mydomain.com
you could create an alias record set like this: develop.kubernetes.mydomain.com

4. Installing keycloak behind Kong Ingress

4.1 Create a values.yaml file with the content bellow:

init:
 image:
  pullPolicy: Always

keycloak:
 username: admin
 password: admin
 readinessProbe:
  timeoutSeconds: 60
 service:
  type: NodePort
 persistence:
  deployPostgres: true
  dbVendor: postgres
 ingress:
  enabled: true
  hosts:
   - develop.kubernetes.mydomain.com
 extraEnv: |
   - name: PROXY_ADDRESS_FORWARDING
     value: "true"

4.2 Install keycloak using the values.yaml files craeted in step 4.1

Execute the code bellow:

helm install --name keycloak-develop --namespace develop codecentric/keycloak --values values.yaml

4.3 Access keycloak

Open the browser and access the following url: http://develop.kubernetes.mydomain.com/ and you gonna be redirected to http://develop.kubernetes.mydomain.com/auth/

4.4 Access the Administration Console

Click at the Administration Console link and you will be redirected to https://develop.kubernetes.mydomain.com:8443/auth/admin/master/console/

Further informations:

When I install keycloak (with helm) on minikube exposing the the service as a NodePort service without using ingress and load balancer I'm able to access Administration Console page.

when I use ingress path not '/'

this NOTES.txt shows path also.
for example,
https://domain.com/keycloak

Hi, since this mornings release we are unable to port forward, resulting in a few environments failing.

This seems to be related to the change you made, from the Keycloak logs:

10:55:41,554 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 100.96.7.6:8080

We rolled back to version 5.1.1, from the Keycloak logs:

12:13:44,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 0.0.0.0:8080

Version 5.1.2 does not work. Anything we need to do to make this work on the latest version?

It would be nice if the keycloak-http service would be optional, so that user can request not to create it at all during chart installation.

The reason is, for example, when using Ambassador as an API gateway, the only entry point to the Keycloak would be though the headless service. Having also keycloak-http service means it may have to be secured as well (when using Ambassador in combination with Istio and mutual TLS), and in general complicates and pollutes configuration.

codecentric helm repo can pull only jenkins chart. Keycloak is not available through repo. Is keycloak available on this repo?
Looking at the following file as referenace
https://codecentric.github.io/helm-charts/index.yaml

`apiVersion: v1
entries:
jenkins:

• apiVersion: v1
  appVersion: 2.176.2
  created: "2019-07-22T19:58:42.151419723Z"
  description: The leading open source automation server
  digest: c677eb97fec4b54f6abc4bfbd1c21c5bbb4fee94a0e6680183ba661ab654e251
  home: https://jenkins.io/
  icon: https://wiki.jenkins-ci.org/download/attachments/2916393/logo.png
  keywords:
  • ci
  • continuous integration
  • continuous delivery
  • continuous deployment
  • devops
  • automation
    maintainers:
  • email: [email protected]
    name: unguiculus
    name: jenkins
    sources:
  • https://github.com/codecentric/helm-charts
  • https://github.com/jenkinsci/jenkins
  • https://github.com/jenkinsci/docker
  • https://github.com/jenkinsci/docker-jnlp-slave
    urls:
  • https://github.com/codecentric/helm-charts/releases/download/jenkins-1.4.1/jenkins-1.4.1.tgz
    version: 1.4.1
    generated: "2019-07-22T19:58:41.936207039Z"`

When you set .Values.keycloak.persistence.deployPostgres: true

There is an error in the _helpers.tpl file, with an undefined template: "postgresql.fullname"
Line 76 in _helpers.tpl

Environment

• macOS Mojave Version 10.14.3
• docker desktop 2.1.0.1 with Kubernetes v1.14.3

Chart values (codecentric chart as dependeny:

keycloak:
  fullnameOverride: "keycloak"
  keycloak:
    image:
      pullSecrets: ["nexus-docker"]
    ## Additional init containers, e. g. for providing custom themes
    service:
      type: NodePort
    extraInitContainers: |
      - name: theme-provider
        image: example-keycloak-theme:0.0.6
        imagePullPolicy: IfNotPresent
        command:
          - sh
        args:
          - -c
          - |
            echo "Copying theme..."
            cp -R /example/* /theme
        volumeMounts:
          - name: theme
            mountPath: /theme
    extraVolumes: |
      - name: theme
        emptyDir: {}
    extraVolumeMounts: |
      - name: theme
        mountPath: /opt/jboss/keycloak/themes/example
    persistence:
      # If true, the Postgres chart is deployed
      deployPostgres: true
      # The database vendor. Can be either "postgres", "mysql", "mariadb", or "h2"
      dbVendor: postgres
      dbName: keycloak
      dbHost: mykeycloak
      dbPort: 5432
      dbUser: keycloak
    extraEnv: |
      - name: KEYCLOAK_LOGLEVEL
        value: DEBUG
      - name: WILDFLY_LOGLEVEL
        value: DEBUG

  postgresql:
    ## PostgreSQL Database to create.
    ##
    postgresqlDatabase: keycloak
    postgresqlUsername: keycloak
    persistence:
      enabled: true
    service:
      port: 5432

Complete stacktrace

ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013:
 Operation ("add") failed - address: ([("subsystem" => "microprofile-metrics-smallrye")]): java.lang.NullPointerException
 
 https://github.com/ibuetler/docker-keycloak-traefik-workshop/issues/1
 10:19:29,873 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
  ([("subsystem" => "microprofile-metrics-smallrye")]): java.lang.NullPointerException
 	at org.wildfly.extension.microprofile.metrics.MicroProfileMetricsSubsystemAdd$2.execute(MicroProfileMetricsSubsystemAdd.java:86)
 	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
 	at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
 	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
 	at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1412)
 	at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521)
 	at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:472)
 	at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:434)
 	at org.jboss.as.server.ServerService.boot(ServerService.java:435)
 	at org.jboss.as.server.ServerService.boot(ServerService.java:394)
 	at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:374)
 	at java.lang.Thread.run(Thread.java:748)  

Hi Team,

With keycloak deployment some of the features are disabled by default. But then is there a way to enable features through helm deployment?
I want to enable "Script authenticator" which allows to add "custom js" scripts which is disabled by default. This can be enabled using like option Dkeycloak.profile.feature.script=enabled as per keycloak doc. So want to know how we can pass this option on deploying the keycloak through helm

In values.yaml there is:

reverseProxy: |
      {{ .Files.Get "scripts/reverse-proxy.cli" }}

but none reverse-proxy.cli is present in scripts folder.

When enabling postgres, the pod fails when Podsecuritypolicies are in effect on the cluster:

Events:
Type Reason Age From Message

Normal Scheduled 26s default-scheduler Successfully assigned keycloak/keycloack-postgresql-844b466bd5-784b4 to k8s003-worker003
Normal Pulling 26s kubelet, k8s003-worker003 Pulling image "postgres:9.6.2"
Normal Pulled 18s kubelet, k8s003-worker003 Successfully pulled image "postgres:9.6.2"
Warning Failed 4s (x3 over 18s) kubelet, k8s003-worker003 Error: container has runAsNonRoot and image will run as root
Normal Pulled 4s (x2 over 17s) kubelet, k8s003-worker003 Container image "postgres:9.6.2" already present on machine

To improve support for custom Keycloak docker images with custom jgroups configurations,
it would be helpful to have access to the generated DNS name of the keycloak-headless service.

Helm intentionally tries to split up the mono repo which is a maintenance nightmare and you start the same mistake again?

I just do not get it :/

Hi Team,

keycloak pods goes in a crashloop due to mysql connection error. The env vars (inside the pod) looks correct with the mysql creds.

Mysql Version: Server version: 5.7.17 MySQL Community Server (GPL)

Error logs:
15:56:29,233 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 62) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:440)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:376)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2769)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:363)
at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:276)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:88)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:303)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:143)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.Util.getInstance(Util.java:408)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
... 55 more
Caused by: java.lang.NumberFormatException: For input string: "tcp:"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
... 56 more

15:56:29,434 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
15:56:29,543 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.deployment.unit."keycloak-server.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."keycloak-server.war".undertow-deployment: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:164)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2769)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:363)
at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:276)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:88)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:303)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:143)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583)
at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
... 8 more
Caused by: java.lang.RuntimeException: Failed to connect to database
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
... 31 more
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:376)
... 43 more
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:440)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
... 45 more
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624)
... 48 more
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'.
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.Util.getInstance(Util.java:408)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
... 55 more
Caused by: java.lang.NumberFormatException: For input string: "tcp:"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)

This is on Rancher 2.2.4 on a new cluster. I had been using the now deprecated Helm chart on a similar cluster without issues. But now that I tried using this one, it gives me this error.

These are the config options I supplied:

I'm not very familiar with Helm, do you perhaps have an idea of what could be wrong?

Hi guys,
is there a way to disable the Keycloak welcome page?

Thank you!

Hey,

it is already possible to add extraInitContainers for themes that are maintained/build separately.
What we like is that we can dynamicaly determine the release-number of this themes container:

extraInitContainers: |
- name: themes
image: docker-repo.xxx.org/theme:{{ .Values.themes-version }}

• name: authenticator-provider
  image: docker-repo.xxx.org/authenticator-provider: {{ .Values.authenticator-version }}

The version release number we use is actually the commit-id-hash and we want to pass it with ci gitlab.
The problem now is you only can make extraInitContainers configurable as a whole since you can not use Values in a values.yaml file.
Is it possible to make extraInitcontaiers more flexibale, for example to not define extraInitContainsers as a value itself but more like the above, defining name, image test as values array?

Or is there another solution you can suggest how is the preffered way ?

This is an issue with the version 4.14.2 that I am finding on making HA mode work on GKE platform.

1. I tried installing the chart on GKE platform.
2. I tried the default chart with 1 replica and it worked perfectly.
   3)Then I purged the chart, and set the replicas=3 and installed again.

All replicas came up, But, when I tried to login, the login fails, it comes back with messages such as
"You are already logged in."
But, it does not load the logged in page.

The only values I have changed were

keycloak:
  replicas: 3
service:
  type: NodePort

I used the following as Ingress on GKE

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

  labels:
    app: keycloak
    release: keycloak
spec:
  tls:
    - secretName: authcen-tls
  rules:
    - http:
        paths:
          - path: /auth
            backend:
              serviceName: keycloak-http
              servicePort: http

When I performed the above change
I had seen log
Finished rebalance with members [keycloak-0, keycloak-2, keycloak-1]
which gave an indication that cluster formed successfully, But it failed during run time, with message as follows
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-9) Uncaught server error: java.lang.NullPointerException\n\tat org.keycloak.protocol.oidc.endpoints.TokenEndpoint.codeToToken(TokenEndpoint.java:300)

I felt that I am missing something here, Can anyone please let me know the steps to make HA mode working? (I tried it long before with 4.0 version which was working fine)

Hi,

For instance, when I run a simple keycloak docker container, I can inform the JDBC_PARAMS environment variable like:

docker run --name keycloak -e DB_VENDOR=postgres -e JDBC_PARAMS='useSSL=false' jboss/keycloak

Keycloak Helm Chart provides the keycloak.extraEnv

Using a config file it would be something like this right?

keycloak:
  extraEnv: |
    - name: JDBC_PARAMS
      value: useSSL=false

What about using --set? I've tried something like

...
--set keycloak.extraEnv[0].name=JDBC_PARAMS,keycloak.extraEnv[0].value=useSSL=false
...

But, it doesn't work.

I am using

$ helm version
Client: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.9.1", GitCommit:"20adb27c7c5868466912eebdf6664e7390ebe710", GitTreeState:"clean"}

The --set config, I am following https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set

Thanks!

Hi! I'm opening this issue because I couldn't find anything specific in the docs.
Is there any suggested upgrade strategy when releasing a new keycloak version or theme updates?

According to Keycloak's upgrading guide there is data in certain directories that needs to be retained. Something else I noticed, is that every time I upgrade keycloak, all users sessions are deleted, despite having verified that the infinispan cluster is working properly.

What I'm trying now as a solution, is to properly set up poddisruptionbudget but I was wondering if you already follow any specific strategy during updates to avoid issues like deleting all active user sessions or I'm missing something very obvious that results in this issue.

Thanks for all your work!

Code completely ignores 'KEYCLOAK_LOGLEVEL'. It's mentioned only in documentation and comment.

https://github.com/codecentric/helm-charts/search?q=KEYCLOAK_LOGLEVEL&unscoped_q=KEYCLOAK_LOGLEVEL

Hello,

I am trying to deploy keycloak using Mysql, the charts works just fine when replica is set to 1, but it doesn't work when it's greater than 1 (eg: 2 or 3). Actually I can see the main athentication page, but once I clic on "Log In" I get ERR_TOO_MANY_REDIRECTS error.

On logs I am getting on every pod :

09:41:53,225 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true
09:41:53,351 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true
09:41:53,480 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.38.0.0, error=expired_code, restart_after_timeout=true
09:42:45,412 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:45,672 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:45,789 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:45,907 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:46,215 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:42:46,336 WARN  [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:57,976 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,137 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,256 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,375 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,499 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:58,931 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true
09:46:59,108 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.32.0.1, error=expired_code, restart_after_timeout=true

I tried to add

 extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true" 

But I am still having the same issue.

Is there any ideas to resolve this?

Thank you !

Was using keycloak 4.0 chart with with the above flawlessly and installing postgres separately.
With the new 5.0 chart, I end up with two deployments of postgres.

Helm & Tiller 2.11.0
Kubernetes 1.13 cluster installed with Kubespray 2.8

When I try to set keycloak persistence to mysql it throws UnknownHostException :

Caused by: java.net.UnknownHostException: mysql: Name or service not known
	at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
	at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:929)
	at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1324)
	at java.net.InetAddress.getAllByName0(InetAddress.java:1277)
	at java.net.InetAddress.getAllByName(InetAddress.java:1193)
	at java.net.InetAddress.getAllByName(InetAddress.java:1127)
	at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:188)
	at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:301)
	... 68 more

Other pods in my cluster have no problem connecting to mysql service, only keycloak pod has this issue.

How to reproduce:

Install mysql

helm install --name mysql --set imageTag=5.6,mysqlRootPassword=secretpassword,mysqlUser=keycloak,mysqlPassword=password,mysqlDatabase=keycloak stable/mysql

Install keycloak

helm install --name keycloak --set keycloak.username=admin,keycloak.password=admin,keycloak.persistence.deployPostgres=false,keycloak.persistence.dbVendor=mysql,keycloak.persistence.dbName=keycloak,keycloak.persistence.dbHost=mysql,keycloak.persistence.dbPort=3306,keycloak.persistence.dbUser=keycloak,keycloak.persistence.dbPassword=password codecentric/keycloak

Environment:

Linux version: CentOS Linux 7 (Core)
Kubernetes version: v1.14.2
Network: flannel:v0.11.0-amd64

Currently the ingress only allows connections to the service via unsecure backend port tcp/8080.

To increase security we would like to allow ingress and service to connect via secure port 8443.

For that one can set the keycloak env variable KEYCLOAK_HTTPS_PORT. But in the template this section is missing:

     containers:
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP

Hi!

PostgreSQL connection configuration is available on my clusters trough one configmap (for PostgreSQL instance URL and port) and a secret (for database, user and password).
So, I want to use env valueFrom to define persistence configuration for my Keycloak Helm release. I give them on keycloak.extraEnv chart parameter.

This result with duplicate DB_* env entries on final YAML (ones defined trough keycloak.dbEnvVars and others with keycloak.extraEnv).
Sometimes, Helm (or Kubernetes) complains with this error:

Error: UPGRADE FAILED: The order in patch list:
[map[name:DB_PORT value:<nil> valueFrom:map[configMapKeyRef:map[key:postgres-port name:postgres-server]]] map[name:DB_PORT value:5432 valueFrom:<nil>] map[name:DB_DATABASE value:<nil> valueFrom:map[secretKeyRef:map[key:postgres-database name:postgres-keycloak]]] map[name:DB_DATABASE value:keycloak valueFrom:<nil>] map[name:DB_USER value:<nil> valueFrom:map[secretKeyRef:map[name:postgres-keycloak key:postgres-username]]] map[valueFrom:<nil> name:DB_USER value:keycloak] map[$patch:delete name:JGROUPS_DISCOVERY_PROPERTIES] map[$patch:delete name:JGROUPS_DISCOVERY_PROTOCOL] map[name:KEYCLOAK_SERVICE_DNS_NAME $patch:delete]]
doesn't match $setElementOrder list:
[map[name:KEYCLOAK_USER] map[name:KEYCLOAK_PASSWORD_FILE] map[name:DB_VENDOR] map[name:DB_ADDR] map[name:DB_PORT] map[name:DB_DATABASE] map[name:DB_USER] map[name:DB_PASSWORD] map[name:KEYCLOAK_LOGLEVEL] map[name:PROXY_ADDRESS_FORWARDING] map[name:DB_ADDR] map[name:DB_PORT] map[name:KEYCLOAK_JDBC_PARAMS] map[name:DB_DATABASE] map[name:DB_USER] map[name:DB_PASSWORD]]

Possible solutions:

• only set Keycloak's DB_* env vars from parameters default values if deployPostgres is used
• define a chart parameter to bypass keycloak.dbEnvVars generation
• define multiple new chart parameters to define persistence values to use a key in a configmap/secret

First two solutions let user define DB_* env vars by himself.
Last solution generate a lot of parameters and introduce some complexity on keycloak.dbEnvVars helper.

What do you think of it?

As there is also an active helm chart for jenkins in the stable repo, it would be great when the README contains a section how codecentric/jenkins differs from stable/jenkins.

This would make it easier for potential users to find the proper chart for their needs.

I am trying to run Keycloak and have it use an external MySQL 5.6.10 instance. I have tried using the latest version of the Keycloak chart (v5.1.2) and version v5.1.1, but both result in the same outcome.

I am installing the chart using a yaml file with the following values (although I obviously changed the passwords and database host):

keycloak:
  username: kiwigrapefruit
  password: pword
  persistence:
    deployPostgres: false
    dbVendor: mysql
    dbName: keycloak
    dbHost: confidential.url.com
    dbPort: 3306
    dbUser: keycloak_user
    dbPassword: keycloak_password

It is able to connect to the database and create the tables, because the previously empty keycloak schema now has many tables in it (APPLICATION_DEFAULT_ROLES, APP_NODE_REGISTRATIONS, etc.).

The keycloak container keeps crashing and restarting itself. Here are the logs of the pod:

https://pastebin.com/nCNC6JuD

Here's my kubectl version output:

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.11", GitCommit:"637c7e288581ee40ab4ca210618a89a555b6e7e9", GitTreeState:"clean", BuildDate:"2018-11-26T14:38:32Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.7-eks-c57ff8", GitCommit:"c57ff8e35590932c652433fab07988da79265d5b", GitTreeState:"clean", BuildDate:"2019-06-07T20:43:03Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}

And here's my helm version output:

Client: &version.Version{SemVer:"v2.14.2", GitCommit:"a8b13cc5ab6a7dbef0a58f5061bcc7c0c61598e7", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.2", GitCommit:"a8b13cc5ab6a7dbef0a58f5061bcc7c0c61598e7", GitTreeState:"clean"}

Let me know if you need any more information.

Thanks,
Tyler

using a custom docker image based on jboss/keycloak:6.0.1 which just grabs aws rds cert and packages it up to be able to use ssl...

values.yaml

keycloak:
  image:
    repository: registry.blah.com/ci/keycloak
    tag: 6.0.1-1.0.0
    pullPolicy: Always

  replicas: 1

  extraEnv: |
    - name: KEYCLOAK_LOGLEVEL
      value: INFO
    - name: JDBC_PARAMS
      value: ssl=true
    - name: _JAVA_OPTIONS
      value: "-Djavax.net.ssl.trustStore=/tmp/cacerts.jks"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"

  password: s3cret

  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: internal
      ingress.kubernetes.io/affinity: cookie
    hosts:
      - keycloak.blah.com
    tls:
      - hosts:
        - keycloak.blah.com

  persistence:
    dbVendor: postgres
    dbName: keycloak
    dbHost: aurora-postgresql-infra.cluster-{blah}.us-east-1.rds.amazonaws.com
    dbUser: keycloak
    dbPassword: s3cret

Caused by: org.postgresql.util.PSQLException: Could not open SSL root certificate file /opt/jboss/.postgresql/root.crt.
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:120)
	at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:33)
	at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
	at org.postgresql.Driver.makeConnection(Driver.java:454)
	at org.postgresql.Driver.connect(Driver.java:256)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
	... 55 more
Caused by: java.io.FileNotFoundException: /opt/jboss/.postgresql/root.crt (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:117)
	... 65 more

Hello,

I use the helm charts available in this repository to install keycloak on my kubernetes cluster.
When I want to add my freeipa implementation as User federation source using LDAPS connection between Keycloak and Freeipa I encounter an error.

The connection test works but the authentication test failed with this eror:

21:23:14,482 ERROR [org.keycloak.services] (default task-47) KC-SERVICES0055: Error when authenticating to LDAP: simple bind failed: myfreeipa.fqdn:636: javax.naming.CommunicationException: simple bind failed: myfreeipa.fqdn:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
	at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
	at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
	at javax.naming.InitialContext.init(InitialContext.java:244)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.keycloak.services.managers.LDAPConnectionTestManager.testLDAP(LDAPConnectionTestManager.java:77)
	at org.keycloak.services.resources.admin.RealmAdminResource.testLDAPConnection(RealmAdminResource.java:940)
	at sun.reflect.GeneratedMethodAccessor724.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400)
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	... 87 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
	... 100 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 106 more

I assume it's a certifcate issue as my main Freeipa ca certificate is not know by keycloak to make the ldaps query authentication.

For example in my kubernetes / rancher cluster I've to add the certificate to rancher to be able to make a ldaps call and authenticate against my freeipa server.

A few search on the internet show that I can import certificate in the keystore using the keytool utility. As here the deployment use helm chart do you have a clue how to import my ca certificate inside the keycloak deployment ?

When I try to access my keycloak service via an nginx-ingress with TLS termination, it always redirects in an endless loop with a 304 message.
I tripple checked that I have PROXY_ADDRESS_FORWARDING set to true.

To make the issue easy to reproduce, I created a github repo to clone and run.
https://github.com/wuerzelchen/KeycloakCertManager

Infos:
Kubernetes Server Version 1.12.8

Hi,

I'm trying to install Keycloak with Postgres and my keycloak pod failed with "Readiness probe failed: Get http://192.168.0.53:8080/auth/realms/master: dial tcp 192.168.0.53:8080: connect: connection refused"

Checking the logs, I'm getting the following:

19:11:20,788 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.8.7.Final
LogManager error of type GENERIC_FAILURE: Failed to move file /opt/jboss/keycloak/standalone/log/server.log to /opt/jboss/keycloak/standalone/log/server.log.2019-03-20.
java.nio.file.FileSystemException: /opt/jboss/keycloak/standalone/log/server.log -> /opt/jboss/keycloak/standalone/log/server.log.2019-03-20: Operation not permitted   

...

19:11:20,929 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.5.Final
19:11:20,950 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.2.Final
19:11:21,402 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 5.0.0 (WildFly Core 7.0.0.Final) starting
19:11:21,568 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
19:11:21,656 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment-mount-provider: org.jboss.msc.service.StartException in service jboss.deployment-mount-provider: WFLYSRV0113: Failed to create temp file provider
	at org.jboss.as.server.deployment.DeploymentMountProvider$Factory$ServerDeploymentRepositoryImpl.start(DeploymentMountProvider.java:127)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: VFS000014: Could not create directory for root '/opt/jboss/keycloak/standalone/tmp/vfs/temp' (prefix 'temp', suffix '') after 10 attempts
	at org.jboss.vfs.TempFileProvider.createTempDir(TempFileProvider.java:157)
	at org.jboss.vfs.TempFileProvider.create(TempFileProvider.java:109)
	at org.jboss.as.server.deployment.DeploymentMountProvider$Factory$ServerDeploymentRepositoryImpl.start(DeploymentMountProvider.java:125)
	... 8 more

I'd love to know what's wrong with my setup.

Thank you !

Initially the realm json file is successfully imported. But when the realm json is changed and a cluster node is restarted the changes are not reflected. In the logs it states:

Realm 'foo' already exists. Import skipped

Do we do something wrong? Or how do you deal with that?

The following chart repo mentioned in README.md is not found:
https://codecentric.github.io/helm-charts

We have a cluster environment where limit and request settings for CPU and memory are enforced for every container. This is of course possible for the keycloak container itself as well as for the embedded postgresql helm chart/container.
Unfortunally it is not possible for the init container wait-for-postgres which is automatically enabled when deployPostgres is enabled.

Keycloak will not start up claiming that limits and requests have to be specified.

create Pod mp-login-keycloak-0 in StatefulSet mp-login-keycloak failed error: pods "mp-login-keycloak-0" is forbidden: failed quota: default-4jmm8: must specify limits.cpu,limits.memory,requests.cpu,requests.memory

Manually modifying the installed sidecar wait-for-postgres container after the helm chart installation and adding ressource limits + requests makes keekloack come up finally.

Please add a values.yaml possibility to be able to specify resources for the init Container.

This has been raised a few times in the past regarding this chart using an extremely old version of the stable/postgres chart (0.15.0). The postgres chart is on 5.1.2 today and has significant improvements.

It looks like the keycloak chart is also about to have a major version bump, which would be a great opportunity to also include this change.

Hi there

I'm having the same issue as #40, I've got keycloak.persistence.deployPostgres=false and yet postgres keeps getting deployed.

$ helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}

$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://localhost:8443
openshift v3.11.0+3b2d3b6-227
kubernetes v1.11.0+d4cacc0

keycloak:
  persistence:
    deployPostgres: false
    dbVendor: postgres
    dbName: keycloak
    dbHost: kubedb-postgres
    dbPort: 5432
    dbUser: keycloak
    dbPassword: keycloak

Maybe I'm just missing something?

Hi,

Thanks for this chart. I'd appreciate any help you can guide me with. My issue is that even though I specify a redirect url as https://myclient/oidc_callback, when the actual redirect happens, it fails as it redirects to http instead of https i.e. http://myclient/oidc_callback.

My keycloak service(and client) are exposed via ingress using an NGINX controller.

I see PROXY_ADDRESS_FORWARDING is set as true as default but it still does not work for me.

Questions:

• Is there any setting I can modify in values.yaml to make this work?
• This SO questions making changes to an XML file. Do you know how I can have access to them on the pod or can I upload a file?
• If you have any other suggestions on how you made it work, I'd be very grateful.

It would be great to extend the README with an example of how to set a custom admin console port. As I understood it should be possible with the property keycloak.extraPorts but I didn't find a hint in the docs how the settings should look like.

https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/threat/admin.adoc

Istio is unable to inject it's sidecar, the securityContext is defined directly on the statefulSet, overwriting what the sidecar needs to do, ending up giving an error like iptables v1.6.0: can't initialize iptables table "nat": Permission denied (you must be root)

This is discussed in istio/old_issues_repo#316

I'm testing out replacing

      securityContext:
        fsGroup: 1001
        runAsNonRoot: true
        runAsUser: 1000

directly on the statefulSet, with

      securityContext:
        runAsNonRoot: true
        runAsUser: 1000

on the containers definition instead.

Will attach a PR on this soon if everything seams to work..

Hello,

we are using Keycloak with a replicaset of 3. Additionally we have configured Ingress with sticky sessions (annotation: nginx.ingress.kubernetes.io/affinity: cookie).

Scenario

1. login to Keycloak Admin UI
2. kill node (currently serving the client)
3. refresh the Admin UI

Actual behavior
Keycloak asks for credentials again

Expected behavior
Session is being re-used thus not asking for credentials again.

I have verified that the session is stored in the Infinispan cache sessions and that the cache has been replicated onto at least 1 other node via jconsole and the respective MBean.