kubernetes-keycloak's Introduction

kubernetes-keycloak

This repo contains manifests to run Keycloak by RedHat in Kubernetes.

REPO ARCHIVAL

This repository has been archived as there are better ways to run Keycloak in Kubernetes / OpenShift:

How To Use the Manifests

If you already have your own Postgres database running, ignore the database manifest named postgres.yaml. postgres.yaml creates a single PostgreSQL instance for testing only. Check out the Configuration section below before creating anything.

Before you kubectl create the manifests, you should also modify ingress.yaml or simply remove it; without it, reaching the Keycloak instance will be harder.

The order in which you create the manifests does not matter. For testing, running the following is enough:

kubectl create -f . --namespace default

If you need help, please let me know through an issue.

Default credentials

NOTE To disable user creation, leave the corresponding *_USER and *_PASSWORD environment variables empty (this only works for the KEYCLOAK_* variables).

To change the usernames, edit the *_USER variables in the ConfigMap keycloak-env which can be found in configmap.yaml.

To change the passwords, edit the *_PASSWORD variables in the Secret keycloak-secret, which can be found in secret.yaml. The passwords/secrets need to be base64 encoded (for example: echo -n YOUR_PASSWORD | base64 -w0).

Keycloak

  • Username (KEYCLOAK_USER): keycloak
  • Password (KEYCLOAK_PASSWORD): keycloak123

Management

  • Username (KEYCLOAK_MGMT_USER): keycloak
  • Password (KEYCLOAK_MGMT_PASSWORD): keycloak123

Postgres (Example)

See postgres.yaml env vars for username and password.
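A pre-apply check for the shipped defaults, added here as an example (it is not part of the repository): it decodes the base64 values in secret.yaml and refuses a file that still carries keycloak123 for either Keycloak user or the Postgres default password. It assumes the Secret keeps its values under data: as one KEY: value per line, which is the layout the instructions above describe; the sample secret.yaml is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the kubernetes-keycloak repository: refuse a
# secret.yaml that still carries the README's shipped defaults (keycloak123
# for both Keycloak users, "password" for Postgres).
# Assumes the Secret keeps base64 values under "data:", one "KEY: value" per
# line, which is how the README tells you to fill it in.

# Constructed sample secret.yaml, equal to what `echo -n keycloak123 | base64 -w0`
# and `echo -n password | base64 -w0` produce.
SAMPLE_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: keycloak-secret
type: Opaque
data:
  KEYCLOAK_PASSWORD: a2V5Y2xvYWsxMjM=
  KEYCLOAK_MGMT_PASSWORD: a2V5Y2xvYWsxMjM=
  POSTGRES_PASSWORD: cGFzc3dvcmQ='

# decode_secret_key FILE KEY: print the decoded value of KEY, or nothing if it is unset/empty
decode_secret_key() {
  awk -v key="$2" '$1 == (key ":") { gsub(/"/, "", $2); print $2; exit }' "$1" \
    | base64 -d 2>/dev/null
}

# is_default KEY VALUE: succeeds when VALUE is the default the README ships for KEY
is_default() {
  case "$1" in
    KEYCLOAK_PASSWORD|KEYCLOAK_MGMT_PASSWORD) [ "$2" = "keycloak123" ] ;;
    POSTGRES_PASSWORD) [ "$2" = "password" ] ;;
    *) return 1 ;;
  esac
}

# check_default_credentials FILE: returns 0 only if no shipped default remains.
# An empty KEYCLOAK_* value passes: the README uses it to disable user creation.
check_default_credentials() {
  rc=0
  for key in KEYCLOAK_PASSWORD KEYCLOAK_MGMT_PASSWORD POSTGRES_PASSWORD; do
    value=$(decode_secret_key "$1" "$key")
    if is_default "$key" "$value"; then
      echo "FAIL: $key in $1 is still the shipped default" >&2
      rc=1
    fi
  done
  return $rc
}

# Demo: the constructed sample above must be rejected.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_SECRET" > "$demo"
if check_default_credentials "$demo"; then
  echo "secret.yaml is safe to apply"
else
  echo "refusing to apply: change the passwords first"
fi
rm -f "$demo"
```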

Configuration

Environment variables

The environment variables can be set in the statefulset.yaml.

| Name | Description | Default |
|------|-------------|---------|
| POSTGRES_HOST | Postgres database address | postgres |
| POSTGRES_PORT | Postgres database port | 5432 |
| POSTGRES_DATABASE | Postgres database name | keycloak |
| POSTGRES_USER | Postgres database user | keycloak |
| POSTGRES_PASSWORD | Postgres database password | password |
| PROXY_ADDRESS_FORWARDING | Enable when a proxy sits in front of Keycloak (JBoss) | false |
| KEYCLOAK_LOGLEVEL | Keycloak log level | INFO |
| KEYCLOAK_USER | First Keycloak user's username (no management access) | (empty) |
| KEYCLOAK_PASSWORD | First Keycloak user's password (no management access) | (empty) |
| KEYCLOAK_MGMT_USER | Management user's username | (empty) |
| KEYCLOAK_MGMT_PASSWORD | Management user's password | (empty) |
| KEYCLOAK_OWNERS_COUNT | Infinispan cache/session owner ("replica") count; should equal the replica count | 2 |
| BASE_SCRIPT_DIR | DON'T change unless you know what you are doing | /scripts |
| MY_POD_IP | The Pod IP, from the Kubernetes Downward API | status.podIP |

Exposing to the outside

An appropriate Ingress can be found in ingress.yaml.

The Service that exposes only the Keycloak HTTP port is named keycloak-external.

Upgrade procedure

NOTE This procedure has not been tested in every scenario!

NOTE This procedure has been tested with a Keycloak deployment of 2 replicas.

Without migrations

Update the image tag in the StatefulSet and replace it (kubectl replace). That is it: the Pods are recreated one by one with the new image.

With migrations

WARNING This procedure only needs to be done when new migrations are added to the bin/migrate-standalone-ha.cli file (found in the Keycloak release tarball)!

WARNING This only needs to be done in one Pod!

Update the image tag in the StatefulSet, replace it (kubectl replace), wait for the highest-numbered Pod to be terminated and started again, then immediately run the following command in that highest-numbered Keycloak Pod:

kubectl exec --namespace default -it keycloak-1 -- bash -c 'cd /opt/jboss && bin/jboss-cli.sh --file=bin/migrate-standalone-ha.cli'

(Here keycloak-1 is the highest-numbered Pod; for example, with replicas: 10 it is keycloak-9.)

After the exec has run successfully, delete the Pod you exec'd into.
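A scripted form of the steps above, added here as an example and not part of the repository: it runs the migration CLI exactly once, in the highest-numbered Pod, right after that Pod comes back on the new image, then deletes it. It assumes the StatefulSet's first container is named keycloak (as in the manifest posted in the issues below) and substitutes kubectl set image for hand-editing the tag and running kubectl replace; KUBECTL can be overridden with a stub for a dry run.

```shell
#!/bin/sh
# Added example, not part of the kubernetes-keycloak repository: scripts the
# README's "with migrations" upgrade so the migration CLI runs exactly once,
# in the highest-numbered Pod, right after that Pod comes back on the new image.
# Assumptions: the StatefulSet's first container is named "keycloak" (as in the
# manifest posted in the issues); `kubectl set image` stands in for editing the
# tag by hand and running `kubectl replace`.

KUBECTL=${KUBECTL:-kubectl}   # override with a stub function for dry runs

# highest_ordinal_pod STS REPLICAS -> e.g. "keycloak-9" for replicas: 10
highest_ordinal_pod() {
  echo "$1-$(($2 - 1))"
}

# wait_for_pod_image NS POD IMAGE [TRIES]: poll until POD runs IMAGE and is Ready.
# A StatefulSet RollingUpdate recreates Pods from the highest ordinal downwards,
# so this Pod is the first to be terminated and started again on the new image.
wait_for_pod_image() {
  ns=$1 pod=$2 image=$3 tries=${4:-120}
  while [ "$tries" -gt 0 ]; do
    current=$($KUBECTL get pod "$pod" -n "$ns" -o jsonpath='{.spec.containers[0].image}' 2>/dev/null || true)
    ready=$($KUBECTL get pod "$pod" -n "$ns" -o jsonpath='{.status.containerStatuses[0].ready}' 2>/dev/null || true)
    if [ "$current" = "$image" ] && [ "$ready" = "true" ]; then
      return 0
    fi
    sleep 5
    tries=$((tries - 1))
  done
  echo "timed out waiting for $pod to become Ready on $image" >&2
  return 1
}

# upgrade_with_migrations NS STS IMAGE: the README procedure, step by step.
upgrade_with_migrations() {
  ns=$1 sts=$2 image=$3
  replicas=$($KUBECTL get statefulset "$sts" -n "$ns" -o jsonpath='{.spec.replicas}') || return 1
  last=$(highest_ordinal_pod "$sts" "$replicas")

  # 1. Change the image on the StatefulSet (README: edit the tag, kubectl replace).
  $KUBECTL set image statefulset/"$sts" keycloak="$image" -n "$ns" || return 1

  # 2. Wait for the highest-numbered Pod to be terminated and started again.
  wait_for_pod_image "$ns" "$last" "$image" || return 1

  # 3. Immediately run the migration CLI in that Pod, and only there.
  $KUBECTL exec -n "$ns" "$last" -- \
    bash -c 'cd /opt/jboss && bin/jboss-cli.sh --file=bin/migrate-standalone-ha.cli' || return 1

  # 4. Delete the Pod you exec'd into so it restarts cleanly on the migrated config.
  $KUBECTL delete pod "$last" -n "$ns"
}

# Usage: ./upgrade.sh NAMESPACE STATEFULSET IMAGE  (e.g. default keycloak jboss/keycloak:NEW_TAG)
if [ $# -eq 3 ]; then
  upgrade_with_migrations "$@"
fi
```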

kubernetes-keycloak's People

Contributors

galexrt

kubernetes-keycloak's Issues

Is it possible to do autoscaling keycloak given that it is a statefulset kind

@galexrt
If I manually scale the keycloak cluster like this: kubectl scale --replicas=3 statefulset/keycloak, it works like a charm; I could see new nodes being added to the cluster and cache rebalancing happening smoothly.

But then, if I want to autoscale it, I see something like this:

$ kubectl autoscale statefulset keycloak --cpu-percent=50 --min=2 --max=6
error: cannot autoscale a {apps StatefulSet} 

So my question is: is it even possible to autoscale the Keycloak StatefulSet, or do we need some other mechanism to achieve this?

Thanks.

[question] Purpose of setReplicas

Thanks for creating this project.

I'm trying to understand how the setup works:

Can you explain a bit what the purpose of the setReplicas function in configmap.yaml/run.sh is?
I understand that this is to make each Keycloak Pod aware of all other Pods.
Is this only required to ensure the correct operation of the distributed Infinispan cache? Or are there other reasons why this is needed?

Also, I saw in your docs that AUTO_INJECT_HOSTS is "not used right now".
Does this mean that the number of Pods must remain constant while the StatefulSet is running?
Which steps would be required to change the number of Pods later?

CODE_TO_TOKEN_ERROR

Hi @galexrt, I deployed your setup on an OpenShift 3.5 cluster. If the client is connected to the first node keycloak-0, then the login works fine. If the client is connected to the second node keycloak-1, then I get this error in the keycloak-0 logs:

09:30:38,126 WARN  [org.keycloak.events] (default task-79) type=CODE_TO_TOKEN_ERROR, realmId=Test, clientId=keycloak-sample-app, userId=null, ipAddress=10.0.1.24, error=expired_code, grant_type=authorization_code, code_id=c9edbc5e-acc4-4b1e-88aa-f3df3f6edd04, client_auth_method=client-secret

It looks like the client is authenticating against keycloak-1 but tries to exchange the access_code for the token on the keycloak-0 node. It seems that the codes are not synced. Did you have this behavior?

pod keycloak-0 start failed

I just ran the following for a test:

kubectl create -f . --namespace keycloak

pod events

➜  kubernetes-keycloak git:(master) ✗ kubectl describe pod keycloak-0 --namespace keycloak
Name:           keycloak-0
Namespace:      keycloak
Priority:       0
Node:           kind-control-plane/172.17.0.2
Start Time:     Wed, 04 Mar 2020 11:21:44 +0800
Labels:         app=keycloak
                controller-revision-hash=keycloak-7899c684bb
                statefulset.kubernetes.io/pod-name=keycloak-0
Annotations:    <none>
Status:         Running
IP:             10.244.0.9
Controlled By:  StatefulSet/keycloak
Containers:
  keycloak:
    Container ID:  containerd://c91d6a2bdfca218ca6db362cbfeb5dfd8aeaed48dbb489297d72964b6a3072f7
    Image:         jboss/keycloak:3.4.2.Final
    Image ID:      docker.io/jboss/keycloak@sha256:e19a31b53ad0eedcf3b6bc9731119a4077c2df63bbaef529e49c52e69cf1b55b
    Ports:         8443/TCP, 9090/TCP, 7600/TCP, 57600/TCP, 55200/UDP, 45688/UDP, 54200/UDP, 23364/TCP, 23364/UDP, 4712/TCP, 4713/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/UDP, 0/UDP, 0/UDP, 0/TCP, 0/UDP, 0/TCP, 0/TCP
    Command:
      /scripts/run.sh
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Wed, 04 Mar 2020 12:34:14 +0800
      Finished:     Wed, 04 Mar 2020 12:34:54 +0800
    Ready:          False
    Restart Count:  25
    Limits:
      cpu:     2
      memory:  4Gi
    Requests:
      cpu:      750m
      memory:   1Gi
    Liveness:   http-get http://:8080/ delay=25s timeout=1s period=7s #success=1 #failure=3
    Readiness:  http-get http://:8080/ delay=10s timeout=1s period=10s #success=2 #failure=10
    Environment Variables from:
      keycloak-env     ConfigMap  Optional: false
      keycloak-secret  Secret     Optional: false
    Environment:
      MY_POD_IP:   (v1:status.podIP)
    Mounts:
      /scripts from keycloak-scripts (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-kxcxm (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  keycloak-scripts:
    Type:               Projected (a volume that contains injected data from multiple sources)
    ConfigMapName:      keycloak-scripts-cm
    ConfigMapOptional:  <nil>
  default-token-kxcxm:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-kxcxm
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age                    From                         Message
  ----     ------     ----                   ----                         -------
  Warning  Unhealthy  33m (x41 over 69m)     kubelet, kind-control-plane  Liveness probe failed: Get http://10.244.0.9:8080/: dial tcp 10.244.0.9:8080: connect: connection refused
  Normal   Pulled     8m48s (x22 over 69m)   kubelet, kind-control-plane  Container image "jboss/keycloak:3.4.2.Final" already present on machine
  Warning  BackOff    3m37s (x236 over 66m)  kubelet, kind-control-plane  Back-off restarting failed container

pod logs

➜  kubernetes-keycloak git:(master) ✗ kubectl logs -n keycloak --tail=100 -f keycloak-0
===> Failed! Hostname keycloak-0 unreachable.
=> Keycloak Hosts: 
Added user 'keycloak' to file '/opt/jboss/keycloak/standalone/configuration/mgmt-users.properties'
Added user 'keycloak' to file '/opt/jboss/keycloak/domain/configuration/mgmt-users.properties'
Added user 'keycloak' with groups null to file '/opt/jboss/keycloak/standalone/configuration/mgmt-groups.properties'
Added user 'keycloak' with groups null to file '/opt/jboss/keycloak/domain/configuration/mgmt-groups.properties'
Added 'keycloak' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
[KEYCLOAK DOCKER IMAGE] Using the external postgres database
04:21:12,031 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
04:21:12,307 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
04:21:12,777 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) starting
04:21:13,002 INFO  [org.jboss.vfs] (MSC service thread 1-6) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
04:21:16,625 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
04:21:16,810 INFO  [org.wildfly.security] (Controller Boot Thread) ELY00001: WildFly Elytron version 1.1.6.Final
04:21:16,834 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
04:21:17,258 INFO  [org.jboss.as.patching] (MSC service thread 1-4) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
04:21:17,319 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
04:21:17,508 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
04:21:17,510 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) started in 5455ms - Started 64 of 78 services (25 services are lazy, passive or on-demand)
The batch executed successfully
04:21:17,821 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0050: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) stopped in 18ms
04:21:20,084 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
04:21:20,298 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
04:21:20,679 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) starting
04:21:20,947 INFO  [org.jboss.vfs] (MSC service thread 1-6) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
04:21:25,022 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
04:21:25,252 INFO  [org.wildfly.security] (Controller Boot Thread) ELY00001: WildFly Elytron version 1.1.6.Final
04:21:25,329 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
04:21:26,372 INFO  [org.jboss.as.patching] (MSC service thread 1-3) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
04:21:26,431 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-5) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
04:21:26,734 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
04:21:26,737 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) started in 6633ms - Started 64 of 82 services (29 services are lazy, passive or on-demand)
The batch failed with the following error: : 
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-9
Operation: /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource)
Failure: WFLYCTL0212: Duplicate resource [
    ("subsystem" => "datasources"),
    ("jdbc-driver" => "postgresql")
]

04:21:27,233 INFO  [org.jboss.as] (MSC service thread 1-6) WFLYSRV0050: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) stopped in 34ms
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss/keycloak

  JAVA: /usr/lib/jvm/java/bin/java

  JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

04:21:29,303 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
04:21:30,024 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
04:21:30,314 INFO  [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) starting
04:21:30,454 INFO  [org.jboss.vfs] (MSC service thread 1-8) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
*** JBossAS process (247) received TERM signal ***
04:21:30,757 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
04:21:31,072 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.as.server-controller: org.jboss.msc.service.StartException in service jboss.as.server-controller: Failed to start service
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_151]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_151]
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_151]
Caused by: java.lang.IllegalStateException: Container is down
        at org.jboss.msc.service.ServiceContainerImpl.install(ServiceContainerImpl.java:716) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        at org.jboss.msc.service.ServiceTargetImpl.install(ServiceTargetImpl.java:223) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        at org.jboss.msc.service.ServiceControllerImpl$ChildServiceTarget.install(ServiceControllerImpl.java:2555) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        at org.jboss.msc.service.ServiceBuilderImpl.install(ServiceBuilderImpl.java:317) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        at org.jboss.as.controller.AbstractControllerService.start(AbstractControllerService.java:353)
        at org.jboss.as.server.ServerService.start(ServerService.java:296) [wildfly-server-3.0.8.Final.jar:3.0.8.Final]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) [jboss-msc-1.2.7.SP1.jar:1.2.7.SP1]
        ... 3 more

java.util.concurrent.ExecutionException: Operation failed
        at org.jboss.threads.AsyncFutureTask.operationFailed(AsyncFutureTask.java:74)
        at org.jboss.threads.AsyncFutureTask.get(AsyncFutureTask.java:268)
        at org.jboss.as.server.Main.main(Main.java:108)
        at org.jboss.modules.Module.run(Module.java:344)
        at org.jboss.modules.Main.main(Main.java:525)
Caused by: org.jboss.msc.service.StartException in service jboss.as.server-controller: Failed to start service
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: Container is down
        at org.jboss.msc.service.ServiceContainerImpl.install(ServiceContainerImpl.java:716)
        at org.jboss.msc.service.ServiceTargetImpl.install(ServiceTargetImpl.java:223)
        at org.jboss.msc.service.ServiceControllerImpl$ChildServiceTarget.install(ServiceControllerImpl.java:2555)
        at org.jboss.msc.service.ServiceBuilderImpl.install(ServiceBuilderImpl.java:317)
        at org.jboss.as.controller.AbstractControllerService.start(AbstractControllerService.java:353)
        at org.jboss.as.server.ServerService.start(ServerService.java:296)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
        ... 3 more
04:21:31,099 INFO  [org.jboss.as] (MSC service thread 1-8) WFLYSRV0050: Keycloak 3.4.2.Final (WildFly Core 3.0.8.Final) stopped in 328ms
*** JBossAS process (247) received TERM signal ***

Last mile encryption for keycloak not working

Hi @galexrt

I tried the approach you suggested for enabling SSL on Keycloak, adding a mount of the certs to the Keycloak StatefulSet.

Yes the setup is terminating SSL at the LB.
You would need to add a mount of the certs to the Keycloak StatefulSet and tell your Ingress Controller to let SSL "passthrough" and also go to the "backend" (Keycloak Service).
Additionally you need to modify the Keycloak "config file" standalone-ha.xml (the config used here can be found here https://github.com/galexrt/kubernetes-keycloak/blob/master/configmap.yaml#L60-L706)...

To achieve that I initially thought to put the encoded certs and key in secret.yaml and refer to that in the StatefulSet. I could get those certs onto the Keycloak pods, but since Keycloak specifically requires a Java keystore, just the certificate was not enough.
Then I found that Kubernetes 1.10 supports adding binary data to a ConfigMap. So I created a Java keystore using the key pair I generated and used this command to create a ConfigMap with binary data in it:
kubectl create configmap keystore-cm --from-file=keycloak-keystore=keycloak-vault.jks

Here keycloak-keystore is the key and the jks file is the value.
I then referred to it in my StatefulSet like this:

---
apiVersion: apps/v1
# Change to apps/v1beta2 for K8s < 1.9
kind: StatefulSet
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  serviceName: keycloak
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      volumes:
      - name: keycloak-scripts
        projected:
          sources:
          - configMap:
              name: keycloak-scripts-cm
              items:
              - key: run.sh
                path: run.sh
                mode: 0755
              - key: standalone-ha.xml
                path: standalone-ha.xml
                mode: 0644
      #- name: sslcerts
      #  secret:
      #    secretName: certificates
      - name: kc-keystore
        projected:
          sources:
          - configMap:
              name: keystore-cm
              items:
              - key: keycloak-keystore
                path: keycloak-keystore
                mode: 0644
      containers:
        - name: keycloak
          image: jboss/keycloak:3.4.3.Final
          ports:
            - name: https
              containerPort: 8443
            - name: management
              containerPort: 9090
            - name: jgroups-tcp
              containerPort: 7600
            - name: jgroups-tcp-fd
              containerPort: 57600
            - name: jgroups-udp
              containerPort: 55200
              protocol: UDP
            - name: jgroups-udp-mc
              containerPort: 45688
              protocol: UDP
            - name: jgroups-udp-fd
              containerPort: 54200
              protocol: UDP
            - name: modcluster
              containerPort: 23364
            - name: modcluster-udp
              containerPort: 23364
              protocol: UDP
            - name: txn-recovery-ev
              containerPort: 4712
            - name: txn-status-mgr
              containerPort: 4713
          envFrom:
          - configMapRef:
              name: keycloak-env    
          - secretRef:
              name: keycloak-secret
          env:
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          command:
            - /scripts/run.sh
          args: []
          volumeMounts:
          - name: keycloak-scripts
            mountPath: "/scripts"
            readOnly: true
          #- name: sslcerts
          #  mountPath: "/opt/certs"
          #  readOnly: true
          - name: kc-keystore
            mountPath: "/opt/keystore"
            readOnly: true
          readinessProbe:
            failureThreshold: 10
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 2
            timeoutSeconds: 60
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 25
            periodSeconds: 7
            timeoutSeconds: 60
          resources:
            limits:
              cpu: "2"
              memory: 4Gi
            requests:
              cpu: "750m"
              memory: "1Gi"

But after I deploy this, I get the errors below; I am not sure whether this is the correct way to mount a keystore.

Logs

$ kubectl describe pods keycloak-0
Name:           keycloak-0
Namespace:      secdev
Node:           ip-172-31-39-102.ec2.internal/172.31.39.102
Start Time:     Fri, 17 Aug 2018 00:19:22 +0530
Labels:         app=keycloak
                controller-revision-hash=keycloak-7769cbf5f
                statefulset.kubernetes.io/pod-name=keycloak-0
Annotations:    <none>
Status:         Running
IP:             172.31.38.226
Controlled By:  StatefulSet/keycloak
Containers:
  keycloak:
    Container ID:  docker://8d33bfdead23a75f7fa6b705deebc06486a67f9fa775505ab9043d1310e2e56a
    Image:         jboss/keycloak:3.4.3.Final
    Image ID:      docker-pullable://jboss/keycloak@sha256:518aaa87ecd1492d4bd7f7d0df6c7bb856a37c89d323c110ebc4835860a4de82
    Ports:         8443/TCP, 9090/TCP, 7600/TCP, 57600/TCP, 55200/UDP, 45688/UDP, 54200/UDP, 23364/TCP, 23364/UDP, 4712/TCP, 4713/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/UDP, 0/UDP, 0/UDP, 0/TCP, 0/UDP, 0/TCP, 0/TCP
    Command:
      /scripts/run.sh
    State:          Running
      Started:      Fri, 17 Aug 2018 00:21:24 +0530
    Last State:     Terminated
      Reason:       Error
      Exit Code:    137
      Started:      Fri, 17 Aug 2018 00:20:10 +0530
      Finished:     Fri, 17 Aug 2018 00:21:24 +0530
    Ready:          False
    Restart Count:  3
    Limits:
      cpu:     2
      memory:  4Gi
    Requests:
      cpu:      750m
      memory:   1Gi
    Liveness:   http-get http://:8080/ delay=25s timeout=60s period=7s #success=1 #failure=3
    Readiness:  http-get http://:8080/ delay=10s timeout=60s period=10s #success=2 #failure=10
    Environment Variables from:
      keycloak-env     ConfigMap  Optional: false
      keycloak-secret  Secret     Optional: false
    Environment:
      MY_POD_IP:   (v1:status.podIP)
    Mounts:
      /opt/keystore from kc-keystore (ro)
      /scripts from keycloak-scripts (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-86xtj (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          False
  PodScheduled   True
Volumes:
  keycloak-scripts:
  <unknown>
  kc-keystore:
  <unknown>
  default-token-86xtj:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-86xtj
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason                 Age               From                                    Message
  ----     ------                 ----              ----                                    -------
  Normal   Scheduled              2m                default-scheduler                       Successfully assigned keycloak-0 to ip-172-31-39-102.ec2.internal
  Normal   SuccessfulMountVolume  2m                kubelet, ip-172-31-39-102.ec2.internal  MountVolume.SetUp succeeded for volume "default-token-86xtj"
  Normal   SuccessfulMountVolume  2m                kubelet, ip-172-31-39-102.ec2.internal  MountVolume.SetUp succeeded for volume "keycloak-scripts"
  Normal   SuccessfulMountVolume  2m                kubelet, ip-172-31-39-102.ec2.internal  MountVolume.SetUp succeeded for volume "kc-keystore"
  Warning  BackOff                1m (x2 over 1m)   kubelet, ip-172-31-39-102.ec2.internal  Back-off restarting failed container
  Normal   Pulled                 1m (x3 over 2m)   kubelet, ip-172-31-39-102.ec2.internal  Container image "jboss/keycloak:3.4.3.Final" already present on machine
  Normal   Created                1m (x3 over 2m)   kubelet, ip-172-31-39-102.ec2.internal  Created container
  Normal   Started                1m (x3 over 2m)   kubelet, ip-172-31-39-102.ec2.internal  Started container
  Warning  Unhealthy              57s (x3 over 1m)  kubelet, ip-172-31-39-102.ec2.internal  Liveness probe failed: Get http://172.31.38.226:8080/: dial tcp 172.31.38.226:8080: getsockopt: connection refused
  Warning  Unhealthy              30s (x8 over 2m)  kubelet, ip-172-31-39-102.ec2.internal  Readiness probe failed: Get http://172.31.38.226:8080/: dial tcp 172.31.38.226:8080: getsockopt: connection refused

Am I going in the right direction? Do you see any issues in the way I am setting up the keystore here?

Thanks.

Statefulset Problem

I have a problem when deploying the statefulset.yaml file. The Pods are still in the creatingContainer state.

Warning FailedMount MountVolume.SetUp failed for volume "keycloak-scripts" : configmap references non-existent config key: REPLICAS 7 minutes ago
Warning FailedMount Unable to mount volumes for pod "keycloak-0_default(3a010ebf-6762-11e9-b9e2-005056a67a77)": timeout expired waiting for volumes to attach or mount for pod "default"/"keycloak-0". list of unmounted volumes=[keycloak-scripts]. list of unattached volumes=[keycloak-scripts default-token-dhqb6] 7 minutes ago
Normal Scheduled Successfully assigned default/keycloak-0 to k8s-worker2 5 minutes ago
Warning FailedMount Unable to mount volumes for pod "keycloak-0_default(3a010ebf-6762-11e9-b9e2-005056a67a77)": timeout expired waiting for volumes to attach or mount for pod "default"/"keycloak-0". list of unmounted volumes=[keycloak-scripts default-token-dhqb6]. list of unattached volumes=[keycloak-scripts default-token-dhqb6] 5 minutes ago
Warning FailedMount Unable to mount volumes for pod "keycloak-0_default(746a964c-6763-11e9-b9e2-005056a67a77)": timeout expired waiting for volumes to attach or mount for pod "default"/"keycloak-0". list of unmounted volumes=[keycloak-scripts]. list of unattached volumes=[keycloak-scripts default-token-dhqb6] 3 minutes ago
Warning FailedMount MountVolume.SetUp failed for volume "keycloak-scripts" : configmap references non-existent config key: REPLICAS 2 minutes ago
Normal Scheduled Successfully assigned default/keycloak-0 to k8s-worker2 a minute ago
Warning FailedMount MountVolume.SetUp failed for volume "keycloak-scripts" : configmap "keycloak-scripts-cm" not found a minute ago

Unable to start keycloak on AWS EKS cluster

Hi,

I am fairly new to Kubernetes. When I run this command:
kubectl create -f . --namespace default
I get this error when I look at the logs:
$ kubectl logs statefulsets/keycloak -n default

Starting with args:
==> I am instance number: 0
===> Checking instance: keycloak-0
curl: (6) Could not resolve host: keycloak-0.keycloak; Name or service not known
===> Failed! Hostname keycloak-0 unreachable.
=> Keycloak Hosts:
Added user 'keycloak' to file '/opt/jboss/keycloak/standalone/configuration/mgmt-users.properties'
Added user 'keycloak' to file '/opt/jboss/keycloak/domain/configuration/mgmt-users.properties'
Added user 'keycloak' with groups null to file '/opt/jboss/keycloak/standalone/configuration/mgmt-groups.properties'
Added user 'keycloak' with groups null to file '/opt/jboss/keycloak/domain/configuration/mgmt-groups.properties'
Added 'keycloak' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
[KEYCLOAK DOCKER IMAGE] Using the external postgres database
13:12:22,878 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
13:12:23,260 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
/opt/jboss/keycloak/bin/change-database.sh: line 7:   135 Killed                  bin/jboss-cli.sh --file=cli/databases/$DB_VENDOR/standalone-configuration.cli
13:12:27,366 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
13:12:27,751 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
/opt/jboss/keycloak/bin/change-database.sh: line 10:   190 Killed                  bin/jboss-cli.sh --file=cli/databases/$DB_VENDOR/standalone-ha-configuration.cli
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss/keycloak

  JAVA: /usr/lib/jvm/java/bin/java

  JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

13:12:30,451 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
13:12:31,755 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
13:12:32,171 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: Keycloak 3.4.3.Final (WildFly Core 3.0.8.Final) starting
13:12:32,360 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
*** JBossAS process (298) received KILL signal ***


Also, the readiness probe fails with the message below:

[image: readiness probe failure message]

Please let me know what's going wrong here.

Thanks in advance.
