Deploying Keycloak cluster on Kubernetes
- added on 14. 06. 2024
- In this video you will learn how to deploy a Keycloak cluster on Kubernetes.
Source code is available on GitHub: github.com/lukaszbudnik/keycl...
To find out more about Keycloak check out my Keycloak playlist: • Deploying Keycloak clu...
If you are interested in a short write-up of all the examples in this playlist please check out this post: dev.to/lukaszbudnik/building-... - Science & Technology
Dear Lukasz, thanks a lot for the great video. Please continue doing Keycloak videos. It helps me a lot.
Thanks, will do!
Thanks for the amazing video. Do you plan to create a video on using Infinispan with Keycloak? Do we need to have a separate deployment for Infinispan in the same cluster for distributed caching?
I have updated my GitHub repo with Keycloak 19.0.3 and it now starts in production mode which in turn starts Infinispan by default. minikube version was updated last week and this night I pushed a new AWS EKS version: github.com/lukaszbudnik/keycloak-kubernetes/pull/16
Thanks, great video 👍. Please, how do we use port 443 instead for secure traffic? I think it’s the preferred port since Keycloak is used for security 🤷🏽♂️
Hi Fredy, thanks for the comment. Glad you liked the video.
Please check out my second video in Keycloak series: czcams.com/video/XUvaMgTdwy0/video.html
It has HTTPS for ingress configured.
All changes are also in GitHub repo: github.com/lukaszbudnik/keycloak-kubernetes
Hi, from my understanding the headless Keycloak service allows the pod IPs to be discovered within the cluster. But should we also have a non-headless service which gets called from the ingress? In other examples I have seen over the internet there are usually two services: keycloak-headless (used to discover pod IPs and configured in the deployment.yml), and keycloak (a non-headless service) that is configured in the ingress.xml. Should we be setting up something like this instead of just one headless service being called in both ingress.yml and deployment.yml?
You can connect ingress to a headless service no problem at all. If you take a look at all the deployment steps you will notice that I also have ingress: github.com/lukaszbudnik/keycloak-kubernetes
Thanks for the great video! :) Is it possible to configure Cross-Datacenter Replication Mode in Kubernetes? Can you guide me in the right direction?
I never had to set up cross-datacenter replication. However, it's possible and you can find more details here: www.keycloak.org/2019/05/keycloak-cluster-setup.html (see the TCPPING section).
Thanks for the perfect video.
I followed this video to install Keycloak on our k8s cluster. The landing page works fine, but when I try to open the admin page it returns an "Invalid parameter: redirect_uri" error and does not load.
JFI, I installed v6.0.1 since there is a special requirement for this version.
The env variable PROXY_ADDRESS_FORWARDING set to true and it is available in the pod. What else can cause this issue? Thanks.
Hi DrMicr0b, I'm sorry but I never used Keycloak older than v11. Could you check on the Keycloak mailing list and see if the Keycloak community can help?
@ukaszbudnik9618 Upgrading to 12.x.x solved the issue. Thanks.
Hi, we are already using a cluster in which there is one master node and 3 worker nodes. We are giving the Keycloak instance in the config map of every service. Can I do this thing in my cluster.... (we have around 15 services...) For every service do I need to add this keycloak.yml and keycloak.ingress.yml?
And one more question: what is the difference between jdbc_ping and tcp_ping? What is recommended to use?
Hi, not sure if I understood you correctly. You are setting up Keycloak for every service that you have? You can have 1 Keycloak cluster for all your services using multiple Keycloak realms: 1 service = 1 realm. Regarding jdbc_ping, dns_ping, tcp_ping there is a good article (a little bit old) on Keycloak website which covers this, see: www.keycloak.org/2019/05/keycloak-cluster-setup.html
Hi, I am trying to deploy Keycloak into Kubernetes and found your video and repo. Great, thanks, but I have some issues. If I do not specify KC_CACHE and KC_CACHE_STACK in the manifest, the pods do not even try to form a cluster. If I specify these env variables I get errors: "ERROR: ISPN000085: Error while trying to create a channel using the specified configuration file: default-configs/default-jgroups-kubernetes.xml" and "ERROR: dns_query can not be null or empty". Using the official Docker image for Keycloak 17.0. Can you give any advice to solve this?
Hi, yes there were some breaking changes introduced when Keycloak migrated from WildFly to Quarkus. I have updated the project on GitHub to use Keycloak 19.0.3: github.com/lukaszbudnik/keycloak-kubernetes.
@Łukasz Budnik can you advise on a multi-cloud installation of Keycloak?
Hey, you mean like having a Keycloak cluster that spans 2+ clouds? That solution is possible but would require a lot of work like setting up multi-cloud jgroups cluster and database cluster. If you want to make it multi-cloud then you would have to expose public IPs of Keycloak servers and database servers (JGroups cluster and database replication manager). Also, do you want to have both databases (clouds) accept writes? Then you have to choose database technology that supports multi-master replication (MySQL for example). It's doable, but that's a lot of work. The question is do you really need to have multi-cloud Keycloak deployment? Maybe you could have a standby replica in the second cloud and promote it to primary only in case of the disaster recovery?
A question: where is it specified whether it is standalone mode or domain mode of Keycloak in that case?
Keycloak docker image uses standalone mode and standalone-ha.xml configuration file
Hi, I deployed Keycloak in an ECS cluster with Microsoft as identity provider. Now when I am trying to log in via the Microsoft identity provider on the login page, I am getting SSL termination. Any idea on this? Locally it's working fine but inside the ECS cluster it's not working. The cluster is behind the organization proxy.
Hi Sanjay, in my latest video I showed how to deploy a Keycloak cluster to AWS EKS using Application Load Balancers as an HTTPS ingress. I don't know what is wrong with your setup (sometimes browsers drop insecure HTTP to HTTPS or invalid/unsecure HTTPS connections). In my video I set up a valid DNS and a valid HTTPS cert; you can use my video as a reference: czcams.com/video/BuNZ7bjbzOQ/video.html
Hello, for the parameter dns_query = NAME, is NAME the name of the service?
Yes, it's the name of the Kubernetes service. In my example I used keycloak, and Kubernetes (for service type: ClusterIP and clusterIP: None) creates and manages DNS records for the purpose of service discovery. Using those DNS records JGroups can find out all members of the cluster.
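The headless-service question, the KC_CACHE / KC_CACHE_STACK / dns_query errors and the readiness probe discussed in this thread all come together in one pair of manifests. The YAML below is an added example, not the manifests from the video's GitHub repo; it assumes the default namespace, an ingress host of keycloak.example.com (placeholder) and leaves the database settings out, so they must be added before this will start in production mode.

```yaml
# Headless service: clusterIP: None makes the cluster DNS return one A record
# per ready pod, which is exactly what the JGroups DNS_PING stack queries.
apiVersion: v1
kind: Service
metadata:
  name: keycloak            # this is the name that dns_query resolves
spec:
  clusterIP: None
  selector:
    app: keycloak
  ports:
    - name: http
      port: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:19.0.3
          args: ["start"]   # production mode: Infinispan clustering is on by default
          env:
            - name: KC_CACHE
              value: ispn
            - name: KC_CACHE_STACK
              value: kubernetes   # selects the DNS_PING JGroups stack
            - name: JAVA_OPTS_APPEND   # assumption: default namespace
              value: -Djgroups.dns.query=keycloak.default.svc.cluster.local
            - name: KC_HOSTNAME
              value: keycloak.example.com   # placeholder; must match the ingress host
            - name: KC_PROXY
              value: edge   # TLS is terminated at the ingress
            - name: KC_HEALTH_ENABLED
              value: "true"
            # database settings (KC_DB, KC_DB_URL, credentials) omitted here
          readinessProbe:
            httpGet:
              path: /health/ready   # Quarkus-based Keycloak; /auth/realms/master is the old WildFly path
              port: 8080
```

If pods still refuse to cluster, a DNS lookup of the service name from inside any pod should list every pod IP; an empty answer means the selector or the headless setting is wrong, not JGroups.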
Nice 👏. The UI keeps redirecting to /auth in an infinite loop via the Nginx ingress. How do I get this fixed? Please suggest.
I remember I had a similar situation when my DNS address didn't match the value set in the env variable "KC_HOSTNAME" (see keycloak.yaml). That's the only thing that comes to my mind.
Hi, thanks for all your superb videos. Do you have a plan to share a video on "how to customize the Keycloak Account page"? The objective is to share an account page with the client icon and other basic facelifting, similar to other enterprise SSO providers where they provide this very nice SSO page.
Will try. However, customising the Account page is no different from the Login page really. Apart from the documentation, you can check out the official Keycloak theme examples: github.com/keycloak/keycloak/tree/master/examples/themes
Hi, your explanation is very good but I am facing an issue while deploying jboss/keycloak. Can you please help me on this?
Quite recently I have updated the Kubernetes example to use Keycloak 19.0.3. Updated instructions are on GitHub: github.com/lukaszbudnik/keycloak-kubernetes
That's a great compilation... Good job.
Can you help me with this error, which I am receiving when the Keycloak pods are getting ready?
Readiness probe failed: Get "172.17.0.11:8080/auth/realms/master": dial tcp 172.17.0.11:8080: connect: connection refused
Hi Prashant,
Maybe the Kubernetes cluster that you are working on doesn’t have enough resources to start the deployment? Could you change for example the number of Keycloak replicas to 1. Or even comment out the readiness probe and let it run for a while and then check if pod started alright and/or check pod logs to see what happened? From the error message you posted Keycloak didn't start or crashed just after it started.
@ukaszbudnik9618 thanks for the immediate reply. I have tried commenting out the probe checker code and it does start the pod but the site never comes up... Not sure where I am messing up... this is the only resource deployed on minikube.
You should also check the pod log and it should say why Keycloak is not able to start.
Figured it out... Thanks, it's working now.
@prashantgupta7235 how did you figure it out?
not for beginners 😒
Unfortunately, it requires some knowledge of both Kubernetes and Keycloak, but if you closely follow the steps in README.md in the GitHub repo you will get there! github.com/lukaszbudnik/keycloak-kubernetes Give it a second chance!
Can I have your email please? I want some help to discuss. It's about Keycloak.
Hey, I have many viewers and I'm not able to review all issues posted in comments (especially if they have no details). Keycloak has a very vibrant community, please reach out to: www.keycloak.org/community