Added APM agent in keycloak

Hi all,

We supervise our infrastructure and our applications in Datadog SaaS. We added them in APM so that we can follow the tracks. I would like to include APM in Keycloak to follow the trace end to end.

This consists of adding the option “-javaagent” with a special jar. I tried with Keycloak v11 and it doesn’t work. Has anyone ever added APM to Keycloak? Do you know how to do it? Do we need a special module instead of a jar? Do I need to add a specific parameter in the configuration?

Regards,
Roland

I found how to do it :)

For KC 11 and a domain cluster, you have to modify host-master or slave.xml in the configuration folder, add the parameters at the jvms level as below, and restart KC:

<jvms>
    <jvm name="default">
        <heap size="64m" max-size="256m"/>
        <jvm-options>
            <option value="-server"/>
            <option value="-XX:MetaspaceSize=96m"/>
            <option value="-XX:MaxMetaspaceSize=256m"/>
            <option value="-javaagent:/opt/jboss/dd-java-agent.jar"/>
            <option value="-Ddd.profiling.enabled=true"/>
            <option value="-Ddd.logs.injection=true"/>
            <option value="-Ddd.trace.sample.rate=1"/>
            <option value="-Ddd.service=keycloak"/>
            <option value="-Ddd.env=preprod"/>
        </jvm-options>
    </jvm>
</jvms>

Regards,
Roland


Hello,
Trying to do the same but didn’t succeed.
Can you explain how u did it? Do u run it with Kubernetes?
Thanks,

We have integrated New Relic for APM into our Keycloak container running on Kubernetes.

In our Dockerfile we install and configure New Relic.

FROM quay.io/keycloak/keycloak:15.0.2

# Fetch the agent over HTTPS; -f makes the build fail on an HTTP error
RUN cd /opt \
&& curl -fsSO https://download.newrelic.com/newrelic/java-agent/newrelic-agent/7.1.1/newrelic-java.zip \
&& unzip newrelic-java.zip \
&& rm newrelic-java.zip

COPY newrelic/newrelic.yml /opt/newrelic/

# add any startup scripts (*.cli or *.sh)
COPY jboss/startup-scripts/ /opt/jboss/startup-scripts/ 

# default environment
ENV NEW_RELIC_APP_NAME="keycloak" \
NEW_RELIC_LICENSE_KEY="" \
NEW_RELIC_LOG_FILE_NAME="STDOUT"

The following script is copied into /opt/jboss/startup-scripts/:

#!/bin/bash -e

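# -n rather than -v: the image sets NEW_RELIC_LICENSE_KEY="" by default,
# so an "is set" test is always true and the agent would load without a key
if [ -n "${NEW_RELIC_LICENSE_KEY:-}" ]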
then
    echo "enabling newrelic monitor"

    cat << 'EOF' >> /opt/jboss/keycloak/bin/standalone.conf
# new relic agent setup 
# https://docs.newrelic.com/docs/agents/java-agent/additional-installation/wildfly-installation-java
JAVA_OPTS="$JAVA_OPTS -javaagent:/opt/newrelic/newrelic.jar"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS,com.newrelic"
EOF

fi

Why not use vendor-neutral OpenTelemetry (at least for tracing)?

Dockerfile:

FROM jboss/keycloak:latest

# -f makes the build fail on an HTTP error instead of saving the error page as the jar
RUN \
  curl -fL https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/latest/download/opentelemetry-javaagent-all.jar \
  -o /tmp/opentelemetry-javaagent-all.jar

Then the OTLP exporter can be configured, for example via env variables:

JAVA_OPTS_APPEND: "-javaagent:/tmp/opentelemetry-javaagent-all.jar"
OTEL_SERVICE_NAME: keycloak
  • other New Relic-specific config: New Relic endpoint + some header with license key
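
An added example, not from any post in this thread: every approach above loads a downloaded jar into the Keycloak JVM through `-javaagent`, so this POSIX shell script lists the agent jars that a set of config files reference and compares each one with a pinned SHA-256. The function names, the pins-file layout and the sample files built in `demo` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory -javaagent jars and compare each with a pinned SHA-256.

# Print every jar path named by a -javaagent option in the given files
# (host-*.xml, standalone.conf, a Kubernetes env block ...), de-duplicated.
list_javaagents() {
    grep -ohE -e '-javaagent:[^"[:space:]=]+' "$@" 2>/dev/null |
        sed 's/^-javaagent://' | sort -u
}

# Hex SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# agent_status JAR PINS -> OK | MISSING | UNPINNED | MISMATCH
# PINS uses the sha256sum layout: "<hex digest>  <absolute jar path>".
agent_status() {
    [ -f "$1" ] || { echo MISSING; return 0; }
    want=$(awk -v p="$1" '$2 == p { print $1; exit }' "$2")
    [ -n "$want" ] || { echo UNPINNED; return 0; }
    if [ "$(sha256_of "$1")" = "$want" ]; then echo OK; else echo MISMATCH; fi
}

# audit_javaagents PINS CONFIG...: one "STATUS<TAB>jar" line per agent;
# returns non-zero when any agent is not OK, so it can gate a startup script.
audit_javaagents() {
    pins=$1; shift
    report=$(list_javaagents "$@" | while IFS= read -r jar; do
        printf '%s\t%s\n' "$(agent_status "$jar" "$pins")" "$jar"
    done)
    [ -z "$report" ] || printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -qvE '^(OK[[:space:]]|$)'
}

# Constructed demo: one intact jar, one altered after pinning, one never installed.
demo() {
    d=$(mktemp -d) || return 1
    for j in dd-java-agent newrelic; do
        printf 'constructed %s bytes' "$j" > "$d/$j.jar"
        printf '%s  %s\n' "$(sha256_of "$d/$j.jar")" "$d/$j.jar"
    done > "$d/pins"
    printf 'altered after pinning' > "$d/newrelic.jar"
    printf '<option value="-javaagent:%s/dd-java-agent.jar"/>\n' "$d" > "$d/host.xml"
    printf 'JAVA_OPTS="$JAVA_OPTS -javaagent:%s/newrelic.jar"\n' "$d" > "$d/standalone.conf"
    printf 'JAVA_OPTS_APPEND: "-javaagent:%s/otel.jar"\n' "$d" > "$d/env.yml"
    rc=0; audit_javaagents "$d/pins" "$d/host.xml" "$d/standalone.conf" "$d/env.yml" || rc=1
    rm -rf "$d"; return "$rc"
}
```

Run from a startup script before the server launches, a non-zero return from `audit_javaagents` can stop the container instead of starting Keycloak with an unexpected agent.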