Deploying Keycloak on AWS EKS cluster

Hello,

I have been trying to deploy Keycloak on an AWS EKS cluster.
However, I am getting a 404 Not Found error. I have created a secret using the cert and key.
Below is the YAML file I am using to deploy:

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  selector:
    app: keycloak
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keyclaok:latest
        args: ["start"]
        env:
          - name: KEYCLOAK_ADMIN
            value: "admin"
          - name: KEYCLOAK_ADMIN_PASSWORD
            value: "admin"
          - name: KC_HEALTH_ENABLED
            value: "true"
          - name: KC_METRICS_ENABLED
            value: "true"
          - name: KC_HOSTNAME
            value: "<placeholder>"
          - name: KC_PROXY
            value: "edge"
        ports:
          - name: http
            containerPort: 8080
          - name: https
            containerPort: 8443
        readinessProbe:
          httpGet:
            path: /realms/master
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: default
  name: ingress-keycloak
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($request_uri ~* "^/([^?]*)(\?.*)?$") {
        set $path_slug $1;
      }
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Path $path_slug;
      proxy_set_header X-Forwarded-Uri $request_uri;  
  labels:
    app: app-keycloak
spec:
  tls:
    - hosts:
        - <placeholder>
      secretName: kc-tls-secret  # Replace with the actual secret containing the SSL certificate
  rules:
  - host: <placeholder>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8443

Please let me know what is going wrong here.

Does the deployment start? What is in the container logs?

There is a typo in the image name.

The deployment starts with the following logs in the Keycloak pod:

UPDATE SUMMARY
Run:                        117
Previously run:               0
Filtered out:                 0
-------------------------------
Total change sets:          117

2024-02-22 06:41:19,117 INFO  [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2024-02-22 06:41:22,529 INFO  [io.quarkus] (main) Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 30.397s. Listening on: http://0.0.0.0:8080
2024-02-22 06:41:22,529 INFO  [io.quarkus] (main) Profile prod activated.
2024-02-22 06:41:22,530 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-02-22 06:41:23,094 INFO  [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
2024-02-22 09:08:16,932 ERROR [io.vertx.ext.web.RoutingContext] (vert.x-eventloop-thread-0) Unhandled exception in router
2024-02-22 09:18:16,360 ERROR [io.vertx.ext.web.RoutingContext] (vert.x-eventloop-thread-0) Unhandled exception in router

Also, the ingress logs are as follows:

192.168.51.38 - - [22/Feb/2024:08:33:11 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xEAuQ\xC6_jO?\x9F\xA0yN\xF8 \xE3]\x88\xF2\xFB\x99\x02\x92\x99\xEE\x87\xAF\x00<;y\xA8\x07 \xC0`v\xED\x87\x0C\xC7\xA2^\x10\x99s\x8D\x1Bd\x86\x14\xC92\x7FF\xB5\xB7\x06\xED!/\x1BP\xF8Ce\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 150 "-" "-" 0 0.717 [] [] - - - - df31b0bb7d6dea2ec73f3ee4815d9135
192.168.0.240 - - [22/Feb/2024:08:51:43 +0000] "MGLNDD_50.18.193.25_443" 400 150 "-" "-" 0 0.002 [] [] - - - - 37a80415cb56c25ff0a167e2c343ef02
192.168.51.38 - - [22/Feb/2024:09:17:24 +0000] "\x15\x03\x03\x00\x02\x02F" 400 150 "-" "-" 0 0.005 [] [] - - - - e6b230a893aabf5aff0981a2b7177d1b
192.168.51.38 - - [22/Feb/2024:09:17:25 +0000] "\x15\x03\x03\x00\x02\x02F" 400 150 "-" "-" 0 0.005 [] [] - - - - 535a5646711d917a8171e6d75635a436
192.168.0.240 - - [22/Feb/2024:09:38:14 +0000] "CONNECT api.ipify.org:443 HTTP/1.1" 400 150 "-" "-" 0 0.227 [] [] - - - - f955d434238f24d32d262f5f81fcd0e7
192.168.0.240 - - [22/Feb/2024:09:38:19 +0000] "\x04\x01\x00P\xBCrc\xEA0\x00" 400 150 "-" "-" 0 0.440 [] [] - - - - ae64f6d2c5dd6f34b4833aacf7558b8b
192.168.0.240 - - [22/Feb/2024:09:38:29 +0000] "\x05\x01\x00" 400 150 "-" "-" 0 0.439 [] [] - - - - eed1dee69fd04bfa1c008a80a1284d6a

Are the manifests you provided really the deployed config?

Apart from the typo in the image, it lacks the SSL configuration for the backend.
The ingress is supposed to use port 8443, but the service doesn’t expose it?
And if the cluster-internal connection is supposed to be via HTTPS, then the Keycloak deployment needs to mount certificates and additional config options to actually utilize them.
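
The port mismatch raised in the reply above, as an added example that is not part of any post in this thread: a small check that follows the chain Ingress backend, Service port, container port. The dictionaries are constructed from the manifests posted earlier; `check_backend_chain` and the rule that a container port's name indicates its protocol are assumptions of this sketch.

```python
# Constructed sample data: the relevant fields of the manifests posted in this thread.
SERVICE = {"name": "keycloak", "selector": {"app": "keycloak"},
           "ports": [{"name": "http", "port": 8080, "targetPort": 8080}]}
POD = {"labels": {"app": "keycloak"},
       "containerPorts": {"http": 8080, "https": 8443}}
INGRESS = {"backend-protocol": "HTTP",
           "backends": [{"service": "keycloak", "port": 8443}]}


def check_backend_chain(ingress, service, pod):
    """Follow Ingress -> Service -> container port and return a list of findings."""
    findings = []
    if any(pod["labels"].get(k) != v for k, v in service["selector"].items()):
        findings.append("service selector does not match the pod labels")
    # An Ingress backend may reference a Service port by number or by name.
    by_port = {p["port"]: p for p in service["ports"]}
    by_port.update({p["name"]: p for p in service["ports"] if "name" in p})
    names = {number: name for name, number in pod["containerPorts"].items()}
    for backend in ingress["backends"]:
        if backend["service"] != service["name"]:
            findings.append(f"ingress backend names unknown service {backend['service']}")
            continue
        svc_port = by_port.get(backend["port"])
        if svc_port is None:
            exposed = sorted(p["port"] for p in service["ports"])
            findings.append(f"ingress targets port {backend['port']} "
                            f"but the service exposes only {exposed}")
            continue
        # targetPort may be a number or a named container port.
        target = svc_port.get("targetPort", svc_port["port"])
        number = pod["containerPorts"].get(target, target)
        if number not in names:
            findings.append(f"service targetPort {target} is not a container port")
            continue
        # Assumption: the container port name tells which protocol it speaks.
        if names[number].upper() != ingress["backend-protocol"].upper():
            findings.append(f"backend-protocol {ingress['backend-protocol']} sent to "
                            f"container port {number} named {names[number]}")
    return findings


if __name__ == "__main__":
    for finding in check_backend_chain(INGRESS, SERVICE, POD):
        print(finding)
```

Adding port 8443 to the Service alone only moves the finding: the Ingress would then send plain HTTP to the container's `https` port.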

That typo has been rectified.
I have exposed the port in the service.
I have created a secret using the cert data and deployed it in the namespace where Keycloak is deployed.