Fail to create container image: No enum constant org.keycloak.common.Profile.ProfileValue.TOKEN-EXCHANGE

larsks · February 27, 2022, 5:30pm

Are the instructions at Keycloak - Server - Running Keycloak in a container accurate? With the example Dockerfile, the kc.sh build results in:

[1/2] STEP 5/5: RUN /opt/keycloak/bin/kc.sh build
Updating the configuration and installing your custom providers, if any. Please wait.
ERROR: Failed to run 'build' command.
ERROR: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
        [error]: Build step org.keycloak.quarkus.deployment.KeycloakProcessor#configureProviders threw an exception: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.ProfileValue.TOKEN-EXCHANGE

I’m not sure what that error is trying to tell me; I’d appreciate any pointers. Thanks!

thebf · February 27, 2022, 7:32pm

I removed the line:

ENV KC_FEATURES=token-exchange

That got me further but it seems like there’s something that tries to log in to the database with the user sa after that.

I think the current docker setup is broken.

larsks · February 27, 2022, 8:18pm

I think the current docker setup is broken.

Agreed. If I remove the ENV KC_FEATURES=token-exchange it actually builds just fine for me, but at startup appears to ignore the KC_* environment variables that are meant to configure database access.

thebf · February 28, 2022, 8:49am

I have a feeling that locking it to 17.0.0 rather than choosing latest might work.

I got it running on “bare metal” so I haven’t got the time to play more with the docker side of things today.

larsks · February 28, 2022, 12:11pm

“17.0.0” is not one of the available tags (from the quay.io/keycloak/keycloak-x repository). The most recent that is not “latest” is 16.1.1.

larsks · February 28, 2022, 12:53pm

I was able to get things running with the following Dockerfile:

FROM quay.io/keycloak/keycloak-x:latest as builder

RUN /opt/keycloak/bin/kc.sh build \
	--db=postgres \
	--metrics-enabled=true \
	--features-token_exchange=enabled

FROM quay.io/keycloak/keycloak-x:latest
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak

# for demonstration purposes only, please make sure to use proper
# certificates in production instead
RUN keytool \
  -genkeypair \
  -storepass password \
  -storetype PKCS12 \
  -keyalg RSA \
  -keysize 2048 \
  -dname "CN=server" \
  -alias server \
  -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
  -keystore conf/server.keystore

ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=change_me
ENV KC_HOSTNAME=localhost:8443
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

And the following invocation in my docker-compose.yaml:

  keycloak:
    image: keycloak
    ports:
      - "8080:8080"
      - "8443:8443"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: secret
      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
    command:
      - --http-enabled=true
      - --db-username=${POSTGRES_USER}
      - --db-password=${POSTGRES_PASSWORD}

Of particular note, the KC_DB_USERNAME and KC_DB_PASSWORD environment variables don’t appear to work, which is why I had to provide them on the command line instead.

dasniko · February 28, 2022, 1:00pm

keycloak-x was just the preview versions, it’s now regular quay.io/keycloak/keycloak.
Legacy version have the -legacy to the version tag, e.g. quay.io/keycloak/keycloak:17.0.0-legacy.

This is also mentioned in the blog post and migration guide!

larsks · February 28, 2022, 1:02pm

The forum just ate my post, so I’ll try again.

I was able to get things running with the latest image using the following Dockerfile:

FROM quay.io/keycloak/keycloak-x:latest as builder

RUN /opt/keycloak/bin/kc.sh build \
	--db=postgres \
	--metrics-enabled=true \
	--features-token_exchange=enabled

FROM quay.io/keycloak/keycloak-x:latest
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak

# for demonstration purposes only, please make sure to use proper
# certificates in production instead
RUN keytool \
  -genkeypair \
  -storepass password \
  -storetype PKCS12 \
  -keyalg RSA \
  -keysize 2048 \
  -dname "CN=server" \
  -alias server \
  -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
  -keystore conf/server.keystore

ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=change_me
ENV KC_HOSTNAME=localhost:8443

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

Here, I’ve dropped use of the KC_* environment variables for configuration and just provided equivalent command line arguments.

I’m using the following invocation in my docker-compose.yaml:

  keycloak:
    image: keycloak
    ports:
      - "8080:8080"
      - "8443:8443"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: secret
      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
      KC_HOSTNAME: localhost:8443
    command:
      - --http-enabled=true
      - --db-username=${POSTGRES_USER}
      - --db-password=${POSTGRES_PASSWORD}

Note that while KC_DB_URL appears to work just fine, KC_DB_USERNAME and KC_DB_PASSWORD do not, so those had to be provided on the command line rather than as environment variables.

larsks · February 28, 2022, 1:04pm

What blog post? What migration guide? I’m following the container guide, which seems to have some misinformation in it.

Using the quay.io/keycloak/keycloak repository, it looks like I’ll need to start from scratch because kc.sh appears to have changed completely. Maybe the “migration guide” addresses this? I’ll see if I can find it.

dasniko · February 28, 2022, 1:06pm

The blog post for the 17 release:

https://www.keycloak.org/2022/02/keycloak-1700-released

dasniko · February 28, 2022, 1:08pm

The current container guide seems to have a type as it uses the keycloak-x image.
Trying to find the source and doing a PR for fixing this…

UPDATE: It’s already fixed in the sources of the guide, but not yet published…

larsks · February 28, 2022, 1:18pm

Using quay.io/keycloak/keycloak, things seems to work a little better. The KC_* environment variables appear to work as described, so I can use this Dockerfile:

FROM quay.io/keycloak/keycloak:17.0.0 as builder

ENV KC_DB=postgres
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:17.0.0
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
WORKDIR /opt/keycloak

# for demonstration purposes only, please make sure to use proper
# certificates in production instead
RUN keytool \
  -genkeypair \
  -storepass password \
  -storetype PKCS12 \
  -keyalg RSA \
  -keysize 2048 \
  -dname "CN=server" \
  -alias server \
  -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
  -keystore conf/server.keystore

ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=change_me
ENV KC_HOSTNAME=localhost:8443

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]

And this invocation:

  keycloak:
    image: keycloak:17.0.0
    ports:
      - "8080:8080"
      - "8443:8443"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}
      KC_DB_USERNAME: ${POSTGRES_USER}
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}

Topic		Replies	Views
Running Keycloak production on DigitalOean Configuring the server container	1	2484	April 26, 2022
Keycloak 17 "failed to initialize keycloak"	2	2402	March 3, 2022
V20.0.3 - docker-compose - feature installation issues Configuring the server	4	1524	March 1, 2023
KeyCloak 19.0.1: KC_* Environment variables are ignored Configuring the server	4	4089	September 6, 2022
KC database env configurations are ignored Configuring the server	2	1691	February 7, 2023

Fail to create container image: No enum constant org.keycloak.common.Profile.ProfileValue.TOKEN-EXCHANGE

Related Topics