Healthchecks & Hostname configurations on Docker-Compose

Hello.
I’m trying to upgrade to a newer version of Keycloak (coming from v15) and I run this as part of a docker compose stack. It’s basically keycloak and a browser application, with envoy in front of both doing mostly three things: TLS (the only place where I have TLS configured), JWT validation and routing.

I’ve managed to update everything and it’s running mostly fine, with the notable exception that I can’t figure out how to get health checks working…

So, this is my compose definition:

  keycloak:
    cap_drop:
      - ALL
    # Each list element is passed to the entrypoint verbatim, so the flag and its
    # value must be one token without embedded quotes.
    command: ["start-dev", "--http-relative-path=/auth", "--health-enabled=true", "--proxy=edge", "--import-realm"] #, "--optimized",
    container_name: keycloak
    environment:
      # In list form compose keeps quotes as part of the value, so 'true'
      # would be received as the five-character string 'true' (quotes included).
      - AUDIENCE=https://csantos.example.com/
      - DOMAIN=csantos.example.com
      - JAVA_OPTS_APPEND=-Dkeycloak.profile.feature.upload_scripts=enabled
      - KEYCLOAK_LOGLEVEL=INFO
      - KEYCLOAK_STATISTICS=all
      - PROXY_ADDRESS_FORWARDING=true
      - DEBUG=true
      - KEYCLOAK_ADMIN=admin-user
      - KEYCLOAK_ADMIN_PASSWORD=password@admin
      - KC_HOSTNAME=csantos.example.com
      # - KC_HOSTNAME=localhost
      - KC_HEALTH_ENABLED=true
      - KC_METRICS_ENABLED=true
      - KC_HTTP_PORT=8080
      - KC_HTTP_ENABLED=false
      - KC_HOSTNAME_STRICT=true
      - KC_HOSTNAME_STRICT_HTTPS=true
      - KC_HTTP_RELATIVE_PATH=/auth
      # - KC_FEATURES=admin_fine_grained_authz,token_exchange
    # entrypoint:
    #   - "/bin/sh"
    # extra_hosts:
      # - "my.domain.com:127.0.0.1"
    healthcheck:
      # The test runs inside the keycloak container, so the command it calls
      # (here curl) must exist in that image.
      # test: ["CMD-SHELL", "curl -f http://localhost:8080/auth/health || exit 1"]
      test: ["CMD-SHELL", "curl -f http://csantos.example.com:8080/auth/health || exit 1"]
      interval: 2m
      timeout: 10s
      retries: 3
      start_period: 30s
    image: "myrepo/keycloak:20.0.3"
    ports:
      - "8080:8080"
    networks:
      - my-network
    security_opt:
      - no-new-privileges
    # user: nobody:nogroup
    volumes:
      - "./keycloak-iam/realm-config.json:/tmp/realm-config.json:rw"

Both of those health check commands will fail, no matter what I do, so I don’t know how to query KC for health… Also, if I enable KC_HTTP_ENABLED, then I’ll start getting JWT validation errors because the issuer will be http://csantos.example.com instead of https://csantos.example.com.

How can I make this work?

Hi, the new version of the container no longer contains the curl command.

Alternate image:
Docker
k8s
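The answer above names the actual blocker: the current image ships without curl, so any CMD-SHELL test that calls it fails before it ever reaches Keycloak. The following is an added example, not code from this thread and not Keycloak's own, of a probe that needs only the shell: it opens a raw TCP connection through bash's /dev/tcp device, sends a minimal GET, and accepts the container as healthy only when the response is a 200 whose JSON body reports "status": "UP". It assumes bash is present in the image, that the health endpoint sits under the configured relative path (/auth/health), and that the host, port and the /opt/kc-health.sh location are placeholders to adapt.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Keycloak project): a curl-free
# health probe for a Keycloak container, using the shell's /dev/tcp device.
# Assumptions: bash exists in the image; the health endpoint is served under
# the relative path (/auth/health); localhost:8080 is the container's own
# HTTP listener; /opt/kc-health.sh is a hypothetical path for this script.

# Read a raw HTTP response on stdin and decide whether Keycloak reported
# itself healthy: a 200 status line and a JSON body whose top-level
# "status" is "UP". Returns 0 for healthy, 1 for anything else.
parse_health_response() {
  local cr status_line line body compact
  cr=$(printf '\r')
  IFS= read -r status_line || return 1
  status_line=${status_line%"$cr"}
  case "$status_line" in
    HTTP/1.[01]" 200"*) ;;      # only a 200 can be healthy
    *) return 1 ;;
  esac
  # Consume the headers up to the blank line that terminates them.
  while IFS= read -r line; do
    line=${line%"$cr"}
    if [ -z "$line" ]; then break; fi
  done
  # Collect the body; the final line may lack a trailing newline.
  body=""
  while IFS= read -r line || [ -n "$line" ]; do
    body="$body$line"
  done
  # Keycloak pretty-prints its JSON, so drop whitespace before matching.
  compact=$(printf '%s' "$body" | tr -d ' \t\r')
  case "$compact" in
    '{"status":"UP"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe http://HOST:PORT/PATH over a raw TCP connection. The exit status is
# the health verdict, which is exactly what a compose healthcheck consumes.
kc_health() {
  local host port path rc
  host=${1:-localhost} port=${2:-8080} path=${3:-/auth/health}
  exec 3<>"/dev/tcp/$host/$port" || return 1
  printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' \
    "$path" "$host" >&3
  parse_health_response <&3
  rc=$?
  exec 3<&-
  return "$rc"
}

# Usage in docker-compose, with this file mounted at the hypothetical path
# /opt/kc-health.sh inside the keycloak container:
#   healthcheck:
#     test: ["CMD", "bash", "-c", "source /opt/kc-health.sh && kc_health localhost 8080 /auth/health"]
```

Checking for "status": "UP" rather than for any 200 matters: a reverse proxy or a login page can answer 200 on a wrong path, while Keycloak answers its health endpoint with 503 and "DOWN" when a check fails, so the probe should key on both the status code and the body.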