Hello.
I’m trying to upgrade to a newer version of Keycloak (coming from v15), and I run this as part of a docker compose stack. It’s basically Keycloak and a browser application, with Envoy in front of both doing mostly three things: TLS (the only place where I have TLS configured), JWT validation and routing.
I’ve managed to update everything and it’s running mostly fine, with the notable exception that I can’t figure out how to get health checks working…
So, this is my compose definition:
```yaml
keycloak:
  cap_drop:
    - ALL
  command: ["start-dev", "--http-relative-path '/auth'", "--health-enabled=true", "--proxy=edge", "--import-realm"] #, "--optimized",
  container_name: keycloak
  environment:
    - AUDIENCE=https://csantos.example.com/
    - DOMAIN=csantos.example.com
    - JAVA_OPTS_APPEND="-Dkeycloak.profile.feature.upload_scripts=enabled"
    - KEYCLOAK_LOGLEVEL=INFO
    - KEYCLOAK_STATISTICS=all
    - PROXY_ADDRESS_FORWARDING=true
    - DEBUG="true"
    - KEYCLOAK_ADMIN=admin-user
    - KEYCLOAK_ADMIN_PASSWORD=password@admin
    - KC_HOSTNAME=csantos.example.com
    # - KC_HOSTNAME=localhost
    - KC_HEALTH_ENABLED='true'
    - KC_METRICS_ENABLED='true'
    - KC_HTTP_PORT=8080
    - KC_HTTP_ENABLED='false'
    - KC_HOSTNAME_STRICT='true'
    - KC_HOSTNAME_STRICT_HTTPS='true'
    - KC_HTTP_RELATIVE_PATH='/auth'
    # - KC_FEATURES='admin_fine_grained_authz,token_exchange'
  # entrypoint:
  #   - "/bin/sh"
  # extra_hosts:
  #   - "my.domain.com:127.0.0.1"
  healthcheck:
    # test: ["CMD-SHELL", "curl -f http://localhost:8080/auth/health || exit 1"]
    test: ["CMD-SHELL", "curl -f http://csantos.example.com:8080/auth/health || exit 1"]
    interval: 2m
    timeout: 10s
    retries: 3
    start_period: 30s
  image: "myrepo/keycloak:20.0.3"
  ports:
    - "8080:8080"
  networks:
    - my-network
  security_opt:
    - no-new-privileges
  # user: nobody:nogroup
  volumes:
    - "./keycloak-iam/realm-config.json:/tmp/realm-config.json:rw"
```
Both of those health check commands will fail, no matter what I do, so I don’t know how to query KC for health… Also, if I enable KC_HTTP_ENABLED, then I’ll start getting JWT validation errors because the issuer will be http://csantos.example.com instead of https://csantos.example.com.
How can I make this work??
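An added example (not part of the post above) of a health probe that inspects the body Keycloak's health endpoint returns rather than only the HTTP status code: Keycloak's health endpoints use the MicroProfile Health JSON shape (`status` plus a `checks` list), so a probe can log which check is DOWN instead of just failing. The endpoint URL, the default path under the `/auth` relative path, and the sample responses are assumptions/constructed values, and the probe only helps once something is actually answering on the listener it targets.

```python
"""Probe a Keycloak health endpoint and evaluate the JSON body it returns.

Assumed response shape (MicroProfile Health, as served by Keycloak):
{"status": "UP"|"DOWN", "checks": [{"name": ..., "status": ..., "data": {...}}]}
"""
import json
import sys
import urllib.request
from typing import List, Tuple
from urllib.error import HTTPError, URLError

# Assumption: the HTTP listener is reachable on 8080 and the relative path is /auth.
HEALTH_URL = "http://localhost:8080/auth/health/ready"


def evaluate(body: str) -> Tuple[bool, List[str]]:
    """Return (healthy, names_of_failing_checks) for one health JSON document."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False, ["<unparseable body>"]
    checks = doc.get("checks") or []
    failing = [c.get("name", "<unnamed>") for c in checks if c.get("status") != "UP"]
    healthy = doc.get("status") == "UP" and not failing
    return healthy, failing


def probe(url: str = HEALTH_URL, timeout: float = 5.0) -> int:
    """Fetch the endpoint and return a process exit code (0 = healthy, 1 = not)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode()
    except HTTPError as err:        # a DOWN report comes back with a 5xx status; still parse it
        body = err.read().decode()
    except URLError as err:         # nothing listening, e.g. the HTTP listener is disabled
        print(f"unreachable: {err.reason}", file=sys.stderr)
        return 1
    healthy, failing = evaluate(body)
    if not healthy:
        print("DOWN: " + ", ".join(failing), file=sys.stderr)
    return 0 if healthy else 1


# Constructed sample responses (not captured from a real server).
SAMPLE_UP = '{"status":"UP","checks":[{"name":"Keycloak database connections health check","status":"UP"}]}'
SAMPLE_DOWN = ('{"status":"DOWN","checks":[{"name":"Keycloak database connections health check",'
               '"status":"DOWN","data":{"reason":"connection refused"}}]}')

if __name__ == "__main__":
    sys.exit(probe(sys.argv[1] if len(sys.argv) > 1 else HEALTH_URL))
```

Used as a compose `healthcheck` command, the script's exit code is what Docker reads, and the failing check names go to the container's stderr for `docker inspect` to show.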