Keycloak as Azure Container App

Guruvel · April 3, 2024, 10:02am

Hi All,

I am working on deploying keycloak as a Azure container app using the below configuration.

  env:
  - name: KEYCLOAK_ADMIN
    value: admin
  - name: KEYCLOAK_ADMIN_PASSWORD
    value: admin
  - name: KC_PROXY
    value: edge
  - name: KC_DB
    value: mysql
  - name: KC_DB_URL
    value: jdbc:mysql://10.0.0.1:3306/keycloak?useSSL=false
  - name: KC_DB_USERNAME
    value: keycloak
  - name: KC_DB_PASSWORD
    value: mtsadmn9331
  - name: TZ
    value: America/New_York
  - name: KC_HOSTNAME_DEBUG
    value: 'true'
  - name: KC_CACHE
    value: ispn
  - name: KC_HOSTNAME_STRICT
    value: 'false'

It is working until a 2nd replica created. If it create a 2 on or 3 rd replica, it breaks. which means it is not accepting the admin credentials, if it accept I it is showing network error.

I struck here with last 2 weeks.

please help me on this.

thanks,
Sriguruvek

jean.silga · April 3, 2024, 7:01pm

Try configuring the distributed infinispan cache. When there is more than one instance, the cache needs to be configured. More info on how to configure the infinispan cache here: Configuring distributed caches - Keycloak

Guruvel · April 4, 2024, 6:39am

Hi @jean.silga ,

yes , you are correct. but I have already configured the cache with ispn.
is there any other configuration available to set the distributed cache in KC .

Thanks,
guru

jean.silga · April 4, 2024, 6:50am

Does the logs confirm that your configuration is working? You should see logs about the infinispan cluster and how many members are in the cluster. If all node are not part of the infinispan cluster, then the cache cluster is not working.

Guruvel · April 4, 2024, 9:50am

Hi @jean.silga,

Thanks for the reply.

This is the log which I got from keycloak after it got up.

{“TimeStamp”:“2024-04-04T09:48:14.76074”,“Log”:“Connecting to the container ‘keycloakapp’…”}
{“TimeStamp”:“2024-04-04T09:48:14.7788”,“Log”:“Successfully Connected to container: ‘keycloakapp’ [Revision: ‘keycloakapp–uo7nfsv-85f8679855-c76rh’, Replica: ‘keycloakapp–uo7nfsv’]”}
{“TimeStamp”:“2024-04-04T09:48:14.7792451Z”,“Log”:“Appending additional Java properties to JAVA_OPTS: -Djava.net.preferIPv4Stack=true”}
{“TimeStamp”:“2024-04-04T09:48:14.7793365Z”,“Log”:“Changes detected in configuration. Updating the server image.”}
{“TimeStamp”:“2024-04-04T09:48:14.779388Z”,“Log”:“Updating the configuration and installing your custom providers, if any. Please wait.”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 7640ms”}
{“TimeStamp”:“2024-04-04T09:48:14.7794924Z”,“Log”:“Server configuration updated and persisted. Run the following command to review the configuration:”}
{“TimeStamp”:“2024-04-04T09:48:14.7795383Z”,“Log”:“”}
{“TimeStamp”:“2024-04-04T09:48:14.779591Z”,“Log”:“\tkc.sh show-config”}
{“TimeStamp”:“2024-04-04T09:48:14.7796393Z”,“Log”:“”}
{“TimeStamp”:“2024-04-04T09:48:14.7796891Z”,“Log”:“Next time you run the server, just run:”}
{“TimeStamp”:“2024-04-04T09:48:14.7797381Z”,“Log”:“”}
{“TimeStamp”:“2024-04-04T09:48:14.779785Z”,“Log”:“\tkc.sh start --optimized “}
{“TimeStamp”:“2024-04-04T09:48:14.7798335Z”,“Log”:””}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: \u003Cunset\u003E, Hostname: \u003Crequest\u003E, Strict HTTPS: false, Path: \u003Crequest\u003E, Strict BackChannel: false, Admin URL: \u003Cunset\u003E, Admin: \u003Crequest\u003E, Port: -1, Proxied: true”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“WARN [io.quarkus.agroal.runtime.DataSources] (main) Datasource \u003Cdefault\u003E enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller ‘org.infinispan.jboss.marshalling.core.JBossUserMarshaller’”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel \u0060ISPN\u0060”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 9f7ad08b-ef65-4dff-ade6-fba37ba77497, name: keycloakapp–uo7nfsv-85f8679855-c76rh-29876”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on .30002"}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:"WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded- and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) keycloakapp–uo7nfsv-85f8679855-c76rh-29876: no members discovered after 2007 ms: creating cluster as coordinator”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [keycloakapp–uo7nfsv-85f8679855-c76rh-29876|0] (1) [keycloakapp–uo7nfsv-85f8679855-c76rh-29876]”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel \u0060ISPN\u0060 local address is \u0060keycloakapp–uo7nfsv-85f8679855-c76rh-29876\u0060, physical addresses are \u0060[100.100.192.157:45538]\u0060”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: keycloakapp–uo7nfsv-85f8679855-c76rh-29876, Site name: null”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [io.quarkus] (main) Keycloak 22.0.1 on JVM (powered by Quarkus 3.2.0.Final) started in 7.033s. Listening on: http://0.0.0.0:8080”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [io.quarkus] (main) Profile prod activated.”}
{“TimeStamp”:“2024-04-04T00:00:00”,“Log”:“INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]”}

Guruvel · April 4, 2024, 9:56am

I need to mention that I am using an auto-scaling method from Azure container apps. In the log, I could see the cluster info and its members.

it only crashed when the replica was increased. when it scale out to 1 replica, it works fine

jean.silga · April 4, 2024, 10:12am

From the logs you pasted, your infinispan cluster only has one member: keycloakapp–uo7nfsv-85f8679855-c76rh-29876
Either you have more further logs that show that all your instances are part of the same cluster, or your cluster in not actually a cluster, but many clusters of one member each.
When you have one instance, it will work fine because then your cache is local to your instance and does not have to be distributed.

Guruvel · April 4, 2024, 10:31am

Thanks,

let me check my cluster setup and let you know. I guess keycloak is not using the auto-scaled Replicas.

kaskinas · April 8, 2024, 11:22pm

Hi, i did not see the cache stack configuration in your config. when you use KC_CACHE, you need to configure KC_CACHE_STACK like below:

name: KC_CACHE_STACK
value: azure
Configuring distributed caches - Keycloak

Topic		Replies	Views
Deploy production mode Keycloak 21.1.1 on Azure as Docker-container with MS SQL Database Configuring the server	0	1023	June 18, 2023
Keycloak 20.0.1 Azure webapp and pgsql Configuring the server	0	561	December 13, 2022
Trouble with Keycloak 20.0.1 as a Azure webapp and pgsql backend Configuring the server	4	1306	November 30, 2022
Azure App Service Configuring the server	2	4881	April 29, 2021
Failed to verify identity token Configuring the server	3	804	April 13, 2023

Keycloak as Azure Container App

Related Topics