Keycloak as Azure Container App

Hi All,

I am working on deploying Keycloak as an Azure container app using the configuration below.

  env:
  - name: KEYCLOAK_ADMIN
    value: admin
  - name: KEYCLOAK_ADMIN_PASSWORD
    value: admin
  - name: KC_PROXY
    value: edge
  - name: KC_DB
    value: mysql
  - name: KC_DB_URL
    value: jdbc:mysql://10.0.0.1:3306/keycloak?useSSL=false
  - name: KC_DB_USERNAME
    value: keycloak
  - name: KC_DB_PASSWORD
    value: mtsadmn9331
  - name: TZ
    value: America/New_York
  - name: KC_HOSTNAME_DEBUG
    value: 'true'
  - name: KC_CACHE
    value: ispn
  - name: KC_HOSTNAME_STRICT
    value: 'false'

It works until a 2nd replica is created. If it creates a 2nd or 3rd replica, it breaks, which means it is not accepting the admin credentials, and if it does accept them it shows a network error.

I have been stuck here for the last 2 weeks.

Please help me with this.

thanks,
Sriguruvek

Try configuring the distributed Infinispan cache. When there is more than one instance, the cache needs to be configured. More info on how to configure the Infinispan cache here: Configuring distributed caches - Keycloak

Hi @jean.silga ,

Yes, you are correct, but I have already configured the cache with ispn.
Is there any other configuration available to set the distributed cache in KC?

Thanks,
guru

Do the logs confirm that your configuration is working? You should see logs about the Infinispan cluster and how many members are in the cluster. If all nodes are not part of the Infinispan cluster, then the cache cluster is not working.

Hi @jean.silga,

Thanks for the reply.

This is the log I got from Keycloak after it came up.

{"TimeStamp":"2024-04-04T09:48:14.76074","Log":"Connecting to the container 'keycloakapp'..."}
{"TimeStamp":"2024-04-04T09:48:14.7788","Log":"Successfully Connected to container: 'keycloakapp' [Revision: 'keycloakapp--uo7nfsv-85f8679855-c76rh', Replica: 'keycloakapp--uo7nfsv']"}
{"TimeStamp":"2024-04-04T09:48:14.7792451Z","Log":"Appending additional Java properties to JAVA_OPTS: -Djava.net.preferIPv4Stack=true"}
{"TimeStamp":"2024-04-04T09:48:14.7793365Z","Log":"Changes detected in configuration. Updating the server image."}
{"TimeStamp":"2024-04-04T09:48:14.779388Z","Log":"Updating the configuration and installing your custom providers, if any. Please wait."}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 7640ms"}
{"TimeStamp":"2024-04-04T09:48:14.7794924Z","Log":"Server configuration updated and persisted. Run the following command to review the configuration:"}
{"TimeStamp":"2024-04-04T09:48:14.7795383Z","Log":""}
{"TimeStamp":"2024-04-04T09:48:14.779591Z","Log":"\tkc.sh show-config"}
{"TimeStamp":"2024-04-04T09:48:14.7796393Z","Log":""}
{"TimeStamp":"2024-04-04T09:48:14.7796891Z","Log":"Next time you run the server, just run:"}
{"TimeStamp":"2024-04-04T09:48:14.7797381Z","Log":""}
{"TimeStamp":"2024-04-04T09:48:14.779785Z","Log":"\tkc.sh start --optimized "}
{"TimeStamp":"2024-04-04T09:48:14.7798335Z","Log":""}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: \u003Cunset\u003E, Hostname: \u003Crequest\u003E, Strict HTTPS: false, Path: \u003Crequest\u003E, Strict BackChannel: false, Admin URL: \u003Cunset\u003E, Admin: \u003Crequest\u003E, Port: -1, Proxied: true"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [io.quarkus.agroal.runtime.DataSources] (main) Datasource \u003Cdefault\u003E enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel \u0060ISPN\u0060"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 9f7ad08b-ef65-4dff-ade6-fba37ba77497, name: keycloakapp--uo7nfsv-85f8679855-c76rh-29876"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.30002"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests."}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) keycloakapp--uo7nfsv-85f8679855-c76rh-29876: no members discovered after 2007 ms: creating cluster as coordinator"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [keycloakapp--uo7nfsv-85f8679855-c76rh-29876|0] (1) [keycloakapp--uo7nfsv-85f8679855-c76rh-29876]"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel \u0060ISPN\u0060 local address is \u0060keycloakapp--uo7nfsv-85f8679855-c76rh-29876\u0060, physical addresses are \u0060[100.100.192.157:45538]\u0060"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: keycloakapp--uo7nfsv-85f8679855-c76rh-29876, Site name: null"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [io.quarkus] (main) Keycloak 22.0.1 on JVM (powered by Quarkus 3.2.0.Final) started in 7.033s. Listening on: http://0.0.0.0:8080"}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [io.quarkus] (main) Profile prod activated."}
{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]"}

I need to mention that I am using an auto-scaling method from Azure Container Apps. In the log, I could see the cluster info and its members.

It only crashed when the replica count was increased. When it scales out to 1 replica, it works fine.

From the logs you pasted, your Infinispan cluster only has one member: keycloakapp--uo7nfsv-85f8679855-c76rh-29876
Either you have further logs that show that all your instances are part of the same cluster, or your cluster is not actually a cluster, but many clusters of one member each.
When you have one instance, it will work fine because then your cache is local to your instance and does not have to be distributed.

Thanks,
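The check described in the replies above (look for the Infinispan cluster view in the logs and count its members) can be automated. This is an added example, not code from the thread or from the Keycloak project: it reads the Azure Container Apps JSON-per-line console format pasted above, extracts the ISPN000094 view, and flags the two other lines that explain a one-member "cluster" (ISPN000088, default JGroups stack; GMS "no members discovered"). The sample lines and the app/member names (`app--rev1-...`) are constructed for illustration.

```python
"""Diagnose Keycloak/Infinispan cluster formation from Azure Container Apps
console logs ({"TimeStamp": ..., "Log": ...}, one JSON object per line).
Added example; the sample log lines below are constructed, not real output."""
import json
import re

# ISPN000094: Received new cluster view for channel ISPN: [coord|viewId] (N) [m1, m2, ...]
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+?): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)

# Constructed sample: what a single replica logs when it finds no peers.
SAMPLE_SINGLE = [
    '{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!"}',
    '{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) app--rev1-29876: no members discovered after 2007 ms: creating cluster as coordinator"}',
    '{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [app--rev1-29876|0] (1) [app--rev1-29876]"}',
    "not json at all",  # console noise must not break the parser
]

# Constructed sample: a healthy two-member view after a second replica joined.
SAMPLE_CLUSTERED = [
    '{"TimeStamp":"2024-04-04T00:00:00","Log":"INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [app--rev1-29876|1] (2) [app--rev1-29876, app--rev1-31002]"}',
]


def parse_log_lines(lines):
    """Yield the 'Log' text of each well-formed JSON line; skip anything else."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)["Log"]
        except (ValueError, KeyError, TypeError):
            continue


def cluster_report(lines):
    """Collect the clustering facts from the log: stack source, discovery result, last view."""
    report = {
        "default_stack": False,           # ISPN000088: no KC_CACHE_STACK, default (UDP multicast) stack
        "created_as_coordinator": False,  # GMS found nobody and started a cluster of one
        "view_size": None,                # member count of the last ISPN000094 view
        "members": [],
    }
    for msg in parse_log_lines(lines):
        if "ISPN000088" in msg:
            report["default_stack"] = True
        if "no members discovered" in msg and "creating cluster as coordinator" in msg:
            report["created_as_coordinator"] = True
        m = VIEW_RE.search(msg)
        if m:
            report["view_size"] = int(m.group("size"))
            report["members"] = [x.strip() for x in m.group("members").split(",") if x.strip()]
    return report


def diagnose(report, expected_replicas):
    """Turn the report into human-readable findings; empty list means the cluster looks right."""
    findings = []
    if report["default_stack"]:
        findings.append("KC_CACHE_STACK not set: default JGroups stack (UDP multicast discovery) in use")
    if report["created_as_coordinator"]:
        findings.append("discovery found no peers: this node started its own single-member cluster")
    if report["view_size"] is None:
        findings.append("no ISPN000094 cluster view logged: cache clustering did not start")
    elif report["view_size"] < expected_replicas:
        findings.append(f"cluster view has {report['view_size']} member(s), expected {expected_replicas}")
    return findings


if __name__ == "__main__":
    for name, sample in (("single", SAMPLE_SINGLE), ("clustered", SAMPLE_CLUSTERED)):
        print(name, diagnose(cluster_report(sample), expected_replicas=2))
```

Run it against a file exported from the Container App's console logs (one JSON object per line) with `expected_replicas` set to the current replica count; a view smaller than that, or the ISPN000088/"no members discovered" pair, is the "many clusters of one member each" situation described above.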

Let me check my cluster setup and let you know. I guess Keycloak is not using the auto-scaled replicas.

Hi, I did not see the cache stack configuration in your config. When you use KC_CACHE, you need to configure KC_CACHE_STACK like below:

How did you configure your cluster? I'm stuck with it...
I added the options --cache=ispn --cache-stack=azure but it doesn't work.
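The point made two posts up (KC_CACHE=ispn does nothing useful across replicas unless KC_CACHE_STACK is also set) can be checked mechanically before a deployment is scaled out. This is an added example, not code from any poster or from Keycloak: a small linter over the Container App's env list that also flags the other weak settings visible in the original post (literal passwords in env, `useSSL=false` in the JDBC URL, `KC_HOSTNAME_STRICT=false`). The env entries, secret names and hostname are constructed placeholders; `secretRef` is the Azure Container Apps env field that pulls a value from the app's secrets, and the stack names are the ones listed in the Keycloak distributed-cache guide linked earlier.

```python
"""Lint an Azure Container Apps env list for a Keycloak deployment.
Added example; the env lists below are constructed, with placeholder secrets."""

# Transport stacks accepted by KC_CACHE_STACK / --cache-stack (Keycloak 22 guide).
KNOWN_STACKS = {"tcp", "udp", "kubernetes", "ec2", "azure", "google"}
# Env vars that should never carry a literal value in the app definition.
SECRET_NAMES = {"KEYCLOAK_ADMIN_PASSWORD", "KC_DB_PASSWORD"}


def lint_env(env):
    """Return a list of findings for env entries of the form
    {"name": ..., "value": ...} or {"name": ..., "secretRef": ...}."""
    vals = {e["name"]: e.get("value") for e in env}
    findings = []

    # Secrets must come from the app's secret store, not be inlined in the env list.
    for e in env:
        if e["name"] in SECRET_NAMES and "value" in e:
            findings.append(f'{e["name"]}: literal value in env; use secretRef instead')

    # The ispn cache only clusters if a discovery stack is chosen; otherwise the
    # default UDP multicast stack runs, which cannot find peers in Container Apps.
    if vals.get("KC_CACHE") == "ispn":
        stack = vals.get("KC_CACHE_STACK")
        if stack is None:
            findings.append("KC_CACHE=ispn without KC_CACHE_STACK: default multicast discovery, replicas will not find each other")
        elif stack not in KNOWN_STACKS:
            findings.append(f"KC_CACHE_STACK={stack!r} is not a known stack")

    # Database traffic leaves the container in clear text with useSSL=false.
    if "useSSL=false" in vals.get("KC_DB_URL", "").replace(" ", ""):
        findings.append("KC_DB_URL disables TLS (useSSL=false)")

    # With strict hostname off, Keycloak derives its hostname from request headers.
    if str(vals.get("KC_HOSTNAME_STRICT", "")).lower() == "false":
        findings.append("KC_HOSTNAME_STRICT=false: hostname is taken from request headers")

    return findings


# Constructed: mirrors the shape of the configuration in the original post.
SAMPLE_ENV = [
    {"name": "KEYCLOAK_ADMIN", "value": "admin"},
    {"name": "KEYCLOAK_ADMIN_PASSWORD", "value": "<placeholder>"},
    {"name": "KC_PROXY", "value": "edge"},
    {"name": "KC_DB", "value": "mysql"},
    {"name": "KC_DB_URL", "value": "jdbc:mysql://10.0.0.1:3306/keycloak?useSSL=false"},
    {"name": "KC_DB_USERNAME", "value": "keycloak"},
    {"name": "KC_DB_PASSWORD", "value": "<placeholder>"},
    {"name": "KC_CACHE", "value": "ispn"},
    {"name": "KC_HOSTNAME_STRICT", "value": "false"},
]

# Constructed: the same deployment with the findings addressed.
FIXED_ENV = [
    {"name": "KEYCLOAK_ADMIN", "value": "admin"},
    {"name": "KEYCLOAK_ADMIN_PASSWORD", "secretRef": "keycloak-admin-password"},  # placeholder secret name
    {"name": "KC_PROXY", "value": "edge"},
    {"name": "KC_DB", "value": "mysql"},
    {"name": "KC_DB_URL", "value": "jdbc:mysql://10.0.0.1:3306/keycloak"},
    {"name": "KC_DB_USERNAME", "value": "keycloak"},
    {"name": "KC_DB_PASSWORD", "secretRef": "keycloak-db-password"},  # placeholder secret name
    {"name": "KC_CACHE", "value": "ispn"},
    {"name": "KC_CACHE_STACK", "value": "azure"},
    {"name": "KC_HOSTNAME", "value": "keycloak.example.invalid"},  # placeholder hostname
    {"name": "KC_HOSTNAME_STRICT", "value": "true"},
]


if __name__ == "__main__":
    for name, env in (("original", SAMPLE_ENV), ("fixed", FIXED_ENV)):
        print(name, lint_env(env) or ["ok"])
```

The linter only checks that a stack is named; the `azure` stack's discovery protocol additionally needs the Azure storage settings described in the Keycloak distributed-cache guide linked earlier, and a missing or wrong value there shows up in the logs exactly like a missing stack (a one-member ISPN000094 view on every replica).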