Keycloak build and start in kubernetes deployment

Hello All,

We have a customized version of Keycloak 18 (Quarkus-powered). I am trying to set up a Kubernetes deployment configuration file using a container for the start --auto-build step, and it doesn’t work as expected. It seems that when executing the container (in a pod) it fails to set up the database connection.

Here is the service.yaml file:
imagePullPolicy: IfNotPresent
command: [ "java" ]
args:
- "-Xms64m"
- "-Xmx512m"
- '-XX:MetaspaceSize=96M'
- '-XX:MaxMetaspaceSize=256m'
- '-Djava.net.preferIPv4Stack=true'
- '--add-exports=java.base/sun.nio.ch=ALL-UNNAMED'
- '--add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED'
- '--add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED'
- '-Djava.util.logging.manager=org.jboss.logmanager.LogManager'
- '-Dquarkus-log-max-startup-records=10000'
- '-Dkc.home.dir=/opt/keycloak'
- '-Djboss.server.config.dir=/opt/keycloak/conf'
- "-Dquarkus.log.level=$(LOG_LEVEL)"
- '-Dkeycloak.migration.action=import'
- '-Dkeycloak.migration.provider=singleFile'
- '-Dkeycloak.migration.file=$(KEYCLOAK_CONFIGURATION_LOCATION)'
- '-Dkeycloak.migration.strategy=OVERWRITE_EXISTING'
- '-Djgroups.bind_addr=$(HOST_IP)'
- "-cp"
- '/opt/keycloak/lib/quarkus-run.jar'
- "io.quarkus.bootstrap.runner.QuarkusEntryPoint"
- "start"
- "--auto-build"
- "--cache=ispn"
- "--features=preview"
- "--http-relative-path=/auth"
- "--db=postgres"
- "--db-password=$(DB_PASSWORD)"
- "--db-username=$(DB_USER)"
- "--db-url=$(DB_CONNECTION_URL)"
- "--hostname=localhost"
- '--http-enabled=true'

And here is the service output:
2022-05-11 14:27:38,144 WARN [io.quarkus.runtime.configuration.ConfigRecorder] (main) Build time property cannot be changed at runtime:

  • quarkus.datasource.jdbc.driver is set to 'org.h2.jdbcx.JdbcDataSource' but it is build time fixed to 'org.postgresql.xa.PGXADataSource'. Did you change the property quarkus.datasource
  • quarkus.http.root-path is set to '/' but it is build time fixed to '/auth'. Did you change the property quarkus.http.root-path after building the application?

What am I doing wrong?

We’re attempting something similar at the moment, failing elsewhere in the process.

First of all - are you sure that this is the content of your service.yaml?
Generally speaking, anything that specifically relates to a command getting run in the container should probably live in a deployment.yaml.

With regard to your specific error on the build-time args: as you can probably see from your logs, there are certain things (i.e. cache and database config) that can only be set up at build time. Is it possible that you are running the “build” command at a previous stage in your deployment pipeline? For instance, in the quay.io keycloak image, the build stage runs as an independent first step. It may be necessary to run this step with the flags needed for your deployment.

I finally ended up having a build step (through a docker build command) and a start step (in the service.yaml). It is still obscure how one is supposed to run the --auto-build command.
Also, I faced a similar issue with the import feature; someone suggested using the --import-realm option at the start step.

If you inspect kc.sh you’ll see that auto-build is evaluated in the script, not by the quarkus runtime. So passing it to the runtime does not have an effect. Instead you always need to run build yourself if you don’t want to use kc.sh.

1 Like
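The split this thread arrives at, a build step at image build time and a plain start in the pod, sketched as an added example; it is not code from any poster here or from the Keycloak project. The base image name is an assumption (substitute your customized Keycloak 18 image), as is the presence of /opt/keycloak/bin/kc.sh in it; the option values are the ones from the question.

```dockerfile
# Assumption: stand-in for the customized Keycloak 18 image from the question.
ARG BASE_IMAGE=quay.io/keycloak/keycloak:18.0.0

# --- Stage 1: persist the build-time configuration ------------------------
FROM ${BASE_IMAGE} AS builder
# These are the options the Quarkus runtime reports as "build time fixed"
# when they are changed at start: database vendor, cache stack, feature set
# and HTTP relative path. They are baked into the image here, once.
RUN /opt/keycloak/bin/kc.sh build \
      --db=postgres \
      --cache=ispn \
      --features=preview \
      --http-relative-path=/auth

# --- Stage 2: runtime image -----------------------------------------------
FROM ${BASE_IMAGE}
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# No --auto-build and no build-time options here: the server starts with
# the configuration persisted in stage 1.
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
CMD ["--hostname=localhost", "--http-enabled=true"]

# Runtime-only settings are deliberately left out of the image. In the
# Kubernetes container spec, set them as environment variables sourced
# from a Secret:
#   KC_DB_URL, KC_DB_USERNAME, KC_DB_PASSWORD
# An argument such as --db-password=$(DB_PASSWORD) is expanded by the
# kubelet into the process command line, where it is readable from the
# process listing on the node; an environment variable is not.
```

If the pod keeps launching java directly as in the question, the same image still applies: drop --auto-build and the four build-time options from args and keep only the runtime ones.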