Readiness probe on Kubernetes gets connection refused

1 
    readinessProbe:
      httpGet:
        path: /auth/realms/master
        port: 80
      initialDelaySeconds: 30
      timeoutSeconds: 30

NAME READY STATUS RESTARTS AGE IP
keycloak-69ff967c87-p9hp8 0/1 Running 0 20m 172.16.127.171

Events:
Type Reason Age From Message

Normal Scheduled 7m59s default-scheduler Successfully assigned default/keycloak-69ff967c87-p9hp8
Normal Pulling 7m58s kubelet Pulling image “quay.io/keycloak/keycloak:12.0.2
Normal Pulled 7m58s kubelet Successfully pulled image “quay.io/keycloak/keycloak:12.0.2” in 197.052976ms
Normal Created 7m58s kubelet Created container keycloak
Normal Started 7m58s kubelet Started container keycloak
Warning Unhealthy 2m55s (x28 over 7m25s) kubelet Readiness probe failed: Get “80/auth/realms/master”: dial tcp 172.16.127.171:80: connect: connection refused

2

Hi,
you can leverage on the built-in Microprofile endpoints for this but you need to bind the management.address to any interfaces.
Ex :

      # Bind management addresses to any interface in order to get health and metrics Microprofile endpoints
  args: ["-b", "0.0.0.0", "-Djboss.bind.address.management=0.0.0.0"]
  imagePullPolicy: Always
  readinessProbe:
    failureThreshold: 3
    httpGet:
      path: /health/ready
      port: admin
      scheme: HTTP
    periodSeconds: 30
    successThreshold: 1
    timeoutSeconds: 5
    initialDelaySeconds: 90
  livenessProbe:
    failureThreshold: 3
    httpGet:
      path: /health/live
      port: admin
      scheme: HTTP
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 30
    initialDelaySeconds: 90
  ports:
    - containerPort: 443
      name: https
    - containerPort: 8080
      name: http
    - containerPort: 9990
      name: admin
3

Does not look anything like what the documentation has. So the placement of that arg is right before the redinessProbe in the YAML?

4

It does not appear to have made any difference:

LAST SEEN TYPE REASON OBJECT MESSAGE
2m9s Warning Unhealthy pod/keycloak-594f7b975b-9dhfc Readiness probe failed: Get “http://172.16.127.174:80/auth/realms/master”: dial tcp 172.16.127.174:80: connect: connection refused
117s Warning Unhealthy pod/keycloak-64fccfdf44-n46k7 Readiness probe failed: Get “http://172.16.127.175:80/auth/realms/master”: dial tcp 172.16.127.175:80: connect: connection refused

5

It is fixed. Configuration issues on my side.

Thanks

6

Hello, I am facing the same configuration issue… Any hints how I can solve it?

7

Sometimes keycloak is simply taking too long to initialize.

Start the pod, follow the logs for keycloak.

The line marking a successful keycloak initialization looks like

INFO  [org.jboss.as.server] (ServerService Thread Pool -- 46) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")

See if you can get to that line before you get a failed probe.

If the probe fails before that line, you’ll probably have too little resources on the server, or have a database problem.

You can try to increase probe times.