I’ve read the documentation here Configuring the Management Interface - Keycloak and I can’t find a solution to this. When I run Keycloak with metrics and health enabled, I see that it comes up with
Keycloak 25.0.0 on JVM (powered by Quarkus 3.8.5) started in 7.471s. Listening on:
http://0.0.0.0:8080 and https://0.0.0.0:8443.
Management interface listening on https://0.0.0.0:9000.
How can I get the management server to run over HTTP, rather than HTTPS?
For reference, I am also setting the following parameters:
IMHO it’s not possible to run the mgmt interface on http, if the “main” server has https certificates configured. You can only configure different certificates for the mgmt interface, but not run it on http.
Or, you have to operate completely without http on the Keycloak server, then also mgmt is http.
Thanks for the clarification. Although, it’s not a particularly “clear” choice, IMO. I’m sticking with KC_LEGACY_OBSERVABILITY_INTERFACE for now, and then will figure out what to do between now and 26.
Discuss it with the team!
For metrics, I don’t see a big issue.
For health, yes, there might be issues with LBs not able to use proper https for health checks.
I’m planning to. First I want to get a sense of how things work so I can write a good issue. LBs are definitely a problem, but metrics also potentially. A lot of customers I work with, for better or worse, run http for internal things like metrics. Furthermore, a lot of people run http exclusively internally and let their ingress/LBs handle SSL termination for requests from the outside world. I don’t have to agree with it in order to need to figure out a solution for them.
Yes, for the “agree”, no for the solution.
I usually tell most of my customers that they will eventually have to deal with the requirements a software has, if they want to use it. These “features” will increase in the future. So better be prepared than be late.
If anyone gets to this post and is looking for a temporary fix in their k8s environment, I validated that k8s http probes, which can be used for readiness and liveness probes, do not by default check the cert for validity:
If scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification.
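The Kubernetes workaround described in the post above, written out as an added example (it is not the poster's own manifest and not from the Keycloak project): a Deployment fragment that leaves the Keycloak 25 management interface on HTTPS (port 9000) and has the kubelet probe it with `scheme: HTTPS`, which skips certificate verification. The image tag, secret name, certificate mount paths, hostname and the `/health/ready` and `/health/live` paths are assumptions for illustration.

```yaml
# Added example, not from the thread or the Keycloak project.
# Assumptions: image tag, TLS secret name, mount path, hostname and the
# /health/* paths are illustrative; the management port 9000 and the
# KC_HEALTH_ENABLED / KC_METRICS_ENABLED variables follow Keycloak's defaults.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:25.0.0   # version taken from the thread's log line
          args: ["start"]
          env:
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
            # Main server certificates; with these set, the management
            # interface also comes up on HTTPS (the thread's conclusion).
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: /etc/keycloak/tls/tls.crt   # assumed mount path
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: /etc/keycloak/tls/tls.key   # assumed mount path
            - name: KC_HOSTNAME
              value: keycloak.example.internal   # placeholder hostname
          ports:
            - name: https
              containerPort: 8443
            - name: management
              containerPort: 9000
          volumeMounts:
            - name: tls
              mountPath: /etc/keycloak/tls
              readOnly: true
          # scheme: HTTPS makes the kubelet send an HTTPS request without
          # verifying the certificate, so an internal-CA or self-signed
          # certificate on port 9000 does not fail the probe.
          readinessProbe:
            httpGet:
              path: /health/ready
              port: management
              scheme: HTTPS
            initialDelaySeconds: 30
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /health/live
              port: management
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 30
      volumes:
        - name: tls
          secret:
            secretName: keycloak-tls   # placeholder secret name
```

This covers the kubelet only. A metrics scraper that does verify TLS (for example Prometheus with its default `tls_config`) still needs to trust the certificate served on port 9000, so the cert should be issued by a CA the scraper trusts rather than relying on the probe's lack of verification.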
I really think this was a bad idea to only allow https for the management interface.
This can be problematic when running behind a reverse-proxy on which we have no control.
It should be possible to enable both http and https for the management interface, like it is for the ‘normal’ interface.
Valid opinion, @omasseau. But complaining here doesn’t help as this is a community forum to get help from the community. If you have valid arguments to improve Keycloak, you should start a discussion at Keycloak’s GitHub repository, as this is the place where maintainers read.