In trying to get Keycloak installed on k8s via the operator, I encountered a number of issues that need attention:
- There is no way to configure the `storageClassName` for PersistentVolumeClaims, so clusters need to have a default StorageClass, and be fine with deploying the DB backing store on that class.
- There is no way to configure resource requests/limits, and no defaults are provided.
- There is no way to configure the `frontendUrl`, affecting both the server config, and the Ingress (if enabled).
- Per above, the default Ingress created by the operator has a host property of `*`, which is unlikely to be desired or useful. It is also unsecured (HTTP 80 only). Suggest `cert-manager`-compatible handling of Ingress certificates (both auto-generated via issuer annotations, and `tls/secretRef` for pre-existing certs).
- The Service created for the frontend has a `service.alpha.openshift.io/serving-cert-secret-name` annotation, which I'm guessing on openshift does some sort of TLS tunnelling, but on vanilla k8s does nothing. The symptom that leads me to presume this is that attempting to connect to port 8443 via the service results in a failure to negotiate TLS, and a dropped connection, resulting in no access to the server. Perhaps this is actually due to a lack of TLS certs in the container or something though, rather than something openshift-specific; either way, the service is inaccessible.
- Having worked around this by creating a custom service pointing to port 8080 in the container, and disabling the operator-provisioned Ingress, I'm able to create a functional external Ingress, and gain access to the welcome screen at `keycloak.example.com/auth/`; however, clicking on the link to the admin console (`keycloak.example.com/auth/admin/`), I'm redirected to the OIDC login page, and get an `Invalid parameter: redirect_uri` error, as described here. Deleting the operator and adding the env var suggested there did indeed allow successful login.
So, with a bunch of hacking:
- create custom service pointing to insecure server container port 8080
- create custom ingress
- delete operator
- modify StatefulSet to add `PROXY_ADDRESS_FORWARDING="true"` env var
It is possible to get a Keycloak instance running on vanilla k8s via the operator, but it’s far from optimal, and at this stage I’ve not thoroughly tested everything to make sure that it is fully functional (if anything internal is using the 8443 port it will not work), since this is clearly not a hack I’m willing to put into production. And since the operator must be deleted/disabled, realms/etc clearly can’t be managed via CRDs in this state anyway.
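For reference, the manifests below are an added example (not part of this report, the operator, or the Keycloak project) showing the two custom objects from the workaround above together with the `cert-manager`-style TLS handling suggested earlier: a Service that targets the plain HTTP container port 8080, and an Ingress for `keycloak.example.com` that terminates TLS with a certificate either issued automatically via a `cert-manager.io/cluster-issuer` annotation or taken from a pre-existing secret named in `tls[].secretName`. The namespace `keycloak`, the pod selector label `app: keycloak`, the issuer name `letsencrypt-prod`, the secret name `keycloak-tls` and the `nginx` ingress class are all assumptions and must be adjusted to match the cluster.

```yaml
# Added example manifests; namespace, labels, issuer and class names are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-http
  namespace: keycloak            # assumption: namespace the operator deployed into
spec:
  type: ClusterIP
  selector:
    app: keycloak                # assumption: label carried by the operator's Keycloak pods
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080           # plain HTTP container port; avoids the broken 8443 TLS path
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    # Auto-issued certificate: cert-manager's ingress-shim watches this annotation and
    # writes the resulting certificate into the secret named under spec.tls[].secretName.
    # For a pre-existing certificate, drop this annotation and create the secret yourself.
    cert-manager.io/cluster-issuer: letsencrypt-prod   # assumption: issuer name
    # Keycloak behind a TLS-terminating proxy needs the original scheme/host forwarded,
    # which is why PROXY_ADDRESS_FORWARDING must also be set on the StatefulSet.
spec:
  ingressClassName: nginx        # assumption: ingress controller in use
  tls:
    - hosts:
        - keycloak.example.com
      secretName: keycloak-tls   # assumption: secret holding tls.crt / tls.key
  rules:
    - host: keycloak.example.com # explicit host instead of the operator's "*"
      http:
        paths:
          - path: /auth
            pathType: Prefix
            backend:
              service:
                name: keycloak-http
                port:
                  number: 8080
```

After applying these with `kubectl apply -f`, the remaining step from the list above (once the operator is no longer reconciling the StatefulSet) can be done with `kubectl -n keycloak set env statefulset/keycloak PROXY_ADDRESS_FORWARDING=true`, where `keycloak` as the StatefulSet name is again an assumption. Without that variable the server builds its redirect URIs from the in-cluster HTTP address rather than the public HTTPS one, which is the `Invalid parameter: redirect_uri` failure described above.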