docker - Unable to Set Up Keycloak with Production Mode - Stack Overflow

Date: 2025-01-06 admin Industry

I'm using Keycloak (26.0.7) as the IAM solution for our application. I want to expose it via a URL. In the deployment setup I have a load balancer, Nginx and a Kubernetes cluster, where HTTPS will be terminated at the load balancer level. Load balancer to Nginx and Nginx to pod will be HTTP only.

I've used a Dockerfile to create a custom Keycloak image, as I need to mount the certificate file and private key file, and custom login themes as well.

Dockerfile

# Builder stage: as written it runs no build step, so `kc.sh start`
# (without --optimized) performs the build on every container start.
FROM quay.io/keycloak/keycloak:26.0.7 as builder
WORKDIR /opt/keycloak

FROM quay.io/keycloak/keycloak:26.0.7
# USER root is never reverted: the base image defaults to USER 1000,
# but this image runs Keycloak as root.
USER root
RUN mkdir -p /opt/keycloak/conf
# COPY bakes the certificate and the private key into an image layer;
# anyone who can pull the image can read the key.
COPY certificate.cer /opt/keycloak/conf/certificate.cer
COPY private.key /opt/keycloak/conf/private.key

RUN mkdir -p /opt/keycloak/themes/my-theme
COPY ./my-theme /opt/keycloak/themes/my-theme

RUN chmod 644 /opt/keycloak/conf/certificate.cer
# The key was copied as private.key above; the original referenced a
# non-existent decrypted_private.key, which fails the build.
RUN chmod 600 /opt/keycloak/conf/private.key

COPY --from=builder /opt/keycloak/ /opt/keycloak/

EXPOSE 8443
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--https-certificate-file=/opt/keycloak/conf/certificate.cer", "--https-certificate-key-file=/opt/keycloak/conf/private.key"]

Please also find keycloak-ingress.yml, keycloak-service.yml and keycloak-deployment.yml below.

keycloak-ingress.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-public-ingress
  namespace: foo
spec:
  ingressClassName: nginx
  rules:
  - host: abc.xyz
    http:
      paths:
      - backend:
          service:
            name: keycloak-service
            port:
              number: 8443
        path: /keycloak-service(/|$)(.*)
        pathType: ImplementationSpecific

keycloak-service.yml

apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8443
    targetPort: 8443
  selector:
    app: keycloak
  type: ClusterIP

keycloak-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-deployment
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: keycloak-service:0.0.1
        env:
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "password"
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KC_DB
          value: "mysql"
        - name: KC_DB_URL
          value: "jdbc:mysql://database_ip:3306/keycloak"
        - name: KC_DB_USERNAME
          value: "keycloak_user"
        - name: KC_DB_PASSWORD
          value: "changeit"
        - name: KC_HEALTH_ENABLED
          value: "true"
        - name: KC_METRICS_ENABLED
          value: "true"
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HOSTNAME
          value: "abc.xyz"
        - name: KC_HTTP_RELATIVE_PATH
          value: "/keycloak-service"
        ports:
        - name: http
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /keycloak-service/health/ready
            port: 8443

However, the readiness probe is failing, as per the following screenshot.
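For the topology described in the question (TLS terminated at the load balancer, plain HTTP from Nginx to the pod), the manifests below are an added example, not part of the original post and not Keycloak project code. They rely on three Keycloak 26 facts: production mode serves plain HTTP on 8080 when `KC_HTTP_ENABLED=true`; since Keycloak 25 the health and metrics endpoints live on a separate management interface (port 9000 by default, under the same relative path as the main interface), and that interface inherits TLS whenever `--https-certificate-file` is configured on the main one; and `KC_PROXY_HEADERS=xforwarded` is what makes Keycloak trust the proxy's `X-Forwarded-*` headers for scheme and host. The image name, hostname, database URL and `/keycloak-service` path are taken from the question; the Secret `keycloak-secrets` with keys `admin-password` and `db-password` is assumed to exist, and the image is assumed to be built without the `--https-*` entrypoint options.

```yaml
# Added example (not from the original post): Keycloak 26 behind a proxy that
# terminates TLS and speaks plain HTTP to the pod. Assumed: the image
# keycloak-service:0.0.1 starts without --https-* options, and a Secret named
# keycloak-secrets holds the admin and database passwords.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-deployment
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000            # default user of the official image
      containers:
      - name: keycloak
        image: keycloak-service:0.0.1
        env:
        # Keycloak 26 names; KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD are deprecated
        - name: KC_BOOTSTRAP_ADMIN_USERNAME
          value: "admin"
        - name: KC_BOOTSTRAP_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-secrets   # assumed Secret
              key: admin-password
        - name: KC_DB
          value: "mysql"
        - name: KC_DB_URL
          value: "jdbc:mysql://database_ip:3306/keycloak"
        - name: KC_DB_USERNAME
          value: "keycloak_user"
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-secrets   # assumed Secret
              key: db-password
        - name: KC_HEALTH_ENABLED
          value: "true"
        - name: KC_METRICS_ENABLED
          value: "true"
        # Plain HTTP towards Nginx on 8080; TLS ends at the load balancer
        - name: KC_HTTP_ENABLED
          value: "true"
        # Trust X-Forwarded-For/Proto/Host from the proxy so redirects and the
        # issuer use the public https URL instead of the pod address
        - name: KC_PROXY_HEADERS
          value: "xforwarded"
        - name: KC_HOSTNAME
          value: "https://abc.xyz/keycloak-service"
        - name: KC_HTTP_RELATIVE_PATH
          value: "/keycloak-service"
        ports:
        - name: http
          containerPort: 8080
        - name: management
          containerPort: 9000      # health and metrics in Keycloak 25+
        startupProbe:              # the build runs at start, so allow time
          httpGet:
            path: /keycloak-service/health/started
            port: management
          periodSeconds: 10
          failureThreshold: 30
        readinessProbe:
          httpGet:
            path: /keycloak-service/health/ready
            port: management       # plain HTTP here, since no TLS is configured
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  type: ClusterIP
  selector:
    app: keycloak
  ports:
  - name: http
    port: 8080
    targetPort: http               # port 9000 is deliberately not exposed
```

With this Service the Ingress backend port becomes 8080, and the management port stays reachable only from inside the pod network (the kubelet probes it directly), so health and metrics are not published through the Ingress. If the certificate options are kept instead, the management interface inherits HTTPS too, and an `httpGet` probe against it needs `scheme: HTTPS`.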