I'm using Keycloak (26.0.7) as the IAM solution for our application. I want to expose it via the https://abc.xyz.com/keycloak-service URL. In the deployment setup I have a load balancer, Nginx and a Kubernetes cluster, where HTTPS will be terminated at the load balancer level. Load balancer to Nginx and Nginx to pod will be HTTP only.
I've used a Dockerfile to create a custom Keycloak image as I need to mount the certificate file and private key file, and custom login themes as well.
Dockerfile
FROM quay.io/keycloak/keycloak:26.0.7 AS builder
WORKDIR /opt/keycloak
FROM quay.io/keycloak/keycloak:26.0.7
USER root
RUN mkdir -p /opt/keycloak/conf
COPY certificate.cer /opt/keycloak/conf/certificate.cer
COPY private.key /opt/keycloak/conf/private.key
RUN mkdir -p /opt/keycloak/themes/my-theme
COPY ./my-theme /opt/keycloak/themes/my-theme
RUN chmod 644 /opt/keycloak/conf/certificate.cer
# the key copied above is private.key, so the chmod must target that file
RUN chmod 600 /opt/keycloak/conf/private.key
COPY --from=builder /opt/keycloak/ /opt/keycloak/
EXPOSE 8443
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--https-certificate-file=/opt/keycloak/conf/certificate.cer", "--https-certificate-key-file=/opt/keycloak/conf/private.key"]
Please also find the following keycloak-ingress.yml, keycloak-service.yml and keycloak-deployment.yml.
keycloak-ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-public-ingress
  namespace: foo
spec:
  ingressClassName: nginx
  rules:
  - host: abc.xyz.com
    http:
      paths:
      - backend:
          service:
            name: keycloak-service
            port:
              number: 8443
        path: /keycloak-service(/|$)(.*)
        pathType: ImplementationSpecific
keycloak-service.yml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  labels:
    app: keycloak
spec:
  ports:
  - name: http
    port: 8443
    targetPort: 8443
  selector:
    app: keycloak
  type: ClusterIP
keycloak-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-deployment
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: keycloak-service:0.0.1
        env:
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "password"
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KC_DB
          value: "mysql"
        - name: KC_DB_URL
          value: "jdbc:mysql://database_ip:3306/keycloak"
        - name: KC_DB_USERNAME
          value: "keycloak_user"
        - name: KC_DB_PASSWORD
          value: "changeit"
        - name: KC_HEALTH_ENABLED
          value: "true"
        - name: KC_METRICS_ENABLED
          value: "true"
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HOSTNAME
          value: "abc.xyz.com"
        - name: KC_HTTP_RELATIVE_PATH
          value: "/keycloak-service"
        ports:
        - name: http
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /keycloak-service/health/ready
            port: 8443
However, the readiness probe is failing, as shown in the following screenshot.
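As an added example that is not part of the question and not the asker's manifests: the Dockerfile above copies the private key into the image (anyone who can pull the image gets the key) and the Deployment carries the admin and database passwords as plaintext env values. The variant below keeps the page's names (namespace foo, app: keycloak, image keycloak-service:0.0.1, the same KC_* settings) but moves the TLS material and the credentials into Kubernetes Secrets, so the image only needs the theme. The Secret names, the mount path /opt/keycloak/conf/tls, the PEM placeholders and the uid 1000 in fsGroup are assumptions; KC_HTTPS_CERTIFICATE_FILE and KC_HTTPS_CERTIFICATE_KEY_FILE are the env-var form of the two --https-certificate-* flags in the Dockerfile. The health/metrics settings and the readiness probe, which are what the question is about, are left out here.

```yaml
# Added example, not the asker's manifests: same Deployment shape, but the TLS
# key and the credentials come from Secrets instead of the image / plain env.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-tls            # assumed name
  namespace: foo
type: kubernetes.io/tls         # requires the keys tls.crt and tls.key
stringData:
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    (placeholder: paste the PEM certificate here)
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    (placeholder: paste the PEM private key here)
    -----END PRIVATE KEY-----
---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials    # assumed name
  namespace: foo
type: Opaque
stringData:
  admin-username: admin
  admin-password: "<placeholder: admin password>"
  db-username: keycloak_user
  db-password: "<placeholder: database password>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-deployment
  namespace: foo
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      securityContext:
        runAsNonRoot: true
        fsGroup: 1000             # assumed: the non-root uid the image runs as
      containers:
      - name: keycloak
        image: keycloak-service:0.0.1   # image now carries only the theme
        args: ["start"]
        env:
        - name: KEYCLOAK_ADMIN
          valueFrom:
            secretKeyRef: {name: keycloak-credentials, key: admin-username}
        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef: {name: keycloak-credentials, key: admin-password}
        - name: KC_DB
          value: "mysql"
        - name: KC_DB_URL
          value: "jdbc:mysql://database_ip:3306/keycloak"
        - name: KC_DB_USERNAME
          valueFrom:
            secretKeyRef: {name: keycloak-credentials, key: db-username}
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef: {name: keycloak-credentials, key: db-password}
        # env-var form of --https-certificate-file / --https-certificate-key-file
        - name: KC_HTTPS_CERTIFICATE_FILE
          value: /opt/keycloak/conf/tls/tls.crt
        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
          value: /opt/keycloak/conf/tls/tls.key
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HOSTNAME
          value: "abc.xyz.com"
        - name: KC_HTTP_RELATIVE_PATH
          value: "/keycloak-service"
        ports:
        - name: https
          containerPort: 8443
        volumeMounts:
        - name: tls
          mountPath: /opt/keycloak/conf/tls   # assumed mount path
          readOnly: true
      volumes:
      - name: tls
        secret:
          secretName: keycloak-tls
          defaultMode: 0440       # key readable by the fsGroup only, never world
```

With this layout the key can be rotated by replacing the Secret and restarting the pods, and the image can be rebuilt and shared without carrying any credential; the Dockerfile then only needs the theme COPY and should end with a non-root USER instead of staying on root.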
