keycloak_quarkus fails to start upon installation
fmarchioni opened this issue · 19 comments
SUMMARY
I have installed keycloak with Quarkus as follows:
ansible-playbook -i host.ini playbooks/keycloak_quarkus.yml -e keycloak_quarkus_admin_pass=Password1234 --ask-become-pass
When the installation completes, it fails to start the keycloak server:
TASK [middleware_automation.keycloak.keycloak_quarkus : Wait until keycloak becomes active http://localhost:8443:8080/realms/master/.well-known/openid-configuration] ***
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://localhost:8443:8080/realms/master/.well-known/openid-configuration (25 retries left).
I've also tried starting the server from /opt/keycloak with the 'keycloak' user but it does not start and no information is logged:
[keycloak@fedora bin]$ ./kc.sh start-dev
Updating the configuration and installing your custom providers, if any. Please wait.
ISSUE TYPE
- Bug Report
ANSIBLE VERSION
ansible --version
ansible [core 2.13.5]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/francesco/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/francesco/.local/lib/python3.10/site-packages/ansible
ansible collection location = /home/francesco/.ansible/collections:/usr/share/ansible/collections
executable location = /home/francesco/.local/bin/ansible
python version = 3.10.8 (main, Nov 14 2022, 00:00:00) [GCC 11.3.1 20220421 (Red Hat 11.3.1-3)]
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
ansible-galaxy collection list
# /home/francesco/.ansible/collections/ansible_collections
Collection Version
------------------------------ -------
ansible.posix 1.5.4
middleware_automation.common 1.1.2
middleware_automation.keycloak 1.2.8
# /home/francesco/.local/lib/python3.10/site-packages/ansible_collections
Collection Version
----------------------------- -------
amazon.aws 3.5.0
ansible.netcommon 3.1.3
ansible.posix 1.4.0
ansible.utils 2.6.1
ansible.windows 1.11.1
arista.eos 5.0.1
awx.awx 21.7.0
azure.azcollection 1.13.0
check_point.mgmt 2.3.0
chocolatey.chocolatey 1.3.1
cisco.aci 2.2.0
cisco.asa 3.1.0
cisco.dnac 6.6.0
cisco.intersight 1.0.19
cisco.ios 3.3.2
cisco.iosxr 3.3.1
cisco.ise 2.5.5
cisco.meraki 2.11.0
cisco.mso 2.0.0
cisco.nso 1.0.3
cisco.nxos 3.2.0
cisco.ucs 1.8.0
cloud.common 2.1.2
cloudscale_ch.cloud 2.2.2
community.aws 3.6.0
community.azure 1.1.0
community.ciscosmb 1.0.5
community.crypto 2.7.0
community.digitalocean 1.22.0
community.dns 2.3.3
community.docker 2.7.1
community.fortios 1.0.0
community.general 5.7.0
community.google 1.0.0
community.grafana 1.5.3
community.hashi_vault 3.3.1
community.hrobot 1.5.2
community.libvirt 1.2.0
community.mongodb 1.4.2
community.mysql 3.5.1
community.network 4.0.1
community.okd 2.2.0
community.postgresql 2.2.0
community.proxysql 1.4.0
community.rabbitmq 1.2.2
community.routeros 2.3.0
community.sap 1.0.0
community.sap_libs 1.3.0
community.skydive 1.0.0
community.sops 1.4.1
community.vmware 2.10.0
community.windows 1.11.0
community.zabbix 1.8.0
containers.podman 1.9.4
cyberark.conjur 1.2.0
cyberark.pas 1.0.14
dellemc.enterprise_sonic 1.1.2
dellemc.openmanage 5.5.0
dellemc.os10 1.1.1
dellemc.os6 1.0.7
dellemc.os9 1.0.4
f5networks.f5_modules 1.20.0
fortinet.fortimanager 2.1.5
fortinet.fortios 2.1.7
frr.frr 2.0.0
gluster.gluster 1.0.2
google.cloud 1.0.2
hetzner.hcloud 1.8.2
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.10.0
infinidat.infinibox 1.3.3
infoblox.nios_modules 1.4.0
inspur.ispim 1.1.0
inspur.sm 2.2.0
junipernetworks.junos 3.1.0
kubernetes.core 2.3.2
mellanox.onyx 1.0.0
netapp.aws 21.7.0
netapp.azure 21.10.0
netapp.cloudmanager 21.20.1
netapp.elementsw 21.7.0
netapp.ontap 21.24.1
netapp.storagegrid 21.11.1
netapp.um_info 21.8.0
netapp_eseries.santricity 1.3.1
netbox.netbox 3.8.0
ngine_io.cloudstack 2.2.4
ngine_io.exoscale 1.0.0
ngine_io.vultr 1.1.2
openstack.cloud 1.10.0
openvswitch.openvswitch 2.1.0
ovirt.ovirt 2.2.3
purestorage.flasharray 1.14.0
purestorage.flashblade 1.10.0
purestorage.fusion 1.1.1
sensu.sensu_go 1.13.1
servicenow.servicenow 1.0.6
splunk.es 2.1.0
t_systems_mms.icinga_director 1.31.0
theforeman.foreman 3.7.0
vmware.vmware_rest 2.2.0
vultr.cloud 1.1.0
vyos.vyos 3.0.1
wti.remote 1.0.4
STEPS TO REPRODUCE
Using the following host.ini
[keycloak]
localhost ansible_connection=local
playbooks/keycloak_quarkus.yml is only an example, not really an entry point for the collection: I suggest you start with a base playbook like
---
- name: Playbook for Keycloak X Hosts
  hosts: all
  vars:
    # role variable name as used by the collection (same as the -e override above)
    keycloak_quarkus_admin_pass: "remembertochangeme"
  roles:
    - middleware_automation.keycloak.keycloak_quarkus
then you can start adding configuration on top of it and relaunch. If you need https, before ansible runs with:
keycloak_quarkus_https_enabled: True
keycloak_quarkus_key_file: conf/key.pem
keycloak_quarkus_cert_file: conf/cert.pem
you'll need to make the key and cert files available on the target host.
Thanks for the prompt response @guidograzioli . Keycloak server now starts up.
However, when trying to load the admin console it gets stuck:
http://localhost:8080 -> Administration Console -> http://localhost:8080/admin/master/console/
From the logs I see there's this info:
2023-09-09 12:44:47,989 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: localhost, Strict HTTPS: false, Path: auth, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
Which is a bit different from the same INFO of a keycloak installed from the zip file:
2023-09-09 12:48:11,623 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: false
Maybe some var settings are missing?
I made it work by commenting out the following entries in the keycloak.conf:
#hostname=localhost
#hostname-path=auth
I just did a diff with the keycloak.conf from the zip distribution and I could see the above params are not included.
You are correct, the following:
hostname-path=auth
is a setting which moves the webapp context from / to /auth/ (not a default for keycloak quarkus, but a setting applied by default by the collection, to deploy the keycloak webapp at the same context path for both keycloak-legacy and keycloak-quarkus).
I see. OK, setting keycloak_quarkus_http_relative_path to blank solves the issue with the auth path:
---
- name: Playbook for Keycloak X Hosts
  hosts: all
  vars:
    keycloak_quarkus_admin_pass: "AdminPassword12345"
    keycloak_quarkus_http_relative_path: ""
  roles:
    - middleware_automation.keycloak.keycloak_quarkus
On the other hand, the Ansible playbook will still create a Keycloak config with hostname=localhost that causes the Admin UI to hang.
I've tried setting:
keycloak_quarkus_host: ""
However that causes the start-up (post installation) to fail:
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://:8080/realms/master/.well-known/openid-configuration (25 retries left).
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://:8080/realms/master/.well-known/openid-configuration (24 retries left).
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://:8080/realms/master/.well-known/openid-configuration (23 retries left).
Overall, it's weird that setting "hostname=localhost" in conf/keycloak.conf causes the Admin UI to hang.
Gotcha, I'll need to debug this with the browser inspector
seeing the same exact issue, unable to solve it so far
for my setup (no reverse proxy), I was able to solve this by removing the proxy line from the config. the ansible role doesn't have the ability to do this, and setting proxy=none also doesn't seem to work
I am also failing to access the admin console after a successful playbook run with a simple:
- name: Install Keycloak
  vars:
    keycloak_quarkus_admin_pass: "myverylongpassword"
  ansible.builtin.include_role:
    name: middleware_automation.keycloak.keycloak_quarkus
From what I can see, the problem seems related to the current default configuration trying to redirect to https://localhost instead of the default http://localhost:8080.
Removing proxy= as suggested in the linked PR changes something but still doesn't solve the issue: it tries to connect to https://localhost:8443, which is not enabled/reachable by default (only http is).
The console will always force promotion of http to https when in production mode; to have it running on 8080 without a proxy, in addition to the above, you will need to start in dev mode, as:
keycloak_quarkus_start_dev: true
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_frontend_url: 'http://localhost:8080/'
The test above is an example of the setup
keycloak_quarkus_start_dev: true keycloak_quarkus_proxy_mode: none keycloak_quarkus_frontend_url: 'http://localhost:8080/'
still can't login to the admin console, is keycloak_quarkus_frontend_url really used? I don't see any other reference than just the variable declaration
still can't login to the admin console, is keycloak_quarkus_frontend_url really used? I don't see any other reference than just the variable declaration
ouch that's right, the variable is a leftover from the migration from keycloak-legacy (supposed to offer a compatibility config point, but not yet worked on). nevertheless, the two params that do the trick are keycloak_quarkus_start_dev and keycloak_quarkus_proxy_mode. If you still can't log in to the console, after having emptied the browser cache, please:
- pull current main HEAD
- make sure nothing runs on localhost:8080
- run molecule converge -s quarkus-devmode
- open http://localhost:8080/ then click on admin console and verify you can log in with admin / remembertochangeme
- if not, please send through the log file at /var/log/keycloak/keycloak.log on the container (molecule login -s quarkus-devmode)
ok I think I got it, I have a working localhost setup with:
# Hostname for the Keycloak server.
hostname=localhost
hostname-port=8080
hostname-path should be defined only when behind a proxy (otherwise it just generates redirects which lead to 404).
hostname-port should be configured according to keycloak_quarkus_http_port or the port where the proxy is running.
Thanks for all the hints!
I've raised a quick PR for handling hostname-port, then I think it would be a good idea to document in the playbooks a working example for localhost/dev deployment.
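The findings in this thread (hostname-path only behind a proxy, hostname-port matching the reachable port, a proxy mode on a plain localhost install) can be turned into a small pre-flight check over the generated conf/keycloak.conf. The following is an added example, not code from the collection or from Keycloak: the checker, its rules, the "none" default it assumes for a missing proxy key, and the sample configs are all constructed for this illustration and are not the collection's templates.

```python
"""Sanity checks for a Keycloak (Quarkus) conf/keycloak.conf.

Added example for this thread, not code from the collection or from Keycloak.
The rules encode what the thread found (assumptions, not documented Keycloak rules):
  * hostname-path only makes sense behind a reverse proxy; without one the
    redirects land on a context path nothing serves (404).
  * hostname-port must match the port clients actually reach (http-port, or
    the proxy's port when proxied).
  * a proxy mode (edge/reencrypt/passthrough) on a plain localhost install
    makes the console redirect to an endpoint nothing serves.
"""

PROXY_MODES = {"edge", "reencrypt", "passthrough"}
DEFAULT_HTTP_PORT = "8080"  # assumption: Keycloak's default http-port


def parse_keycloak_conf(text):
    """Parse keycloak.conf text (one key=value per line, '#' comments) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are ignored
            conf[key.strip()] = value.strip()
    return conf


def check_keycloak_conf(conf):
    """Return a list of findings; an empty list means no inconsistency detected."""
    findings = []
    proxy = conf.get("proxy", "none")  # assumption: missing key behaves like none
    proxied = proxy in PROXY_MODES
    hostname = conf.get("hostname")
    http_port = conf.get("http-port", DEFAULT_HTTP_PORT)

    if "hostname-path" in conf and not proxied:
        findings.append(
            "hostname-path=%s set without a reverse proxy: redirects will target "
            "a context path that is not served" % conf["hostname-path"])

    if not proxied and "hostname-port" in conf and conf["hostname-port"] != http_port:
        findings.append(
            "hostname-port=%s differs from http-port=%s with no proxy in front: "
            "console redirects will use the wrong port" % (conf["hostname-port"], http_port))

    if proxied and hostname == "localhost":
        findings.append(
            "proxy=%s combined with hostname=localhost: Keycloak expects a proxy that "
            "is not there on a localhost install; drop the proxy line "
            "(keycloak_quarkus_proxy_mode: none)" % proxy)

    return findings


# Constructed sample configs (not copied from any real host).
SAMPLES = {
    # resembles what the role generated in the thread: fixed hostname, /auth path, proxied
    "role_default": "hostname=localhost\nhostname-path=auth\nproxy=edge\nhttp-port=8080\n",
    # proxy line removed but hostname-path still present
    "path_without_proxy": "hostname=localhost\nhostname-path=auth\nhttp-port=8080\n",
    # hostname-port pointing at a port Keycloak is not listening on
    "port_mismatch": "hostname=localhost\nhostname-port=8443\nhttp-port=8080\n",
    # the working localhost setup from the end of the thread
    "working_local": "# Hostname for the Keycloak server.\nhostname=localhost\n"
                     "hostname-port=8080\nhttp-port=8080\n",
}


def check_samples():
    """Run the checker over every constructed sample; returns {name: findings}."""
    return {name: check_keycloak_conf(parse_keycloak_conf(text))
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(name, "->", findings or ["ok"])
```

Pointing `parse_keycloak_conf` at the real `/opt/keycloak/conf/keycloak.conf` after a playbook run gives a quick answer to "why does the console redirect somewhere unreachable" before the browser inspector is needed; the rules are deliberately limited to the three cases discussed here.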
The two PRs and the clarifications should be enough for closing, thanks everyone in this thread for contributing.