aws-samples/cdk-keycloak

Quarkus versions not deployable (keycloak > 16)

wiedsche opened this issue ยท 7 comments

The quarkus versions of Keycloak (versions > 16) are not deployable with cdk-keycloak.

The setup of the stack works correctly, except the startup of the Keycloak service in fargate:

The issues are related to:

  • Database connection
    • Database connection to singleDbInstance configurations are not working: quarkus.datasource.jdbc.driver is set to 'com.mysql.cj.jdbc.MysqlXADataSource' but it is build time fixed to 'org.h2.jdbcx.JdbcDataSource'
    • In aurora setup the same: Connection url is not supported: mysql.
    • Issue comes with the hardcoded "--optimized" startup parameter, that only has support in the default
  • JGroups causes failing startup:
    • Error while trying to create a channel using the specified configuration file: default-configs/default-jgroups-ec2.xml
    • and unable to load protocol org.jgroups.aws.s3.NATIVE_S3_PING (either with relative - org.jgroups.aws.s3.NATIVE_S3_PING - or absolute - org.jgroups.protocols.org.jgroups.aws.s3.NATIVE_S3_PING - class name)

Tested with keycloakVersion settings kc.KeycloakVersion.V19_0_3, kc.KeycloakVersion.V20_0_3, kc.KeycloakVersion.V21_0_1 and kc.KeycloakVersion.of('21.1.1').

Or is there a suggested workaround / different approach to use a custom image? Then this should be at least documented in the readme.

Hints from myself:

  • building a custom image of keycloak with a buildstep, that sets mysql as database engine solves the issue with the database.
  • adding jar files for jgroups and s3 within the custom image, solves the issue with cluster sync.

Anyways, without using a custom image of keycloak, cdk-keycloak could currently not be used. Also the documentation is incomplete.

I am also getting this error when I use the following cdk stack

#!/usr/bin/env python3
import os

import aws_cdk as cdk
import aws_cdk.aws_rds as rds 
from cdk_keycloak import KeyCloak, KeycloakVersion

app = cdk.App()
env = cdk.Environment(region="eu-west-1", account="xxxx")

stack = cdk.Stack(app, "keycloak-demo", env=env)

mysso = KeyCloak(stack, "KeyCloak",
    certificate_arn="arn:aws:acm:eu-west-1:xxx:certificate/aec6b1ac-df36-449b-a2e2-xxxxxx",
    keycloak_version=KeycloakVersion.V21_0_1,
    cluster_engine = rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_2_11_2),
    hostname = "keycloak-ecs",
    database_removal_policy=cdk.RemovalPolicy.DESTROY
)

app.synth()

Did you create a custom container image and then over-ride the image pulled in via this construct?

I build a custom image with a Dockerfile:

FROM quay.io/keycloak/keycloak:21.1.1 as builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Configure a database vendor
ENV KC_DB=mysql

WORKDIR /opt/keycloak

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:21.1.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

CDK script:

      const keycloak: kc.KeyCloak = new kc.KeyCloak(this, 'KeyCloak', {
                keycloakVersion: kc.KeycloakVersion.of('21.1.1'), // could be omitted, as we set the image directly
                hostname: 'myhostname',
                // override container image
                containerImage: myimage,
...

By setting the database vendor in the image, the optimized startup will work.
Perhaps the --optimized parameter should be configurable in cdk and not hardcoded - at least for development setups?

The next issue after solving the database config, will be the invalid default cache configuration. I solved this by adding additional provider jars in the Dockerfile. But I like to solve it somehow different - e.g. make it configurable that it works without a custom image.

Yup, this worked for me and I now have a working setup. This is what I ended up with:

FROM quay.io/keycloak/keycloak:21.1.1 as builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Configure a database vendor
ENV KC_DB=mysql

WORKDIR /opt/keycloak

COPY /providers /opt/keycloak/providers/
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:21.1.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/
COPY --from=builder /opt/keycloak/providers/ /opt/keycloak/providers/

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

I copied across aws-java-sdk-core-1.12.410.jar aws-java-sdk-s3-1.12.410.jar jgroups-aws-2.0.1.Final.jar joda-time-2.12.2.jar (in my local providers directory)

And then I got it to (eventually work) by using the following CDK

#!/usr/bin/env python3
import os

import aws_cdk as cdk
import aws_cdk.aws_rds as rds 
import aws_cdk.aws_ecs as ecs
from cdk_keycloak import KeyCloak, KeycloakVersion

app = cdk.App()
env = cdk.Environment(region="eu-west-1", account="xxxxxx")

stack = cdk.Stack(app, "keycloak-demo", env=env)

mysso = KeyCloak(stack, "KeyCloak",
    certificate_arn="arn:aws:acm:eu-west-1:xxxxx:certificate/aec6b1ac-df36-449b-a2e2-xxxxxxxx",
    keycloak_version=KeycloakVersion.V21_0_1,
    cluster_engine = rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_2_11_2),
    hostname = "keycloak.ricsue.dev",
    env = { "KEYCLOAK_FRONTEND_URL" : "https://keycloak.ricsue.dev"},
    container_image = ecs.ContainerImage.from_registry("xxxxx.dkr.ecr.eu-west-1.amazonaws.com/keycloak:21.1.1-amd64"),
    database_removal_policy=cdk.RemovalPolicy.DESTROY
)

app.synth()

I am not getting any errors now, so massive thank you. There is no way I would have got to this without your help above.

That's totally correct. ๐Ÿ‘
I did it the same way. I used as provider jars some more recent versions of them:

  • aws-java-sdk-core-1.12.477.jar
  • aws-java-sdk-s3-1.12.477.jar
  • jgroups-5.2.2.Final.jar
  • jgroups-aws-2.0.1.Final.jar
  • joda-time-2.12.2.jar

I added as well jgroups-5.2.2.Final.jar as it is listed as dependency of jgroups-aws in maven central.

Is the KEYCLOAK_FRONTEND_URL env parameter really required?

I am not sure whether KEYCLOAK_FRONTEND_URL is required but the issue I had is that I could not access the Admin console, and googling it folk suggested you needed to set it. When I set it, it did work however, I did also change the hostname to be the same so I made the classic "mistake" of making more than one change. What I did notice is that in the Admin console html I saw the following snippet towards the end :



<script id="environment" type="application/json">
--
  | {
  | "loginRealm": "master",
  | "authServerUrl": "https://keycloak.ricsue.dev",
  | "authUrl": "https://keycloak.ricsue.dev",
  | "consoleBaseUrl": "/admin/master/console/",
  | "resourceUrl": "/resources/pucwx/admin/keycloak.v2",
  | "masterRealm": "master",
  | "resourceVersion": "pucwx",
  | "isRunningAsTheme": true
  | }

and authServerUrl was changed with one of those values, and authUrl the other. So it might need both, but not 100% sure.

I did wonder about using newer versions of the jar files, so now I know you have tried this out I will probably update mine too.