
feature: Set scheme for probes and serviceMonitor #784

Merged (1 commit), Aug 23, 2024

Conversation

TheBigLee
Contributor

@TheBigLee TheBigLee commented Jul 30, 2024

The new health endpoints used by the three probes (liveness, readiness
and startup) as well as the metrics endpoint are now served on a
dedicated interface with its own port. The scheme of the interface only
serves HTTP or HTTPS. If the main keycloak interface serves HTTPS,
the internal management interface will also serve HTTPS, regardless of whether
the main keycloak interface serves plain HTTP or not.

It's therefore impossible for the probes or the serviceMonitor to work
with a plain HTTP scheme if keycloak has HTTPS enabled.

We therefore need a way to specify the scheme of the internalPort via
helm values to be able to set a custom scheme for the probes and the
serviceMonitor.

This fixes #778 and #781

@TheBigLee TheBigLee requested a review from a team as a code owner July 30, 2024 09:14
@mruzicka

mruzicka commented Aug 1, 2024

@TheBigLee, the scheme should not be hardcoded, it would break the probes for everyone (us included) who runs Keycloak on http (behind an SSL-terminating proxy) by providing these values to the chart:

proxy:
  enabled: true
  mode: xforwarded
  http:
    enabled: true

I.e. the scheme should be conditional on the .Values.enabled and .Values.http.enabled values.

Edit: It turns out it is enough to set .Values.http.enabled to true, for Keycloak to be run on http.

@TheBigLee
Contributor Author

TheBigLee commented Aug 6, 2024

It's actually more complicated than that.
Keycloak itself can run on http, https or both. The management interface, however, can only run on http or https. If Keycloak itself is running on https, then the management interface will run on https as well.
The chart itself currently doesn't support setting up HTTPS directly for Keycloak. You have to set the KC_HTTPS_CERTIFICATE_FILE env variable via the extraEnv chart variable and load the certificate and key using the extraVolumes chart variable.

So there is actually no easy way to automatically determine the correct scheme for the probes.
I've refactored the code and defined a new variable http.internalScheme that can easily be overridden in the chart. Hopefully this approach is acceptable.

Edit: I found out that the serviceMonitor also needs the scheme set to https if the internal management interface is served via https. I've amended the code accordingly.
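As an added example (not the chart's own code), the scheme decision from this thread modelled in Python: which scheme the probes and the ServiceMonitor must use given the chart values, with the http.internalScheme override taking precedence. The port name and the health paths are assumptions (the paths are Keycloak's standard health endpoints).

```python
# Added example (not code from the codecentric/keycloak chart): derive the scheme
# that the probes and the ServiceMonitor must use for Keycloak's management
# interface from Helm values, following the rules given in the discussion above.
# Only http.enabled, http.internalScheme, extraEnv and KC_HTTPS_CERTIFICATE_FILE
# come from the thread; the port name and the health paths are assumptions.

KEYCLOAK_HEALTH_PATHS = {"liveness": "/health/live",
                         "readiness": "/health/ready",
                         "startup": "/health/started"}


def https_configured(values: dict) -> bool:
    """HTTPS on Keycloak's main interface is only reachable in this chart via
    KC_HTTPS_CERTIFICATE_FILE in extraEnv, so that is the signal we look for."""
    return any(env.get("name") == "KC_HTTPS_CERTIFICATE_FILE" and env.get("value")
               for env in values.get("extraEnv", []))


def internal_scheme(values: dict) -> str:
    """Scheme of the management interface. An explicit http.internalScheme wins.
    Otherwise it is HTTPS whenever the main interface has HTTPS, even with
    http.enabled=true, because the management interface serves a single scheme."""
    override = values.get("http", {}).get("internalScheme")
    if override:
        if override.upper() not in ("HTTP", "HTTPS"):
            raise ValueError(f"unsupported http.internalScheme: {override!r}")
        return override.upper()
    return "HTTPS" if https_configured(values) else "HTTP"


def http_get_probe(values: dict, probe: str, port_name: str = "http-internal") -> dict:
    """Kubernetes httpGet probes spell the scheme in upper case (HTTP/HTTPS)."""
    return {"httpGet": {"path": KEYCLOAK_HEALTH_PATHS[probe],
                        "port": port_name,
                        "scheme": internal_scheme(values)}}


def service_monitor_endpoint(values: dict, port_name: str = "http-internal") -> dict:
    """Prometheus Operator ServiceMonitor endpoints spell it in lower case and
    default to http, so the key is only emitted for https. A tlsConfig matching
    the certificate (CA, serverName) must be added separately for https."""
    endpoint = {"port": port_name, "path": "/metrics", "interval": "30s"}
    if internal_scheme(values) == "HTTPS":
        endpoint["scheme"] = "https"
    return endpoint
```

Note the case difference: a probe scheme copied verbatim into a ServiceMonitor (or vice versa) is rejected by the respective API, which is why the two renderers are kept apart.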

@TheBigLee TheBigLee changed the title FIX: Probes internalPort requires HTTPS scheme feature: Set scheme for probes Aug 6, 2024
@TheBigLee TheBigLee changed the title feature: Set scheme for probes feature: Set scheme for probes and serviceMonitor Aug 6, 2024
The new health endpoints used by the three probes (liveness, readiness
and startup) as well as the metrics endpoint are now served on a
dedicated interface with its own port. The scheme of the interface only
serves HTTP or HTTPS. If the main keycloak interface serves HTTPS,
the internal management interface will also serve HTTPS, regardless of whether
the main keycloak interface serves plain HTTP or not.

It's therefore impossible for the probes or the serviceMonitor to work
with a plain HTTP scheme if keycloak has HTTPS enabled.

We therefore need a way to specify the scheme of the internalPort via
helm values to be able to set a custom scheme for the probes and the
serviceMonitor.

Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>
@pascal-sochacki pascal-sochacki merged commit 5c65821 into codecentric:master Aug 23, 2024
3 checks passed
Successfully merging this pull request may close these issues.

Keycloak 25.0.0 Helm Chart deployment -> CrashLoop