keycloak_quarkus fails to start upon installation #108

Closed
fmarchioni opened this issue Sep 9, 2023 · 19 comments · Fixed by #109
Labels
bugfixes Fixes that resolve issues. SHOULD not be used for minor enhancements

Comments

@fmarchioni

SUMMARY

I have installed keycloak with Quarkus as follows:

ansible-playbook -i host.ini playbooks/keycloak_quarkus.yml -e keycloak_quarkus_admin_pass=Password1234 --ask-become-pass

When the installation completes, it fails to start the keycloak server:

TASK [middleware_automation.keycloak.keycloak_quarkus : Wait until keycloak becomes active http://localhost:8443:8080/realms/master/.well-known/openid-configuration] ***
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://localhost:8443:8080/realms/master/.well-known/openid-configuration (25 retries left).

I've also tried starting the server from /opt/keycloak with the 'keycloak' user but it does not start and no information is logged:

[keycloak@fedora bin]$ ./kc.sh start-dev
Updating the configuration  and installing your custom providers, if any. Please wait.


ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible --version
ansible [core 2.13.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/francesco/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/francesco/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/francesco/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/francesco/.local/bin/ansible
  python version = 3.10.8 (main, Nov 14 2022, 00:00:00) [GCC 11.3.1 20220421 (Red Hat 11.3.1-3)]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
ansible-galaxy collection list

# /home/francesco/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
ansible.posix                  1.5.4  
middleware_automation.common   1.1.2  
middleware_automation.keycloak 1.2.8  

STEPS TO REPRODUCE

Using the following host.ini

[keycloak]
localhost ansible_connection=local
@guidograzioli
Member

playbooks/keycloak_quarkus.yml is only an example, not really an entry point for the collection: I suggest you start with a base playbook like

---
- name: Playbook for Keycloak X Hosts
  hosts: all
  vars:
    keycloak_quarkus_admin_password: "remembertochangeme"
  roles:
    - middleware_automation.keycloak.keycloak_quarkus

then you can start adding configuration on top of it and relaunch. If you need https, before ansible runs with:

    keycloak_quarkus_https_enabled: True
    keycloak_quarkus_key_file: conf/key.pem
    keycloak_quarkus_cert_file: conf/cert.pem

you'll need to make the key and cert files available on the target host.

@fmarchioni
Author

Thanks for the prompt response @guidograzioli . Keycloak server now starts up.
However, when trying to load the admin console it gets stuck:

http://localhost:8080 -> Administration Console -> http://localhost:8080/admin/master/console/

From the logs I see there's this info:
2023-09-09 12:44:47,989 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: localhost, Strict HTTPS: false, Path: auth, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true

Which is a bit different from the same INFO of a keycloak installed from the zip file:
2023-09-09 12:48:11,623 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: false

Maybe some vars settings which are missing?

@fmarchioni
Author

fmarchioni commented Sep 9, 2023

I made it work by commenting the following entries in the keycloak.conf:

#hostname=localhost
#hostname-path=auth

I just did a diff with the keycloak.conf from the zip distribution and I could see the above params are not included.

@guidograzioli
Member

guidograzioli commented Sep 11, 2023

You are correct, the following:

hostname-path=auth

is a setting which moves the webapp context from / to /auth/ (not a default for keycloak quarkus, instead a setting made by default by the collection, to deploy the keycloak webapp at the same context path for both keycloak-legacy and keycloak-quarkus).

@fmarchioni
Author

I see. Ok, by setting the keycloak_quarkus_http_relative_path to blank it solves the issues about the auth path:

---
- name: Playbook for Keycloak X Hosts
  hosts: all
  vars:
    keycloak_quarkus_admin_pass: "AdminPassword12345"
    keycloak_quarkus_http_relative_path: ""
  roles:
    - middleware_automation.keycloak.keycloak_quarkus

On the other hand, the Ansible playbook will still create a Keycloak config with hostname=localhost that causes the Admin UI to hang.
I've tried setting:
keycloak_quarkus_host: ""
However that causes the start-up (post installation) to fail:

FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://:8080/realms/master/.well-known/openid-configuration (25 retries left).
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://:8080/realms/master/.well-known/openid-configuration (24 retries left).
FAILED - RETRYING: [localhost]: Wait until keycloak becomes active http://:8080/realms/master/.well-known/openid-configuration (23 retries left).

Overall, it's weird that by setting "hostname=localhost" in conf/keycloak.conf causes the Admin UI to hang.

@guidograzioli guidograzioli added the bugfixes Fixes that resolve issues. SHOULD not be used for minor enhancements label Sep 11, 2023
@guidograzioli
Member

Gotcha, I'll need to debug this with the browser inspector

@msherman13

seeing the same exact issue, unable to solve it so far

@msherman13

For my setup (no reverse proxy), I was able to solve this by removing the proxy line from the config. The ansible role doesn't have the ability to do this, and setting proxy=none also doesn't seem to work.

@msherman13

#109

@gionn
Contributor

gionn commented Sep 19, 2023

I am also failing to access the admin console after a successful playbook run with a simple:

- name: Install Keycloak
  vars:
    keycloak_quarkus_admin_pass: "myverylongpassword"
  ansible.builtin.include_role:
    name: middleware_automation.keycloak.keycloak_quarkus

From what I can see, the problem seems to be that the current default configuration is trying to redirect to https://localhost instead of the default http://localhost:8080

@gionn
Contributor

gionn commented Sep 19, 2023

Removing proxy= as suggested in the linked PR changes something but still doesn't solve the issue: it tries to connect to https://localhost:8443, which is not enabled/reachable by default (only http is).

@guidograzioli
Member

guidograzioli commented Sep 19, 2023

The console will always force to promote http to https when in production mode; to have it running on 8080, without a proxy, in addition to the above, you will need to start in dev-mode, as:

keycloak_quarkus_start_dev: true
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_frontend_url: 'http://localhost:8080/'

@guidograzioli
Member

The test above is an example of the setup

@gionn
Contributor

gionn commented Sep 19, 2023

keycloak_quarkus_start_dev: true
keycloak_quarkus_proxy_mode: none
keycloak_quarkus_frontend_url: 'http://localhost:8080/'

still can't log in to the admin console, is keycloak_quarkus_frontend_url really used? I don't see any other reference than just the variable declaration

https://github.com/search?q=repo%3Aansible-middleware%2Fkeycloak%20keycloak_quarkus_frontend_url&type=code

@msherman13

msherman13 commented Sep 19, 2023 via email

@guidograzioli
Member

still can't log in to the admin console, is keycloak_quarkus_frontend_url really used? I don't see any other reference than just the variable declaration

ouch that's right, the variable is a leftover from the migration from keycloak-legacy (supposed to offer a compatibility config point, but not yet worked on). Nevertheless, the two params that do the trick are keycloak_quarkus_start_dev and keycloak_quarkus_proxy_mode. If you still can't log in to the console after having emptied the cache in the browser, please:

  1. pull current main HEAD
  2. make sure nothing runs on localhost:8080
  3. run molecule converge -s quarkus-devmode
  4. open http://localhost:8080/ then click on admin console and verify you can login with admin/remembertochangeme
  5. if not, please send thru the log file at /var/log/keycloak/keycloak.log on the container (molecule login -s quarkus-devmode)

@gionn
Contributor

gionn commented Sep 19, 2023

ok I think I got it, I have a working localhost setup with:

# Hostname for the Keycloak server.
hostname=localhost
hostname-port=8080

hostname-path should be defined only when behind a proxy (otherwise it's just generating redirects which lead to 404)

hostname-port should be configured accordingly to keycloak_quarkus_http_port or the port where the proxy is running
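As an added illustration (not the collection's code, nor anything posted in this thread), here is a small Python linter that applies the rules worked out above to a keycloak.conf: hostname-path only behind a proxy, a proxy line only when a proxy really exists, https forced in production mode unless TLS or a proxy is present, and hostname-port matching the HTTP port. The sample conf, the Deployment flags and the finding codes are constructed; http-port is Keycloak's own option name and does not appear in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the conf/keycloak.conf discussed in the thread:
# hostname and hostname-path set, a proxy line present, no TLS, run on a laptop.
SAMPLE_CONF = """
# Hostname for the Keycloak server.
hostname=localhost
hostname-path=auth
proxy=edge
http-port=8080
"""

@dataclass
class Deployment:
    behind_proxy: bool   # a reverse proxy terminates TLS in front of Keycloak
    https_enabled: bool  # Keycloak itself has a key/cert and listens on 8443
    start_dev: bool      # started with kc.sh start-dev instead of production mode

def parse_keycloak_conf(text: str) -> Dict[str, str]:
    """Parse the key=value lines of keycloak.conf; '#' lines are comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def lint_hostname_settings(conf: Dict[str, str], dep: Deployment) -> List[str]:
    """Return codes for the hostname/proxy mistakes this thread ran into."""
    findings: List[str] = []
    http_port = conf.get("http-port", "8080")   # Keycloak's default HTTP port
    if "hostname-path" in conf and not dep.behind_proxy:
        # Only a proxy rewrites /auth/...; alone it produces redirects to 404s.
        findings.append("PATH_WITHOUT_PROXY")
    if conf.get("proxy", "none") != "none" and not dep.behind_proxy:
        # The thread's fix for a proxy-less host was to drop the proxy line.
        findings.append("PROXY_WITHOUT_PROXY")
    if not (dep.start_dev or dep.https_enabled or dep.behind_proxy):
        # Production mode promotes the console to https://host:8443, unreachable here.
        findings.append("FORCED_HTTPS_UNREACHABLE")
    effective = conf.get("hostname-port", "80")  # missing port = scheme default ("Port: -1")
    if "hostname" in conf and not dep.behind_proxy and effective != http_port:
        # Advertised URL drops or mangles :8080, so the admin console redirects elsewhere.
        findings.append("HOSTNAME_PORT_MISMATCH")
    return findings
```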

@gionn
Contributor

gionn commented Sep 19, 2023

Thanks for all the hints!

I've raised a quick PR for handling hostname-port, then I think it would be a good idea to document in the playbooks a working example for localhost/dev deployment

@guidograzioli
Member

The two PRs and the clarifications should be enough for closing, thanks everyone in this thread for contributing.
