Commit

FIX: Probes internalPort requires HTTPS scheme
The new health endpoints used by the three probes (liveness, readiness
and startup) are now served on a dedicated interface with its own port.
The scheme of the interface only serves HTTP or HTTPS. If the main
keycloak interface serves HTTPS, the internal management interface will
also serve HTTPS, regardless of whether the main keycloak interface serves
plain HTTP or not.

It's therefore impossible for the probes to work with a plain HTTP
scheme, if keycloak has HTTPS enabled.

We therefore need a way to specify the scheme of the internalPort via
helm values to be able to set a custom scheme for the probes.

Signed-off-by: Nicolas Bigler <[email protected]>
TheBigLee committed Aug 6, 2024
1 parent 5422bea commit 45a338f
Showing 3 changed files with 9 additions and 1 deletion.
2 changes: 2 additions & 0 deletions charts/keycloakx/README.md
Expand Up @@ -174,6 +174,8 @@ The following table lists the configurable parameters of the Keycloak-X chart an
| `proxy.enabled` | If `true`, the `KC_PROXY` env variable will be set to the configured mode | `true` |
| `proxy.mode` | The configured proxy mode | `edge` |
| `http.relativePath` | The relative http path (context-path) | `/auth` |
| `http.internalPort` | The port of the internal management interface | `http-internal` |
| `http.internalScheme` | The scheme of the internal management interface | `HTTP` |
| `metrics.enabled` | If `true` then the metrics endpoint is exposed | `true` |
| `health.enabled` | If `true` then the health endpoint is exposed. If the `readinessProbe` is is needed `metrics.enable` must be `true`. | `true` |
| `serviceMonitor.enabled` | If `true`, a ServiceMonitor resource for the prometheus-operator is created | `false` |
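Review bot: The `http.internalScheme` row does not say which values are accepted or when the default has to change. The commit message states that the management interface serves HTTPS whenever Keycloak has HTTPS enabled, so the description should say that the value is either `HTTP` or `HTTPS` and must be set to `HTTPS` in that case.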
4 changes: 3 additions & 1 deletion charts/keycloakx/values.schema.json
Expand Up @@ -83,7 +83,9 @@
"type": "array"
},
"http": {
"relativePath": "string"
"relativePath": "string",
"internalPort": "string",
"internalScheme": "string"
},
"image": {
"$ref": "#/definitions/image"
Expand Down
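Review bot: `"internalScheme": "string"` accepts any string, but the value is rendered into the probes' `httpGet.scheme`, which Kubernetes accepts only as `HTTP` or `HTTPS`. Restricting the entry to those two values in the schema (an `enum`) would make a typo fail at chart validation instead of when the pod spec is rejected.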
4 changes: 4 additions & 0 deletions charts/keycloakx/values.yaml
Expand Up @@ -167,6 +167,7 @@ livenessProbe: |
httpGet:
path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/live'
port: '{{ .Values.http.internalPort }}'
scheme: '{{ .Values.http.internalScheme }}'
initialDelaySeconds: 0
timeoutSeconds: 5
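Review bot: On the new `scheme:` line the value is rendered verbatim, and Kubernetes matches the probe scheme case-sensitively, so `internalScheme: https` in a user's values produces an invalid probe. Consider normalising it in the template, for example `scheme: '{{ .Values.http.internalScheme | upper }}'`, here and in the readiness and startup probes.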
Expand All @@ -175,6 +176,7 @@ readinessProbe: |
httpGet:
path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/ready'
port: '{{ .Values.http.internalPort }}'
scheme: '{{ .Values.http.internalScheme }}'
initialDelaySeconds: 10
timeoutSeconds: 1
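Review bot: `timeoutSeconds: 1` on the readiness probe predates the scheme option; with `internalScheme: HTTPS` each probe request also has to complete a TLS handshake within that second. Worth confirming the timeout still holds on a busy pod, or mentioning it next to the new setting so users know to raise it.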
Expand All @@ -183,6 +185,7 @@ startupProbe: |
httpGet:
path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health'
port: '{{ .Values.http.internalPort }}'
scheme: '{{ .Values.http.internalScheme }}'
initialDelaySeconds: 15
timeoutSeconds: 1
failureThreshold: 60
Expand Down Expand Up @@ -420,6 +423,7 @@ http:
# For backwards compatibility reasons we set this to the value used by previous Keycloak versions.
relativePath: "/auth"
internalPort: http-internal
internalScheme: HTTP

serviceMonitor:
# If `true`, a ServiceMonitor resource for the prometheus-operator is created
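Review bot: `internalScheme: HTTP` is added without a comment, unlike `relativePath` two lines above it. A short comment here could list the accepted values (`HTTP`, `HTTPS`) and mention that the kubelet skips certificate verification for HTTPS probes, so switching to `HTTPS` needs no extra CA configuration.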

0 comments on commit 45a338f