LivenessProbe and ReadinessProbe fail when resource limits set

[Jiye Yu]

Hi Keycloak Operator Developper,

I tried to set CPU limits and requests for Keycloak StatefulSet by Keycloak-Operator.

Here is my manifest used:

apiVersion: keycloak.org/v1alpha1

kind: Keycloak

metadata:

    name: example-keycloak

    labels:

        app: sso

spec:

    instances: 1

    extensions:

        - https://github.com/aerogear/keycloak-metrics-spi/releases/download/1.0.4/keycloak-metrics-spi-1.0.4.jar

    externalAccess:

        enabled: True

    podDisruptionBudget:

        enabled: True

    keycloakDeploymentSpec:

        resources:

            limits:

                cpu: 600m

            requests:

                cpu: 300m

When I deployed Keycloak by above yaml file, I can find my pod is running but container is not ready. I checked the pod description and found both LivenessProbe and ReadinessProbe failed.

I tried again and again, and I found I can succeed One out of five times. (Only one time the Keycloak container is ready.)

Then I deployed Keycloak Operator locally and removed LivenessProbe and ReadinessProbe check logic. I deployed Keycloak again and waited several minutes. I found Keycloak working well. (I can accees to the Keycloak GUI page.) Also CPU limits worked well.

I am wondering if current LivenessProbe and ReadinessProbe are incompatible with Resource Limits.

Can you reproduce my issue?

Thanks,

Jiye Yu

Hitachi, Ltd.

[Sebastian Łaskawiec]

Thanks for looking into this!

The Liveness and Readiness probes use fixed timeouts and number of failures. Depending how much CPU you will assign to RHSSO, it may turn out that it won't boot up within this designated time. I did some tests long time ago and here are the results: https://github.com/keycloak/keycloak-operator/pull/232#issuecomment-662931228

I see two solutions - one on your end and one of ours. The former is to increase the CPU to 1. That should be enough to let Keycloak boot successfully up. The latter is to implement a startup probe: https://issues.redhat.com/browse/KEYCLOAK-16662

Thanks,

Sebastian

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/2753ac5b-99fb-4036-b6d5-291f892675b7n%40googlegroups.com.

--

Sebastian Łaskawiec

[Jiye Yu]

Hi Sebastian,

Your suggestion helps.

Thank you!

Jiye Yu