[KEYCLOA-OPERATOR] Issue creating Keycloak instance using keycloak-operator


Veronica Di Giorgio

Dec 14, 2020, 2:42:56 PM
to Keycloak User
Hello everyone, 

I'm having some trouble using the Keycloak operator installed on a simple Kubernetes cluster.

Basically, what happens is that when I install a new Keycloak, PostgreSQL is not able to run properly because it does not have permission to create a new directory in /var/lib/pgsql/data/userdata.

As far as I understood, the problem is related to the securityContext, which is not set on the postgres deployment even though Postgres always runs as user 26 (as can be seen here: https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1?container-tabs=dockerfile).

I had to do a lot of workarounds to make it work, and finally I succeeded by manually configuring the security context as follows:

securityContext:
  fsGroup: 26
  runAsUser: 26

Is there any possibility to set the security context via the operator? If not, can you please point me to the correct solution to apply?

Thanks,
Veronica

Ian FitzPatrick

Dec 22, 2020, 5:51:52 AM
to Keycloak User
Hi All,

I'm having the same issue. The workaround I used was specifying an initContainer in the keycloak-postgresql deployment to do a chmod (yes, I know) on /var/lib/pgsql/data. As far as I can see there's no option to do this directly in the operator (same goes for the securityContext workaround above). I'd also be interested in the "correct" way to solve this ;-)

Thanks!

Best,

Ian
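The two workarounds described in this thread (a pod securityContext, and an init container that fixes the data directory) can be combined into a single strategic-merge patch for the operator-generated Deployment. The following is an added example, not code from the thread or from the Keycloak project. It assumes the Deployment is named keycloak-postgresql, that the data volume is mounted at /var/lib/pgsql/data, that the volume in the generated pod spec is named keycloak-postgresql-data (check the generated Deployment and adjust), and that the operator does not revert manual changes to the Deployment on its next reconcile. The ubi-minimal image for the init container is likewise an assumption; any image with chown works.

```yaml
# pgdata-permissions.yaml  (added example; assumptions noted in the text above)
# Apply with:
#   kubectl -n <namespace> patch deployment keycloak-postgresql -p "$(cat pgdata-permissions.yaml)"
spec:
  template:
    spec:
      # Pod-level: fsGroup makes kubelet chown the mounted volume to gid 26 for
      # volume types that support it; runAsUser/runAsGroup pin the container to
      # the image's own postgres uid/gid (26), so no world-writable chmod is needed.
      securityContext:
        runAsUser: 26
        runAsGroup: 26
        fsGroup: 26
      # Fallback for storage drivers that ignore fsGroup (hostPath, some NFS/CSI
      # drivers): fix ownership of the data path only, with a root init container
      # that exits before postgres starts, instead of chmod 777.
      initContainers:
      - name: fix-pgdata-owner
        image: registry.access.redhat.com/ubi8/ubi-minimal   # assumed; any image with chown
        command: ["sh", "-c", "chown -R 26:26 /var/lib/pgsql/data"]
        securityContext:
          runAsUser: 0
        volumeMounts:
        - name: keycloak-postgresql-data   # assumed volume name; take it from the generated Deployment
          mountPath: /var/lib/pgsql/data
```

Prefer the securityContext alone where the storage class honours fsGroup; the init container runs as root and will be rejected by a restricted PodSecurity policy, so only keep it for volume types where fsGroup has no effect. After applying, `kubectl -n <namespace> get deployment keycloak-postgresql -o yaml` shows whether the operator has kept or reverted the patch.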

Veronica Di Giorgio

Jan 23, 2021, 6:08:01 AM
to Keycloak User
I think that the only resolution to make it work if you don't use OC is to provide your own DB instance and then configure your Keycloak resource to use an external DB.

It's not clear to me if the Backup feature works in this case; I haven't tried it yet.

This is an example Secret I used to access an external DB (previously created with the correct grants), which creates a service of type external that can point either to an instance inside or outside the cluster:

---
apiVersion: v1
kind: Secret
metadata:
  # the name is exactly this one
  name: keycloak-db-secret
# every value under data: must be base64-encoded
data:
  POSTGRES_DATABASE: {{ .Values.db.name | b64enc }}
  # a bare "true" here would be read as four base64 characters, not the string "true"
  POSTGRES_SUPERUSER: {{ "true" | b64enc }}
  POSTGRES_USERNAME: {{ .Values.db.username | b64enc }}
  POSTGRES_PASSWORD: {{ .Values.db.password | b64enc }}
  POSTGRES_EXTERNAL_PORT: {{ .Values.db.port | b64enc }}
  POSTGRES_EXTERNAL_ADDRESS: {{ .Values.db.host | b64enc }}
type: Opaque
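For the same Secret outside a Helm template, the `stringData` field lets the API server do the base64 encoding, which removes the easiest mistake with `data:` (an unencoded literal such as `"true"` is accepted as base64 and silently decodes to garbage). This is an added example, not from the thread; the values are constructed placeholders and the key names are the ones the thread uses.

```yaml
# keycloak-db-secret.yaml (added example with constructed placeholder values)
---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-db-secret   # the operator looks up exactly this name
type: Opaque
# stringData is base64-encoded server-side and merged into data on write
stringData:
  POSTGRES_DATABASE: keycloak
  POSTGRES_SUPERUSER: "true"            # quoted so YAML keeps it a string, not a boolean
  POSTGRES_USERNAME: keycloak
  POSTGRES_PASSWORD: REPLACE_WITH_DB_PASSWORD
  POSTGRES_EXTERNAL_PORT: "5432"        # quoted for the same reason
  POSTGRES_EXTERNAL_ADDRESS: postgres.db.svc.cluster.local   # or an address outside the cluster
```

To check what the operator will actually read back, decode one key after applying: `kubectl get secret keycloak-db-secret -o jsonpath='{.data.POSTGRES_SUPERUSER}' | base64 -d` should print `true`.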