Using KC_HTTP_RELATIVE_PATH does not work.

Jennifer Wirth

Jun 22, 2022, 9:03:59 AM
to Keycloak User

Hi,

Since Keycloak 17 the “/auth” context has been removed. According to the migration guide (https://www.keycloak.org/migration/migrating-to-quarkus) a simple setting of --http-relative-path should do the trick.

However, when I run my container using that setting (through the environment variable) I get the warning:

quarkus.http.root-path is set to '/' but it is build time fixed to '/auth'. Did you change the property quarkus.http.root-path after building the application?

And my k8s livenessProbe fails. I tried setting -Dquarkus.http.root-path=/auth in the JAVA_OPTS_APPEND env variable, but to no avail.

I am using the quay.io/keycloak/keycloak:18.0.1 image on Kubernetes. The following is the full deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak-next
  namespace: sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak-next
      stack: java
      type: canary
  template:
    metadata:
      labels:
        app: keycloak-next
        stack: java
        type: canary
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:18.0.1
        args:
        - "start"
        env:
        - name: JAVA_OPTS_APPEND
          value: "-Dquarkus.http.root-path=/auth"
        - name: KC_HTTP_RELATIVE_PATH
          value: "/auth"
        - name: KC_PROXY
          value: edge
        - name: KC_HTTP_ENABLED
          value: "true"
        - name: KC_HOSTNAME
          value: toto.foobar.com
        - name: KEYCLOAK_LOGLEVEL
          value: WARN
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: KEYCLOAK_USER
          value: admin
        - name: KEYCLOAK_PASSWORD
          valueFrom:
            secretKeyRef:
              key: keycloak-password
              name: keycloak
        - name: JDBC_PARAMS
          value: useSSL=false
        - name: DB_ADDR
          value: postgres-keycloak-headless
        - name: DB_VENDOR
          value: postgres
        - name: DB_DATABASE
          value: keycloak
        - name: DB_USER
          value: postgres
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              key: postgres-password
              name: keycloak
        ports:
        - containerPort: 8080
          name: http
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /auth/
            port: http
          initialDelaySeconds: 300
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 5
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /auth/realms/master
            port: http
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: postgres-keycloak
              topologyKey: kubernetes.io/hostname
            weight: 1

David Kanenwisher

Jun 23, 2022, 12:32:30 PM
to Keycloak User
I think you have to pass "--http-relative-path /auth" to the "kc.sh" script to put the "auth" context back in. The full command we use is "/opt/keycloak/bin/kc.sh build --http-relative-path /auth --db postgres --cache-stack kubernetes". We build the Docker image in Gradle so the syntax might look a little strange:

dockerfile {
    from ("quay.io/keycloak/keycloak:$keycloakVersion")
    environmentVariable('JAVA_OPTS_APPEND', keycloakJavaOptsAppend)
    runCommand('/opt/keycloak/bin/kc.sh build --http-relative-path /auth --db postgres --cache-stack kubernetes')
}

I haven't used "-Dquarkus.http.root-path=/auth" yet but I suspect the reason you're getting that warning is because it wasn't set before "kc.sh" was called or at least "kc.sh" wasn't called after you set it. I think if you built the image and passed that option to "JAVA_OPTS_APPEND" the warning would go away.

Hope this helps!

David

Jennifer Wirth

Jun 27, 2022, 1:25:46 AM
to Keycloak User
Hi David,

Yes, I found out that the provided/standard image cannot be used and a custom image must be created to override the "context path" of Keycloak. I wish the documentation was clearer on this. In addition, this is a major break from the past (or any other web application/framework).

I was eventually able to migrate my Keycloak (took me two days).

Thanks for your reply and help,

Jenny
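
A pre-deploy check for the mismatch discussed in this thread, as an added example that is not part of any post or of Keycloak itself: it compares the options an image was built with against build-time options requested through KC_* environment variables at runtime. The function names and the BUILD_TIME_OPTIONS set (limited to the three options in the build command quoted above) are assumptions, and the sample inputs are constructed from the thread.

```python
import shlex

# Assumption: options treated as fixed at build time. Only the three that
# appear in the "kc.sh build" command quoted in the thread are listed.
BUILD_TIME_OPTIONS = {"http-relative-path", "db", "cache-stack"}

# Constructed sample inputs, taken from the posts above.
BUILD_CMD = ("/opt/keycloak/bin/kc.sh build --http-relative-path /auth "
             "--db postgres --cache-stack kubernetes")
THREAD_ENV = {
    "KC_HTTP_RELATIVE_PATH": "/auth",
    "KC_PROXY": "edge",
    "KC_HTTP_ENABLED": "true",
    "KC_HOSTNAME": "toto.foobar.com",
}

def parse_build_args(command):
    """Return {option: value} from a 'kc.sh build ...' command line."""
    tokens = shlex.split(command)
    opts = {}
    i = tokens.index("build") + 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:                      # --name=value
                name, value = tok[2:].split("=", 1)
            else:                               # --name value
                name = tok[2:]
                value = tokens[i + 1] if i + 1 < len(tokens) else ""
                i += 1
            opts[name] = value
        i += 1
    return opts

def env_to_options(env):
    """Map KC_FOO_BAR environment variables to 'foo-bar' option names."""
    return {k[3:].lower().replace("_", "-"): v
            for k, v in env.items() if k.startswith("KC_")}

def find_conflicts(build_command, env):
    """List (option, built_value, runtime_value) for build-time options
    requested at runtime that the image was not built with.
    build_command=None models an image with no custom build step."""
    built = parse_build_args(build_command) if build_command else {}
    wanted = env_to_options(env)
    return [(name, built.get(name), wanted[name])
            for name in sorted(BUILD_TIME_OPTIONS & wanted.keys())
            if built.get(name) != wanted[name]]
```

A non-empty result from find_conflicts means the runtime setting will not take effect until the image is rebuilt with that option.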