[keycloak-user] Deploy keycloak to Kubernetes Cluster on GCP

William Nankap willyvic17 at gmail.com
Tue Nov 20 17:12:15 EST 2018


Hello Dmitry,

I tried the load balancer with Ingress in Kubernetes on Google Cloud.
I can access the Keycloak interface but not the WildFly interface.

I exposed my Keycloak deployment through one service with 2 ports, 8080 and
9990, of type=NodePort (as in the documentation),
and created 2 Ingress services, one for port 8080 and another for 9990
(but I can't access WildFly).

Where is my mistake? Can you help me, please?

On Tue, 20 Nov 2018 at 15:47, William Nankap <willyvic17 at gmail.com> wrote:

> Hello Dimitry, thanks for your answer.
>
> P.S. Probably THE article on how to enable HTTPS on management interface:
>
> http://www.mastertheboss.com/jboss-server/jboss-security/securing-access-to-jboss-wildfly-management-console
>
> 1- Thanks
>
>
> On Mon, 2018-11-19 at 22:11 +0300, Dmitry Telegin wrote:
> > Hello William, answers inline,
> >
> > On Sun, 2018-11-18 at 02:11 +0100, William Nankap wrote:
> > > Hi everyone,
> > >
> > > When I deploy Docker Keycloak 4.5.0.Final to a Kubernetes cluster on GCP, I can
> > > normally access the Keycloak interface via the external IP address on port
> > > 8080. But I can't access the WildFly Management Interface on port 9990.
> >
> > This is because by default Keycloak/Wildfly opens management ports (9990
> > and 9993) on the local IP only (127.0.0.1). To override this, you can
> > append the following to the command line of your image:
> >
> > -bmanagement=0.0.0.0
> >
> > This will bind management interface to all the IPs on the host. However,
> > you shouldn't access your plain HTTP management interface (9990) from the
> > external IP, but rather use HTTPS on port 9993. Google "Wildfly management
> > https" for how to configure it.
> >
> > Alternatively, you can use reverse proxy / load balancer to terminate SSL.
> >
> 1- How can I add this command -bmanagement=0.0.0.0 to my Docker
> image? A link for help, please.
>
> 2- I can access the standalone.xml but I can't modify it. To access it I
> earlier ran the command
>     kubectl exec -it [PODNAME] /bin/bash
> which opens
>     [jboss@podname]$ cd keycloak/standalone/configuration
> How can I modify the standalone.xml?
>
> 3- After deploying my Keycloak Docker image on my cluster, I exposed it by
> creating a service of type LoadBalancer. I opened port 80, which reaches the
> Keycloak interface, but when I open port 9990 I get a connection refused error.
>
>
> > > My questions:
> > >
> > > 1/ What are the recommendations for using Keycloak in production?
> > >      a/ Install the Keycloak server alongside a WildFly server to use it correctly?
> > >      b/ Install only the Keycloak server. How can I manage deployment for
> > > an app if I can't access the WildFly management interface? Is it
> > > imperative to access it?
> >
> > You mean - should you install separate Keycloak and application server
> > instances, or is it possible to deploy WARs right into Keycloak? The answer
> > to the second question is yes in theory, but in practice this is not
> > recommended for many reasons.
> >
> > Your typical setup would include Keycloak as an identity and
> > authentication server, and another app server (Wildfly, Tomcat, Jetty etc.)
> > to host your actual applications that you want secured by Keycloak.
> >
> > >
> > > 2/ Do you need more details on my deployment to help me? If yes, which?
> > >
> > > 3/ How can I get the WildFly management interface on my GCP deployment to
> > > deploy my app?
> >
> > Please see above. Alternatively, you can use jboss-cli tool in the
> > container which operates locally and doesn't require external IP.
> >
> > Finally, you can deploy applications by simply dropping them into the
> > standalone/deployments directory.
> >
>
> 1- I can't paste a file into this directory. Maybe I don't have the right method.
> Can you help me?
>
>
> > > 4/ Do you have suggestions for me on the best way to use Keycloak in production?
> > > Some support?
> >
> > Everything depends on your particular problem. The bare minimum is that
> > you should have a "real" DBMS (PostgreSQL, MySQL etc.) and not an embedded
> > one.
> >
> > >
> > > I will be very thankful for your answer.
> > >
> > > Kindest regards...
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
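
The quoted advice above is that the plain HTTP management port (9990) should not be reachable from an external IP. As an added example (not part of the original thread), this Python check reads `kubectl get svc,ingress -o json` output and lists every Service or Ingress that publishes a WildFly management port; the resource names in the sample are constructed.

```python
import json
import sys

# Ports named in the thread: 9990 = plain HTTP management, 9993 = HTTPS management.
MGMT_PORTS = {9990: "plain HTTP management", 9993: "HTTPS management"}

def audit(items):
    """Return sorted findings for management ports reachable from outside the cluster."""
    targets, findings = {}, set()
    for obj in (o for o in items if o["kind"] == "Service"):
        name, spec = obj["metadata"]["name"], obj.get("spec", {})
        for p in spec.get("ports", []):
            # targetPort defaults to port; named (string) targetPorts are not resolved here.
            target = p.get("targetPort", p["port"])
            targets[(name, p["port"])] = target
            if spec.get("type") in ("NodePort", "LoadBalancer") and target in MGMT_PORTS:
                findings.add(f"Service/{name} ({spec['type']}) publishes {target}: {MGMT_PORTS[target]}")
    for obj in (o for o in items if o["kind"] == "Ingress"):
        for rule in obj.get("spec", {}).get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                b = path["backend"]
                # extensions/v1beta1 uses serviceName/servicePort; networking.k8s.io/v1 nests them.
                s = b.get("service", {})
                svc = b.get("serviceName") or s.get("name")
                port = b.get("servicePort") or s.get("port", {}).get("number")
                target = targets.get((svc, port))  # Service port -> container port
                if target in MGMT_PORTS:
                    findings.add(f"Ingress/{obj['metadata']['name']} routes to {svc}:{target}: {MGMT_PORTS[target]}")
    return sorted(findings)

# Constructed sample in the shape of `kubectl get svc,ingress -o json`, mirroring the
# setup described in the thread (one NodePort Service, two Ingresses; names are made up).
SAMPLE = {"items": [
    {"kind": "Service", "metadata": {"name": "keycloak"}, "spec": {"type": "NodePort", "ports": [
        {"port": 8080, "targetPort": 8080}, {"port": 9990, "targetPort": 9990}]}},
    {"kind": "Ingress", "metadata": {"name": "keycloak-web"}, "spec": {"rules": [{"http": {"paths": [
        {"backend": {"serviceName": "keycloak", "servicePort": 8080}}]}}]}},
    {"kind": "Ingress", "metadata": {"name": "keycloak-mgmt"}, "spec": {"rules": [{"http": {"paths": [
        {"backend": {"serviceName": "keycloak", "servicePort": 9990}}]}}]}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(data["items"])) or "no management ports published")
```

Pass a file saved from `kubectl get svc,ingress -o json` as the first argument to check a real namespace; without an argument the constructed sample is used.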

