Keycloak container fails to start in Azure Container Apps

[julioct]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Deploying a container provisioned via the Keycloak integration won't start in Azure Container Apps (ACA).

ACA will try to activate it, but it continuously fails.

The container reports this in the logs:

Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode.

Expected Behavior

Keycloak should successfully deploy to ACA.

Steps To Reproduce

1. Create a .NET Aspire app
2. Add the Keycloak AppHost integration: via Aspire.Hosting.Keycloak NuGet package
3. Add the Keycloak integration to the AppHost model:

var builder = DistributedApplication.CreateBuilder(args);

var keycloak = builder.AddKeycloak("keycloak", 8080);

builder.Build().Run();

4. Deploy via azd up
5. The container never starts in ACA:

Exceptions (if any)

Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode.

.NET Version info

.NET SDK:
Version: 8.0.400
Commit: 36fe6dda56
Workload version: 8.0.400-manifests.2772ffde
MSBuild version: 17.11.3+0c8610977

Runtime Environment:
OS Name: Windows
OS Version: 10.0.22631
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\8.0.400\

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
[aspire]
Installation Source: SDK 8.0.400, VS 17.11.35303.130
Manifest Version: 8.2.1/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.2.1\WorkloadManifest.json
Install Type: Msi

Host:
Version: 8.0.8
Architecture: x64
Commit: 08338fcaa5

.NET SDKs installed:
8.0.108 [C:\Program Files\dotnet\sdk]
8.0.206 [C:\Program Files\dotnet\sdk]
8.0.304 [C:\Program Files\dotnet\sdk]
8.0.400 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 8.0.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 8.0.6 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
Not set

global.json file:
Not found

Learn more:
https://aka.ms/dotnet/info

Download .NET:
https://aka.ms/dotnet/download

Anything else?

When deploying to Azure, the Keycloak integration adds just this parameter:

start

However to run Keycloak in prod requires multiple other parameters as described here.

Something like this:

podman|docker run --name mykeycloak -p 8080:8080 \
        -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
        quay.io/keycloak/keycloak:latest \
        start \
        --db=postgres --features=token-exchange \
        --db-url=<JDBC-URL> --db-username=<DB-USER> --db-password=<DB-PASSWORD> \
        --https-key-store-file=<file> --https-key-store-password=<password>

[davpodda]

Hi have you any solution? I have the same problem

[sandves]

Any updates on this? Would be really helpful with an example on how to do run Keycloak in Aspire in a production ready setup.

[eerhardt]

@DamianEdwards - do we have any keycloak contacts we could ask about this issue?

[DamianEdwards]

I don't think we need a contact. The Keycloak integration is still in preview. In order for it to be successfully started in production mode it requires extra configuration which the hosting integration currently doesn't expose modeling for in a first-class way, e.g. the HTTPS certificate information. When run during local development we configure it to run in dev mode which removes these requirements.

The work here is to update the Keycloak hosting integration to expose appropriate API that enables configuring it for production use when deployed. Whether we can make it work by default (with generated passwords, certificates/keys, etc.) is still an open question.

[LeakeyMaina]

Has anyone managed to get this working?

[rcolombo-cdesign]

Hello, i deployed a Keycloak instance to an Azure Container App, and i do get this problem. I understand we have to somehow give Keycloak the references to the SSL certificate for it to work with HTTPS.

But does this still stands with an Ingress in front of the container? I expect that with an Ingress service configured for the container, i can simply run the Keycloak using HTTP mode, and even still for the connections outside the ACA, it will still serve everything in HTTPS, is this correct?

If so, one point of attention, is that the Keycloak management interface calls some iframes, for which i get a CORS error (mixed http/https content)

[DamianEdwards]

But does this still stands with an Ingress in front of the container? I expect that with an Ingress service configured for the container, i can simply run the Keycloak using HTTP mode, and even still for the connections outside the ACA, it will still serve everything in HTTPS, is this correct?

I think you can but you need to configure it specifically for running behind a reverse proxy, see https://www.keycloak.org/server/reverseproxy

[YandyZaldivar]

I would also be interested in any workaround while the integration is still in preview.