Keycloak admin console loading indefinitely

I have a Keycloak server running in an EKS cluster that I'm trying to configure for production instead of dev mode.

I've managed to get SSL working with a reverse proxy, but when I go to the login page for the admin console it just loads indefinitely.

Here's my configuration:

Dockerfile

FROM --platform=linux/arm64 quay.io/keycloak/keycloak:19.0.1 as builder

ENV KC_DB=postgres
ENV KC_PROXY=edge
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange
ENV KC_HTTP_RELATIVE_PATH=/auth
RUN /opt/keycloak/bin/kc.sh build

FROM --platform=linux/arm64 quay.io/keycloak/keycloak:19.0.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/

## Install custom providers
COPY auth-identione-extension/target/auth-identione-extension-1.0.0-SNAPSHOT.jar /opt/keycloak/providers

ENV KC_HOSTNAME_STRICT=false
ENV KC_KEYCLOAK_USER={user}
ENV KC_KEYCLOAK_PASSWORD={password}
ENV KC_DB_URL={dburl}
ENV KC_DB_USERNAME={dbusername}
ENV KC_DB_PASSWORD={dbpassword}
ENV KC_HTTP_ENABLED=true
ENV KC_HOSTNAME=auth.identione.com
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--optimized"]

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: default
  name: keycloak-deployment
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: keycloak-app
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: keycloak-app
    spec:
      containers:
        - image: {keycloak-img-url}
          name: keycloak-app
          resources:
            requests:
              memory: "512Mi"
              cpu: "500m"
            limits:
              memory: "1024Mi"
              cpu: "1000m"
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080

service.yaml

apiVersion: v1
kind: Service
metadata:
  namespace: default
  name: keycloak-service
spec:
  ports:
    - port: 8180
      targetPort: 8080
      protocol: TCP
  type: NodePort
  selector:
    app.kubernetes.io/name: keycloak-app

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: default
  name: keycloak-service-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: {certificate-arn}
    alb.ingress.kubernetes.io/ssl-redirect: 'https'
spec:
  rules:
    - host: auth.identione.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: keycloak-service
              servicePort: 8180
asked Nov 21 '25 04:11

user3677636


2 Answers

Found the issue.

I had to move the ENV KC_PROXY=edge variable in the Dockerfile after running the build script.

answered Nov 24 '25 22:11

user3677636
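
An added example (not part of the answer above, nor Keycloak tooling) of why the move works: `ENV` set in the builder stage is not inherited by a final stage that starts from a fresh base image, so only what `kc.sh build` wrote under `/opt/keycloak` survives the `COPY --from=builder`. The function names and the `PERSISTED_BY_BUILD` set are assumptions, and the sample is the question's Dockerfile reduced to the relevant lines.

```python
import re

# Constructed sample: the question's Dockerfile, reduced to the relevant lines.
DOCKERFILE = """\
FROM --platform=linux/arm64 quay.io/keycloak/keycloak:19.0.1 as builder
ENV KC_DB=postgres
ENV KC_PROXY=edge
ENV KC_HTTP_RELATIVE_PATH=/auth
RUN /opt/keycloak/bin/kc.sh build

FROM --platform=linux/arm64 quay.io/keycloak/keycloak:19.0.1
COPY --from=builder /opt/keycloak/ /opt/keycloak/
ENV KC_HOSTNAME=auth.identione.com
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--optimized"]
"""

# Assumption: options that `kc.sh build` writes into /opt/keycloak, so they
# survive the COPY. These are the builder-stage variables the answer left alone.
PERSISTED_BY_BUILD = {"KC_DB", "KC_HEALTH_ENABLED", "KC_METRICS_ENABLED",
                      "KC_FEATURES", "KC_HTTP_RELATIVE_PATH"}

def parse_stages(text):
    """Split a Dockerfile into stages: [{'name', 'base', 'env': {key: value}}]."""
    stages = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if m:
            stages.append({"name": m.group(2), "base": m.group(1), "env": {}})
        elif stages and re.match(r"ENV\s", line, re.I):
            body = line[3:].strip()
            # `ENV K=V [K2=V2 ...]`, falling back to the legacy `ENV K V` form.
            pairs = re.findall(r"(\w+)=(\S*)", body) or [body.partition(" ")[::2]]
            stages[-1]["env"].update(pairs)
    return stages

def lost_runtime_env(text, persisted=PERSISTED_BY_BUILD, prefix="KC_"):
    """Return (stage, variable) pairs set in an earlier stage that the final
    image will not see: not persisted by the build and not inherited via FROM."""
    *earlier, final = parse_stages(text)
    by_name = {s["name"]: s for s in earlier if s["name"]}
    visible, base, seen = set(final["env"]), final["base"], set()
    while base in by_name and base not in seen:  # ENV follows the FROM chain only
        seen.add(base)
        visible |= set(by_name[base]["env"])
        base = by_name[base]["base"]
    return [(s["name"], k) for s in earlier for k in s["env"]
            if k.startswith(prefix) and k not in visible and k not in persisted]

if __name__ == "__main__":
    for stage, var in lost_runtime_env(DOCKERFILE):
        print(f"{var} is set in stage {stage!r} but is absent from the final image")
```

With `KC_PROXY` missing at runtime, Keycloak behind the TLS-terminating ALB is not told it sits behind a proxy, which matches the mixed-scheme symptoms the next answer describes.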


There's a related issue documenting this on their GitHub with specific instructions on how to debug this:

  1. Start Keycloak with the --hostname-debug=true option.
    (Env var: KC_HOSTNAME_DEBUG.) Documentation link.
  2. Browse to this URL: KEYCLOAK_BASE_URL/realms/master/hostname-debug

You would see an HTML table with a set of [OK] and [Not OK] next to frontend, backend, and admin.

A few pointers to help you debug this:

  • All of the URLs must be HTTPS URLs. If using HTTP (and not HTTPS), all of the URLs must be HTTP.
  • Try setting the right proxy value. If TLS terminates on a reverse proxy, use edge. You can read more about the other proxy options here.
  • If you are using HTTPS, --hostname-strict-https=false must NOT be set, especially if your proxy setting is edge. Setting it to false will cause Keycloak to generate HTTP URLs instead of HTTPS.

answered Nov 24 '25 22:11

galdin