Closed ppatierno closed 7 years ago
Strange, this works for me with the latest snapshot: https://dl.bintray.com/enmasse/snapshots/latest/enmasse-latest.tgz
Also works when I deploy directly from the master repo.
Deployed as such: ./templates/install/deploy-openshift.sh -d -k admin
It does take a while, but keycloak becomes reachable after 1-2 minutes. Then I am able to create users and assign credentials in the console and verify:
PN_TRACE_FRM=1 python /usr/share/proton-0.18.0/examples/python/simple_recv.py -a amqp://lulf:lulf@172.30.169.202:5672
One thing I do notice is that the HTTP liveness probe on the console fails as it is unable to authenticate, so that will cause the console to get restarted sometimes, but no errors in the log as far as I can see. Just pushed a fix for the probe.
I am also unable to authenticate with the same user in the console, so something is not right :)
I have just deleted all my previous images (to be sure) and updated the master branch on my local PC. Then I have used the getting started guide command (as always):
./deploy-openshift.sh -m "https://localhost:8443" -n enmasse
but adding a -k admin
for Keycloak (using "admin" as password for admin :-))
I still see an error in the Keycloak log about Could not start http listener
and the admin console isn't reachable.
At the end of the log I also see:
05:21:34,145 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
05:21:34,145 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
but maybe it's the admin console of some other component in Keycloak?
In the OpenShift events I also see this :
Liveness probe failed: dial tcp 172.17.0.2:5671: getsockopt: connection refused
related to a not started Keycloak instance and the reason why the console can't connect to it and crashes.
I have also tried with the enmasse-latest.tgz ... same problem. I have checked that no one is already listening on port 8080 on my PC ... no one is there.
The 9990 port is for the WildFly app server. Could you try the following:
openssl req -new -x509 -batch -nodes -days 11000 -out tls.crt -keyout tls.key
mkdir -p certs && mv tls.crt tls.key certs
docker run -ti -v $PWD/certs:/opt/jboss/keycloak/standalone/certs:z -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin enmasseproject/keycloak:latest
The problem seems to be related to this error :
"protocol family unavailable"
which is related to the usage of the IPv6 stack. On my side even disabling IPv6 doesn't fix the problem. The way to do that is to set the preferred stack to use (IPv4) on Keycloak startup with this Java option:
java.net.preferIPv4Stack=true
So this issue is fixed by aa8cc3a603e379c2612328e2b4093b75a32f3723
After deploying EnMasse with the Keycloak instance, the web console seems to be not reachable using the browser. Getting the IP address of the standard-authservice service and trying with the following:
http://<ip-address>:8080/auth/admin/
I get this error :
This site can’t be reached
172.30.67.126 refused to connect.
This is because JBoss is listening only on 127.0.0.1
Solution is here: https://serverfault.com/questions/830053/cant-access-jboss-remotely-despite-of-proper-binding-of-ip-address-in-standalon
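The symptoms discussed in this thread (management interface on 127.0.0.1:9990, no HTTP listener on 8080) can be read straight from the boot log. The following is an added example, not code from the thread or from EnMasse; the function names are hypothetical, ports 8080 and 9990 are taken from the thread, and the third sample log line is constructed.

```python
import ipaddress
import re

# First two lines are the boot-log lines quoted in the thread; the third is
# constructed here around the error phrase the thread reports.
SAMPLE_LOG = """\
05:21:34,145 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
05:21:34,145 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
05:21:34,150 ERROR [constructed.example] (constructed) Could not start http listener
"""

LISTEN_RE = re.compile(
    r"(?P<what>[\w ]+?) listening on (?:https?://)?"
    r"(?P<host>\[[0-9a-fA-F:]+\]|[\w.\-]+):(?P<port>\d+)")


def bind_scope(host):
    """Classify a bind address as loopback, all-interfaces, specific or hostname."""
    host = host.strip("[]")
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"


def audit_boot_log(text, app_port=8080, mgmt_port=9990):
    """Return (listeners, findings) for a WildFly/Keycloak boot log."""
    listeners = [(m["what"].strip(), m["host"], int(m["port"]), bind_scope(m["host"]))
                 for m in LISTEN_RE.finditer(text)]
    findings = []
    if "could not start http listener" in text.lower():
        findings.append("http listener failed to start")
    if not any(port == app_port for _, _, port, _ in listeners):
        findings.append(f"nothing reported listening on port {app_port}")
    for what, host, port, scope in listeners:
        if port == app_port and scope == "loopback":
            findings.append(f"{what} on {port} is loopback-only")
        if port == mgmt_port and scope != "loopback":
            findings.append(f"{what} on {port} is exposed beyond loopback ({host})")
    return listeners, findings


if __name__ == "__main__":
    for item in audit_boot_log(SAMPLE_LOG)[1]:
        print("FINDING:", item)
```

A loopback-only management interface on 9990 produces no finding, since that is the safe binding; only the application listener needs to be reachable from other pods.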