aws-samples / cdk-keycloak

CDK construct library that allows you to create KeyCloak on AWS in TypeScript or Python
Apache License 2.0

Creating a simple Keycloak setup fails with quarkus errors - ERROR: Strict hostname resolution configured but no hostname setting provided #200

Closed 094459 closed 1 year ago

094459 commented 1 year ago

I am using the following CDK code to build a simple PoC Keycloak environment:

#!/usr/bin/env python3
import os

import aws_cdk as cdk
from cdk_keycloak import KeyCloak, KeycloakVersion

app = cdk.App()
env = cdk.Environment(region="eu-west-1", account="xxxxxxxx")

stack = cdk.Stack(app, "keycloak-demo", env=env)

KeyCloak(stack, "KeyCloak",
    certificate_arn="arn:aws:acm:eu-west-1:xxxxxx:certificate/xxxxxxx",
    keycloak_version=KeycloakVersion.V21_0_1,
    aurora_serverless=True
)

app.synth()

This fails eventually, with the ECS Tasks failing.

2023-06-01T18:34:11.088+01:00 Appending additional Java properties to JAVA_OPTS: -Djgroups.s3.region_name=eu-west-1 -Djgroups.s3.bucket_name=keycloak-demo-keycloakkeycloakcontainerserivcekey-sqq3c05eufqh
2023-06-01T18:34:12.490+01:00 ERROR: Unexpected error when starting the server in (production) mode
2023-06-01T18:34:12.490+01:00 ERROR: Failed to start quarkus
2023-06-01T18:34:12.490+01:00 ERROR: Strict hostname resolution configured but no hostname setting provided
2023-06-01T18:34:12.490+01:00 For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

wchaws commented 1 year ago

@adamstortz Can you help to check this? Many thanks.

094459 commented 1 year ago

I have made some progress (I think), insofar as I discovered you could set "hostname" as a property within the KeyCloak class (it is an optional property). I adjusted my CDK app as follows:

#!/usr/bin/env python3
import os

import aws_cdk as cdk
from cdk_keycloak import KeyCloak, KeycloakVersion

app = cdk.App()
env = cdk.Environment(region="eu-west-1", account="xxxx")

stack = cdk.Stack(app, "keycloak-demo", env=env)

KeyCloak(stack, "KeyCloak",
    certificate_arn="arn:aws:acm:eu-west-1:xxx:certificate/aec6b1ac-df36-449b-a2e2-xxxxxxxx",
    keycloak_version=KeycloakVersion.V21_0_1,
    aurora_serverless_v2=True,
    hostname = "keycloak-ecs"
)

app.synth()

and this time I do not get the hostname error. However, the ECS service still fails to start, with the following error:

2023-06-05 15:01:00,037 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: org.infinispan.commons.CacheConfigurationException: ISPN000085: Error while trying to create a channel using the specified configuration file: default-configs/default-jgroups-ec2.xml
2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.commons.CacheConfigurationException: ISPN000085: Error while trying to create a channel using the specified configuration file: default-configs/default-jgroups-ec2.xml
2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: ISPN000085: Error while trying to create a channel using the specified configuration file: default-configs/default-jgroups-ec2.xml
2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: JGRP000002: unable to load protocol aws.S3_PING (either with relative - aws.S3_PING - or absolute - org.jgroups.protocols.aws.S3_PING - class name)
2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
2023-06-05 15:00:59,905 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheConfigurationException: ISPN000085: Error while trying to create a channel using the specified configuration file: default-configs/default-jgroups-ec2.xml
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.buildChannel(JGroupsTransport.java:727)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.initChannel(JGroupsTransport.java:504)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:485)
    at org.infinispan.remoting.transport.jgroups.CorePackageImpl$1.start(CorePackageImpl.java:42)
    at org.infinispan.remoting.transport.jgroups.CorePackageImpl$1.start(CorePackageImpl.java:27)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:617)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:608)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:577)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:808)
    at org.infinispan.metrics.impl.MetricsCollector.start(MetricsCollector.java:78)
    at org.infinispan.metrics.impl.CorePackageImpl$1.start(CorePackageImpl.java:41)
    at org.infinispan.metrics.impl.CorePackageImpl$1.start(CorePackageImpl.java:34)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:617)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:608)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:577)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:808)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:635)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:599)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:577)
    at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:808)
    at org.infinispan.factories.AbstractComponentRegistry.internalStart(AbstractComponentRegistry.java:357)
    at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:250)
    at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:774)
    at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:742)
    at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:406)
    at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:96)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.Exception: JGRP000002: unable to load protocol aws.S3_PING (either with relative - aws.S3_PING - or absolute - org.jgroups.protocols.aws.S3_PING - class name)
    at org.jgroups.util.Util.loadProtocolClass(Util.java:3096)
    at org.jgroups.stack.Configurator.createLayer(Configurator.java:183)
    at org.jgroups.stack.Configurator.createProtocols(Configurator.java:170)
    at org.jgroups.stack.Configurator.createProtocolsAndInitializeAttrs(Configurator.java:104)
    at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:65)
    at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:55)
    at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:434)
    at org.jgroups.JChannel.init(JChannel.java:899)
    at org.jgroups.JChannel.<init>(JChannel.java:123)
    at org.jgroups.JChannel.<init>(JChannel.java:113)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.buildChannel(JGroupsTransport.java:725)
    ... 29 more
2023-06-05 15:00:59,526 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2023-06-05 15:00:59,511 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2023-06-05 15:00:59,465 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2023-06-05 15:00:59,434 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2023-06-05 15:00:59,372 INFO [org.infinispan.SERVER] (keycloak-cache-init) ISPN005054: Native IOUring transport not available, using NIO instead: io.netty.incubator.channel.uring.IOUring
2023-06-05 15:00:58,852 WARN [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread: keycloak-default) HHH000342: Could not obtain connection to query metadata: org.h2.jdbc.JdbcSQLNonTransientConnectionException: URL format error; must be "jdbc:h2:{ {.|mem:}[name] | [file:]fileName | {tcp|ssl}:[//]server[:port][,server2[:port]]/name }[;key=value...]" but is "jdbc:mysql://keycloak-demo-keycloakdatabasedbcluster06e9c0e1-gas8kncgzj1t.cluster-ceinb9vexcbc.eu-west-1.rds.amazonaws.com:3306/keycloak" [90046-214]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:678)
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:477)
    at org.h2.message.DbException.get(DbException.java:223)
    at org.h2.engine.ConnectionInfo.getFormatException(ConnectionInfo.java:687)
    at org.h2.engine.ConnectionInfo.<init>(ConnectionInfo.java:86)
    at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:113)
    at org.h2.jdbcx.JdbcDataSource.getXAConnection(JdbcDataSource.java:322)
    at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:232)
    at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:535)
    at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:516)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1134)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
2023-06-05 15:00:58,852 WARN [io.agroal.pool] (agroal-11) Datasource '<default>': URL format error; must be "jdbc:h2:{ {.|mem:}[name] | [file:]fileName | {tcp|ssl}:[//]server[:port][,server2[:port]]/name }[;key=value...]" but is "jdbc:mysql://keycloak-demo-keycloakdatabasedbcluster06e9c0e1-gas8kncgzj1t.cluster-ceinb9vexcbc.eu-west-1.rds.amazonaws.com:3306/keycloak" [90046-214]
2023-06-05 15:00:58,577 WARN [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2023-06-05 15:00:57,252 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: keycloak-ecs, Strict HTTPS: true, Path: <request>, Strict BackChannel: true, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
Appending additional Java properties to JAVA_OPTS: -Djgroups.s3.region_name=eu-west-1 -Djgroups.s3.bucket_name=keycloak-demo-keycloakkeycloakcontainerserivcekey-1n4lwhmmlbjsh

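The two log dumps in this thread show three distinct startup failures layered on top of each other (missing hostname, the jgroups-aws S3_PING protocol not loadable by the EC2 cache stack, and the H2 driver being handed a jdbc:mysql URL), plus a non-fatal warning that both X-Forwarded-* and Forwarded headers are trusted. Keycloak refuses to start in production mode without a hostname because hostname-strict is on by default, which stops issuer and redirect URLs from being derived from a client-supplied Host header. The following triage helper is an added example, not code from the cdk-keycloak project or from anyone in this thread: it strips the CloudWatch table columns and "Copy" button residue the way they appear above, then maps each known message to a cause and the remedy the thread points at. The sample log is constructed with placeholder cluster names; the signature strings are the ones quoted in the logs above.

```python
import re

# Constructed sample in the same shape as the CloudWatch table pasted in this
# issue (local time | message | stream, a "-- | --" separator row, and a
# "<timestamp>Copy<message> | <message>" row). Names are placeholders.
SAMPLE_LOG = """\
6/5/2023, 4:01:00 PM GMT+1 | 2023-06-05 15:01:00,038 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: JGRP000002: unable to load protocol aws.S3_PING (either with relative - aws.S3_PING - or absolute - org.jgroups.protocols.aws.S3_PING - class name) | keycloak
-- | -- | --
6/5/2023, 4:00:58 PM GMT+1 | 2023-06-05 15:00:58,852 WARN [io.agroal.pool] (agroal-11) Datasource '<default>': URL format error; must be "jdbc:h2:{ ... }" but is "jdbc:mysql://example-cluster.eu-west-1.rds.amazonaws.com:3306/keycloak" [90046-214] | keycloak
6/5/2023, 4:00:59 PM GMT+1 | 2023-06-05 15:00:59,434 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. | keycloak
2023-06-01T18:34:12.490+01:00CopyERROR: Strict hostname resolution configured but no hostname setting provided | ERROR: Strict hostname resolution configured but no hostname setting provided
"""

# (code, blocks startup?, signature substring, remedy). Each signature is a
# message quoted in this thread; each remedy is what the thread concludes.
RULES = [
    ("HOSTNAME_MISSING", True,
     "Strict hostname resolution configured but no hostname setting provided",
     "Pass the construct's `hostname` property; production mode will not infer it from the request."),
    ("S3_PING_UNAVAILABLE", True,
     "JGRP000002: unable to load protocol aws.S3_PING",
     "default-jgroups-ec2.xml needs the jgroups-aws S3_PING protocol, which this image cannot load (tracked in #199)."),
    ("H2_DRIVER_SELECTED", True,
     'URL format error; must be "jdbc:h2:',
     "The server started with --optimized and so only has the H2 datasource; the jdbc:mysql URL is rejected."),
    ("PROXY_HEADERS_BOTH", False,
     "X-Forwarded-* and Forwarded headers will be considered",
     "Non-fatal: trust only the forwarded header the load balancer actually sets."),
]

TABLE_SEP = re.compile(r"^(--\s*\|\s*)+--$")
# "2023-06-01T18:34:12.490+01:00CopyERROR: ..." -> the ISO timestamp fused with
# the Copy button label; drop both so the bare message is left.
COPY_RESIDUE = re.compile(r"^\d{4}-\d{2}-\d{2}T\S+?Copy")


def extract_messages(text):
    """Return the message column of each table row, residue removed."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or TABLE_SEP.match(line):
            continue
        cells = [c.strip() for c in line.split(" | ")]
        # 3 cells: local time | message | stream. 2 cells: residue-prefixed
        # message | clean duplicate. 1 cell: already a bare message.
        message = cells[1] if len(cells) >= 2 else cells[0]
        messages.append(COPY_RESIDUE.sub("", message))
    return messages


def diagnose(text):
    """Map a startup log to (code, blocking, remedy) tuples, first appearance first."""
    findings = []
    seen = set()
    for message in extract_messages(text):
        for code, blocking, signature, remedy in RULES:
            if signature in message and code not in seen:
                seen.add(code)
                findings.append((code, blocking, remedy))
    return findings


def startup_blockers(text):
    """Only the findings that explain why the ECS task exits."""
    return [code for code, blocking, _ in diagnose(text) if blocking]


if __name__ == "__main__":
    for code, blocking, remedy in diagnose(SAMPLE_LOG):
        print(f"{'BLOCKING' if blocking else 'warning '} {code}: {remedy}")
```

Feed it the raw text copied from the CloudWatch console; because it keys on the messages rather than on the table layout, it also works on plain `docker logs` output once the container is run locally.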
wiedsche commented 1 year ago

I think this is now a duplicate of #199, which was reported by me at the beginning of last week.

I can confirm that "hostname" is a required parameter for Keycloak. Otherwise it would not run.

Anyways, it will not run currently, even if you set it, as you found out already. The default keycloak image will only run with h2 database when calling startup with --optimized parameter.

After fixing the database issue, then you will run into the caching issue that will cause a failing startup.

We should fix these issues in #199.

094459 commented 1 year ago

Agreed. Closing this issue so that attention can be focused on #199.

wiedsche commented 1 year ago

I think this ticket needs some attention nevertheless. The documentation doesn't say that "hostname" is now a required parameter. At least the documentation should be updated. Or the CDK lib should determine a fallback hostname itself.