keycloak / keycloak-operator

ARCHIVED Kubernetes Operator for the no longer supported WildFly distribution of Keycloak
Apache License 2.0

Fail to login to admin console after scaling keycloak to 3 instances #519

Closed tomhuang12 closed 2 years ago

tomhuang12 commented 2 years ago

Describe the bug

I initially had a Keycloak with 1 instance and was able to log in to the admin console successfully. After setting it to 3 and the other two pods came up, I could no longer log in to the admin console, with the following error message from the pods:

19:12:42,051 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.15.0.182, error=expired_code, restart_after_timeout=true, authSessionParentId=1562ba06-cf07-4dac-9a80-493914b42400, authSessionTabId=ktPlGGhGRFc
19:12:55,682 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.15.0.182, error=expired_code, restart_after_timeout=true, authSessionParentId=307e0a14-0d7b-4320-b660-b55c22aafa61, authSessionTabId=oPq-sMkr-2o
19:12:56,031 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.15.1.15, error=expired_code, restart_after_timeout=true, authSessionParentId=0bf5f6ff-3c25-42a1-ae0c-4474854ed99a, authSessionTabId=ekBtqQl2QNg
19:12:56,574 WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.15.0.182, error=expired_code, restart_after_timeout=true, authSessionParentId=472d5675-cb73-4039-a69c-bcb8b8813d62, authSessionTabId=RCqBL8NjBk4

After setting it back to 1, I am able to log in again.

Version

17.0.0

Expected behavior

Log in to the admin console without issues.

Actual behavior

The console tells me that my login attempt has timed out and asks me to log in again. I tried multiple times without success.

How to Reproduce?

Keycloak operator version: 17.0.0

Keycloak CR:

apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: keycloak
  labels:
    app: sso
spec:
  instances: 3
  migration:
    strategy: rolling
  externalDatabase:
    enabled: True  
  keycloakDeploymentSpec:
    experimental:
      env:
        - name: KEYCLOAK_FRONTEND_URL
          value: https://mydomain.com/auth

Anything else?

No response
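A log triage example for the symptom in this report, added here and not code from the Keycloak project or the reporter: it parses `org.keycloak.events` lines in the format quoted above and reports realms where `expired_code` hit several distinct auth sessions within a short window. The sample lines, the function names, the 60-second window and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in the report (values are made up).
_E = "WARN  [org.keycloak.events] (default task-5) type=LOGIN_ERROR, "
SAMPLE = [
    "19:12:40,000 INFO  [org.jboss.as] (main) started",
    "19:12:42,051 " + _E + "realmId=master, ipAddress=10.0.0.5, error=expired_code, authSessionParentId=s1",
    "19:12:55,682 " + _E + "realmId=master, ipAddress=10.0.0.5, error=expired_code, authSessionParentId=s2",
    "19:12:56,031 " + _E + "realmId=master, ipAddress=10.0.0.9, error=expired_code, authSessionParentId=s3",
    "19:12:56,574 " + _E + "realmId=master, ipAddress=10.0.0.5, error=expired_code, authSessionParentId=s4",
    "19:12:57,000 " + _E + "realmId=demo, ipAddress=10.0.0.7, error=expired_code, authSessionParentId=s5",
    "19:20:00,000 " + _E + "realmId=master, ipAddress=10.0.0.5, error=invalid_user_credentials, authSessionParentId=s6",
]

EVENT = re.compile(r"^(\d{2}:\d{2}:\d{2}),(\d{3}) \w+\s+\[org\.keycloak\.events\] \([^)]*\) (.*)$")

def parse_event(line):
    """Return the key=value fields of one event line plus 'time', or None for other lines."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split(", ") if "=" in kv)
    # Lines carry a time of day only, so a window that crosses midnight is not handled.
    fields["time"] = datetime.strptime(m.group(1), "%H:%M:%S") + timedelta(milliseconds=int(m.group(2)))
    return fields

def expired_code_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Per realm, report the largest window holding >= threshold distinct expired sessions."""
    per_realm = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("type") == "LOGIN_ERROR" and ev.get("error") == "expired_code":
            per_realm[ev.get("realmId")].append(ev)
    findings = {}
    for realm, evs in per_realm.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            burst = evs[start:end + 1]
            sessions = {e.get("authSessionParentId") for e in burst}
            if len(sessions) >= threshold and len(burst) > findings.get(realm, {}).get("events", 0):
                findings[realm] = {"events": len(burst), "sessions": len(sessions),
                                   "ips": sorted({e.get("ipAddress") for e in burst})}
    return findings
```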

andreaTP commented 2 years ago

Hi @tomhuang12, sorry for the late reply. I have attempted to reproduce this issue without success:

Would you be able to provide additional information to try to narrow down the issue? Thanks in advance!

tomhuang12 commented 2 years ago

@andreaTP thanks for looking into this. I think it was due to my network policy defaulting to deny all. Opening it up a bit seemed to solve the issue.

andreaTP commented 2 years ago

Thanks for the feedback!