keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Support IPv6 only environments #21277

Open stianst opened 1 year ago

stianst commented 1 year ago

Description

As a follow-up to https://github.com/keycloak/keycloak/issues/15003 we should also support IPv6 environments where Keycloak is deployed.

Discussion

No response

Motivation

No response

Details

No response

see-quick commented 1 year ago

As I saw a comment from @vmuzikar, I will write it and reference it here:

> I'm a bit concerned about testing that, mainly from the Operator side (AFAIK, the minikube that we rely on doesn't support IPv6)

For such a testing scenario, you could use kind [1], which supports IPv6 or dual stack and is very similar to minikube.

[1] - https://kind.sigs.k8s.io/

vhelke commented 3 months ago

This hasn't progressed for a long time. Has anyone found a workaround for IPv6 only networks?

Ken-Michalak commented 2 months ago

> This hasn't progressed for a long time. Has anyone found a workaround for IPv6 only networks?

In EKS with ipv6 only, I was able to get clustering working with these:

```
JAVA_OPTS_APPEND="-Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Stack=true -Djgroups.bind_addr=match-address:2600:.*"
```

There's also https://github.com/keycloak/keycloak/issues/12554#issuecomment-1502377881 with -Djgroups.bind_addr=global, but even with the preferred ipv6, jgroups kept binding to some internal ipv4 in the pod, so I had to use match-address instead.

vhelke commented 2 months ago

That looked promising but unfortunately didn't work for me. I'm running a self-hosted k8s cluster with cilium networking (native routing mode).

Keycloak output:

```
Appending additional Java properties to JAVA_OPTS
...
WARN  [org.jgroups.stack.Configurator] (Thread-5) JGRP000026: unable to find an address other than loopback for IP version IPv4
ERROR [org.infinispan.CONFIG] (Thread-5) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
ERROR: Failed to start server in (production) mode
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start embedded or remote cache manager
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Network interface not configured for IPv4
```