thomasdarimont / keycloak-health-checks

Keycloak Extension for health checks
Apache License 2.0

Adjustments/configuration for Keycloak >=17.0.0 #25

Open Wolfsrudel opened 2 years ago

Wolfsrudel commented 2 years ago

I tried to deploy the module/provider in a new Keycloak 17.0.0 installation. To do this I took the following steps:

cp keycloak-health-checks.jar <keycloak_home>/providers
chown keycloak:keycloak <keycloak_home>/providers/keycloak-health-checks.jar
<keycloak_home>/bin/kc.sh start --auto-build

The provider is deployed and works for filesystem but not for database and infinispan. The following error appears:

curl -s http://localhost:8080/auth/realms/master/health/check | jq -C .
{
  "name": "keycloak",
  "state": "DOWN",
  "details": {
    "database": {
      "connection": "error",
      "message": "Need to specify class name in environment or system property, or in an application resource file: java.naming.factory.initial",
      "state": "DOWN"
    },
    "filesystem": {
      "freebytes": 25301344256,
      "state": "UP"
    },
    "infinispan": {
      "error": "health-check",
      "errorMessage": "javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or in an application resource file: java.naming.factory.initial",
      "state": "DOWN"
    }
  }
}

The database connection is controlled by configuration file (<keycloak_home>/conf/keycloak.conf) and environment variables.

I assume that the module has to be adapted for 17.0.0. Am I right?

fperot74 commented 2 years ago

Hi @Wolfsrudel, I'm interested in an upgrade to KC17 too (or maybe KC18 in a few days)... Did you have a chance to resolve these naming issues?

Wolfsrudel commented 2 years ago

No. I also assume with difficulty that something needs to be done here in terms of programming. A "simple" adjustment in terms of configuration doesn't seem to be enough.

fperot74 commented 2 years ago

As answered by @thomasdarimont on keycloak-dev mailing list:

you can already define custom health checks as CDI components for Keycloak-legacy and Keycloak.X if metrics are enabled. See: https://github.com/thomasdarimont/keycloak-project-example/blob/main/keycloak/extensions/src/main/java/com/github/thomasdarimont/keycloak/custom/health/CustomHealthChecks.java

Using Kubernetes, I need to check if our devops are able to check responsiveness directly with these metrics but, if not, I think we can replace the DB datasource lookup in DatabaseHealthIndicator by:

protected DataSource lookupDataSource() throws Exception {
  return CDI.current().select(DataSource.class).get();
}
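
Added example, not code from the project or from the fix that later landed in the repository: one way a database indicator could resolve the datasource on both distributions, trying the CDI lookup quoted above first and falling back to JNDI. The class name `DataSourceLocator`, the `check` helper and the legacy JNDI name are assumptions made for illustration.

```java
import java.sql.Connection;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/** Hypothetical helper: resolve the Keycloak DataSource on Keycloak.X and on Keycloak-Legacy. */
public class DataSourceLocator {

    // Assumption: JNDI name of the datasource on the WildFly-based (legacy) distribution.
    static final String LEGACY_JNDI_NAME = "java:jboss/datasources/KeycloakDS";

    /** Try CDI first (Keycloak.X), then fall back to JNDI (legacy). */
    public static DataSource lookupDataSource() throws NamingException {
        DataSource fromCdi = lookupViaCdi();
        if (fromCdi != null) {
            return fromCdi;
        }
        // On Keycloak.X this is the call that fails with NoInitialContextException,
        // so it is only reached when no CDI-managed DataSource was found.
        return (DataSource) new InitialContext().lookup(LEGACY_JNDI_NAME);
    }

    private static DataSource lookupViaCdi() {
        try {
            Instance<DataSource> candidates = CDI.current().select(DataSource.class);
            // isResolvable() is false when no bean or more than one bean matches.
            return candidates.isResolvable() ? candidates.get() : null;
        } catch (IllegalStateException e) {
            // CDI.current() throws this when no CDI container is available.
            return null;
        }
    }

    /** Return "UP" only if a connection can be obtained and validated within the timeout. */
    public static String check(int timeoutSeconds) {
        try (Connection connection = lookupDataSource().getConnection()) {
            return connection.isValid(timeoutSeconds) ? "UP" : "DOWN";
        } catch (Exception e) {
            // Exception detail is deliberately not returned to the caller, unlike the
            // "message" field in the output above, which echoes internal error text.
            return "DOWN";
        }
    }
}
```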

thomasdarimont commented 2 years ago

Thanks for the heads-up. I just updated the health-checks for Keycloak 17.0.1 with support for Keycloak-Legacy and Keycloak.X.

Wolfsrudel commented 2 years ago

You rock! I will try this tomorrow.

zdykstra commented 2 years ago

I was able to use this under Keycloak.X, 17.0.1. The health check URL is now /realms/$realm/health/check, but it otherwise seems to report useable metrics. Is details.infinispan.healthStatus just a rollup of the details.infinispan.cacheDetails[].healthStatus?