update keycloak for HA

2025-03-30 18:14:34 +02:00
parent af5f476974
commit 47ecde29fd
1 changed files with 9 additions and 5 deletions
--- a/deploy/keycloak/keycloak.yaml
+++ b/deploy/keycloak/keycloak.yaml
@@ -53,7 +53,7 @@ spec:
            - "start"
            - "--cache=ispn"                      # Enable distributed Infinispan cache (HA mode) [oai_citation_attribution:0‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=When%20you%20start%20Keycloak%20in,in%20your%20network%20are%20discovered)
            - "--cache-stack=kubernetes"          # Use built-in Kubernetes stack for clustering (DNS_PING)
-            - "--hostname=https://sso.panic.haus" # External URL for Keycloak (use HTTPS for TLS offload)
+#            - "--hostname=https://sso.panic.haus" # External URL for Keycloak (use HTTPS for TLS offload)
            - "--http-enabled=true"               # Allow Keycloak to listen on HTTP (for edge TLS termination) [oai_citation_attribution:1‡keycloak.org](https://www.keycloak.org/server/hostname#:~:text=provides%20the%20flexibility%20for%20users,start%20the%20server%20as%20follows)
            - "-Djgroups.dns.query=keycloak-headless"
          env:
@@ -61,8 +61,10 @@ spec:
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin"
-            - name: KC_HOSTNAME
-              value: "sso.panic.haus"
+#            - name: KC_PROXY_HEADERS
+#              value: "xforwarded"
+#            - name: KC_HOSTNAME
+#              value: "sso.panic.haus"
            - name: KC_HTTP_ENABLED
              value: "true"
            - name: KC_HEALTH_ENABLED
@@ -91,6 +93,8 @@ spec:
            # Enable proxy address forwarding since Keycloak is behind an NGINX proxy
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"                        # Trust X-Forwarded-* headers [oai_citation_attribution:3‡github.com](https://github.com/codecentric/helm-charts/issues/325#:~:text=extraEnv%3A%20%7C%20,name%3A%20CACHE_OWNERS_AUTH_SESSIONS_COUNT)
+#            - name: KC_PROXY
+#              value: "edge"                        # Keycloak is behind an edge (TLS termination) proxy
            - name: KC_HOSTNAME_STRICT
              value: "false"                       # Disable strict host check (allow internal/external host differences)
            # (Optional) Enable health and metrics endpoints for monitoring:
@@ -108,13 +112,13 @@ spec:
            httpGet:
              path: /health/live
              port: 8080
-            initialDelaySeconds: 60
+            initialDelaySeconds: 90
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8080
-            initialDelaySeconds: 30
+            initialDelaySeconds: 60
            periodSeconds: 15
      affinity:
        # Spread pods across different nodes for higher availability