Identity not connecting to existing Keycloak

I am trying to connect Camunda 8 Identity to our existing Keycloak (v22) using the Camunda Helm chart. I have the following definition for the Keycloak connection:

global:
  identity:
    keycloak:
      url:
        protocol: "https"
        host: "keycloak.keycloak.svc.cluster.local"
        port: "443"
      contextPath: "/"
      realm: "/realms/camunda-platform"
      auth:
        adminUser: "admin"
        existingSecret: "keycloak-auth"
        existingSecretKey: "admin-password"

identity:
  keycloak:
    enabled: false

The pod or Identity container fails with the following error:

2024-03-23 08:58:26.371 ERROR 1 --- [           main] o.s.b.SpringApplication                  : Application run failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'frontendController': Invocation of init method failed
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:222) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:419) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1760) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:596) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:518) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:325) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:323) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:949) ~[spring-context-6.0.17.jar!/:6.0.17]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:615) ~[spring-context-6.0.17.jar!/:6.0.17]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.1.9.jar!/:3.1.9]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:738) [spring-boot-3.1.9.jar!/:3.1.9]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:440) [spring-boot-3.1.9.jar!/:3.1.9]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:324) [spring-boot-3.1.9.jar!/:3.1.9]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317) [spring-boot-3.1.9.jar!/:3.1.9]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306) [spring-boot-3.1.9.jar!/:3.1.9]
        at io.camunda.identity.Application.main(Application.java:21) [classes!/:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [identity.jar:?]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:95) [identity.jar:?]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [identity.jar:?]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) [identity.jar:?]
Caused by: java.lang.IllegalArgumentException: Expected authority at index 7: http://
        at java.net.URI.create(Unknown Source) ~[?:?]
        at io.camunda.identity.config.IdentityCommon.basePath(IdentityCommon.java:62) ~[classes!/:?]
        at io.camunda.identity.frontend.controller.FrontendController.initialize(FrontendController.java:53) ~[classes!/:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMethod.invoke(InitDestroyAnnotationBeanPostProcessor.java:457) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:401) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:219) ~[spring-beans-6.0.17.jar!/:6.0.17]
        ... 26 more
Caused by: java.net.URISyntaxException: Expected authority at index 7: http://
        at java.net.URI$Parser.fail(Unknown Source) ~[?:?]
        at java.net.URI$Parser.failExpecting(Unknown Source) ~[?:?]
        at java.net.URI$Parser.parseHierarchical(Unknown Source) ~[?:?]
        at java.net.URI$Parser.parse(Unknown Source) ~[?:?]
        at java.net.URI.<init>(Unknown Source) ~[?:?]
        at java.net.URI.create(Unknown Source) ~[?:?]
        at io.camunda.identity.config.IdentityCommon.basePath(IdentityCommon.java:62) ~[classes!/:?]
        at io.camunda.identity.frontend.controller.FrontendController.initialize(FrontendController.java:53) ~[classes!/:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMethod.invoke(InitDestroyAnnotationBeanPostProcessor.java:457) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:401) ~[spring-beans-6.0.17.jar!/:6.0.17]
        at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:219) ~[spring-beans-6.0.17.jar!/:6.0.17]
        ... 26 more
  • I have double-checked the password in the secret and I am able to log in to the Keycloak admin panel using the same credentials.
  • The chart uses Camunda v8.4.5. I have tried Identity v8.5.0-alpha2 but I get the same error.

Thank you,
Hazhir

Hello,
I fixed this by setting the helm value

identity:
  fullURL: <your identity web url>

Hi @Gerald
Thank you for your reply. Although I cannot find such a property in the original Helm chart, I have passed it via --set and I don't see the same error, but I see that it can't connect to Keycloak. Are there additional properties outside the original Helm chart which need to be set? Do you mind sharing your values?

2024-03-27 07:04:01.631  INFO 1 --- [           main] i.c.i.Application                        : Started Application in 5.825 seconds (process running for 7.048)
2024-03-27 07:04:01.932 ERROR 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Failure #1. Unable to connect to Keycloak.
2024-03-27 07:04:31.933  WARN 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Retrying...
2024-03-27 07:04:31.974 ERROR 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Failure #2. Unable to connect to Keycloak.
2024-03-27 07:05:01.974  WARN 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Retrying...
2024-03-27 07:05:02.007 ERROR 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Failure #3. Unable to connect to Keycloak.
2024-03-27 07:05:32.008  WARN 1 --- [           main] i.c.i.i.k.c.KeycloakConfiguration        : Retrying...

Thank you,
Hazhir

Hi,
This setting is needed to avoid the following error:
Caused by: java.net.URISyntaxException: Expected authority at index 7: http://

I simply added it in my own my-values.yaml file applied using helm upgrade … -f my-values.yaml …

It is directly at the YAML root; I added the http/https URL of the Camunda Identity web interface (as you can see, it is at the root level, i.e. the same level as the identityKeycloak I overrode to use my own Keycloak instance).

Ex:
identityKeycloak:
  enabled: false

identity:
  fullURL: https://camunda-identity.my-own-domain.corp

So if you no longer have the “Expected authority at index 7: http://” error, it is fixed.

But now, if you have “Failure #1. Unable to connect to Keycloak.” instead of the previous one, there is an issue with the configuration or certificate.

If you wait long enough you will get a more detailed error after a certain number of retries. Maybe you use HTTPS but you are behind a corporate proxy or use a self-signed certificate. In this case you need to configure your image to trust those certificates. Or maybe it is another kind of issue with the Keycloak config.
It can be linked


Hi @Gerald
Thank you for the details. You are absolutely right. After a few Keycloak connection attempts I get the following error:

RESTEASY004655: Unable to invoke request: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This indicates that Identity cannot validate the Keycloak cert because Keycloak is using self-signed certs.

Next, I tried to import the KC CA cert into the Identity container. I downloaded the KC CA cert and imported it into the Identity cacerts keystore:

keytool -import -noprompt -v -alias kc-ca-cert -keystore /opt/java/openjdk/lib/security/cacerts -file /opt/kc-ca.crt -storepass changeit

Now Identity pod runs fine

2024-03-27 15:36:16.442  INFO 1 --- [           main] i.c.i.Application                        : Started Application in 5.755 seconds (process running for 7.019)
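The thread above runs into three distinct failures in sequence: `identity.fullURL` missing (Identity builds a bare `http://` with no authority), Keycloak unreachable, and finally a PKIX failure because the JVM does not trust the self-signed CA. The following pre-flight script is an added example, not code from the forum posts or from the Camunda project. It reproduces the `fullURL` check with the same rule `java.net.URI` applies (scheme plus a non-empty authority), builds the Keycloak realm discovery URL from the `global.identity.keycloak` values, and optionally fetches that discovery document while trusting only the supplied CA file, which is the same certificate-path validation Identity's JVM performs. How the Helm chart joins `protocol`, `host`, `port`, `contextPath` and `realm` into one URL is an assumption here; the values dictionary is constructed from the thread's YAML.

```python
"""Pre-flight check for wiring Camunda Identity to an external Keycloak.

Added example, not part of the forum thread or the Camunda Helm chart.
Assumption (not confirmed by the thread): the chart joins
global.identity.keycloak.url.{protocol,host,port} + contextPath + realm into
one base URL, and identity.fullURL must be an absolute URL with a host.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed from the YAML posted in the thread (not a real cluster).
VALUES_FROM_THREAD = {
    "global": {
        "identity": {
            "keycloak": {
                "url": {
                    "protocol": "https",
                    "host": "keycloak.keycloak.svc.cluster.local",
                    "port": "443",
                },
                "contextPath": "/",
                "realm": "/realms/camunda-platform",
            }
        }
    },
    # identity.fullURL deliberately absent: this is the first failure mode.
    "identity": {},
}


def keycloak_base_url(values: dict) -> str:
    """Join protocol/host/port/contextPath into the Keycloak base URL."""
    kc = values["global"]["identity"]["keycloak"]
    url = kc["url"]
    ctx = kc.get("contextPath", "/").strip("/")
    base = f'{url["protocol"]}://{url["host"]}:{url["port"]}'
    return f"{base}/{ctx}" if ctx else base


def realm_discovery_url(values: dict) -> str:
    """OIDC discovery endpoint of the configured realm."""
    realm = values["global"]["identity"]["keycloak"]["realm"].strip("/")
    return f"{keycloak_base_url(values)}/{realm}/.well-known/openid-configuration"


def check_identity_full_url(values: dict) -> list:
    """Return a list of problems with identity.fullURL.

    Mirrors the java.net.URI failure in the thread: a value that reduces to
    'http://' has a scheme but no authority (host), so URI.create() rejects it.
    """
    problems = []
    full = (values.get("identity") or {}).get("fullURL")
    if not full:
        problems.append("identity.fullURL is unset; Identity falls back to a bare scheme with no authority")
        return problems
    parts = urlsplit(full)
    if parts.scheme not in ("http", "https"):
        problems.append(f"identity.fullURL has unexpected scheme {parts.scheme!r}")
    if not parts.netloc:
        problems.append(f"identity.fullURL {full!r} has no authority (host)")
    return problems


def fetch_discovery(values: dict, ca_pem_path: str, timeout: float = 10.0) -> dict:
    """Fetch the realm discovery document trusting ONLY the CA in ca_pem_path.

    This is the same PKIX path validation the Identity JVM performs against
    its cacerts keystore. An ssl.SSLCertVerificationError here means the CA
    must be added to the JVM truststore; verification must not be disabled.
    Network call: not exercised by the offline checks above.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    req = urllib.request.Request(realm_discovery_url(values))
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for p in check_identity_full_url(VALUES_FROM_THREAD):
        print("PROBLEM:", p)
    print("Would probe:", realm_discovery_url(VALUES_FROM_THREAD))
```

Run the script against your own values before `helm upgrade`; once `check_identity_full_url` returns no problems, call `fetch_discovery(values, "/opt/kc-ca.crt")` from inside the cluster network to confirm the CA you intend to import actually validates the Keycloak server certificate. Note that a `keytool -import` executed inside a running container only lasts until the pod is recreated; for a durable fix, bake the CA into the image or mount a truststore into the pod.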
