Identity unable to connect to Keycloak

Due to a shortage of private IP addresses (10.x.x.x), I had to configure our EKS node to use addresses from another CIDR (100.x.x.x).

When deploying Camunda, Identity cannot connect to Keycloak and the following error occurred:

Failure #1. Unable to connect to Keycloak.

The Keycloak documentation at https://www.keycloak.org/docs/16.1/server_admin/#_ssl_modes says:

external requests: Users can interact with Keycloak without SSL so long as they stick to private IP addresses such as localhost, 127.0.0.1, 10.x.x.x, 192.168.x.x, and 172.16.x.x. If you try to access Keycloak without SSL from a non-private IP address, you will get an error.

The Camunda documentation describes a workaround in which “require ssl” can be disabled.

However, this is not recommended for non-dev environments. As far as I know, HTTPS is configured in our environment, so that should do the trick, but it didn’t. What is the solution for this problem?

Environment:

  • Platform: AWS
  • Chart version: 8.1.5
  • Values file:
operate:
  service:
    type: NodePort
identity:
  service:
    type: NodePort
  keycloak:
    service:
      type: NodePort
    extraEnvVars:
      - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
        value: "true"
      - name: KEYCLOAK_FRONTEND_URL
        value: "https://keycloak.example.com"
  env:
    - name: IDENTITY_URL
      value: "https://identity.example.com"
tasklist:
  service:
    type: NodePort
optimize:
  image:
    tag: 3.9.1
  service:
    type: NodePort
zeebe-gateway:
  service:
    type: NodePort
global:
  # image:
  #   tag: 8.0.6
  identity:
    auth:
      publicIssuerUrl: "https://keycloak.example.com/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://operate.example.com"
      tasklist:
        redirectUrl: "https://tasklist.example.com"
      optimize:
        redirectUrl: "https://optimize.example.com"
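
The following is an added example, not part of the original post and not Keycloak's own code: a small Python model of the "require SSL" rule quoted above, showing which request sources the `external` mode exempts from HTTPS. The function names and sample addresses are constructed for illustration, and "172.16.x.x" is assumed to mean the RFC 1918 block 172.16.0.0/12.

```python
import ipaddress

# Ranges the quoted Keycloak text lists as exempt from HTTPS in "external" mode.
# Assumption: "172.16.x.x" is read as the RFC 1918 block 172.16.0.0/12.
EXEMPT_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_exempt(client_ip: str) -> bool:
    """True if the address is in a range the quoted text treats as private."""
    if client_ip == "localhost":
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in EXEMPT_NETWORKS)


def https_required(ssl_mode: str, client_ip: str) -> bool:
    """Model of the realm "require SSL" decision (modes: all, external, none)."""
    if ssl_mode == "all":
        return True
    if ssl_mode == "none":
        return False
    if ssl_mode == "external":
        return not is_exempt(client_ip)
    raise ValueError(f"unknown SSL mode: {ssl_mode!r}")


def rejected_sources(ssl_mode, requests):
    """Return the (ip, scheme) pairs refused: plain HTTP where HTTPS is required."""
    return [(ip, scheme) for ip, scheme in requests
            if scheme == "http" and https_required(ssl_mode, ip)]


# Constructed sample: callers reaching Keycloak over plain HTTP or HTTPS.
SAMPLE = [
    ("10.0.12.7", "http"),     # source on the original 10.x.x.x range
    ("100.64.3.21", "http"),   # source on a 100.x.x.x CIDR (constructed address)
    ("100.64.3.21", "https"),  # same source, calling the HTTPS URL instead
    ("192.168.1.5", "http"),
]

if __name__ == "__main__":
    for ip, scheme in rejected_sources("external", SAMPLE):
        print(f"{scheme} request from {ip}: HTTPS required")
```

In this model only the plain-HTTP request from the 100.x.x.x source is refused under `external`; the same source is accepted once it calls over HTTPS, without changing the realm's SSL mode.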