
feat: add keycloak template #3109

Merged

Conversation

christiankolbow
Contributor

This PR adds the Keycloak service as a template (with or without Postgres).

@peaklabs-dev
Member

Will close this: #1819

@andrasbacsai andrasbacsai added the ⚙️ Service Issues requesting or PRs adding/fixing service templates. label Aug 27, 2024
@TimKochDev
Contributor

Hi, thank you for your effort. I'd love to try keycloak in Coolify!

Unfortunately, I had some trouble trying your proposed compose file in Coolify directly. I was sure that it was me who simply didn't understand Docker Compose and Keycloak enough. But the more I dug in, the more questions I found...

  • I guess TZ=Europe/Berlin somehow sets the timezone? Why would you set the keycloak container of every Coolify user to German time?
  • If I understand correctly, the keycloak dockerfile allows two commands to run: start and start-dev. Given that you used start it seems that you want to offer a production-ready service template. But defaulting the admin credentials to "admin" and "password" contradicts this.
  • The option KC_ENABLE_HTTPS=false doesn't even exist in the official keycloak documentation, does it?
  • When I tested your proposed keycloak-with-postgres.yaml on Coolify's *.sslip.io domains, the keycloak web app started but logging in failed with "Cookie not found".

Thanks for your help

@christiankolbow
Contributor Author

That's how we Germans are. Just kidding.
You're right, of course. The time zone must of course be a variable.
I have also changed the password and username. That was a good point.
I can't understand the “Cookie not found” error. I'll have to take a closer look at that.

@christiankolbow
Contributor Author

Have you tested another browser to see if the error also occurs there? Unfortunately, I cannot reproduce it.

@TimKochDev
Contributor

TimKochDev commented Aug 31, 2024

Amazing! And hello from Hamburg, Germany. I understand your choice of timezone :)

You don't have to look further into the "Cookie not found" error. It was certainly due to a missing TLS certificate.

The number of production-ready docker files I have written in my life is exactly zero. But since you approved my points, I feel encouraged to ask more questions, okay?

  • I found very few sources on the internet advocating to define PUID and PGID. I skimmed Coolify's existing templates and found only a handful defining these variables. Are they necessary?
  • I'm wondering if we could remove all non-secret Keycloak config variables like KC_DB_POOL_INITIAL_SIZE=${KEYCLOAK_DB_POOL_INITIAL_SIZE}. Currently, Coolify notices them and creates environment variables for them. You could argue that users can edit them in Coolify's UI very easily then. But when they want to set a more advanced Keycloak config, they'd have to open the Docker Compose file anyway, right? So IMHO we'd either have to expose a) the full set of Keycloak's config (hell no) or b) only the minimum (i.e. secrets like password and dynamic values like hostname). Do you agree?
  • I found very little documentation about KC_OVERRIDE. It looks dangerous. Do you know what it does?

@christiankolbow
Contributor Author

christiankolbow commented Aug 31, 2024

https://www.keycloak.org/server/all-config

KC_OVERRIDE=true is the default.
Regarding your question: KC_OVERRIDE is only used when you import files.

To be honest, it was my first template for coolify. But I agree with you and can do it like that.

@TimKochDev
Contributor

@christiankolbow Does the current setup allow you to complete this simple test flow? For me, when I try to access <hostname>/realms/myrealm/account to log in as the newly created user, I just get shown a loading spinner and Chrome devtools show a 403 error.

I followed the tutorial locally. There it works.

@christiankolbow
Contributor Author

@TimKochDev yes sorry, you need another variable if you work with traefik.
KC_PROXY_HEADERS=xforwarded

I have fixed it.

@liamwh

liamwh commented Sep 18, 2024

Any updates on this? Would love to consume this service!

@liamwh

liamwh commented Sep 18, 2024

FWIW I get this when I try to open a shell in the Keycloak container:
(screenshot)

@liamwh

liamwh commented Sep 18, 2024

FWIW I tried copy and pasting the YAML from the Keycloak + Postgres, but I couldn't get it to be accessible:
(screenshot)

I get this when I try to load it:
(screenshot)

@liamwh

liamwh commented Sep 18, 2024

Logs do appear ok though 🤷‍♂️:

2024-09-18T10:02:49.456236610Z Changes detected in configuration. Updating the server image.
2024-09-18T10:02:49.510467050Z Updating the configuration and installing your custom providers, if any. Please wait.
2024-09-18T10:03:06.542524723Z 2024-09-18 12:03:06,539 INFO  [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 15642ms
2024-09-18T10:03:06.578734103Z Server configuration updated and persisted. Run the following command to review the configuration:
2024-09-18T10:03:06.578764172Z 
2024-09-18T10:03:06.580222039Z 	kc.sh show-config
2024-09-18T10:03:06.580270947Z 
2024-09-18T10:03:06.583218693Z Next time you run the server, just run:
2024-09-18T10:03:06.583245079Z 
2024-09-18T10:03:06.583249470Z 	kc.sh start --optimized
2024-09-18T10:03:06.583253359Z 
2024-09-18T10:03:14.705868600Z 2024-09-18 12:03:14,695 INFO  [org.infinispan.CONTAINER] (Thread-5) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-09-18T10:03:15.672829355Z 2024-09-18 12:03:15,670 WARN  [org.jgroups.stack.Configurator] (Thread-5) JGRP000014: ThreadPool.thread_dumps_threshold has been deprecated: ignored
2024-09-18T10:03:15.711741729Z 2024-09-18 12:03:15,708 INFO  [org.infinispan.CLUSTER] (Thread-5) ISPN000078: Starting JGroups channel `ISPN` with stack `udp`
2024-09-18T10:03:15.719629513Z 2024-09-18 12:03:15,719 INFO  [org.jgroups.JChannel] (Thread-5) local_addr: 10bb77f1-3fdc-4b0a-b1eb-843842fa9e63, name: d0daa2f9bbce-50718
2024-09-18T10:03:15.733502821Z 2024-09-18 12:03:15,733 WARN  [org.jgroups.protocols.UDP] (Thread-5) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-09-18T10:03:15.734561378Z 2024-09-18 12:03:15,734 WARN  [org.jgroups.protocols.UDP] (Thread-5) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
2024-09-18T10:03:15.734876592Z 2024-09-18 12:03:15,734 WARN  [org.jgroups.protocols.UDP] (Thread-5) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
2024-09-18T10:03:15.735236894Z 2024-09-18 12:03:15,735 WARN  [org.jgroups.protocols.UDP] (Thread-5) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
2024-09-18T10:03:15.746373219Z 2024-09-18 12:03:15,746 INFO  [org.jgroups.protocols.FD_SOCK2] (Thread-5) server listening on *.34752
2024-09-18T10:03:16.369839807Z 2024-09-18 12:03:16,369 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-09-18T10:03:17.759426977Z 2024-09-18 12:03:17,755 INFO  [org.jgroups.protocols.pbcast.GMS] (Thread-5) d0daa2f9bbce-50718: no members discovered after 2004 ms: creating cluster as coordinator
2024-09-18T10:03:17.774187084Z 2024-09-18 12:03:17,772 INFO  [org.infinispan.CLUSTER] (Thread-5) ISPN000094: Received new cluster view for channel ISPN: [d0daa2f9bbce-50718|0] (1) [d0daa2f9bbce-50718]
2024-09-18T10:03:17.870431002Z 2024-09-18 12:03:17,869 INFO  [org.infinispan.CLUSTER] (Thread-5) ISPN000079: Channel `ISPN` local address is `d0daa2f9bbce-50718`, physical addresses are `[172.26.0.3:50288]`
2024-09-18T10:03:18.466190745Z 2024-09-18 12:03:18,465 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: d0daa2f9bbce-50718, Site name: null
2024-09-18T10:03:20.785145485Z 2024-09-18 12:03:20,784 INFO  [io.quarkus] (main) Keycloak 25.0.5 on JVM (powered by Quarkus 3.8.5) started in 13.942s. Listening on: http://0.0.0.0:8080. Management interface listening on http://0.0.0.0:9000.
2024-09-18T10:03:20.785605317Z 2024-09-18 12:03:20,785 INFO  [io.quarkus] (main) Profile prod activated. 
2024-09-18T10:03:20.785783634Z 2024-09-18 12:03:20,785 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]

@liamwh

liamwh commented Sep 18, 2024

I parameterised the version of the image deployed, but that results in an extra container being listed:

(screenshot)

I also force cleaned up containers and deployed again, and now I cannot terminal into any container:
(screenshot)

@liamwh

liamwh commented Sep 18, 2024

Annnnnd I have no idea what fixed it but it's working now 😅


gitguardian bot commented Sep 19, 2024

✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@christiankolbow
Contributor Author

@liamwh What was your workflow like? You created a project and inserted the yml file as a docker-compose service? Did you change anything or did you deploy it directly?

@liamwh

liamwh commented Sep 21, 2024

> @liamwh What was your workflow like? You created a project and inserted the yml file as a docker-compose service? Did you change anything or did you deploy it directly?

Yes, a docker compose service. I messed around with the config a little, but not much. Unfortunately I really don't know what made it succeed in the end 🙈

@peaklabs-dev peaklabs-dev changed the base branch from next to new-services-2 October 8, 2024 19:28
@peaklabs-dev
Member

Thank you for the PR 💜. I will test it and fix it if necessary.

@peaklabs-dev peaklabs-dev merged commit 44f2d52 into coollabsio:new-services-2 Oct 8, 2024
1 check passed
@github-actions github-actions bot removed the ⚙️ Service Issues requesting or PRs adding/fixing service templates. label Oct 8, 2024
@danielemoraschi

danielemoraschi commented Nov 8, 2024

Hi, thanks for the work!

I'm having some issues configuring Keycloak.

Navigating to /admin/master/console/ I end up with a spinning loading screen, then a somethingWentWrong error.
I'm using a Cloudflare tunnel to expose the service, via Traefik.

Normally, you would get redirected to the login screen with an url similar to:
/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=<encoded url>&state=...&response_mode=query&response_type=code&scope=openid .... etc.

After doing some testing, I realised that if I construct the above URL manually, but use the http version of the domain in the redirect_uri, the login screen loads up (the login flow still fails, though). With https I get "Invalid parameter: redirect_uri".

Probably the issue is the mismatch between the internal http version of the domain assigned to the container, against the public https one.

(screenshot)

Thanks
