We want to deploy Key cloak in GCP Cloud Run.
Is Key cloak suitable to run on GCP Cloud Run? Keycloak’s database will be in Cloud SQL (MySQL).

when we are trying to run key cloak docker image in GCP Cloud Run we are getting below error:

2023-03-31 12:10:15,740 WARN [org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator] (JPA Startup Thread: keycloak-default) HHH000342: Could not obtain connection to query metadata: java.sql.SQLException: Acquisition timeout while waiting for new connection

image1920×740 176 KB

Below is my docker file:
FROM Quay as builder

Enable health and metrics support

ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

Configure a database vendor

ENV KC_DB=mysql

WORKDIR /opt/keycloak

for demonstration purposes only, please make sure to use proper certificates in production instead

RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname “CN=server” -alias server -ext “SAN:c=DNS:localhost,IP:127.0.0.1” -keystore conf/server.keystore
RUN /opt/keycloak/bin/kc.sh build

FROM Quay
COPY --from=builder /opt/keycloak/ /opt/keycloak/

change these values to point to a running postgres instance

ENV KC_DB=mariadb
ENV KC_DB_URL=jdbc:mysql://mysql:3306/keycloak?useSSL=false&characterEncoding=UTF-8
ENV KC_DB_USERNAME=keycloak
ENV KC_DB_PASSWORD=keycloak.123
ENV KC_HOSTNAME=localhost
ENTRYPOINT [“/opt/keycloak/bin/kc.sh”,“start”]

Please let me know your thoughts.

Hi, were you able to run keycloak on docker? Did you make any changes to Dockerfile?
I am trying to do the same but via postgres database.

Hi
I am able to run keycloak on docker but admin console is not working

Did you make any changes to the docker file also which keycloak image did you use?
Are you using cloudsql for database?

Can you please share your dockerfile.

yes i didn’t make any changes to the docker file it is woking in docker installed in compute engine

and yes i am using cloud sql (MYSQL) and I got the keycloak UI but admin console is disabled

and I followed the different approach to run keycloak it is working perfectly in docker installed compute engine but not in cloud run
Steps:

1. Download the keycloak code
   Downloads - Keycloak

2. change database details in conf/keycloak.conf file and map the VM ip to domain name
   add the SSL certs to that code and add domain name and certs in keycloak.conf file

3. use below docker file:
   FROM adoptopenjdk/openjdk11
   RUN mkdir -p /app
   WORKDIR /app
   COPY . /app
   EXPOSE 8443
   EXPOSE 3306
   CMD [ “./keycloak-21.0.1/bin/kc.sh”, “start --optimized” ]

4. run the image in 8443:8443 ports
   It will work perfectly in docker installed compute engine but not in cloudrun

below is the keycloak.conf file:

Basic settings for running in production. Change accordingly before deploying the server.

Database

The database vendor.

#db=postgres
db=mysql

The username of the database user.

#db-username=keycloak
db-username=keycloak

The password of the database user.

#db-password=password
db-password=keycloak.123

The full database JDBC URL. If not provided, a default URL is set based on the selected database vendor.

#db-url=jdbc:postgresql://localhost/keycloak
db-url=jdbc:mysql://mysql:3306/keycloak

Observability

If the server should expose healthcheck endpoints.

health-enabled=true

If the server should expose metrics endpoints.

metrics-enabled=true

HTTP

The file path to a server certificate or certificate chain in PEM format.

#https-certificate-file=${kc.home.dir}conf/server.crt.pem
https-certificate-file=/opt/keycloak-21.0.1/conf/server.crt.pem

The file path to a private key in PEM format.

#https-certificate-key-file=${kc.home.dir}conf/server.key.pem
https-certificate-key-file=/opt/keycloak-21.0.1/conf/server.key.pem

The proxy address forwarding mode if the server is behind a reverse proxy.

#proxy=reencrypt

Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy

#spi-sticky-session-encoder-infinispan-should-attach-route=false

Hostname for the Keycloak server.

hostname=domainname

Does anyone know why keycloak is not able to run in GCP CloudRun?

Hi @vamsi ;

I successfully deploy my keycloak 21 into cloud run but with some constraints (i’m currently facing to others issues but my keycloak is able to run correctly for now)

• You can not use Cloud SQL Proxy for the communication between Keycloak and Postgres ; your cloud run instance need to be set with a shared vpc ; your cloud sql instance needs to be set with this shared vpc too : Connecting to Private CloudSQL from Cloud Run  |  Google Codelabs
• you can not start keycloak in a tls mode ; only the proxy=edge mode is compatible with cloud run because cloud run kill the container if it start in a tls way: Contrat d'exécution du conteneur  |  Documentation Cloud Run  |  Google Cloud

i hope this helps

How have you integrated a caching solution for keycloak?
We only managed to run it with local caching, but not with infinispan.