Docker Config & "ignored during build time: kc.spi-hostname-v2-hostname"

Hello

I’m a full newbie to keycloak (still on authelia for prod)

I have this conf for Docker

services:
  keycloak:
      container_name: keycloak
      hostname: keycloak
      image: quay.io/keycloak/keycloak:latest
      restart: always
      environment:
        KC_FEATURES: "hostname:v2"
        KC_HOSTNAME: "https://keycloak.xxxx.com"
        KC_HTTP_ENABLED: "true"
        KC_HEALTH_ENABLED: "true"
        KC_BOOTSTRAP_ADMIN_USERNAME: admin
        KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
        PROXY_ADDRESS_FORWARDING: "true"

      ports:
        - "17080:8080"
      networks: 
        - default
        - caddy_ext
      command: start

networks:
  default:
    driver: bridge
  caddy_ext: 
    name: caddy_ext_default
    external: true

Keycloak is working and accessible through caddy with https://keycloak.xxxx.com

BUT
Looking at container log I have this issue:
2024-10-16 09:40:20,961 WARN [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following run time options were found, but will be ignored during build time: kc.spi-hostname-v2-hostname

I can’t understand why.

Thanks for help

Because it’s a runtime option and with just using start as the command, the build step will automatically be executed before starting (running) the server, thus the log entry.
Basically, you don’t have to configure explicitly the hostname-v2 feature, as this is default since KC25.

Additionally: NEVER use the latest tag on a Docker image. latest is a moving target and might yield unexpected behavior when updated. Always use explicit versions, currently e.g. 26.0.0.

Also: PROXY_ADDRESS_FORWARDING is not used at all by Keycloak. If you are running KC behind a reverse proxy, see Using a reverse proxy - Keycloak
Always read the official docs, never use outdated blog posts and copy things without understanding.
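
The two-phase start the reply above describes, written out as the `kc.sh build` / `kc.sh start --optimized` command pair from the Keycloak documentation so that it is visible which options belong to which phase. This is an added example, not code from the reply or from the Keycloak project. It assumes the official image's `/opt/keycloak/bin/kc.sh` path, a Postgres host named `db`, and that the database password is supplied through the `KC_DB_PASSWORD` environment variable (Keycloak maps it to `--db-password`) instead of on the command line where `ps` would show it. The `check_build_opts` guard is this example's own, modelled on the "ignored during build time" warning; Keycloak does not ship it. With `--optimized` the start phase skips the implicit rebuild, so run-time options are never handed to the build step and the warning goes away; without it the warning is harmless, because the same options are read again when the server actually starts.

```shell
#!/bin/sh
# Added example: keep Keycloak's build-time options apart from its run-time options.
# Assumptions: kc.sh at the official image path, a Postgres host named "db",
# KC_DB_PASSWORD set in the environment (read by Keycloak as --db-password).
set -eu
KC="${KC:-/opt/keycloak/bin/kc.sh}"

# Build-time options: compiled into the server by "kc.sh build".
# Changing one of these means running "build" again.
build_opts() {
  printf '%s ' \
    --db=postgres \
    --health-enabled=true \
    --metrics-enabled=true \
    --features=passkeys
}

# Run-time options: read when the server starts. Handing them to "build" is what
# produces "run time options were found, but will be ignored during build time".
start_opts() {
  printf '%s ' \
    --optimized \
    --hostname=https://keycloak.xxxx.com \
    --http-enabled=true \
    --proxy-headers=xforwarded \
    --db-url=jdbc:postgresql://db/keycloak \
    --db-username=keycloak
}

# Guard mirroring Keycloak's warning: fail if a run-time option slipped into the build list.
check_build_opts() {
  for o in $(build_opts); do
    case "$o" in
      --hostname*|--proxy-headers*|--http-enabled*|--http-port*|--https-*|--db-url*|--db-username*|--db-password*|--bootstrap-admin-*)
        echo "run-time option in build phase: $o" >&2
        return 1 ;;
    esac
  done
  return 0
}

main() {
  check_build_opts
  # Phase 1: build once (plain "start" does this implicitly on every boot).
  "$KC" build $(build_opts)
  # Phase 2: start with --optimized, so only run-time options are parsed.
  exec "$KC" start $(start_opts)
}

# Only start the server when invoked as "./kc-start.sh --run"; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

In a Dockerfile the same split is a `RUN /opt/keycloak/bin/kc.sh build ...` layer followed by `CMD ["start", "--optimized", ...]`; the script form is shown here because it is what the commands look like when typed into the container.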

Thanks for taking the time to answer

TBH I’m only learning through examples,
thus using blog posts etc. to understand.

The doc is kind of cryptic to me (I’m not a god of reverse proxies, but I have used a lot of them and the doc is hard to understand)

and for example

  keycloak:
      container_name: keycloak
      hostname: keycloak
      image: quay.io/keycloak/keycloak:26.0
      restart: always
      environment:
        KC_HOSTNAME_STRICT: "false"
        KC_HTTP_ENABLED: "true"
        KC_HEALTH_ENABLED: "true"
        KC_BOOTSTRAP_ADMIN_USERNAME: admin
        KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
        KC_PROXY_HEADERS: xforwarded
      ports:
        - "17080:8080"
        - "17090:9000"
      networks: 
        - default
        - caddy_ext
      command:
        - start

Same issue.
If you have a good and up-to-date tutorial, please send it :slight_smile:
Thanks again

Hello Stan,

the following configuration works for me (example env with caddy, keycloak and postgresql).

In my example I expose caddy / keycloak via the local domain id.acme.test, which I mapped to 127.0.0.1 in my /etc/hosts file.

I used mkcert to generate the certificate and key locally: GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like.

docker-compose.yml

services:
  caddy-keycloak-db:
    image: postgres:15
    volumes:
      - postgres_data_kc_caddy:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    ports:
      - 5433:5432

    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5

  caddy-keycloak:
    image: quay.io/keycloak/keycloak:26.0.0
    environment:
      KEYCLOAK_ADMIN: admin            # deprecated since KC 26, KC_BOOTSTRAP_ADMIN_USERNAME is the current name
      KEYCLOAK_ADMIN_PASSWORD: admin   # deprecated since KC 26, KC_BOOTSTRAP_ADMIN_PASSWORD is the current name
      KC_DB: postgres
      KC_DB_SCHEMA: public
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KC_DB_URL: jdbc:postgresql://caddy-keycloak-db/keycloak
      KC_HOSTNAME_STRICT: "false"
      KC_HTTP_ENABLED: "true"
      # "hostname" is the Keycloak option (there is no http-hostname); pinning the public URL keeps the issuer stable
      KC_HOSTNAME: "https://id.acme.test:5443"
      KC_PROXY_HEADERS: "xforwarded"
      KC_LOG_LEVEL: "INFO,org.infinispan:INFO,org.jgroups:DEBUG"
      KC_METRICS_ENABLED: "true"
      KC_HEALTH_ENABLED: "true"
      KC_FEATURES: preview
      JAVA_OPTS_APPEND: "-Djgroups.thread_dumps_threshold=1"

    ports:
      - 8080:8080
      - 9000:9000
      - 8443:8443

    command:
      - "--verbose"
      - "start"
      - "--spi-events-listener-jboss-logging-success-level=info"
      - "--spi-events-listener-jboss-logging-error-level=warn"

    depends_on:
      caddy-keycloak-db:
        condition: service_healthy

  caddy-lb:
    image: caddy:2.8-alpine
    volumes:
      - ./caddy.json:/etc/caddy/caddy.json:z
      - ./cert.pem:/etc/caddy/server.crt:z
      - ./cert-key.pem:/etc/caddy/server.key:z
    command: [ "caddy", "run", "--config", "/etc/caddy/caddy.json"]
    ports:
      - "5443:443"
    depends_on:
      - caddy-keycloak

volumes:
  postgres_data_kc_caddy:
    driver: local

caddy.json:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "id.acme.test"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "transport": {
                    "protocol": "http"
                  },
                  "upstreams": [
                    {
                      "dial": "caddy-keycloak:8080"
                    }
                  ],
                  "load_balancing": {
                    "selection_policy": {
                      "policy": "ip_hash"
                    },
                    "try_duration": "1s",
                    "try_interval": "250ms"
                  },
                  "health_checks": {
                    "active": {
                      "uri": "/health",
                      "port": 9000,
                      "interval": "3s",
                      "timeout": "2s",
                      "expect_status": 200
                    }
                  }
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/caddy/server.crt",
            "key": "/etc/caddy/server.key",
            "tags": [
              "selfsigned"
            ]
          }
        ]
      }
    }
  }
}

After you created the certificate and key you should be able to do
docker compose up
and access the environment via https://id.acme.test:5443/admin

Note that if you want to use a custom context path like /auth you need to specify
the env variable: KC_HTTP_RELATIVE_PATH: "/auth" for the Keycloak container AND
adjust the health check uri in the proxy config: "uri": "/auth/health".

Cheers,
Thomas
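
A check for the reverse-proxy setups in this thread, added here as an example; it is not code from Thomas's post or from Keycloak. The standard way to confirm that Keycloak behind a proxy has the right idea of its public URL is to fetch the realm's discovery document and look at `issuer`: it must be the public https URL, not `http://keycloak:8080/...` or the container's address. The script also makes a security point visible that both compose files in this thread share: they publish Keycloak's port 8080 on the host (17080, and 8080 in the caddy example) while enabling `KC_PROXY_HEADERS=xforwarded`. Keycloak's reverse-proxy guide requires that `X-Forwarded-*` headers can only come from the proxy, because with that option Keycloak trusts them from whoever connects, and with `KC_HOSTNAME_STRICT=false` and no fixed hostname the issuer and every generated link (including password-reset links) will follow a forged `X-Forwarded-Host`. The fix is to drop the `ports` mapping for 8080 and reach Keycloak only over the proxy's Docker network, and to pin `KC_HOSTNAME` to the public URL. Assumptions: the public base URL, realm name and proxy-bypassing address are parameters (the latter is `http://127.0.0.1:17080` for Stan's mapping), `curl` is available for the live checks, and the two sample documents are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: verify the issuer Keycloak advertises behind the proxy, and probe
# whether the container is reachable (and steerable via forwarded headers) without it.
# Assumptions: public base URL, realm and direct address are parameters; curl is
# available for live_check; SAMPLE_* below are constructed documents.
set -eu

# Pull "issuer" out of an OIDC discovery document without needing jq.
issuer_of() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the issuer is exactly <public_base>/realms/<realm>.
# Anything else means Keycloak resolved its hostname from something other than the
# public URL: missing or wrong X-Forwarded-* headers, or an unproxied request.
check_issuer() { # $1 public base, $2 realm, $3 discovery JSON
  want="$1/realms/$2"
  got=$(issuer_of "$3")
  if [ "$got" = "$want" ]; then
    return 0
  fi
  echo "issuer mismatch: got '${got:-<none>}', want '$want'" >&2
  return 1
}

# Live checks against a running stack.
#   $1 public base, e.g. https://keycloak.xxxx.com
#   $2 realm, e.g. master
#   $3 proxy-bypassing base, e.g. http://127.0.0.1:17080 for the thread's port mapping
live_check() {
  disco="/realms/$2/.well-known/openid-configuration"

  # 1. Through the proxy: the issuer must be the public URL.
  check_issuer "$1" "$2" "$(curl -fsS "$1$disco")"

  # 2. Around the proxy, with forged forwarded headers. With proxy-headers=xforwarded
  #    Keycloak trusts these from any client that reaches port 8080; with
  #    hostname-strict=false and no fixed hostname the issuer follows them.
  if forged=$(curl -fsS -H 'X-Forwarded-Proto: https' \
                        -H 'X-Forwarded-Host: attacker.example' "$3$disco" 2>/dev/null); then
    echo "WARN: Keycloak answers without the proxy at $3" >&2
    if ! check_issuer "$1" "$2" "$forged"; then
      echo "FAIL: forged X-Forwarded-Host changed the issuer; unpublish port 8080 and pin --hostname" >&2
      return 1
    fi
  fi
  return 0
}

# Constructed sample documents (not captured from a real server).
SAMPLE_OK='{"issuer":"https://id.acme.test:5443/realms/master","authorization_endpoint":"https://id.acme.test:5443/realms/master/protocol/openid-connect/auth"}'
SAMPLE_FORGED='{"issuer":"https://attacker.example/realms/master"}'

# Usage: ./kc-proxy-check.sh https://id.acme.test:5443 master http://127.0.0.1:8080
if [ $# -eq 3 ]; then
  live_check "$1" "$2" "$3"
fi
```

Run it with the three arguments once `docker compose up` is done. A passing first check with a WARN on the second means the hostname is pinned (so forged headers do no harm) but the container is still exposed; a FAIL means anyone who can reach the published port can make Keycloak mint URLs for a host of their choosing.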

I’ll play with that.
Thank you very much.
Btw, what I have is working.
Already added passkeys for the site (this is my homelab; I like to learn and understand, and passkeys too, lol).

Working like a charm, but still:

2024-10-16 16:20:37,058 INFO [org.keycloak.common.Profile] (main) Preview features enabled: admin-fine-grained-authz:v1, client-secret-rotation:v1, dpop:v1, opentelemetry:v1, passkeys:v1, recovery-codes:v1, scripts:v1, token-exchange:v1, update-email:v1


2024-10-16 16:20:37,138 WARN [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following run time options were found, but will be ignored during build time: kc.spi-events-listener-jboss-logging-success-level, kc.spi-hostname-v2-hostname-strict, kc.spi-events-listener-jboss-logging-error-level

Glad to use postgres

Hi Stan, I’m curious—what’s motivating you to switch to Keycloak instead of sticking with Authelia?
Best regards

To learn at first
Website admin
Realm
Passkey :wink: