Hello all, I am working on migrating Keycloak to Kubernetes at our organization. One of our requirements is to have a nightly cronjob that does a realm export. Unfortunately, so far I have had no luck getting anything to work. I have created a Kubernetes service account, role and rolebinding that allows me to exec into the keycloak pod and try to run:
kubectl exec -n keycloak $POD_NAME -- /opt/bitnami/keycloak/bin/kc.sh export --realm ldap --dir /mnt/keycloak-backups --verbose
However, that gives me this error:
Caused by: java.net.BindException: No available port to bind to in range [7800 .. 7800]
I thought that maybe I could add this:
kubectl exec -n keycloak $POD_NAME -- /opt/bitnami/keycloak/bin/kc.sh stop
But it looks like that is not an option as I get this:
Unknown option: 'stop'
Does anyone have experience with exporting realms in a Kubernetes environment? I’ve reached out on Slack as well, but didn’t get much traction. Any ideas would be most welcome.
Hello @aknight, you cannot run export from an already running Keycloak pod. You can achieve what you are describing by using a Kubernetes CronJob to run the export (keep your keycloak pod, and add a CronJob which will run another pod, to handle the export).
- Use export --realm ldap --dir /mnt/keycloak-backups --verbose for the CronJob command (the kc.sh part is already the entrypoint of the Keycloak Docker image).
- Set the CronJob restartPolicy to OnFailure (or to Never, depending on your needs).
- Mount a volume to /mnt/keycloak-backups in the CronJob in order to be able to retrieve your backups after the CronJob is finished.
Each time the CronJob is launched, it will run the kc.sh export command which terminates once the export operation is done.
One thing I don’t know yet (but will know in some days/weeks) is the behaviour / content of the export if it runs during a realm modification (via admin console or any other way). As I don’t have this answer yet, I prefer disabling the Keycloak pod access (by disabling an Ingress) before the CronJob execution (using an InitContainer, having kubectl command, in the Cronjob).
If the aim of doing a nightly export is only for backup purposes, without any operation on the exported data, considering a classical DB backup mechanism might be a good (better?) option (most DBs have a native backup/restore mechanism).
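The CronJob described in the reply above, written out as a manifest. This is an added example, not part of the original posts; it assumes the official quay.io/keycloak/keycloak image (whose entrypoint is kc.sh), and the CronJob, Secret and PVC names, the schedule and the image tag are placeholders.

```yaml
# Added example; values marked "hypothetical" or "constructed" are not from the thread.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: keycloak-realm-export        # hypothetical
  namespace: keycloak
spec:
  schedule: "0 2 * * *"              # nightly at 02:00 (constructed)
  concurrencyPolicy: Forbid          # never run two exports at once
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: OnFailure
          automountServiceAccountToken: false  # the export needs no Kubernetes API access
          securityContext:
            runAsNonRoot: true
            fsGroup: 1000            # assumed: lets the image's non-root user write to the volume
          containers:
            - name: export
              # Placeholder tag: use the same version as the running server.
              image: quay.io/keycloak/keycloak:KEYCLOAK_VERSION
              # kc.sh is the image entrypoint, so only the arguments are given.
              args: ["export", "--realm", "ldap", "--dir", "/mnt/keycloak-backups", "--verbose"]
              envFrom:
                - secretRef:
                    # hypothetical Secret holding KC_DB, KC_DB_URL,
                    # KC_DB_USERNAME and KC_DB_PASSWORD
                    name: keycloak-db
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                - name: backups
                  mountPath: /mnt/keycloak-backups
          volumes:
            - name: backups
              persistentVolumeClaim:
                claimName: keycloak-backups    # hypothetical PVC
```

A realm export can contain client secrets and user credential hashes, so access to the backup volume should be restricted as tightly as access to the database itself.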
Thanks for the response. I believe I may have found our issue, we are using a different image that included support for Cockroach, so the entrypoint is different.
Hi @skydrinker-tox — I have a question:
Why do you write that one “cannot run export from an already running Keycloak pod”? In other words, do you mean that logging into the KC pod and running kc.sh export won’t work?
Indeed, I have trouble when running it, as the realm I want to export is not found (see Realm can be seen in admin UI, but cannot be found by 'kc.sh export'). Do you think that my problem could be explained by this?
Thanks in advance for your insights
Hi @bberstel, exactly: logging into the KC pod and running kc.sh export won’t work!
Extract from the Keycloak documentation about importing and exporting realms:
All Keycloak nodes need to be stopped prior to using kc.[sh|bat] import | export commands. This ensures that the resulting operations will have no consistency issues with concurrent requests. It also ensures that running an import or export command from the same machine as a server instance will not result in port or other conflicts.
Regarding your issue, it might be the reason. I don’t have any trouble exporting non-master realms, with their users (federated or not) in separate files. I just followed the above documentation.