Update the Keycloak IP address on bare metal clusters¶

The following instruction describes how to update the IP address of the Keycloak service on baremetal-based management clusters.

Note

The commands below contain the default kaas-mgmt name of the management cluster. If you changed the default name, replace it accordingly. To verify the cluster name, run kubectl get clusters.

To update the Keycloak IP address on a bare metal management cluster:

Log in to a node that contains kubeconfig of the required management cluster.

Make sure that the configuration file is in your .kube directory. Otherwise, set the KUBECONFIG environment variable with a full path to the configuration file.

Configure the additional external IP address pool for the metallb load balancer service:

kubectl edit cluster kaas-mgmt

The Keycloak service requires one IP address. Therefore, the external IP address pool must contain at least one IP address.

Add the following lines by replacing the <pool_start_ip> with the first IP address in the desired range and <pool_end_ip> with the last IP address in the range:

spec:
  providerSpec:
    value:
      helmReleases:
      - name: metallb
        values:
          configInline:
            address-pools:
            - name: default
              protocol: layer2
              addresses:
              - 10.0.0.100-10.0.0.120 // example values
            - name: external
              protocol: layer2
              auto-assign: false
              addresses:
              - <pool_start_ip>-<pool_end_ip>

Save and exit to apply changes.

Note

If required, use a different pool name.

Obtain the current Keycloak IP address for reference:

kubectl -n kaas get service iam-keycloak-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}{"\n"}'

Configure the iam-keycloak-http service to listen on one of the IP addresses from the external pool:
```
kubectl -n kaas edit service iam-keycloak-http
```
Add the following annotation to the service:
```
kind: Service
metadata:
  annotations:
    metallb.universe.tf/address-pool: external
```
Save and exit to apply changes.

Verify that the Keycloak service IP address has changed:

kubectl -n kaas get service iam-keycloak-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}{"\n"}'

Monitor the cluster status to verify that the changes are applied:

kubectl get cluster kaas-mgmt -o yaml

In the output, monitor the url parameter value in the keycloak field:

...
status:
  providerStatus:
    helm:
      ready: true
      ...
      releases:
      ...
        iam:
          keycloak:
            url: https://<pool_start_ip>

The value of the parameter is typically the first address of the external pool rage.

Once the parameter has updated, delete the old certificate for the former address:
```
kubectl delete secret keycloak-tls-certs -n kaas
```
Note

The new certificate secret with the same name keycloak-tls-certs will be generated automatically.

Verify the new certificate, once available:

kubectl get secret keycloak-tls-certs -n kaas -o yaml

Restart the iam-keycloak-http pod to ensure that the new certificate is used:
1. Change the number of the iam-keycloak StatefulSet replicas to 0:
```
kubectl -n kaas scale statefulsets iam-keycloak --replicas=0
```
2. Wait until the READY column has 0/0 pods:
```
kubectl -n kaas get statefulsets iam-keycloak
```
3. Change the number of the iam-keycloak StatefulSet replicas back to 3:
```
kubectl -n kaas scale statefulsets iam-keycloak --replicas=3
```
4. Wait until the READY column has at least 1/3 pods:
```
kubectl -n kaas get statefulsets iam-keycloak
```

Verify that the IP address in the status.providerStatus.oidc.issuerUrl field of the Cluster object has changed:

kubectl get cluster kaas-mgmt -o jsonpath='{.status.providerStatus.oidc.issuerUrl}{"\n"}'

If it still contains the old IP address, update it manually:

kubectl edit cluster kaas-mgmt

Under spec.providerSpec.value.kaas.management.helmReleases, update the values.api.keycloak.url field inside the iam Helm object definition:

spec:
  providerSpec:
    value:
      kaas:
        management:
          helmReleases:
            - name: iam
              values:
                api:
                  keycloak:
                    url: https://<newKeycloakServiceIpAddress>

Save and exit to apply changes.

Wait a few minutes until issuerUrl is changed and OIDC is ready.

To verify issuerUrl:

kubectl get cluster kaas-mgmt -o jsonpath='{.status.providerStatus.oidc.issuerUrl}{"\n"}'

To verify OIDC readiness:

kubectl get cluster kaas-mgmt -o jsonpath='{.status.providerStatus.oidc.ready}{"\n"}'

Verify that the Container Cloud and MKE web UIs are accessible with the new Keycloak IP address and certificate.