Update the Keycloak IP address on bare metal clusters

The following instruction describes how to update the IP address of the Keycloak service on bare metal-based management clusters.

Note
The commands below contain the default kaas-mgmt name of the management cluster. If you changed the default name, replace it accordingly. To verify the cluster name, run kubectl get clusters.

To update the Keycloak IP address on a bare metal management cluster:

1. Log in to a node that contains kubeconfig of the required management cluster.

   Make sure that the configuration file is in your .kube directory. Otherwise, set the KUBECONFIG environment variable to the full path of the configuration file.

2. Configure the additional external IP address pool for the metallb load balancer service:

       kubectl edit cluster kaas-mgmt

   The Keycloak service requires one IP address. Therefore, the external IP address pool must contain at least one IP address.

   Add the following lines, replacing <pool_start_ip> with the first IP address in the desired range and <pool_end_ip> with the last IP address in the range:

       spec:
         providerSpec:
           value:
             helmReleases:
             - name: metallb
               values:
                 configInline:
                   address-pools:
                   - name: default
                     protocol: layer2
                     addresses:
                     - 10.0.0.100-10.0.0.120 # example values
                   - name: external
                     protocol: layer2
                     auto-assign: false
                     addresses:
                     - <pool_start_ip>-<pool_end_ip>

   Save and exit to apply changes.

   Note
   If required, use a different pool name.

3. Obtain the current Keycloak IP address for reference:

       kubectl -n kaas get service iam-keycloak-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}{"\n"}'

4. Configure the iam-keycloak-http service to listen on one of the IP addresses from the external pool:

       kubectl -n kaas edit service iam-keycloak-http

   Add the following annotation to the service:

       kind: Service
       metadata:
         annotations:
           metallb.universe.tf/address-pool: external

   Save and exit to apply changes.

5. Verify that the Keycloak service IP address has changed:

       kubectl -n kaas get service iam-keycloak-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}{"\n"}'

6. Monitor the cluster status to verify that the changes are applied:

       kubectl get cluster kaas-mgmt -o yaml

   In the output, monitor the url parameter value in the keycloak field:

       ...
       status:
         providerStatus:
           helm:
             ready: true
             ...
             releases:
               ...
               iam:
                 keycloak:
                   url: https://<pool_start_ip>

   The value of the parameter is typically the first address of the external pool range.

7. Once the parameter is updated, delete the old certificate for the former address:

       kubectl delete secret keycloak-tls-certs -n kaas

   Note
   The new certificate secret with the same name keycloak-tls-certs will be generated automatically.

8. Verify the new certificate, once available:

       kubectl get secret keycloak-tls-certs -n kaas -o yaml

9. Restart the iam-keycloak-http pod to ensure that the new certificate is used:

   a. Change the number of the iam-keycloak StatefulSet replicas to 0:

          kubectl -n kaas scale statefulsets iam-keycloak --replicas=0

   b. Wait until the READY column has 0/0 pods:

          kubectl -n kaas get statefulsets iam-keycloak

   c. Change the number of the iam-keycloak StatefulSet replicas back to 3:

          kubectl -n kaas scale statefulsets iam-keycloak --replicas=3

   d. Wait until the READY column has at least 1/3 pods:

          kubectl -n kaas get statefulsets iam-keycloak

10. Verify that the IP address in the status.providerStatus.oidc.issuerUrl field of the Cluster object has changed:

        kubectl get cluster kaas-mgmt -o jsonpath='{.status.providerStatus.oidc.issuerUrl}{"\n"}'

    If it still contains the old IP address, update it manually:

        kubectl edit cluster kaas-mgmt

    Under spec.providerSpec.value.kaas.management.helmReleases, update the values.api.keycloak.url field inside the iam Helm object definition:

        spec:
          providerSpec:
            value:
              kaas:
                management:
                  helmReleases:
                  - name: iam
                    values:
                      api:
                        keycloak:
                          url: https://<newKeycloakServiceIpAddress>

    Save and exit to apply changes.

11. Wait a few minutes until issuerUrl is changed and OIDC is ready.

    To verify issuerUrl:

        kubectl get cluster kaas-mgmt -o jsonpath='{.status.providerStatus.oidc.issuerUrl}{"\n"}'

    To verify OIDC readiness:

        kubectl get cluster kaas-mgmt -o jsonpath='{.status.providerStatus.oidc.ready}{"\n"}'

12. Verify that the Container Cloud and MKE web UIs are accessible with the new Keycloak IP address and certificate.
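The steps above leave three things that must agree before users can trust the new endpoint: the load-balancer IP assigned to iam-keycloak-http, the host in status.providerStatus.oidc.issuerUrl, and the SAN list of the regenerated keycloak-tls-certs certificate. The following script is an added example, not part of the Mirantis documentation or product, that checks all three in one pass. It assumes a POSIX sh with kubectl, base64 and openssl on PATH, the default kaas-mgmt cluster name and kaas namespace from this page, and that the secret stores the certificate under the key tls.crt (an assumption; adjust if the secret uses another key). The range-check and URL-parsing helpers are pure shell and run offline; the live checks run only when the script is invoked with the check argument.

```shell
#!/bin/sh
# Added example (not Mirantis code): verify that the Keycloak service IP,
# the Cluster issuerUrl and the regenerated TLS certificate agree.
# Usage: sh check_keycloak_ip.sh check <pool_start_ip> <pool_end_ip>

# Convert a dotted IPv4 address to an integer so ranges compare numerically.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Print "yes" if $1 lies inside the inclusive range $2-$3, "no" otherwise.
ip_in_range() {
  ip=$(ip_to_int "$1"); lo=$(ip_to_int "$2"); hi=$(ip_to_int "$3")
  if [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]; then echo yes; else echo no; fi
}

# Extract the host from a URL such as https://10.0.0.130 or https://10.0.0.130:443/auth.
url_host() {
  h=${1#*://}   # drop the scheme
  h=${h%%/*}    # drop any path
  h=${h%%:*}    # drop any port
  echo "$h"
}

# Live checks against the management cluster (cluster kaas-mgmt, namespace kaas).
check_keycloak_ip() {
  pool_start=$1; pool_end=$2; rc=0
  svc_ip=$(kubectl -n kaas get service iam-keycloak-http \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  issuer=$(kubectl get cluster kaas-mgmt \
    -o jsonpath='{.status.providerStatus.oidc.issuerUrl}')
  ready=$(kubectl get cluster kaas-mgmt \
    -o jsonpath='{.status.providerStatus.oidc.ready}')

  # 1. The service must have landed inside the external pool.
  if [ "$(ip_in_range "$svc_ip" "$pool_start" "$pool_end")" != yes ]; then
    echo "FAIL: service IP '$svc_ip' is outside $pool_start-$pool_end"; rc=1
  fi
  # 2. The OIDC issuer advertised to clients must point at that same IP.
  if [ "$(url_host "$issuer")" != "$svc_ip" ]; then
    echo "FAIL: issuerUrl host '$(url_host "$issuer")' != service IP '$svc_ip'"; rc=1
  fi
  # 3. OIDC must report ready.
  [ "$ready" = true ] || { echo "FAIL: oidc.ready is '$ready'"; rc=1; }
  # 4. The regenerated certificate must carry the new IP in its SAN list;
  #    a stale certificate here means clients still see a name mismatch.
  #    Secret key name tls.crt is an assumption.
  sans=$(kubectl -n kaas get secret keycloak-tls-certs \
    -o jsonpath='{.data.tls\.crt}' | base64 -d \
    | openssl x509 -noout -text 2>/dev/null | grep -A1 'Subject Alternative Name')
  case "$sans" in
    *"IP Address:$svc_ip"*) ;;
    *) echo "FAIL: certificate SAN list does not include $svc_ip"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "OK: Keycloak at $svc_ip, issuerUrl and certificate agree"
  return "$rc"
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = check ]; then
  check_keycloak_ip "$2" "$3"
fi
```

Run it after step 11 as sh check_keycloak_ip.sh check <pool_start_ip> <pool_end_ip>; a non-zero exit with a FAIL line tells you which of the three pieces still references the old address, which is the usual cause of a web UI that loads but cannot complete login.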