Tags: kubernetes, keycloak, kubernetes-helm

Best practices of Export/Import Keycloak data in Kubernetes


I'm trying to figure out what the import/export best practices are for Keycloak in K8S (version 3.3.0.CR1). Here is the Keycloak official page with the import/export explanation, and their example of exporting to a single JSON file: go to the /keycloak/bin folder and then run this:

./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=keycloak-export.json

I logged in to the pod, and I get errors after running this command:

12:23:32,045 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "java.net.BindException: Address already in use /127.0.0.1:9990"},
    "WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
        "Services that were unable to start:" => ["org.wildfly.management.http.extensible.shutdown"],
        "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
    }
}

As I see it, the Keycloak server runs on the same port where I ran the backup script. Here is the helm/keycloak values.yml:

Service:
  Name: keycloak
  Port: 8080
  Type: ClusterIP

Deployment:
  Image: jboss/keycloak
  ImageTag: 2.5.1.Final
  ImagePullPolicy: IfNotPresent
  ContainerPort: 8080
  KeycloakUser: Admin
  KeycloakPassword: Admin

So, should the server be stopped before we run these scripts? I can't stop the Keycloak process inside the pod, because the ingress will close the pod and create a new one. Any suggestions for another way to export/import (backup/restore) data? Or am I missing something?

P.S. I even tried the UI import/export. Export works well, and I see all the data. But import only worked halfway: it brought me all the "Clients", but not my "Realm" and "User Federation".


Solution

  • Basically, you just have to start the exporting Keycloak instance on ports that are different from your main instance. I used something like this just now:

    bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=keycloak-export.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777

    The important part is all the ports. If you get more error messages, you might need to add more properties (grep port standalone/configuration/standalone.xml is your friend for finding out property names), but in the end all error messages stop and you see this message instead:

    09:15:26,550 INFO [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 52) Exporting model into file /opt/jboss/keycloak/keycloak-export.json
    [...]
    09:15:29,565 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final) started in 12156ms - Started 444 of 818 services (558 services are lazy, passive or on-demand)

    Now you can stop the server with Ctrl-C, exit the container and copy the export file away with kubectl cp.
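The procedure in the answer, put into a script, as an added example that is not part of the original question or answer. It builds the standalone.sh export command on the alternate ports the answer uses (8888/9999/7777), refuses ports that the running instance already binds (8080 and 9990 come from the question's values.yml and error log; 8443 is the assumed WildFly HTTPS default), runs the export inside the pod until the WFLYSRV0025 "started" line appears, stops it, and copies the file out with kubectl cp. The pod name, namespace, the /tmp log path and the 120-second wait are placeholders chosen here; the /opt/jboss/keycloak install path is taken from the log in the answer.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Assumes a pod running the jboss/keycloak image
# with Keycloak installed under /opt/jboss/keycloak and a working kubectl context.

# Ports the main Keycloak instance already binds inside the pod:
# 8080 (values.yml), 9990 (the BindException in the question), 8443 (assumed WildFly https default).
BUSY_PORTS="8080 8443 9990"

# Print the standalone.sh command line for a single-file export on alternate ports.
# Usage: keycloak_export_cmd <remote-out-file> <http-port> <https-port> <mgmt-port>
# Returns 1 (prints nothing) if a chosen port collides with the running instance or another chosen port.
keycloak_export_cmd() {
  out="$1"; http="$2"; https="$3"; mgmt="$4"
  for p in "$http" "$https" "$mgmt"; do
    for busy in $BUSY_PORTS; do
      if [ "$p" = "$busy" ]; then
        echo "port $p is already bound by the running Keycloak instance" >&2
        return 1
      fi
    done
  done
  if [ "$http" = "$https" ] || [ "$http" = "$mgmt" ] || [ "$https" = "$mgmt" ]; then
    echo "alternate ports must be distinct" >&2
    return 1
  fi
  echo "/opt/jboss/keycloak/bin/standalone.sh" \
    "-Dkeycloak.migration.action=export" \
    "-Dkeycloak.migration.provider=singleFile" \
    "-Dkeycloak.migration.file=$out" \
    "-Djboss.http.port=$http" \
    "-Djboss.https.port=$https" \
    "-Djboss.management.http.port=$mgmt"
}

# Run the export instance inside the pod, stop it once it reports started, copy the file out.
# Usage: export_from_pod <pod> <namespace> <local-out-file>
export_from_pod() {
  pod="$1"; ns="$2"; local_out="$3"
  remote_out=/opt/jboss/keycloak/keycloak-export.json   # path shown in the answer's log
  cmd=$(keycloak_export_cmd "$remote_out" 8888 9999 7777) || return 1

  # Remote script: start the export server in the background, poll its log for the
  # WFLYSRV0025 "started" line (which follows the "Exporting model into file" line),
  # then stop it (the answer does this with Ctrl-C) and check the export file is non-empty.
  remote_script="$cmd > /tmp/keycloak-export.log 2>&1 &
pid=\$!
i=0
while [ \$i -lt 60 ]; do
  grep -q WFLYSRV0025 /tmp/keycloak-export.log && break
  sleep 2
  i=\$((i+1))
done
kill \$pid
wait \$pid 2>/dev/null
test -s $remote_out"

  kubectl exec -n "$ns" "$pod" -- sh -c "$remote_script" || return 1
  kubectl cp "$ns/$pod:$remote_out" "$local_out" || return 1
  # The export holds client secrets and credential hashes: keep it owner-readable only.
  chmod 600 "$local_out"
}

# Stand-alone usage: ./export.sh <pod> <namespace> <local-out-file>
if [ "$#" -eq 3 ]; then
  export_from_pod "$1" "$2" "$3"
fi
```

If the export instance reports a further BindException, add the corresponding -Djboss.*.port property to keycloak_export_cmd, as the answer suggests; the collision check keeps the three standard ports from being reused by mistake.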