keycloak: Bug: KC_DB_USERNAME environment variable is causing a crash in latest version

Area

storage

Describe the bug

When I build the following Dockerfile

FROM quay.io/keycloak/keycloak:latest

ENV KEYCLOAK_ADMIN=admin
ENV KC_DB=postgres
ENV KC_DB_URL=jdbc:postgresql://localhost:5432/
ENV KC_DB_USERNAME=postgres

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start-dev"]

And run it with the following command

docker run -p 8080:8080 --network="host" -e KEYCLOAK_ADMIN_PASSWORD=admin -e KC_DB_PASSWORD=password my-image

I get a crash.

2023-11-24 14:11:36,335 DEBUG [io.quarkus.deployment.QuarkusAugmentor] (main) Beginning Quarkus augmentation

2023-11-24 14:11:36,582 TRACE [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Class quarkus.properties not found in parent first load from java.net.URLClassLoader@6af9fcb2

2023-11-24 14:11:36,582 TRACE [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Class quarkus.properties not found in parent first load from java.net.URLClassLoader@6af9fcb2

ERROR: Failed to run 'build' command.
ERROR: Cannot invoke "io.smallrye.config.ConfigValue.withConfigSourceName(String)" because the return value of "org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.transformValue(String, java.util.Optional, io.smallrye.config.ConfigSourceInterceptorContext)" is null
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

I used this Dockerfile throughout version 22 without issue, and when I specify 22.0 as the version, it works as expected.

When I comment out the KC_DB_USERNAME, I get an expected crash about user authentication failing for Postgres. If I add the variable in my run command instead of the Dockerfile, the same crash happens. Therefore I believe it’s KC_DB_USERNAME causing the issue.

I checked the migration guide and release notes for 23 and could not find anything referring to why KC_DB_USERNAME is failing now, which is why I’m reporting this as a bug. The closest I found was the “kc.sh and shell metacharacters” changes, but I believe that does not affect this environment variable.

Version

23

Expected behavior

The Dockerfile should successfully build and run.

Actual behavior

The Docker image crashes when run.

How to Reproduce?

Use the following Dockerfile and connect it using your Postgres database

FROM quay.io/keycloak/keycloak:latest

ENV KEYCLOAK_ADMIN=admin
ENV KC_DB=postgres
ENV KC_DB_URL=jdbc:postgresql://localhost:5432/
ENV KC_DB_USERNAME=postgres

ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start-dev"]

docker build -t your-image .

docker run -p 8080:8080 --network="host" -e KEYCLOAK_ADMIN_PASSWORD=admin -e KC_DB_PASSWORD=your-password your-image

Of course, change --network="host" and localhost in the KC_DB_URL string depending on your platform. https://docs.docker.com/desktop/networking/#use-cases-and-workarounds-for-all-platforms

About this issue

  • State: closed
  • Created 7 months ago
  • Reactions: 15
  • Comments: 21 (13 by maintainers)

Most upvoted comments

@Tomtom1410 The fix will be part of 23.0.2 release.

When will 23.0.2 be released? Tried upgrading our dev environment and got the same issue.

As long as it is unclear on how to fix this, maybe we should aim for a revert of https://github.com/keycloak/keycloak/commit/4c8724e7b1a1375810fade399ecced78a792e852 and release a fix version, as this seems to cause quite a lot of trouble in deployments.

@shawkins @pedroigor what do you think?

For info, as I’m trying to update to 23, I worked around the issue with a custom entry point that sets KC_DB_URL from other components:

export "KC_DB_URL=jdbc:postgresql://$KC_DB_URL_HOST:$KC_DB_URL_PORT/$KC_DB_URL_DATABASE?user=$KC_DB_USERNAME&password=$KC_DB_PASSWORD&ssl=false"
unset KC_DB_USERNAME
unset KC_DB_PASSWORD
unset KC_DB_URL_PORT
unset KC_DB_URL_HOST
unset KC_DB_URL_DATABASE

exec /opt/keycloak/bin/kc.sh "$@"

At least, on my environment, it seems to work. But definitely not a long term solution.

@Morl99 it’s a simple fix to avoid the NPE, but I’d like to understand better why this isn’t occurring on my system - why the mappedValue is null for some options - and have @pedroigor weigh in as well.

> For info, as I’m trying to update to 23, I worked around the issue with a custom entry point that sets KC_DB_URL from other components:
>
> export "KC_DB_URL=jdbc:postgresql://$KC_DB_URL_HOST:$KC_DB_URL_PORT/$KC_DB_URL_DATABASE?user=$KC_DB_USERNAME&password=$KC_DB_PASSWORD&ssl=false"
> unset KC_DB_USERNAME
> unset KC_DB_PASSWORD
> unset KC_DB_URL_PORT
> unset KC_DB_URL_HOST
> unset KC_DB_URL_DATABASE
>
> exec /opt/keycloak/bin/kc.sh "$@"
>
> At least, on my environment, it seems to work. But definitely not a long term solution.

Nice! But beware that this will break for all URL reserved characters in the password, like + or slash. If you can, set this from within Helm and correctly percent-encode the password.
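The percent-encoding caveat above, applied to the workaround entrypoint, as an added example that is not part of the original thread or of Keycloak's own code. The variable names come from the quoted workaround; the `KC_SH` variable, the function names and the guard around `exec` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: wrapper entrypoint that percent-encodes DB credentials
# before placing them in the JDBC URL. Variable names follow the workaround
# quoted in the thread; KC_SH and the guard around it are assumptions.
KC_SH=/opt/keycloak/bin/kc.sh

# Percent-encode every byte outside the RFC 3986 unreserved set.
# Runs in a subshell so LC_ALL=C (byte-wise matching) does not leak out.
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%s' "$c" | od -An -v -tx1 |
                   tr -d ' \n' | tr 'a-f' 'A-F' | sed 's/../%&/g') ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Assemble the URL; only the user-controlled parts are encoded.
build_jdbc_url() {
    printf 'jdbc:postgresql://%s:%s/%s?user=%s&password=%s&ssl=false' \
        "$KC_DB_URL_HOST" "$KC_DB_URL_PORT" \
        "$(urlencode "$KC_DB_URL_DATABASE")" \
        "$(urlencode "$KC_DB_USERNAME")" \
        "$(urlencode "$KC_DB_PASSWORD")"
}

entrypoint() {
    : "${KC_DB_USERNAME:?must be set}" "${KC_DB_PASSWORD:?must be set}"
    KC_DB_URL=$(build_jdbc_url)
    export KC_DB_URL
    unset KC_DB_USERNAME KC_DB_PASSWORD \
          KC_DB_URL_HOST KC_DB_URL_PORT KC_DB_URL_DATABASE
    exec "$KC_SH" "$@"
}

# Hand over to Keycloak only when kc.sh exists (i.e. inside the image).
if [ -x "$KC_SH" ]; then
    entrypoint "$@"
fi
```

A password such as `p+ss/w&rd=1` becomes `p%2Bss%2Fw%26rd%3D1`, so the `&` and `=` no longer split the query string.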

Yeah there is, see this line in the commit I referenced above.

My apologies, I had assumed that change did not make it into 23 - I should have specifically checked the branch. @pedroigor this definitely looks like a regression with the recent change.

I am also facing the same issue, sharing the verbose logs here:

keycloak_1 | 2023-11-27 07:49:20,853 DEBUG [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Adding elements io.quarkus.bootstrap.classloading.PathTreeClassPathElement[io.quarkus:quarkus-logging-json-deployment / runtime=false resources=null] to QuarkusClassLoader Augmentation Class Loader: PROD
keycloak_1 |
keycloak_1 | 2023-11-27 07:49:20,853 DEBUG [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Adding elements io.quarkus.bootstrap.classloading.PathTreeClassPathElement[io.quarkus:quarkus-logging-gelf-deployment / runtime=false resources=null] to QuarkusClassLoader Augmentation Class Loader: PROD
keycloak_1 |
keycloak_1 | 2023-11-27 07:49:20,853 DEBUG [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Adding elements io.quarkus.bootstrap.classloading.PathTreeClassPathElement[org.keycloak:keycloak-quarkus-server-deployment / runtime=false resources=null] to QuarkusClassLoader Augmentation Class Loader: PROD
keycloak_1 |
keycloak_1 | 2023-11-27 07:49:25,179 DEBUG [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Adding elements io.quarkus.bootstrap.classloading.PathTreeClassPathElement[/ runtime=true resources=null] to QuarkusClassLoader Deployment Class Loader: PROD
keycloak_1 |
keycloak_1 | 2023-11-27 07:49:25,239 DEBUG [io.quarkus.deployment.QuarkusAugmentor] (main) Beginning Quarkus augmentation
keycloak_1 |
keycloak_1 | 2023-11-27 07:49:28,660 TRACE [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Class quarkus.properties not found in parent first load from java.net.URLClassLoader@3fed2870
keycloak_1 |
keycloak_1 | 2023-11-27 07:49:28,660 TRACE [io.quarkus.bootstrap.classloading.QuarkusClassLoader] (main) Class quarkus.properties not found in parent first load from java.net.URLClassLoader@3fed2870
keycloak_1 |
keycloak_1 | ERROR: Failed to run 'build' command.
keycloak_1 | Error details:
keycloak_1 | java.lang.reflect.InvocationTargetException
keycloak_1 | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
keycloak_1 | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
keycloak_1 | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1 | at java.base/java.lang.reflect.Method.invoke(Method.java:568)
keycloak_1 | at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doReaugment(QuarkusEntryPoint.java:84)
keycloak_1 | at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:48)
keycloak_1 | at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:32)
keycloak_1 | at org.keycloak.quarkus.runtime.cli.command.Build.run(Build.java:83)
keycloak_1 | at picocli.CommandLine.executeUserObject(CommandLine.java:2026)
keycloak_1 | at picocli.CommandLine.access$1500(CommandLine.java:148)
keycloak_1 | at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
keycloak_1 | at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
keycloak_1 | at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
keycloak_1 | at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
keycloak_1 | at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
keycloak_1 | at picocli.CommandLine.execute(CommandLine.java:2170)
keycloak_1 | at org.keycloak.quarkus.runtime.cli.Picocli.runReAugmentation(Picocli.java:218)
keycloak_1 | at org.keycloak.quarkus.runtime.cli.Picocli.runReAugmentationIfNeeded(Picocli.java:154)
keycloak_1 | at org.keycloak.quarkus.runtime.cli.Picocli.parseAndRun(Picocli.java:105)
keycloak_1 | at org.keycloak.quarkus.runtime.KeycloakMain.main(KeycloakMain.java:107)
keycloak_1 | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
keycloak_1 | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
keycloak_1 | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
keycloak_1 | at java.base/java.lang.reflect.Method.invoke(Method.java:568)
keycloak_1 | at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:61)
keycloak_1 | at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:32)
keycloak_1 | Caused by: java.lang.NullPointerException: Cannot invoke "io.smallrye.config.ConfigValue.withConfigSourceName(String)" because the return value of "org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.transformValue(String, java.util.Optional, io.smallrye.config.ConfigSourceInterceptorContext)" is null
keycloak_1 | at org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper.getConfigValue(PropertyMapper.java:133)
keycloak_1 | at org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers.getValue(PropertyMappers.java:47)
keycloak_1 | at org.keycloak.quarkus.runtime.configuration.PropertyMappingInterceptor.getValue(PropertyMappingInterceptor.java:43)
keycloak_1 | at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
keycloak_1 | at io.smallrye.config.PropertyNamesConfigSourceInterceptor.getValue(PropertyNamesConfigSourceInterceptor.java:17)
keycloak_1 | at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
keycloak_1 | at io.smallrye.config.SmallRyeConfig.getConfigValue(SmallRyeConfig.java:323)
keycloak_1 | at io.quarkus.deployment.configuration.BuildTimeConfigurationReader$ReadOperation.lambda$run$0(BuildTimeConfigurationReader.java:603)
keycloak_1 | at io.smallrye.config.Expressions.withoutExpansion(Expressions.java:29)
keycloak_1 | at io.quarkus.deployment.configuration.BuildTimeConfigurationReader$ReadOperation.run(BuildTimeConfigurationReader.java:603)
keycloak_1 | at io.quarkus.deployment.configuration.BuildTimeConfigurationReader.lambda$readConfiguration$0(BuildTimeConfigurationReader.java:424)
keycloak_1 | at io.smallrye.config.SecretKeys.doUnlocked(SecretKeys.java:28)
keycloak_1 | at io.quarkus.deployment.configuration.BuildTimeConfigurationReader.readConfiguration(BuildTimeConfigurationReader.java:424)
keycloak_1 | at io.quarkus.deployment.ExtensionLoader.loadStepsFrom(ExtensionLoader.java:150)
keycloak_1 | at io.quarkus.deployment.QuarkusAugmentor.run(QuarkusAugmentor.java:107)
keycloak_1 | at io.quarkus.runner.bootstrap.AugmentActionImpl.runAugment(AugmentActionImpl.java:332)
keycloak_1 | at io.quarkus.runner.bootstrap.AugmentActionImpl.createProductionApplication(AugmentActionImpl.java:175)
keycloak_1 | at io.quarkus.deployment.mutability.ReaugmentTask.main(ReaugmentTask.java:69)
keycloak_1 | ... 26 more
keycloak_1 | JAVA_OPTS already set in environment; overriding default settings with values: -XX:MaxRAMPercentage=75.0