2

I have a Kubernetes cluster where I deployed the following deployment and service:

apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
    name: keycloak
spec:
  type: NodePort
  ports:
    - name: http
      protocol: TCP
      port: 8080
  selector:
    app: keycloak
    name: keycloak
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    name: keycloak
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      name: keycloak
      labels:
        app: keycloak
        name: keycloak
    spec:
      restartPolicy: Always
      containers:
      - name: keycloak
        image: jboss/keycloak
        ports:
          - containerPort: 8080
            protocol: TCP
        resources:
          requests:
            cpu: 200m
            memory: 256Mi
          limits:
            cpu: 400m
            memory: 512Mi
        env:
          - name: KEYCLOAK_LOGLEVEL
            value: "DEBUG"
          - name: PROXY_ADDRESS_FORWARDING
            value: "true"
          - name: KEYCLOAK_USER
            value: "admin"
          - name: KEYCLOAK_PASSWORD
            value: "password"
          - name: DB_USER
            valueFrom:
              secretKeyRef:
                name: postgres-secret
                key: username
          - name: DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: postgres-secret
                key: password
          - name: DB_ADDR
            valueFrom:
              configMapKeyRef:
                name: postgres-configmap
                key: HOST
          - name: DB_PORT
            valueFrom:
              configMapKeyRef:
                name: postgres-configmap
                key: PORT
          - name: DB_DATABASE
            valueFrom:
              configMapKeyRef:
                name: postgres-configmap
                key: DATABASE
          - name: DB_VENDOR
            value: "postgres"

The logs in my pod where keycloak is running are confirming that my keycloak is running and using the Postgres database that is provided. I try to add the following ingress rules:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
  - host: auth.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak
          servicePort: 8080
      - path: /auth
        backend:
          serviceName: keycloak
          servicePort: 8080

and I am able to get to the Keycloak home page, but once I click on administration console I keep getting the error: We're sorry .... HTTPS required. Setting the PROXY_ADDRESS_FORWARDING variable to "true", did not help to get it right. I don't just want to run keycloak on port 8443, so I am really looking for another solution than that.

SebastienPattyn
  • 393
  • 4
  • 18
  • so you want to run Keycloak under HTTPS or plain HTTP? If you want to disable HTTPS then take a look here: https://stackoverflow.com/questions/38337895/globally-disable-https-keycloak – Vasili Angapov May 13 '19 at 14:55
  • @VasilyAngapov keycloak has to run under http, since I have a reverse proxy who is redirecting to my ingress controller, Where I have multiple ingress rules, so no need to run it under HTTPS internally. I will check the psql query, but I prefer to not do that. In my other setup where I use my own proxy to redirect to the nodeport of the keycloak service, I am not having this issue. So I hope to just fix this by changing ingress – SebastienPattyn May 13 '19 at 14:57
  • if you have external proxy which only uses HTTP then there is no way how you can enable HTTPS for keycloak. You can use only HTTP. – Vasili Angapov May 13 '19 at 15:01
  • @VasilyAngapov sorry, my explanation is a little bit confusing. my proxy is using HTTPS. And when I go to `https://auth.mydomain.com` I see the keycloak page. just clicking on admin console, gives me the error – SebastienPattyn May 13 '19 at 15:08
  • when you see the error the address in the browser address panel is HTTP or HTTPS? – Vasili Angapov May 13 '19 at 15:11
  • @VasilyAngapov HTTPS – SebastienPattyn May 13 '19 at 15:15

1 Answers1

0

You need to setup TLS termination within your ingress 

spec:
  tls:
    - hosts:
      - auth.mydomain.com
      secretName: tls-secret

With created secret, which contains certificate for auth.mydomain.com:

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt:LS0S[...]0tLhsrQo=
  tls.key:LS0t[...]LS1CRUdJ=

This will let your ingress controller to terminate traffic using provided TLS cert, and forward un-encrypted HTTP traffic to your keycloak service.

A_Suh
  • 3,727
  • 6
  • 22
  • Hi, I'm not a big fan of sharing my crt and key in my ingress rules, after all we already have a SSL-termination proxy who is taking care of that, so it's not necessary to do that twice – SebastienPattyn May 16 '19 at 09:33
  • Apparently, you didn't disable SSL for your master realm. Just run this query with psql client `update REALM set ssl_required = 'NONE' where id = 'master';` – A_Suh May 16 '19 at 09:48
  • This might indeed be a solution, but how should I solve this when I'm running keycloak on k8s without postgres? I deployed keycloak again in standalone mode without using an external database (just for test purposes) and I have the same issue. Is there a way to change things in keycloak or give the right annotations in the ingress rule? – SebastienPattyn May 17 '19 at 08:09
  • @SebastienPattyn Even though, you are not using any external databases, Keycloak comes with its own embedded Java-based relational database called H2. So you can ssh to keycloack and use native sql clinet to run a query i.e. - java -cp .jar org.h2.tools.Shell -url "jdbc:h2:file:" -user -password -sql "update REALM set ssl_required='NONE' where id = 'master'" – A_Suh May 28 '19 at 09:14
  • Even after nginx ingress tls termination, I see in my case readiness probe failing – Sanjeev Nov 24 '22 at 22:52