4

I have istio installed and can see it on Rancher. I have keycloak installed as well. I am trying to connect the two and have a gateway setup so I can access keycloak front-end through a URL. In my keycloak manifest I have 

# Source: keycloak/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
. 
. #Many other lines here
.
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP

I then setup a gateway with command - 

kubectl apply -f networking/custom-gateway.yaml

And in my custom-gateway.yaml file I have - 

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak
spec:
  hosts:
  - "*"
  gateways:
  - keycloak-gateway
  http:
  - match:
    - uri:
        exact: /keycloak 
    rewrite:
      uri: "/" # Non context aware backend
    route:
    - destination:
        host: keycloak
        port:
          number: 80
    websocketUpgrade: true

Now when I try to access the URL with http://node_ip_address:port/keycloak, I find that I am not able to access the front end. I have verified that keycloak is installed and the pod is up and running on Rancher. I also have my istio instance connected to the bookinfo application and am able to run the bookinfo-gateway and connect to http://node_ip_address:port/productpage with a gateway that looks like the one described here. I am trying to setup the same gateway only for keycloak. What am I doing wrong in my yaml files. How do I fix this? Any help is appreciated. Do I have the ports connected correctly?

BipinS.
  • 41
  • 2

1 Answers1

2

As far as I can see, you should fix your Virtual Service.

I prepared small example with helm and keycloak helm chart.

Save this as keycloak.yaml, you can configure your keycloak password here.

keycloak:
  service:
    type: ClusterIP
  password: mykeycloakadminpasswd
  persistence:
    deployPostgres: true
    dbVendor: postgres

Install keycloak with helm and values prepared above.

helm upgrade --install keycloak stable/keycloak -f keycloak.yml

Create gateway and virtual service

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak
spec:
  hosts:
  - "*"
  gateways:
  - keycloak-gateway
  http:
  - match:
    - uri:
        prefix: /auth
    - uri:
        prefix: /keycloak
    rewrite:
      uri: /auth
    route:
    - destination:
        host: keycloak-http
        port:
          number: 80

virtual service route.host is name of kubernetes keycloak pod service.

kubectl get svc

NAME                  TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
keycloak-http         ClusterIP   10.0.14.36    <none>        80/TCP     22m

You should be able to connect to keycloak via your ingress_gateway_ip/keycloak or ingress_gateway_ip/auth and login with keycloak credentials, in my example it's login: keycloak and password: mykeycloakadminpasswd.

Note that you need to add prefix for /auth as it's default keycloak web to do everything. Keycloak prefix just rewrite to /auth here.

Jakub
  • 8,189
  • 1
  • 17
  • 31