
I am trying to use keycloak as my identity provider for accessing the k8s dashboard. I use keycloak-gatekeeper to authenticate.

My keycloak config file is as follows on my pod pod1:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
      - name: gatekeeper
        image: carlosedp/keycloak-gatekeeper:latest
        args:
        - --config=/etc/keycloak-gatekeeper.conf
        ports:
        - containerPort: 3000
          name: service
        volumeMounts:
        - name: gatekeeper-config
          mountPath: /etc/keycloak-gatekeeper.conf
          subPath: keycloak-gatekeeper.conf
        - name: gatekeeper-files
          mountPath: /html
      volumes:
      - name : gatekeeper-config
        configMap:
          name: gatekeeper-config
      - name : gatekeeper-files
        configMap:
          name: gatekeeper-files
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-config
  namespace: kubernetes-dashboard
  creationTimestamp: null
data:
  keycloak-gatekeeper.conf: |+
    discovery-url: http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm
    skip-openid-provider-tls-verify: true
    client-id: k8s-client
    client-secret: <SECRET>
    listen: 0.0.0.0:3000
    debug: true
    ingress.enabled: true
    enable-refresh-tokens: true
    enable-logging: true
    enable-json-logging: true
    redirection-url: http://k8s.dashboard.com/dashboard/
    secure-cookie: false
    encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa
    enable-encrypted-token: false
    upstream-url: http://127.0.0.0:80
    forbidden-page: /html/access-forbidden.html
    headers:
        Bearer : <bearer token>
    resources:
    - uri: /*
      groups:
      - k8s-group
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-files
  namespace: kubernetes-dashboard
  creationTimestamp: null
data:
  access-forbidden.html: html file
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: db
  name: db
  namespace: kubernetes-dashboard
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: service
  selector:
    app: db
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: db
    namespace: kubernetes-dashboard
    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.ingress.kubernetes.io/rewrite-target: /
      nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
     
spec:
  rules:
    - host: k8s.dashboard.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
           service:
             name: db
             port:
               number: 80

When I access k8s.dashboard.com I get this URL, and it navigates me to the keycloak page for authentication.

http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm/protocol/openid-connect/auth?client_id=k8s-client&redirect_uri=http%3A%2F%2Fk8s.dashboard.com%2Fdashboard%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=23c4b0ff-259f-45c0-934a-98fc780363e6

After logging in to keycloak, it throws me a 404 page, and the URL it redirects to is

http://k8s.dashboard.com/dashboard/oauth/callback?state=23c4b0ff-259f-45c0-934a-98fc780363e6&session_state=4c698f90-4e03-44a9-b231-01a418f0d569&code=9ab6a309-98ad-4d61-989f-116f0b151522.4c698f90-4e03-44a9-b231-01a418f0d569.520395c1-d601-4502-981a-b1c08861ab3d

As you can see, the extra /oauth/callback endpoint is added after k8s.dashboard.com/dashboard. If I remove /oauth/callback, it redirects me to the k8s dashboard login page.

My pod log file is as follows:

{"level":"info","ts":1626074166.8771496,"msg":"client request","latency":0.000162174,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1626074166.9270697,"msg":"client request","latency":0.000054857,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074176.2642884,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074176.264481,"msg":"client request","latency":0.000197256,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}
{"level":"info","ts":1626074176.2680361,"msg":"client request","latency":0.000041917,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074185.140641,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074185.1407247,"msg":"client request","latency":0.000091046,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}
{"level":"info","ts":1626074185.1444902,"msg":"client request","latency":0.000042129,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1626074202.1827211,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074202.182838,"msg":"client request","latency":0.000122802,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1626074202.1899397,"msg":"client request","latency":0.000032541,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}

What is wrong here? Any help will be appreciated!

  • Why `/dashboard/` in `redirection-url: http://k8s.dashboard.com/dashboard/`? – Jan Garaj Jul 12 '21 at 11:12
  • @JanGaraj my k8s dashboard is hosted at `http://k8s.dashboard.com/dashboard/` – SAKAR MEHRA Jul 12 '21 at 11:56
  • but gatekeeper isn't – Jan Garaj Jul 12 '21 at 12:09
  • I am not sure what I should pass in `redirect-url` and in `upstream-url`. Any help? – SAKAR MEHRA Jul 12 '21 at 12:16
  • It may be caused by the gatekeeper cookies that are restricted to https domains by default (using the secure flag in set-cookie). You can bypass this issue by using https as the gatekeeper entrypoint or by setting the command line flag "--secure-cookie=false" at gatekeeper startup. Did you also see [this similar problem](https://stackoverflow.com/questions/55385869/error-no-session-found-in-request-from-keycloak-gatekeeper)? – Mikołaj Głodziak Jul 12 '21 at 13:46
  • is there any progress? – Roman Mar 22 '23 at 11:55
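As an added check (not code from the question, the answer, or the gatekeeper project), the script below derives the callback that gatekeeper registers from `redirection-url`, compares it with the `redirect_uri` Keycloak was sent, and flags the "no session found" redirect loop visible in the pod log. The log lines and the authorize URL are copied from the question; the `min_rounds` threshold is my assumption.

```python
import json
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Sample input: six consecutive lines copied from the pod log in the question.
LOG_LINES = [
    '{"level":"error","ts":1626074176.2642884,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}',
    '{"level":"info","ts":1626074176.264481,"msg":"client request","latency":0.000197256,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}',
    '{"level":"info","ts":1626074176.2680361,"msg":"client request","latency":0.000041917,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}',
    '{"level":"error","ts":1626074185.140641,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}',
    '{"level":"info","ts":1626074185.1407247,"msg":"client request","latency":0.000091046,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/"}',
    '{"level":"info","ts":1626074185.1444902,"msg":"client request","latency":0.000042129,"status":307,"bytes":330,"client_ip":"172.17.0.8:43276","method":"GET","path":"/oauth/authorize"}',
]

# The authorization URL the browser was sent to, as shown in the question.
AUTHORIZE_URL = ("http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm/protocol/openid-connect/auth"
                 "?client_id=k8s-client&redirect_uri=http%3A%2F%2Fk8s.dashboard.com%2Fdashboard%2Foauth%2Fcallback"
                 "&response_type=code&scope=openid+email+profile&state=23c4b0ff-259f-45c0-934a-98fc780363e6")

def expected_callback(redirection_url: str) -> str:
    """Gatekeeper registers <redirection-url>/oauth/callback as the OIDC redirect URI."""
    return redirection_url.rstrip("/") + "/oauth/callback"

def callback_path(redirection_url: str) -> str:
    """The path the ingress must route back to the gatekeeper pod, not to the upstream."""
    return urlparse(expected_callback(redirection_url)).path

def redirect_uri_matches(redirection_url: str, authorize_url: str) -> bool:
    """True when Keycloak was asked to redirect to exactly the callback gatekeeper derives."""
    query = authorize_url.partition("?")[2]
    sent = parse_qs(query).get("redirect_uri", [""])[0]
    return sent == expected_callback(redirection_url)

def detect_auth_loop(lines, min_rounds: int = 2) -> dict:
    """Flag repeated 'no session' -> 307 / -> 307 /oauth/authorize rounds with no callback hit."""
    no_session, callback_hits = 0, 0
    redirects = Counter()
    for raw in lines:
        entry = json.loads(raw)
        if entry.get("error") == "authentication session not found":
            no_session += 1
        elif entry.get("status") == 307:
            redirects[entry["path"]] += 1
        if entry.get("path", "").endswith("/oauth/callback"):
            callback_hits += 1  # a completed login would show up here
    looping = (no_session >= min_rounds and redirects["/oauth/authorize"] >= min_rounds
               and callback_hits == 0)
    return {"no_session": no_session, "authorize_redirects": redirects["/oauth/authorize"],
            "callback_hits": callback_hits, "loop": looping}
```

When `loop` is true and `callback_path` is not a path the ingress delivers to the gatekeeper service, the callback never reaches the proxy and the browser keeps being sent back to `/oauth/authorize`.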

1 Answer


I didn't figure out how to do this using keycloak-gatekeeper. But I found a really working solution here; it uses oauth2-proxy:
https://artifacthub.io/packages/helm/osc/kubernetes-dashboard-proxy

Roman