
Both are running on an EKS cluster. Every other microservice is working fine through the Ingress. I've tried both a Keycloak helm chart and a manual install, but I cannot get past this redirect issue. Using kubectl port-forward I can access the dashboard etc. just fine.

Using the codecentric helm chart, I am passing these extraEnvs

    extraEnv: |
      - name: PROXY_ADDRESS_FORWARDING
        value: "true"
      - name: KEYCLOAK_HOSTNAME
        value: "http://ab12de4e5e0014cce978ff01da712b39-630471733.eu-west-1.elb.amazonaws.com"
      - name: KEYCLOAK_FRONTEND_URL
        value: "http://ab12de4e5e0014cce978ff01da712b39-630471733.eu-west-1.elb.amazonaws.com/v1/auth"

The only advice I can find for this issue is to enable PROXY_ADDRESS_FORWARDING which I have, with no result.

I've tried pointing Nginx to the service.yaml that comes with the chart, as well as writing my own like:

    apiVersion: v1
    kind: Service
    metadata:
      name: keycloak-service
    spec:
      ports:
        - port: 80
          targetPort: 8080
          protocol: TCP
      type: ClusterIP
      selector:
        app: keycloak-dev-cluster-0

The issue:

If the Nginx path in the ingress.yaml is /v1/auth, the keycloak does respond and sends a redirect to /auth which then 404s.

If the Nginx path is /auth this will cause an infinite loop.

How do I get it to route correctly?

  • 1.) `/v1/auth` -> you are trying to change context path - that's not easy config - https://stackoverflow.com/questions/44624844/configure-reverse-proxy-for-keycloak-docker-with-custom-base-url/54311713#54311713 2.) `/auth` you have to proxy `/auth` also to `/auth` on the keycloak (maybe you need rewriting on the ingress, but I'm not sure). Generally, you are trying very advanced routing for the keycloak case. I would start with a simple one (e.g. https://www.keycloak.org/getting-started/getting-started-kube) and then you may increase complexity step by step (but don't expect easy steps). – Jan Garaj Sep 07 '21 at 19:53
  • @JanGaraj I followed the getting started guide you linked, that was very easy to set up. But I am still confused as to what Ingress configuration I should be using. > /auth you have to proxy /auth also to /auth on the keycloak (maybe you need rewriting on the ingress, but I'm not sure) I am not sure what you mean by this. If I set the ingress path to `path` the request in the logs looks like `GET /auth/ HTTP/1.1" 304 0`. So I would've thought that keycloak would receive `/auth/`. Am I missing headers maybe? – Phil O'Dowd Sep 08 '21 at 11:19
  • Basic mapping is `/` (nginx ingress path) -> `keycloak/` (keycloak app). When Keycloak receives a request for `/` it redirects to `/auth/`. You are trying `/auth/` -> `keycloak/`, but it should be `/auth/` -> `keycloak/auth/`. I don't know how, you should check the tools used - nginx ingress. – Jan Garaj Sep 08 '21 at 14:20

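The mapping described in the last comment (`/auth/` on the ingress to `/auth/` on Keycloak), written out as an Ingress manifest. This is an added example, not part of the original thread; it assumes the ingress-nginx controller with ingress class `nginx` and the `keycloak-service` from the question, and the Ingress name is hypothetical.

```yaml
# Added example: forward /auth to Keycloak with the path left unchanged.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress              # hypothetical name
  # Deliberately no nginx.ingress.kubernetes.io/rewrite-target annotation.
  # Rewriting /auth to "/" hands Keycloak a request for "/", which it answers
  # with a redirect to "/auth/"; the ingress strips the prefix again and the
  # client loops, as described in the comments above.
spec:
  ingressClassName: nginx             # assumption: ingress-nginx default class
  rules:
    - http:
        paths:
          - path: /auth               # external path == Keycloak context path
            pathType: Prefix
            backend:
              service:
                name: keycloak-service    # Service from the question
                port:
                  number: 80              # Service port, targetPort 8080
# With this mapping the externally visible base URL ends in /auth, so a
# KEYCLOAK_FRONTEND_URL ending in /v1/auth would no longer match the route.
```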