
I have Keycloak installed on my Kubernetes cluster. The default Ingress which Keycloak creates looks like this.

```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    route.openshift.io/termination: passthrough
  creationTimestamp: "2022-11-09T13:08:00Z"
  generation: 1
  labels:
    app: keycloak
    app.kubernetes.io/managed-by: keycloak-operator
  name: keycloak-kc-ingress
  namespace: default
  ownerReferences:
  - apiVersion: k8s.keycloak.org/v2alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Keycloak
    name: keycloak-kc
    uid: 67a18d00-4bee-4587-b330-cdaf21b39084
  resourceVersion: "155002"
  uid: 87c2aff4-1489-4ba9-bdf6-9fe1a288c800
spec:
  defaultBackend:
    service:
      name: keycloak-kc-service
      port:
        number: 8443
  rules:
  - host: keycloak.example.com
    http:
      paths:
      - backend:
          service:
            name: keycloak-kc-service
            port:
              number: 8443
        pathType: ImplementationSpecific
status:
  loadBalancer:
    ingress:
    - ip: 10.0.0.3
```

After installing ingress-nginx and adding kubernetes.io/ingress.class=nginx annotation, everything works.

For some reason, however, I need to use nginx-ingress. My new ingress looks like this.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # route.openshift.io/termination: passthrough
  labels:
    app: keycloak
    app.kubernetes.io/managed-by: keycloak-operator
    # target: keycloak-kc-service
  name: keycloak-kc-ingress
  namespace: default
spec:
  defaultBackend:
    service:
      name: keycloak-kc-service
      port:
        number: 8443
  rules:
  - host: accounts.example.com
    http:
      paths:
      - backend:
          service:
            name: keycloak-kc-service
            port:
              number: 8443
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - accounts.example.com
    secretName: keycloak-tls-secret
```

Unfortunately, this ingress returns the error "502 Bad Gateway". We can't handle it. Please help.

Information for debugging

```
kubectl get deployments -A
NAMESPACE              NAME                                        READY   UP-TO-DATE   AVAILABLE   AGE
default                keycloak-operator                           2/2     2            2           141m
kube-system            cilium-operator                             1/1     1            1           148m
kube-system            coredns                                     2/2     2            2           148m
kube-system            konnectivity-agent                          2/2     2            2           148m
kube-system            metrics-server                              2/2     2            2           148m
kubernetes-dashboard   dashboard-metrics-scraper                   2/2     2            2           148m
nginx-ingress          nginx-ingress-nginx-ingress-nginx-ingress   1/1     1            1           127m
olm                    catalog-operator                            1/1     1            1           142m
olm                    olm-operator                                1/1     1            1           142m
olm                    packageserver                               2/2     2            2           142m

kubectl get services -A
NAMESPACE              NAME                                        TYPE           CLUSTER-IP      EXTERNAL-IP                                      PORT(S)                      AGE
default                keycloak-kc-discovery                       ClusterIP      None            <none>                                           7800/TCP                     114m
default                keycloak-kc-service                         ClusterIP      10.240.18.67    <none>                                           8443/TCP                     114m
default                keycloak-operator                           ClusterIP      10.240.24.103   <none>                                           80/TCP                       141m
default                kubernetes                                  ClusterIP      10.240.16.1     <none>                                           443/TCP                      149m
default                postgres-db                                 ClusterIP      10.240.18.157   <none>                                           5432/TCP                     140m
kube-system            hcloud-csi-controller-metrics               ClusterIP      10.240.30.190   <none>                                           9189/TCP                     149m
kube-system            hcloud-csi-node-metrics                     ClusterIP      10.240.26.123   <none>                                           9189/TCP                     149m
kube-system            kube-dns                                    ClusterIP      10.240.16.10    <none>                                           53/TCP,53/UDP                149m
kube-system            metrics-server                              ClusterIP      10.240.31.184   <none>                                           443/TCP                      149m
kubernetes-dashboard   dashboard-metrics-scraper                   ClusterIP      10.240.25.29    <none>                                           8000/TCP                     149m
nginx-ingress          nginx-ingress-nginx-ingress-nginx-ingress   LoadBalancer   10.240.26.173   10.0.0.3,167.235.123.123,2a01:4f8:1c1f:6484::1   80:31670/TCP,443:30557/TCP   128m
olm                    operatorhubio-catalog                       ClusterIP      10.240.22.30    <none>                                           50051/TCP                    142m
olm                    packageserver-service                       ClusterIP      10.240.23.246   <none>
```


  • Please check available `IngressClasses` by `kubectl get ingressclass` and then set it for your new Ingress with `.spec.ingressClassName: XYZ` instead of the annotation which now should be deprecated. – Dawid Kruk Nov 10 '22 at 14:12
  • @DawidKruk Added
    ```
    kubectl get ingress -A
    NAMESPACE   NAME                  CLASS   HOSTS                  ADDRESS                                          PORTS     AGE
    default     keycloak-kc-ingress   nginx   accounts.example.com   10.0.0.3,167.235.110.143,2a01:4f8:1c1f:6484::1   80, 443   100m
    ```
    but still 502 Bad Gateway – portableunit Nov 10 '22 at 14:22
  • You can check ingress controller logs and also if the `endpoints` are bound correctly to your `Ingress` definition. Also, have you checked if your `Ingress` controller was installed correctly? Have you tried any other basic example to narrow down the issue? – Dawid Kruk Nov 11 '22 at 12:41

1 Answer


I had a similar issue, but with a very simple path rewrite. The nginx-ingress tries to find the index file in the nginx fs, and returns 404.

I simply decided to follow this instead. Now my Ingress works like a charm.

```yaml
# Source: harness-srm-demo/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: anbu-dev-gke-dietbox
  labels:
    helm.sh/chart: harness-srm-demo-0.1.0
    app.kubernetes.io/name: dietbox
    app.kubernetes.io/instance: anbu-dev-gke
    app.kubernetes.io/version: "1.24.9"
    app.kubernetes.io/managed-by: Helm
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: "cerioni.harness-demo.site"
      http:
        paths:
          - path: /anbu(/|$)(.*)
            pathType: Prefix
            backend:
              service:
                name: anbu-dev-gke-dietbox
                port:
                  number: 8080
```
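
Added example, not part of the original question or answer: a small Python lint for the class and annotation points raised in the comments, run against a reduced copy of the question's second manifest. It assumes the controller is the NGINX Inc. `nginx-ingress`, which reads `nginx.org/` annotations (`nginx.org/ssl-services` enables TLS to the listed backend services) rather than `nginx.ingress.kubernetes.io/` ones; `lint_for_nginx_ingress`, `backends`, `TLS_PORTS` and the manifest dict are constructed for illustration.

```python
# Added example (not from the original post): lint an Ingress for settings the
# NGINX Inc. "nginx-ingress" controller ignores but "ingress-nginx" honours.
COMMUNITY_PREFIX = "nginx.ingress.kubernetes.io/"   # ingress-nginx annotations
LEGACY_CLASS = "kubernetes.io/ingress.class"        # deprecated class annotation
SSL_SERVICES = "nginx.org/ssl-services"             # nginx-ingress: TLS to backend
TLS_PORTS = {443, 8443}                             # assumption: ports serving HTTPS only


def backends(spec):
    """Yield (service name, port number) for every backend in an Ingress spec."""
    found = [spec.get("defaultBackend")]
    for rule in spec.get("rules", []):
        found += [p.get("backend") for p in rule.get("http", {}).get("paths", [])]
    for b in found:
        svc = (b or {}).get("service")
        if svc:
            yield svc["name"], svc.get("port", {}).get("number")


def lint_for_nginx_ingress(ingress):
    """Return findings for an Ingress meant for the nginx-ingress controller."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})
    findings = []
    if LEGACY_CLASS in ann and "ingressClassName" not in spec:
        findings.append("class set by deprecated annotation; use spec.ingressClassName")
    for key in sorted(ann):
        if key.startswith(COMMUNITY_PREFIX):
            findings.append(f"{key} is an ingress-nginx annotation; nginx-ingress ignores it")
    ssl = {s.strip() for s in ann.get(SSL_SERVICES, "").split(",") if s.strip()}
    for name, port in sorted(set(backends(spec)), key=str):
        if port in TLS_PORTS and name not in ssl:
            findings.append(f"{name}:{port} looks like HTTPS but is not listed in {SSL_SERVICES}")
    return findings


# Constructed from the question's second manifest, reduced to the relevant fields.
QUESTION_INGRESS = {
    "metadata": {"annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "spec": {
        "defaultBackend": {"service": {"name": "keycloak-kc-service", "port": {"number": 8443}}},
        "rules": [{"host": "accounts.example.com", "http": {"paths": [
            {"path": "/", "backend": {"service": {"name": "keycloak-kc-service", "port": {"number": 8443}}}}]}}],
    },
}

if __name__ == "__main__":
    for finding in lint_for_nginx_ingress(QUESTION_INGRESS):
        print("WARN:", finding)
```

A finding here is a prompt to check the controller logs and the Service endpoints, as suggested in the comments, not proof of the cause of the 502.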