I am working on a project where I'm deploying Keycloak on a Kubernetes (K8s) cluster, with Cloudflare serving as a reverse proxy using Cloudflare Tunnels. The architecture is set up as follows:
- A Cloudflare Tunnel is configured to forward incoming HTTPS traffic from the domain sso.example.com to my Kubernetes cluster.
- Then, the Ingress Controller in the Kubernetes cluster routes this incoming traffic to the Keycloak pod. This traffic is unencrypted (HTTP, port 8080).
The main Keycloak server is deployed as a container in the K8s cluster, with the Ingress configured to route traffic from the host at port 80 to Keycloak's cluster IP, which forwards traffic to the actual Keycloak pod serving at port 8080.
Below is my K8s deployment config for Keycloak:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:21.0.2
          args: ["start"]
          env:
            - name: KC_PROXY
              value: "edge"
            - name: KC_HOSTNAME_STRICT
              value: "false"
            - name: KC_HOSTNAME_STRICT_BACKCHANNEL
              value: "false"
            - name: KC_HOSTNAME
              value: "sso.example.com"
            - name: KC_HTTP_ENABLED
              value: "true"
          ports:
            - name: http
              containerPort: 8080
(Some env variables, like the DB configs, are omitted for simplicity.)
The problem I am having is that I am unable to access the admin console on my Keycloak server using HTTPS, despite being able to access the welcome page at sso.example.com. When accessing the admin console, the page is stuck at "Loading Admin UI" and the browser console logs the error:
GET https://sso.example.com/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console&origin=https%3A%2F%2Fsso.example.com (403 Forbidden)
I have seen https://github.com/keycloak/keycloak/issues/15107, but I am not sure how to set the X-Forwarded-For header with Cloudflare Tunnels.
I have also tried adding
            - name: KC_HOSTNAME_ADMIN
              value: "sso.example.com"
to the deployment config, but it still results in the same error.
However, if I deploy the server with ['start-dev'] instead of ['start'], the 403 error is gone, but there is a new error: Refused to frame 'http://sso.example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'".
It seems like the iframe isn't being served over HTTPS, even though I have configured Cloudflare to automatically rewrite all URLs to HTTPS.
Lastly, the admin console will load and work if I combine the option ['start-dev'] with changing the Cloudflare SSL/TLS encryption mode to OFF and accessing the console over HTTP.
I want to deploy with HTTPS while still being able to access the admin console. Please help.
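The following is an added example configuration, not the poster's own manifests and not an official Keycloak or Cloudflare example. It shows the one setting that most often explains this exact symptom when the Ingress Controller is ingress-nginx: by default ingress-nginx rewrites the X-Forwarded-* headers from its own plain-HTTP connection with cloudflared, so Keycloak (with KC_PROXY=edge) is told the scheme is http, the admin console's origin https://sso.example.com no longer matches, and the login-status-iframe init returns 403. Cloudflare already adds X-Forwarded-For and X-Forwarded-Proto: https at the edge, so nothing needs to change on the tunnel side; the headers only have to survive the hop through the ingress. Assumptions (not in the original post): the controller is ingress-nginx installed from the upstream manifests (ConfigMap ingress-nginx-controller in namespace ingress-nginx), the Keycloak Service is named keycloak and listens on port 80, and the ingress class is nginx.

```yaml
# Added example, not the poster's manifests. Assumes ingress-nginx from the
# upstream manifests; for a Helm install the ConfigMap is usually named
# <release>-ingress-nginx-controller in the release namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # Pass the incoming X-Forwarded-For / X-Forwarded-Proto headers through to
  # the upstream (Keycloak) instead of replacing them with values derived from
  # nginx's own plain-HTTP connection to cloudflared. With KC_PROXY=edge,
  # Keycloak uses X-Forwarded-Proto to build https://sso.example.com URLs.
  # Only enable this when the controller is reachable exclusively through the
  # tunnel: any other client that can reach it could otherwise spoof these
  # headers and make Keycloak trust an attacker-chosen client IP or scheme.
  use-forwarded-headers: "true"
---
# Ingress for the Keycloak Service (assumed: Service "keycloak", port 80,
# targeting the pod's container port 8080; TLS terminates at Cloudflare).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
spec:
  ingressClassName: nginx
  rules:
    - host: sso.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 80
```

Before applying this, it is worth confirming the diagnosis: point the sso.example.com rule at a small HTTP echo service for a moment and look at the X-Forwarded-Proto value it receives; if it says http, the header is being overwritten at the ingress. After the ConfigMap change, the failing login-status-iframe.html/init request should no longer return 403 with the unchanged ['start'] deployment, and the start-dev workaround plus disabling Cloudflare TLS is not needed. Keep KC_PROXY=edge and KC_HTTP_ENABLED=true; they are correct for TLS terminated at Cloudflare with plain HTTP inside the cluster.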