How to configure keycloak 18.0.0 in kubernetes with Ingress reverse proxy #11886

gohanbg · 2022-05-07T23:22:16Z

gohanbg
May 7, 2022

Hello,

I'm having some troubles configuring the latest keycloak version in k8s with a reverse proxy (I'm a noob in this area, so probably I'm misconfiguring something, but can't figure out what exactly).

keycloak is deployed with the new operator and following CR:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  instances: 1
  image: "my-image:v1.2.3.4"
  hostname: login.my-site.com
  unsupported:
    podTemplate:
      spec:
        imagePullSecrets:
          - name: docker-repo-secret
  serverConfiguration:
    - name: db
      value: postgres
    - name: db-url-host
      value: auth-postgresql-headless
    - name: db-username
      value: keycloak
    - name: db-password
      secret:
        name: auth-postgresql
        key: postgresql-password
    - name: http-enabled
      value: "true"
    - name: proxy
      value: edge
    - name: hostname-strict-https
      value: "false"
    - name: hostname-strict
      value: "false"
  tlsSecret: new-auth-tls

When I deploy this, thats how the namespace looks like:

NAME                                     READY   STATUS    RESTARTS   AGE
pod/auth-postgresql-0                    1/1     Running   0          13d
pod/example-kc-696b8984bc-q8hmm          1/1     Running   0          7m3s
pod/keycloak-operator-678f86b4d9-grfpp   1/1     Running   0          3d1h

NAME                               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                    AGE
service/auth-postgresql            ClusterIP   10.245.116.28    <none>        5432/TCP                   553d
service/auth-postgresql-headless   ClusterIP   None             <none>        5432/TCP                   553d
service/example-kc-discovery       ClusterIP   None             <none>        7800/TCP                   7m3s
service/example-kc-service         ClusterIP   10.245.4.239     <none>        8443/TCP                   7m3s
service/keycloak-operator          ClusterIP   10.245.63.242    <none>        80/TCP                     5d6h

NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/example-kc          1/1     1            1           7m3s
deployment.apps/keycloak-operator   1/1     1            1           5d6h

NAME                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/example-kc-696b8984bc          1         1         1       7m3s
replicaset.apps/keycloak-operator-678f86b4d9   1         1         1       5d6h

NAME                               READY   AGE
statefulset.apps/auth-postgresql   1/1     553d

For proxy, I'm using Ingress the following configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: new-auth-ingress
spec:
  tls:
    - hosts:
        - login.my-site.com
      secretName: new-auth-tls
  rules:
    - host: login.my-site.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-kc-discovery
                port:
                  number: 7800

now, when I go to https://login.my-site.com/ I get a 502 Bad Gateway response.
When I look at the logs, I can see that the request is reaching the keycloak pod, and the following error appears: (cookie sent by /10.244.1.233:52494 does not match own cookie)

2022-05-07 23:18:08,174 WARN  [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-2,example-kc-696b8984bc-q8hmm-47510) JGRP000006: failed accepting connection from peer Socket[addr=/10.244.1.233,port=52494,localport=7800]: java.net.SocketException: 10.244.2.114:7800: BaseServer.TcpConnection.readPeerAddress(): cookie sent by /10.244.1.233:52494 does not match own cookie; terminating connection
2022-05-07 23:18:08,177 WARN  [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-2,example-kc-696b8984bc-q8hmm-47510) JGRP000006: failed accepting connection from peer Socket[addr=/10.244.1.233,port=52496,localport=7800]: java.net.SocketException: 10.244.2.114:7800: BaseServer.TcpConnection.readPeerAddress(): cookie sent by /10.244.1.233:52496 does not match own cookie; terminating connection
2022-05-07 23:18:08,179 WARN  [org.jgroups.protocols.TCP] (TcpServer.Acceptor[7800]-2,example-kc-696b8984bc-q8hmm-47510) JGRP000006: failed accepting connection from peer Socket[addr=/10.244.1.233,port=52498,localport=7800]: java.net.SocketException: 10.244.2.114:7800: BaseServer.TcpConnection.readPeerAddress(): cookie sent by /10.244.1.233:52498 does not match own cookie; terminating connection

Can somebody help with advice what I need to change in my configuration?

andreaTP · 2022-05-09T09:32:15Z

andreaTP
May 9, 2022

Hi @gohanbg ,

thanks for your question!

Your configuration looks a little strange to me, especially on those settings:

    - name: http-enabled
      value: "true"
    - name: proxy
      value: edge

Are you trying to use Keycloak with plain HTTP?

Also, I notice that you created an ingress pointing to the Infinispan Discovery Service, and, it's intended to be used only internally.
The service to be used for the ingress is example-kc-service.

Please note that the new operator does deploy a "default" ingress based on nginx, you can take a look at it to check your own configuration.

0 replies

gohanbg · 2022-05-10T06:55:25Z

gohanbg
May 10, 2022
Author

Thank you for your comment @andreaTP. When you said that the operator creates a default ingress I noticed that it was not created, due to the fact that there was already an ingress (the one that I manually created) for the same URL (https://login.my-site.com/ ). When I deleted my ingress the default one was created. It was using its own secret though. Can I somehow give the keycloak custom resource a secret to be used by the ingress it creates?

As a workaround, I saw what was the differences between the default ingress and mine, updated mine, and now I have a proper working ingress endpoint with the secret I want.

0 replies

andreaTP · 2022-05-10T08:26:56Z

andreaTP
May 10, 2022

Thanks for getting back @gohanbg !

I'm happy that you have a working solution!
At the moment the "default ingress" doesn't support the secretName out of the box.
We encourage you to disable it and provide your own ingress.

Please note that is currently not possible to disable the ingress due to a bug, but it is already solved ( #11577 ).

cc. @vmuzikar

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to configure keycloak 18.0.0 in kubernetes with Ingress reverse proxy #11886

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to configure keycloak 18.0.0 in kubernetes with Ingress reverse proxy #11886

Uh oh!

Uh oh!

gohanbg May 7, 2022

Replies: 3 comments

Uh oh!

andreaTP May 9, 2022

Uh oh!

gohanbg May 10, 2022 Author

Uh oh!

andreaTP May 10, 2022

gohanbg
May 7, 2022

andreaTP
May 9, 2022

gohanbg
May 10, 2022
Author

andreaTP
May 10, 2022