I am trying to deploy Keycloak using the operator onto a kubernetes cluster. I need the app to exist on '/auth' and not '/'. I am using the ingress-nginx ingress controller and creating the ingress using a helm template.
ingress-template.yaml:
{{- if .Values.auth.ingress.enabled -}}
{{- $fullName := printf "%s-%s" (include "appname.fullname" .) .Values.auth.name }}
{{- $svcPort := .Values.auth.service.port -}}
{{- if and .Values.auth.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.auth.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "appname.labels" . | nindent 4 }}
{{- with .Values.auth.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.auth.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.auth.ingress.className }}
{{- end }}
{{- if .Values.auth.ingress.tls }}
tls:
{{- range .Values.auth.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.auth.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}-service
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}-service
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
keycloak-template.yaml:
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}
spec:
{{/**
image: {{ .Values.auth.image.repository }}:{{ .Values.auth.image.tag }}
**/}}
ingress:
enabled: false
db:
vendor: {{ .Values.auth.config.vendor }}
usernameSecret:
name: {{ .Values.auth.secret.name }}
key: {{ .Values.auth.secret.usernameKey }}
passwordSecret:
name: {{ .Values.auth.secret.name }}
key: {{ .Values.auth.secret.passwordKey }}
host: "appname-{{ .Values.authdb.name }}.{{ .Release.Namespace }}.svc.cluster.local"
database: {{ .Values.auth.config.dbname }}
port: {{ .Values.authdb.config.dbport }}
schema: {{ .Values.auth.config.schema }}
poolInitialSize: 1
poolMinSize: 1
poolMaxSize: 3
http:
httpEnabled: true
httpPort: {{ .Values.auth.service.port }}
httpsPort: {{ .Values.auth.service.httpsPort }}
tlsSecret: ingress-certificate
hostname:
strict: false
strictBackchannel: false
features:
enabled:
- docker
- authorization
disabled:
- step-up-authentication
transaction:
xaEnabled: false
unsupported:
podTemplate:
metadata:
labels:
{{- include "appname.labels" . | nindent 10 }}
name: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}
spec:
containers:
- name: {{ include "appname.fullname" . }}-{{ .Values.auth.name }}
env:
{{/**}}
- name: PROXY_ADDRESS_FORWARDING
value: "{{ .Values.auth.extraEnv.proxyForwarding.value }}"
- name: KC_HTTP_RELATIVE_PATH
value: "/auth"
**/}}
- name: KC_PROXY
value: "edge"
- name: KC_EXTRA_ARGS
value: "--proxy edge"
- name: KC_HOSTNAME_PATH
value: "/auth"
- name: KC_LOG_LEVEL
value: DEBUG
- name: KC_HOSTNAME_URL
value: "https://devapp.myapps.co.uk/auth"
values.yaml:
auth:
name: auth
replicaCount: 1
image:
tag: "1.42.1"
repository: appname.azurecr.io/appname-keycloak
pullPolicy: IfNotPresent
extraEnv:
proxyForwarding:
value: "true"
ingress:
enabled: true
className: nginx
hosts:
- host: prodapp.myapps.co.uk
paths:
- path: /auth
pathType: Prefix
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/protocol: http
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-*"
tls: []
config:
name: auth-configmap
dbname: database
path: /auth
vendor: postgres
address: '{{ include "appname.fullname" . }}-{{ .Values.authdb.name }}.{{ .Release.Namespace }}.svc.cluster.local'
schema: public
dbhost: "appname-auth-database.appname.svc.cluster.local"
secret:
name: auth-database-env
usernameKey: POSTGRES_USER
passwordKey: POSTGRES_PASSWORD
args: ["start-dev --import-realm"]
probes:
liveness: /auth/
readiness: /auth/realms/master
service:
type: ClusterIP
port: 8080
httpsPort: 8443
nodeSelector: {}
tolerations: []
affinity: {}
serviceAccount:
create: true
annotations: {}
name: ""
podAnnotations: {}
podSecurityContext: {}
securityContext: {}
resources: {}
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
when I install the chart via helm everything appears to deploy fine, but every path I browse to under /auth is getting routed to the keycloak app running in its pod, but I am getting a 404 returned from keycloak for all resources. there are no other errors in the keycloak logs or the ingress controller logs.
any help on what I have misconfigured would be greatly appreciated :-)
I have tried configuring the ingress to do a target rewrite as opposed to configuring the web context of keycloak, meaning that keycloak expects traffic on '/' and the ingress controller rewrites URLS from '/auth' to '/' when forwarding traffic to the pod, however this results in keycloak writing URLS that need resolving on '/' so it doesn't work.
Try by changing
to
in
keycloak-template.yamlfile. It sets the path relative to / for serving resources.