[keycloak-user] Keycloak on Kubernetes - HTTPS required

Meissa M'baye Sakho msakho at redhat.com
Mon Jun 25 11:04:47 EDT 2018 

Sebastien,
I'm trying to use Kubernetes TLS Client side authentication with keycloak
ona cloud environment called Apprenda (based on kubernetes and docker).

I can't manage to make it work and I don't know if the problem is from my
ingress configuration or from the nginx configuration.
In regard to the bug described below:
https://github.com/kubernetes/ingress-nginx/issues/2287
I seems like it's from the nginx configuration. But I'm not sure.

My ingress configuration is the following:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: opengie-proto
  name: keycloak-opengie-proto-ssl
  labels:
    app: keycloak-opengie-proto
  annotations:
   nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
   nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
   nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
   nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  rules:
  - host: keycloak-opengie-ssl.proto.paas.eclair.local
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak-opengie-proto
          servicePort: https
  tls:
   - hosts:
     - keycloak-opengie-ssl.proto.paas.eclair.local

Is there something strange that you're seeing in my configuration?
Could you give me some hints in the nginx configuration that I have to pay
attention?
thanks,
Meissa


2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec <slaskawi at redhat.com>:

> I'm an expert on Ingress (I usually work with Routes on OCP) but it
> probably depends on the Ingress configuration.
>
> If I'm not mistaken, the default Ingress configuration terminates TLS and
> sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
> unencrypted HTTP request.
>
> I think you have a couple of options how to solve it:
> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
> traffic to the Pod, without termination). A similar configuration to this
> one: https://github.com/kubernetes/ingress-nginx/issues/1947#
> issue-290639351
> - Use a Load Balancer Service to access Keycloak (the final result will be
> the same as in the previous solution - a Pod will get HTTPS traffic)
> - Turn "Require SLL" option in the "Realm Settings". But please remember to
> always use properly configured ingress in front of Keycloak. Otherwise you
> might compromise it!!!
>
> Thanks,
> Sebastian
>
> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov at sap.com>
> wrote:
>
> > Hi all,
> >
> > I’m evaluating Keycloak as IAM for one open source project [1], so far,
> > I’ve tested it successfully on a minikube (local) Kubernetes cluster and
> I
> > want to run it in on a real cluster.
> >
> > The real cluster (created by Gardener [2]) is running on AWS and the
> > access to the Keycloak is exposed through an Ingress controller [3].
> > We’ve also installed “cert-manager” for automated certificates management
> > of Let’s Encrypt issued certificates.
> >
> > So far so good, but when I try to login to the “Admin Console” I get the
> > following error:
> > “We're sorry... HTTPS required”
> >
> > In the logs of the pod, there is the following warning:
> > “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
> > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
> > error=ssl_required”
> >
> > As far as I understand, the Let’s Encrypt certificated is trusted by the
> > browsers and it appears to be trusted by the OpenJDK also [4].
> > Then what should be done in order to access the Admin Console?
> >
> > Last but not least, we are using jboss/keycloak:latest image (I know that
> > we should be using some stable version like 4.0.0, but it appears that
> the
> > issue is not related to the image version).
> >
> > Regards,
> > Yordan Pavlov
> >
> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> > [2] Gardener: https://github.com/gardener
> > [3] Keycloak:
> > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list