I'm an expert on Ingress (I usually work with Routes on OCP) but it
probably depends on the Ingress configuration.
If I'm not mistaken, the default Ingress configuration terminates TLS and
sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
an unencrypted HTTP request.
I think you have a couple of options how to solve it:
- Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
  traffic to the Pod, without termination). A similar configuration to this
  one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be
  the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn "Require SSL" option in the "Realm Settings". But please remember to
  always use properly configured ingress in front of Keycloak. Otherwise you
  might compromise it!!!
Thanks,
Sebastian
On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
wrote:
Hi all,
I’m evaluating Keycloak as IAM for one open source project [1], so far,
I’ve tested it successfully on a minikube (local) Kubernetes cluster and I
want to run it on a real cluster.
The real cluster (created by Gardener [2]) is running on AWS and the
access to the Keycloak is exposed through an Ingress controller [3].
We’ve also installed “cert-manager” for automated certificates management
of Let’s Encrypt issued certificates.
So far so good, but when I try to login to the “Admin Console” I get the
following error:
“We're sorry... HTTPS required”
In the logs of the pod, there is the following warning:
“WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
error=ssl_required”
As far as I understand, the Let’s Encrypt certificate is trusted by the
browsers and it appears to be trusted by the OpenJDK also [4].
Then what should be done in order to access the Admin Console?
Last but not least, we are using jboss/keycloak:latest image (I know that
we should be using some stable version like 4.0.0, but it appears that the
issue is not related to the image version).
Regards,
Yordan Pavlov
[1] ProMART: https://github.com/promart-io | https://www.promart.io/
[2] Gardener: https://github.com/gardener
[3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
[4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
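
The pass-through option from the reply, written out as a manifest next to the terminating default it replaces. This is an added example, not configuration from either poster or from the linked issue; it assumes the ingress-nginx controller, and the resource names, namespace, host and ports are hypothetical.

```yaml
# Variant A (terminating, the default described in the reply): the controller
# holds the certificate, decrypts, and sends plain HTTP to the pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-terminated          # hypothetical name
  namespace: iam                     # hypothetical namespace
spec:
  ingressClassName: nginx
  tls:
    - hosts: [keycloak.example.test] # hypothetical host
      secretName: keycloak-tls       # certificate lives at the ingress
  rules:
    - host: keycloak.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080       # assumed plain-HTTP port of the pod
---
# Variant B (pass-through): the controller forwards the TLS stream untouched,
# so the pod itself terminates HTTPS. Apply one variant, not both.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-passthrough         # hypothetical name
  namespace: iam
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: keycloak.example.test    # matched against the TLS SNI value
      http:
        paths:
          - path: /                  # path is not inspected under pass-through
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8443       # assumed HTTPS port of the pod
```

Variant B only takes effect when the ingress-nginx controller is started with `--enable-ssl-passthrough`. Because the controller no longer holds the certificate in that mode, the certificate and key have to be available inside the Keycloak pod.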