9:26 a.m.
Hi all,
I’m evaluating Keycloak as IAM for one open source project [1], so far, I’ve tested it
successfully on a minikube (local) Kubernetes cluster and I want to run it in on a real
cluster.
The real cluster (created by Gardener [2]) is running on AWS and the access to the
Keycloak is exposed through an Ingress controller [3].
We’ve also installed “cert-manager” for automated certificates management of Let’s Encrypt
issued certificates.
So far so good, but when I try to login to the “Admin Console” I get the following
error:
“We're sorry... HTTPS required”
In the logs of the pod, there is the following warning:
“WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master,
clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required”
As far as I understand, the Let’s Encrypt certificated is trusted by the browsers and it
appears to be trusted by the OpenJDK also [4].
Then what should be done in order to access the Admin Console?
Last but not least, we are using jboss/keycloak:latest image (I know that we should be
using some stable version like 4.0.0, but it appears that the issue is not related to the
image version).
Regards,
Yordan Pavlov
[1] ProMART: https://github.com/promart-io | https://www.promart.io/
[2] Gardener: https://github.com/gardener
[3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
[4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
6:18 a.m.
I'm an expert on Ingress (I usually work with Routes on OCP) but it
probably depends on the Ingress configuration.
If I'm not mistaken, the default Ingress configuration terminates TLS and
sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
unencrypted HTTP request.
I think you have a couple of options how to solve it:
- Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
traffic to the Pod, without termination). A similar configuration to this
one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be
the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn "Require SLL" option in the "Realm Settings". But please
remember to
always use properly configured ingress in front of Keycloak. Otherwise you
might compromise it!!!
Thanks,
Sebastian
On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
wrote:
Hi all,
I’m evaluating Keycloak as IAM for one open source project [1], so far,
I’ve tested it successfully on a minikube (local) Kubernetes cluster and I
want to run it in on a real cluster.
The real cluster (created by Gardener [2]) is running on AWS and the
access to the Keycloak is exposed through an Ingress controller [3].
We’ve also installed “cert-manager” for automated certificates management
of Let’s Encrypt issued certificates.
So far so good, but when I try to login to the “Admin Console” I get the
following error:
“We're sorry... HTTPS required”
In the logs of the pod, there is the following warning:
“WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
error=ssl_required”
As far as I understand, the Let’s Encrypt certificated is trusted by the
browsers and it appears to be trusted by the OpenJDK also [4].
Then what should be done in order to access the Admin Console?
Last but not least, we are using jboss/keycloak:latest image (I know that
we should be using some stable version like 4.0.0, but it appears that the
issue is not related to the image version).
Regards,
Yordan Pavlov
[1] ProMART: https://github.com/promart-io | https://www.promart.io/
[2] Gardener: https://github.com/gardener
[3] Keycloak:
https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
[4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:26 a.m.
There is one more option, if Ingress injects usual Proxy headers:
X-Forwarded-Host && X-Forwarded-Proto, Keycloak docker container can be
instructed to read them when determining connection type (http vs https),
otherwise, it will detect https by socket type, which is plain,
non-encrypted in your case because ssl traffic is terminated on Ingress.
To instruct Keycloak to read those headers -- start docker container with
PROXY_ADDRESS_FORWARDING=true env variable set
On Thu, Jun 21, 2018 at 2:19 PM Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
I'm an expert on Ingress (I usually work with Routes on OCP) but
it
probably depends on the Ingress configuration.
If I'm not mistaken, the default Ingress configuration terminates TLS and
sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
unencrypted HTTP request.
I think you have a couple of options how to solve it:
- Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
traffic to the Pod, without termination). A similar configuration to this
one:
https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be
the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn "Require SLL" option in the "Realm Settings". But please
remember to
always use properly configured ingress in front of Keycloak. Otherwise you
might compromise it!!!
Thanks,
Sebastian
On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
wrote:
> Hi all,
>
> I’m evaluating Keycloak as IAM for one open source project [1], so far,
> I’ve tested it successfully on a minikube (local) Kubernetes cluster and
I
> want to run it in on a real cluster.
>
> The real cluster (created by Gardener [2]) is running on AWS and the
> access to the Keycloak is exposed through an Ingress controller [3].
> We’ve also installed “cert-manager” for automated certificates management
> of Let’s Encrypt issued certificates.
>
> So far so good, but when I try to login to the “Admin Console” I get the
> following error:
> “We're sorry... HTTPS required”
>
> In the logs of the pod, there is the following warning:
> “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
> realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
> error=ssl_required”
>
> As far as I understand, the Let’s Encrypt certificated is trusted by the
> browsers and it appears to be trusted by the OpenJDK also [4].
> Then what should be done in order to access the Admin Console?
>
> Last but not least, we are using jboss/keycloak:latest image (I know that
> we should be using some stable version like 4.0.0, but it appears that
the
> issue is not related to the image version).
>
> Regards,
> Yordan Pavlov
>
> [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> [2] Gardener: https://github.com/gardener
> [3] Keycloak:
> https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:04 a.m.
Hi Sebastian and Vitalii,
Thank you very much for the replies!!!
I’ve managed to solve the issue by adding “PROXY_ADDRESS_FORWARDING=true” property, after
that I was able to log into the Admin Console.
The next step in my scenario is to secure a web application running on Tomcat server,
where I have the Tomcat adapter and the application “keycloak.json”.
After configuring the keycloak client for my application, I’ve experienced several
issues:
* Invalid redirect_uri
* I had to set “confidential-port” property to be “443” in the keycloak.json of my
application
* Also, for the client configuration in Keycloak, I had to add the http version of
my application URI in the “Valid Redirect URIs”
* After successful authentication into my application, I got 403
* This was really strange as it the user had all required roles and it turn out to
be the “ssl-required” property (now is set to “none”)
Finally, everything works great, but I’m not sure if this configuration isn’t compromised
somehow:
* Keycloak client configuration
* Valid Redirect URIs
* https://<application-url<https://%3capplication-url>>
* http://<application-url<http://%3capplication-url>>
* Application keycloak.json
{
"realm": "master",
"auth-server-url": "https://<auth-server-url>",
"ssl-required": "none",
"resource": "<client-id>",
"public-client": true,
"principal-attribute": "preferred_username",
"confidential-port": "443",
"use-resource-role-mappings": true
}
@Vitalii, Sebastian, what do you think?
Regards,
Yordan
From: Виталий Ищенко <betalb(a)gmail.com>
Date: Thursday, 21 June 2018, 14:27
To: Sebastian Laskawiec <slaskawi(a)redhat.com>
Cc: "Pavlov, Yordan" <yordan.pavlov(a)sap.com>,
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak on Kubernetes - HTTPS required
There is one more option, if Ingress injects usual Proxy headers: X-Forwarded-Host
&& X-Forwarded-Proto, Keycloak docker container can be instructed to read them
when determining connection type (http vs https), otherwise, it will detect https by
socket type, which is plain, non-encrypted in your case because ssl traffic is terminated
on Ingress.
To instruct Keycloak to read those headers -- start docker container with
PROXY_ADDRESS_FORWARDING=true env variable set
On Thu, Jun 21, 2018 at 2:19 PM Sebastian Laskawiec
<slaskawi@redhat.com<mailto:slaskawi@redhat.com>> wrote:
I'm an expert on Ingress (I usually work with Routes on OCP) but it
probably depends on the Ingress configuration.
If I'm not mistaken, the default Ingress configuration terminates TLS and
sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
unencrypted HTTP request.
I think you have a couple of options how to solve it:
- Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
traffic to the Pod, without termination). A similar configuration to this
one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be
the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn "Require SLL" option in the "Realm Settings". But please
remember to
always use properly configured ingress in front of Keycloak. Otherwise you
might compromise it!!!
Thanks,
Sebastian
On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan
<yordan.pavlov@sap.com<mailto:yordan.pavlov@sap.com>>
wrote:
Hi all,
I’m evaluating Keycloak as IAM for one open source project [1], so far,
I’ve tested it successfully on a minikube (local) Kubernetes cluster and I
want to run it in on a real cluster.
The real cluster (created by Gardener [2]) is running on AWS and the
access to the Keycloak is exposed through an Ingress controller [3].
We’ve also installed “cert-manager” for automated certificates management
of Let’s Encrypt issued certificates.
So far so good, but when I try to login to the “Admin Console” I get the
following error:
“We're sorry... HTTPS required”
In the logs of the pod, there is the following warning:
“WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
error=ssl_required”
As far as I understand, the Let’s Encrypt certificated is trusted by the
browsers and it appears to be trusted by the OpenJDK also [4].
Then what should be done in order to access the Admin Console?
Last but not least, we are using jboss/keycloak:latest image (I know that
we should be using some stable version like 4.0.0, but it appears that the
issue is not related to the image version).
Regards,
Yordan Pavlov
[1] ProMART: https://github.com/promart-io | https://www.promart.io/
[2] Gardener: https://github.com/gardener
[3] Keycloak:
https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
[4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:04 a.m.
Sebastien,
I'm trying to use Kubernetes TLS Client side authentication with keycloak
ona cloud environment called Apprenda (based on kubernetes and docker).
I can't manage to make it work and I don't know if the problem is from my
ingress configuration or from the nginx configuration.
In regard to the bug described below:
https://github.com/kubernetes/ingress-nginx/issues/2287
I seems like it's from the nginx configuration. But I'm not sure.
My ingress configuration is the following:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: opengie-proto
name: keycloak-opengie-proto-ssl
labels:
app: keycloak-opengie-proto
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
rules:
- host: keycloak-opengie-ssl.proto.paas.eclair.local
http:
paths:
- path: /
backend:
serviceName: keycloak-opengie-proto
servicePort: https
tls:
- hosts:
- keycloak-opengie-ssl.proto.paas.eclair.local
Is there something strange that you're seeing in my configuration?
Could you give me some hints in the nginx configuration that I have to pay
attention?
thanks,
Meissa
2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec <slaskawi(a)redhat.com>:
I'm an expert on Ingress (I usually work with Routes on OCP) but
it
probably depends on the Ingress configuration.
If I'm not mistaken, the default Ingress configuration terminates TLS and
sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
unencrypted HTTP request.
I think you have a couple of options how to solve it:
- Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
traffic to the Pod, without termination). A similar configuration to this
one: https://github.com/kubernetes/ingress-nginx/issues/1947#
issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be
the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn "Require SLL" option in the "Realm Settings". But please
remember to
always use properly configured ingress in front of Keycloak. Otherwise you
might compromise it!!!
Thanks,
Sebastian
On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
wrote:
> Hi all,
>
> I’m evaluating Keycloak as IAM for one open source project [1], so far,
> I’ve tested it successfully on a minikube (local) Kubernetes cluster and
I
> want to run it in on a real cluster.
>
> The real cluster (created by Gardener [2]) is running on AWS and the
> access to the Keycloak is exposed through an Ingress controller [3].
> We’ve also installed “cert-manager” for automated certificates management
> of Let’s Encrypt issued certificates.
>
> So far so good, but when I try to login to the “Admin Console” I get the
> following error:
> “We're sorry... HTTPS required”
>
> In the logs of the pod, there is the following warning:
> “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
> realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
> error=ssl_required”
>
> As far as I understand, the Let’s Encrypt certificated is trusted by the
> browsers and it appears to be trusted by the OpenJDK also [4].
> Then what should be done in order to access the Admin Console?
>
> Last but not least, we are using jboss/keycloak:latest image (I know that
> we should be using some stable version like 4.0.0, but it appears that
the
> issue is not related to the image version).
>
> Regards,
> Yordan Pavlov
>
> [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> [2] Gardener: https://github.com/gardener
> [3] Keycloak:
> https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:53 a.m.
Hey Meissa,
The more I think about this issue, the more I'm convinced that disabling
SSL is the easiest approach. In most of the scenarios you're operating
within your own Namespace so you can trust it.
Please give me some time to experiment with different options and hopefully
I will be able to give you some better guidance.
Thanks,
Sebastian
On Mon, Jun 25, 2018 at 5:04 PM Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
Sebastien,
I'm trying to use Kubernetes TLS Client side authentication with keycloak
ona cloud environment called Apprenda (based on kubernetes and docker).
I can't manage to make it work and I don't know if the problem is from my
ingress configuration or from the nginx configuration.
In regard to the bug described below:
https://github.com/kubernetes/ingress-nginx/issues/2287
I seems like it's from the nginx configuration. But I'm not sure.
My ingress configuration is the following:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: opengie-proto
name: keycloak-opengie-proto-ssl
labels:
app: keycloak-opengie-proto
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream:
"true"
spec:
rules:
- host: keycloak-opengie-ssl.proto.paas.eclair.local
http:
paths:
- path: /
backend:
serviceName: keycloak-opengie-proto
servicePort: https
tls:
- hosts:
- keycloak-opengie-ssl.proto.paas.eclair.local
Is there something strange that you're seeing in my configuration?
Could you give me some hints in the nginx configuration that I have to pay
attention?
thanks,
Meissa
2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec <slaskawi(a)redhat.com>:
> I'm an expert on Ingress (I usually work with Routes on OCP) but it
> probably depends on the Ingress configuration.
>
> If I'm not mistaken, the default Ingress configuration terminates TLS and
> sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
> unencrypted HTTP request.
>
> I think you have a couple of options how to solve it:
> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
> traffic to the Pod, without termination). A similar configuration to this
> one:
> https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
> - Use a Load Balancer Service to access Keycloak (the final result will be
> the same as in the previous solution - a Pod will get HTTPS traffic)
> - Turn "Require SLL" option in the "Realm Settings". But please
remember
> to
> always use properly configured ingress in front of Keycloak. Otherwise you
> might compromise it!!!
>
> Thanks,
> Sebastian
>
> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
> wrote:
>
> > Hi all,
> >
> > I’m evaluating Keycloak as IAM for one open source project [1], so far,
> > I’ve tested it successfully on a minikube (local) Kubernetes cluster
> and I
> > want to run it in on a real cluster.
> >
> > The real cluster (created by Gardener [2]) is running on AWS and the
> > access to the Keycloak is exposed through an Ingress controller [3].
> > We’ve also installed “cert-manager” for automated certificates
> management
> > of Let’s Encrypt issued certificates.
> >
> > So far so good, but when I try to login to the “Admin Console” I get the
> > following error:
> > “We're sorry... HTTPS required”
> >
> > In the logs of the pod, there is the following warning:
> > “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
> > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
> > error=ssl_required”
> >
> > As far as I understand, the Let’s Encrypt certificated is trusted by the
> > browsers and it appears to be trusted by the OpenJDK also [4].
> > Then what should be done in order to access the Admin Console?
> >
> > Last but not least, we are using jboss/keycloak:latest image (I know
> that
> > we should be using some stable version like 4.0.0, but it appears that
> the
> > issue is not related to the image version).
> >
> > Regards,
> > Yordan Pavlov
> >
> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> > [2] Gardener: https://github.com/gardener
> > [3] Keycloak:
> > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
8:26 a.m.
I have some additionnal input that could help;
when I change my ingress configuration by switching from https service
(exposed to port 8443) to https (https), it works.
The certificate is beeing presented.
I'm getting a 502 bad gateway from the nginx otherwise.
Maybe this will speaks to you.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: opengie-proto
name: keycloak-opengie-proto-ssl
labels:
app: keycloak-opengie-proto
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
rules:
- host: keycloak-opengie-ssl.proto.paas.eclair.local
http:
paths:
- path: /
backend:
serviceName: keycloak-opengie-proto
*servicePort: http <------- this value works*
tls:
- hosts:
- keycloak-opengie-ssl.proto.paas.eclair.local
2018-06-26 13:53 GMT+02:00 Sebastian Laskawiec <slaskawi(a)redhat.com>:
Hey Meissa,
The more I think about this issue, the more I'm convinced that disabling
SSL is the easiest approach. In most of the scenarios you're operating
within your own Namespace so you can trust it.
Please give me some time to experiment with different options and
hopefully I will be able to give you some better guidance.
Thanks,
Sebastian
On Mon, Jun 25, 2018 at 5:04 PM Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
> Sebastien,
> I'm trying to use Kubernetes TLS Client side authentication with keycloak
> ona cloud environment called Apprenda (based on kubernetes and docker).
>
> I can't manage to make it work and I don't know if the problem is from my
> ingress configuration or from the nginx configuration.
> In regard to the bug described below:
> https://github.com/kubernetes/ingress-nginx/issues/2287
> I seems like it's from the nginx configuration. But I'm not sure.
>
> My ingress configuration is the following:
>
> apiVersion: extensions/v1beta1
> kind: Ingress
> metadata:
> namespace: opengie-proto
> name: keycloak-opengie-proto-ssl
> labels:
> app: keycloak-opengie-proto
> annotations:
> nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
> nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
> nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
> nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream:
> "true"
> spec:
> rules:
> - host: keycloak-opengie-ssl.proto.paas.eclair.local
> http:
> paths:
> - path: /
> backend:
> serviceName: keycloak-opengie-proto
> servicePort: https
> tls:
> - hosts:
> - keycloak-opengie-ssl.proto.paas.eclair.local
>
> Is there something strange that you're seeing in my configuration?
> Could you give me some hints in the nginx configuration that I have to
> pay attention?
> thanks,
> Meissa
>
>
> 2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec <slaskawi(a)redhat.com>:
>
>> I'm an expert on Ingress (I usually work with Routes on OCP) but it
>> probably depends on the Ingress configuration.
>>
>> If I'm not mistaken, the default Ingress configuration terminates TLS and
>> sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
>> unencrypted HTTP request.
>>
>> I think you have a couple of options how to solve it:
>> - Use Pass-through TLS termination (this simply forwards encrypted
>> (HTTPS)
>> traffic to the Pod, without termination). A similar configuration to this
>> one: https://github.com/kubernetes/ingress-nginx/issues/1947#
>> issue-290639351
>> - Use a Load Balancer Service to access Keycloak (the final result will
>> be
>> the same as in the previous solution - a Pod will get HTTPS traffic)
>> - Turn "Require SLL" option in the "Realm Settings". But
please remember
>> to
>> always use properly configured ingress in front of Keycloak. Otherwise
>> you
>> might compromise it!!!
>>
>> Thanks,
>> Sebastian
>>
>> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
>> wrote:
>>
>> > Hi all,
>> >
>> > I’m evaluating Keycloak as IAM for one open source project [1], so far,
>> > I’ve tested it successfully on a minikube (local) Kubernetes cluster
>> and I
>> > want to run it in on a real cluster.
>> >
>> > The real cluster (created by Gardener [2]) is running on AWS and the
>> > access to the Keycloak is exposed through an Ingress controller [3].
>> > We’ve also installed “cert-manager” for automated certificates
>> management
>> > of Let’s Encrypt issued certificates.
>> >
>> > So far so good, but when I try to login to the “Admin Console” I get
>> the
>> > following error:
>> > “We're sorry... HTTPS required”
>> >
>> > In the logs of the pod, there is the following warning:
>> > “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
>> > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
>> > error=ssl_required”
>> >
>> > As far as I understand, the Let’s Encrypt certificated is trusted by
>> the
>> > browsers and it appears to be trusted by the OpenJDK also [4].
>> > Then what should be done in order to access the Admin Console?
>> >
>> > Last but not least, we are using jboss/keycloak:latest image (I know
>> that
>> > we should be using some stable version like 4.0.0, but it appears that
>> the
>> > issue is not related to the image version).
>> >
>> > Regards,
>> > Yordan Pavlov
>> >
>> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
>> > [2] Gardener: https://github.com/gardener
>> > [3] Keycloak:
>> > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
>> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
3:43 a.m.
I managed to play a bit with Ingress on my Minikube installation. A good
place to start is the latest Kubernetes Demo, which was implemented by
Stian [1].
Just a couple of observations:
- As Виталий mentioned, PROXY_ADDRESS_FORWARDING variable on the deployment
must be set to true. Otherwise you will get nasty invalid redirect messages
[2].
- Ingress Controller usually pick class A addresses. Therefore I recommend
setting "Require SSL" parameter on the realm to "external requests".
This
shouldn't be mandatory but it expresses your intentions very well.
- Note that the Ingress points to a Service on port 8080. TLS termination
in handled by an Ingress here. That's why we are targeting port 8080 on the
service (http not https).
- The browser (or a client app) needs to trust the certificate used by the
Ingress. A side note - if you're using Java, perhaps you need to use a
Truststore or add a certificate to jre/lib/security/cacerts.
Thanks,
Sebastian
[1] https://github.com/stianst/demo-kubernetes
[2]
https://github.com/stianst/demo-kubernetes/blob/master/keycloak/keycloak....
On Tue, Jun 26, 2018 at 3:26 PM Meissa M'baye Sakho <msakho(a)redhat.com>
wrote:
I have some additionnal input that could help;
when I change my ingress configuration by switching from https service
(exposed to port 8443) to https (https), it works.
The certificate is beeing presented.
I'm getting a 502 bad gateway from the nginx otherwise.
Maybe this will speaks to you.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: opengie-proto
name: keycloak-opengie-proto-ssl
labels:
app: keycloak-opengie-proto
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream:
"true"
spec:
rules:
- host: keycloak-opengie-ssl.proto.paas.eclair.local
http:
paths:
- path: /
backend:
serviceName: keycloak-opengie-proto
*servicePort: http <------- this value works*
tls:
- hosts:
- keycloak-opengie-ssl.proto.paas.eclair.local
2018-06-26 13:53 GMT+02:00 Sebastian Laskawiec <slaskawi(a)redhat.com>:
> Hey Meissa,
>
> The more I think about this issue, the more I'm convinced that disabling
> SSL is the easiest approach. In most of the scenarios you're operating
> within your own Namespace so you can trust it.
>
> Please give me some time to experiment with different options and
> hopefully I will be able to give you some better guidance.
>
> Thanks,
> Sebastian
>
> On Mon, Jun 25, 2018 at 5:04 PM Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
>> Sebastien,
>> I'm trying to use Kubernetes TLS Client side authentication with
>> keycloak ona cloud environment called Apprenda (based on kubernetes and
>> docker).
>>
>> I can't manage to make it work and I don't know if the problem is from
>> my ingress configuration or from the nginx configuration.
>> In regard to the bug described below:
>> https://github.com/kubernetes/ingress-nginx/issues/2287
>> I seems like it's from the nginx configuration. But I'm not sure.
>>
>> My ingress configuration is the following:
>>
>> apiVersion: extensions/v1beta1
>> kind: Ingress
>> metadata:
>> namespace: opengie-proto
>> name: keycloak-opengie-proto-ssl
>> labels:
>> app: keycloak-opengie-proto
>> annotations:
>> nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
>> nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
>> nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
>> nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream:
>> "true"
>> spec:
>> rules:
>> - host: keycloak-opengie-ssl.proto.paas.eclair.local
>> http:
>> paths:
>> - path: /
>> backend:
>> serviceName: keycloak-opengie-proto
>> servicePort: https
>> tls:
>> - hosts:
>> - keycloak-opengie-ssl.proto.paas.eclair.local
>>
>> Is there something strange that you're seeing in my configuration?
>> Could you give me some hints in the nginx configuration that I have to
>> pay attention?
>> thanks,
>> Meissa
>>
>>
>> 2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec <slaskawi(a)redhat.com>:
>>
>>> I'm an expert on Ingress (I usually work with Routes on OCP) but it
>>> probably depends on the Ingress configuration.
>>>
>>> If I'm not mistaken, the default Ingress configuration terminates TLS
>>> and
>>> sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
>>> unencrypted HTTP request.
>>>
>>> I think you have a couple of options how to solve it:
>>> - Use Pass-through TLS termination (this simply forwards encrypted
>>> (HTTPS)
>>> traffic to the Pod, without termination). A similar configuration to
>>> this
>>> one:
>>> https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
>>> - Use a Load Balancer Service to access Keycloak (the final result will
>>> be
>>> the same as in the previous solution - a Pod will get HTTPS traffic)
>>> - Turn "Require SLL" option in the "Realm Settings". But
please
>>> remember to
>>> always use properly configured ingress in front of Keycloak. Otherwise
>>> you
>>> might compromise it!!!
>>>
>>> Thanks,
>>> Sebastian
>>>
>>> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov(a)sap.com>
>>> wrote:
>>>
>>> > Hi all,
>>> >
>>> > I’m evaluating Keycloak as IAM for one open source project [1], so
>>> far,
>>> > I’ve tested it successfully on a minikube (local) Kubernetes cluster
>>> and I
>>> > want to run it in on a real cluster.
>>> >
>>> > The real cluster (created by Gardener [2]) is running on AWS and the
>>> > access to the Keycloak is exposed through an Ingress controller [3].
>>> > We’ve also installed “cert-manager” for automated certificates
>>> management
>>> > of Let’s Encrypt issued certificates.
>>> >
>>> > So far so good, but when I try to login to the “Admin Console” I get
>>> the
>>> > following error:
>>> > “We're sorry... HTTPS required”
>>> >
>>> > In the logs of the pod, there is the following warning:
>>> > “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
>>> > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
>>> > error=ssl_required”
>>> >
>>> > As far as I understand, the Let’s Encrypt certificated is trusted by
>>> the
>>> > browsers and it appears to be trusted by the OpenJDK also [4].
>>> > Then what should be done in order to access the Admin Console?
>>> >
>>> > Last but not least, we are using jboss/keycloak:latest image (I know
>>> that
>>> > we should be using some stable version like 4.0.0, but it appears
>>> that the
>>> > issue is not related to the image version).
>>> >
>>> > Regards,
>>> > Yordan Pavlov
>>> >
>>> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
>>> > [2] Gardener: https://github.com/gardener
>>> > [3] Keycloak:
>>> >
>>> https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
>>> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user(a)lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
2364
days inactive
2376
days old
7 comments
4 participants
participants (4)
-
Meissa M'baye Sakho -
Pavlov, Yordan -
Sebastian Laskawiec -
Виталий Ищенко