Hi,
I'm looking for help concerning Keycloak Gatekeeper and subpaths.
I've set up Keycloak in a Kubernetes cluster and aim to provide
authN/authZ through Keycloak Gatekeeper (v7). Everything on the cluster
is hosted under the same domain name, with a Traefik ingress controller
(v1.7) taking care of routing of the paths. There is no option to use
different subdomains.
So far I've managed to get the Gatekeeper working on a subpath, but the
problem is that I'm unable to strip path prefixes.
An example of my current Gatekeeper setup:
1. user goes to `example.site.com/foo/bar`
2. Traefik has an ingress defined for `/foo` and redirects the
   user to the corresponding gatekeeper
3. Gatekeeper proxy receives the call and verifies user
   authentication (redirects to keycloak if necessary)
4. actual service receives request of user on `/foo/bar`
The problem occurs at the last step. I am running applications which I
do not control that are unaware that they are running on `/foo` and
cannot be told that they are. All they should see is `/bar`.
Under normal conditions, I use the `traefik.frontend.rule.type:
PathPrefixStrip` annotation on the ingress to fix this sort of problem,
but I am unable to make this work with Keycloak Gatekeeper. I've tried
various combinations of `base-uri`, `auth-uri` and `redirection-url`,
without success. Is there any way to make Gatekeeper strip the path
prefix before sending it to the service? Or to make the Gatekeeper work
with the PathPrefixStrip annotation from Traefik?
The working settings as described in the example:
Keycloak Gatekeeper settings:
```yaml
client-id: <id>
client-secret: <secret>
listen: :3000
redirection-url: https://example.site.com/
upstream-url: http://my-app.my-namespace.svc.cluster.local
base-uri: /foo
```
Traefik ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: my-app-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: my-app-gatekeeper
          servicePort: auth
        path: /foo
```
Kind regards,
Laurens