[keycloak-user] Keycloak on Kubernetes - HTTPS required

Виталий Ищенко betalb at gmail.com
Thu Jun 21 07:26:48 EDT 2018


There is one more option: if the Ingress injects the usual proxy headers,
X-Forwarded-Host && X-Forwarded-Proto, the Keycloak docker container can be
instructed to read them when determining the connection type (http vs https);
otherwise, it will detect https by socket type, which is plain,
non-encrypted in your case because ssl traffic is terminated on the Ingress.

To instruct Keycloak to read those headers, start the docker container with
the PROXY_ADDRESS_FORWARDING=true env variable set.

On Thu, Jun 21, 2018 at 2:19 PM Sebastian Laskawiec <slaskawi at redhat.com>
wrote:

> I'm an expert on Ingress (I usually work with Routes on OCP) but it
> probably depends on the Ingress configuration.
>
> If I'm not mistaken, the default Ingress configuration terminates TLS and
> sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not
> unencrypted HTTP request.
>
> I think you have a couple of options how to solve it:
> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS)
> traffic to the Pod, without termination). A similar configuration to this
> one:
> https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
> - Use a Load Balancer Service to access Keycloak (the final result will be
> the same as in the previous solution - a Pod will get HTTPS traffic)
> - Turn "Require SSL" option in the "Realm Settings". But please remember to
> always use properly configured ingress in front of Keycloak. Otherwise you
> might compromise it!!!
>
> Thanks,
> Sebastian
>
> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan <yordan.pavlov at sap.com>
> wrote:
>
> > Hi all,
> >
> > I’m evaluating Keycloak as IAM for one open source project [1]; so far,
> > I’ve tested it successfully on a minikube (local) Kubernetes cluster and I
> > want to run it on a real cluster.
> >
> > The real cluster (created by Gardener [2]) is running on AWS and the
> > access to the Keycloak is exposed through an Ingress controller [3].
> > We’ve also installed “cert-manager” for automated certificates management
> > of Let’s Encrypt issued certificates.
> >
> > So far so good, but when I try to login to the “Admin Console” I get the
> > following error:
> > “We're sorry... HTTPS required”
> >
> > In the logs of the pod, there is the following warning:
> > “WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR,
> > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6,
> > error=ssl_required”
> >
> > As far as I understand, the Let’s Encrypt certificate is trusted by the
> > browsers and it appears to be trusted by the OpenJDK also [4].
> > Then what should be done in order to access the Admin Console?
> >
> > Last but not least, we are using the jboss/keycloak:latest image (I know that
> > we should be using some stable version like 4.0.0, but it appears that the
> > issue is not related to the image version).
> >
> > Regards,
> > Yordan Pavlov
> >
> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> > [2] Gardener: https://github.com/gardener
> > [3] Keycloak:
> > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
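As an added example that is not part of this thread or of the Keycloak project: a Kubernetes manifest combining the PROXY_ADDRESS_FORWARDING=true advice above with a TLS-terminating nginx Ingress whose certificate comes from cert-manager. The resource names, the hostname keycloak.example.com, the container port 8080, the ingress class annotation and the secret name are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels: {app: keycloak}
  template:
    metadata:
      labels: {app: keycloak}
    spec:
      containers:
      - name: keycloak
        image: jboss/keycloak:latest   # pin a release in practice
        env:
        # Read X-Forwarded-Proto / X-Forwarded-Host from the Ingress instead
        # of inferring the scheme from the plain-HTTP socket.
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        ports:
        - containerPort: 8080        # plain HTTP inside the cluster (assumed)
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
spec:
  selector: {app: keycloak}
  ports:
  - port: 8080
---
apiVersion: extensions/v1beta1       # Ingress API of the time (2018)
kind: Ingress
metadata:
  name: keycloak
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts: [keycloak.example.com]
    secretName: keycloak-tls         # populated by cert-manager / Let's Encrypt
  rules:
  - host: keycloak.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak
          servicePort: 8080
```

Because the container now trusts X-Forwarded-Proto, the Ingress should be the only thing able to reach port 8080; a NetworkPolicy limiting ingress to the controller's pods keeps any other in-cluster client from presenting a plain-HTTP request as HTTPS by setting that header itself, which is the risk Sebastian's warning about a properly configured ingress refers to.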

