[keycloak-user] Keycloak Gatekeeper and Traefik ingress: stripping path prefix

Laurens Martin laurens.martin at ugent.be
Tue Dec 3 09:46:29 EST 2019


Hi,

I'm looking for help concerning Keycloak Gatekeeper and subpaths.

I've set up Keycloak in a Kubernetes cluster and aim to provide 
authN/authZ through Keycloak Gatekeeper (v7). Everything on the cluster 
is hosted under the same domain name, with a Traefik ingress controller 
(v1.7) taking care of routing of the paths. There is no option to use 
different subdomains.
So far I've managed to get the Gatekeeper working on a subpath, but the 
problem is that I'm unable to strip path prefixes.

An example of my current Gatekeeper setup:

 1. user goes to `example.site.com/foo/bar`
 2. Traefik has an ingress defined for `/foo` and redirects the
    user to the corresponding gatekeeper
 3. Gatekeeper proxy receives the call and verifies user
    authentication (redirects to keycloak if necessary)
 4. actual service receives request of user on `/foo/bar`

The problem occurs at the last step. I am running applications which I 
do not control that are unaware that they are running on `/foo` and 
cannot be told that they are. All they should see is `/bar`.

Under normal conditions, I use the `traefik.frontend.rule.type: 
PathPrefixStrip` annotation on the ingress to fix this sort of problem, 
but I am unable to make this work with Keycloak Gatekeeper. I've tried 
various combinations of `base-uri`, `auth-uri` and `redirection-url`, 
without success. Is there any way to make Gatekeeper strip the path 
prefix before sending it to the service? Or to make the Gatekeeper work 
with the PathPrefixStrip annotation from Traefik?

The working settings as described in the example:
Keycloak Gatekeeper settings:

client-id: <id>
client-secret: <secret>
listen: :3000
redirection-url: https://example.site.com/
upstream-url: http://my-app.my-namespace.svc.cluster.local
base-uri: /foo

Traefik ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
   annotations:
     kubernetes.io/ingress.class: traefik
   name: my-app-ingress
spec:
   rules:
   - http:
       paths:
       - backend:
           serviceName: my-app-gatekeeper
           servicePort: auth
         path: /foo

Kind regards,
Laurens