@omrishiv omrishiv commented Apr 1, 2024

On deploying CNOE, the keycloak ingress does not work properly. To fix the issue:

  1. Set KC_HOSTNAME to the subdomain for keycloak
  2. Port 8081 is not exposed by the keycloak service. Switch to port 8080
  3. Set path / for keycloak ingress to match a Prefix, otherwise path-based routing doesn't work.

These changes are tested working in my EKS environment.

I'm still trying to sort out how all the templating works, so please check my work on whether the value for KC_HOSTNAME is set correctly

Signed-off-by: Omri Shiv <[email protected]>
@omrishiv omrishiv force-pushed the fix-keycloak-ingress branch from 08ee79d to dc6ce07 Compare April 1, 2024 18:09
Contributor

@nabuskey nabuskey left a comment

When you say Keycloak ingress is not working, do you mean the admin UI is inaccessible? Or SSO is not working?

Comment on lines +24 to +31
number: 8080
- path: /
pathType: Exact
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 8081
number: 8080
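
Review bot: Changing `pathType: Exact` to `pathType: Prefix` on `path: /`, together with moving the backend port from 8081 to 8080, makes the ingress forward every request path to the keycloak service on 8080 instead of only the root. If the goal is just to get path-based routing working, scope the rule to the specific path prefixes that must be reachable through the ingress rather than `/`, and state in the PR description what is served on 8080 so the exposure is an explicit decision.
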
Contributor

These are set to 8081 and exact to make sure the Keycloak admin UI is not accessible from anywhere. E.g. you have to use port-forward to access it. I could have used a SG to block access but it's difficult when I cannot be reasonably sure where users are accessing ingress from.

Author

That makes sense, thank you for the clarification. The issue I was having was with the UI not rendering correctly (missing images), but also not forwarding to the admin UI even with port forwarding.

@nabuskey
Contributor

Closing this due to inactivity. Please feel free to re-open.

@nabuskey nabuskey closed this Jul 10, 2024