Hi!
I have a Kubernetes cluster (v17.04), Keycloak server (v11.0.2), Traefik (v2.2) and Gatekeeper Docker Image (v7.0.0). Using these components I’ve deployed Kibana using Elastic ECK (v1.1.1) and added Gatekeeper as an “authentication proxy” in the Kibana podTemplate section such as:
podTemplate:
  spec:
    containers:
    - name: kibana
      env:
      - name: SERVER_BASEPATH
        value: {{ .Values.kibana.serverBasePath }}
      resources:
        requests:
          {{- if not .Values.kibana.cpu.enableBurstableQoS }}
          cpu: {{ .Values.kibana.cpu.requests }}
          {{- end }}
          memory: {{ .Values.kibana.memory.requests }}Gi
        limits:
          {{- if not .Values.kibana.cpu.enableBurstableQoS }}
          cpu: {{ .Values.kibana.cpu.limits }}
          {{- end }}
          memory: {{ .Values.kibana.memory.limits }}Gi
    # Gatekeeper proxy goes here
    - name: {{ .Values.kibana.name }}-gatekeeper
      image: "{{ .Values.kibana.keycloak.gatekeeper.repository }}/docker-r/keycloak/keycloak-gatekeeper:{{ .Values.kibana.keycloak.gatekeeper.version }}"
      args:
      - --config=/etc/keycloak-gatekeeper.conf
      ports:
      - containerPort: 3000
        name: proxyport
      volumeMounts:
      - name: gatekeeper-config
        mountPath: /etc/keycloak-gatekeeper.conf
        subPath: keycloak-gatekeeper.conf
    volumes:
    - name: gatekeeper-config
      configMap:
        name: {{ .Release.Name }}-gatekeeper-config
The Gatekeeper ConfigMap referred to above looks like:
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-gatekeeper-config
  namespace: {{ .Release.Namespace }}
data:
  keycloak-gatekeeper.conf: |+
    verbose: true
    redirection-url: {{ .Values.kibana.keycloak.gatekeeper.redirectionUrl }}{{ .Values.kibana.serverBasePath }}
    discovery-url: "https://keycloak-server/auth/realms/{{ .Values.kibana.keycloak.gatekeeper.realm }}"
    skip-openid-provider-tls-verify: true
    client-id: kibana
    client-secret: {{ .Values.kibana.keycloak.gatekeeper.clientSecret }}
    enable-refresh-tokens: true
    encryption-key: ...
    listen: :3000
    enable-logging: true
    tls-cert:
    tls-private-key:
    secure-cookie: false
    upstream-url: {{ .Values.kibana.keycloak.gatekeeper.upstreamUrl }}
    resources:
    - uri: /*
      groups:
      - kibana
redirection-url: is set to “kibana-host/service/logging/kibana”
discovery-url: is set to our Keycloak server and “my kibana realm”
upstream-url: is set to “127.0.0.1:5601” which is the port Kibana is listening on
When Gatekeeper is launched I can see the following in the log file:
1.601903901333602e+09 info keycloak-gatekeeper/server.go:84 starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "7.0.0 (git+sha: f66e137, built: 03-09-2019)"}
1.6019039013342984e+09 info keycloak-gatekeeper/server.go:686 attempting to retrieve configuration discovery url {"url": "keycloak-server/auth/realms/cap-ops-logging", "timeout": "30s"}
1.6019039013674948e+09 info keycloak-gatekeeper/server.go:702 successfully retrieved openid configuration from the discovery
1.601903901369036e+09 info keycloak-gatekeeper/server.go:157 enabled reverse proxy mode, upstream url {"url": "http://127.0.0.1:5601"}
1.6019039013691397e+09 info keycloak-gatekeeper/server.go:228 using session cookies only for access and refresh tokens
1.6019039013691642e+09 info keycloak-gatekeeper/server.go:260 protecting resource {"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
1.601903901369461e+09 info keycloak-gatekeeper/server.go:384 keycloak proxy service starting {"interface": ":3000"}
Now when I hit the URL “kibana-host/service/logging/kibana” I’m redirected to the following URL:
"kibana-host/oauth/authorize?state=e002f3d0-4b9a-42fe-b3b1-7b0d72f96d53"
In the Gatekeeper log file I see:
1.6019040389802275e+09 error keycloak-gatekeeper/middleware.go:108 no session found in request, redirecting for authorization {"error": "authentication session not found"}
1.6019040389803205e+09 info keycloak-gatekeeper/middleware.go:90 client request {"latency": 0.000347522, "status": 307, "bytes": 95, "client_ip": "10.42.8.3:56064", "method": "GET", "path": "/"}
I find those lines a good sign because 1) it is correct that there is no session established yet, and 2) the request should be redirected to Keycloak in order to authenticate.
The problem is that the redirect doesn’t work! As you can see I’m redirected to:
"kibana-host/oauth/authorize?state=e002f3d0-4b9a-42fe-b3b1-7b0d72f96d53"
Please note: I’ve excluded “http://” from all URLs above! I’ve also excluded certificates, etc., in order to keep this as simple as possible. What am I doing wrong here?
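The following is an added example, not code from the post above or from the Keycloak project: an offline checker that takes the Gatekeeper settings and the 307 redirect quoted in the post and reports what a reviewer would flag in them. It assumes two things the post does not establish: that the ingress path Traefik routes to the Gatekeeper container is the same as SERVER_BASEPATH (/service/logging/kibana), and that the hostnames are placeholders (the config dict is constructed by hand from the posted ConfigMap, with the elided encryption-key kept as the placeholder "..."). One fact it relies on is Gatekeeper's own behaviour: the /oauth/authorize and /oauth/callback endpoints are served by Gatekeeper itself and are built as <base-uri>/oauth/..., so with no base-uri the redirect goes to the host root. Whether that is what breaks the flow here depends on the ingress routing, which the post does not show.

```python
"""Offline checks for the keycloak-gatekeeper config and redirect quoted in the post.

Added example, not the post's or the project's code. Hostnames, the ingress
base path and the config dict below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumption: the ingress routes this path prefix to the Gatekeeper container.
INGRESS_BASE_PATH = "/service/logging/kibana"

# Constructed by hand from the posted ConfigMap; hostnames are placeholders,
# client-secret and encryption-key keep the post's elided values.
POSTED_CONFIG = {
    "verbose": True,
    "redirection-url": "http://kibana-host/service/logging/kibana",
    "discovery-url": "https://keycloak-server/auth/realms/cap-ops-logging",
    "skip-openid-provider-tls-verify": True,
    "client-id": "kibana",
    "client-secret": "<from values.yaml>",
    "enable-refresh-tokens": True,
    "encryption-key": "...",
    "listen": ":3000",
    "enable-logging": True,
    "tls-cert": "",
    "tls-private-key": "",
    "secure-cookie": False,
    "upstream-url": "http://127.0.0.1:5601",
    "resources": [{"uri": "/*", "groups": ["kibana"]}],
}

# Location of the 307 quoted in the post (scheme added back, as the post omits it).
POSTED_LOCATION = "http://kibana-host/oauth/authorize?state=e002f3d0-4b9a-42fe-b3b1-7b0d72f96d53"

# The "protecting resource" startup line quoted in the post.
POSTED_PROTECT_LINE = ('1.6019039013691642e+09 info keycloak-gatekeeper/server.go:260 protecting resource '
                       '{"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, '
                       'required: authentication only"}')

_PROTECT_RE = re.compile(
    r'protecting resource \{"resource": "uri: (?P<uri>[^,]+), methods: (?P<methods>[A-Z,]+?), '
    r'required: (?P<required>[^"]+)"\}')


def oauth_path_under_base(location, base_path):
    """True when the Gatekeeper-served /oauth/* path in a redirect sits under the
    ingress base path. Gatekeeper builds it as <base-uri>/oauth/<endpoint>, so an
    unset base-uri yields /oauth/authorize at the host root."""
    return urlsplit(location).path.startswith(base_path.rstrip("/") + "/oauth/")


def parse_protecting_resource(line):
    """Extract uri, methods and the 'required:' clause from the startup log line,
    or None when the line is not a 'protecting resource' line."""
    m = _PROTECT_RE.search(line)
    return m.groupdict() if m else None


def lint_gatekeeper_config(cfg, base_path, protect_line=None):
    """Return reviewer findings as 'key: message' strings so they can be asserted on."""
    findings = []
    if cfg.get("skip-openid-provider-tls-verify"):
        findings.append("skip-openid-provider-tls-verify: IdP certificate is not verified, "
                        "so a spoofed issuer can mint accepted tokens")
    if not cfg.get("secure-cookie", True):
        findings.append("secure-cookie: session cookies may be sent over plain HTTP")
    if not cfg.get("tls-cert") or not cfg.get("tls-private-key"):
        findings.append("tls-cert/tls-private-key: proxy listens in clear text; "
                        "TLS must then be guaranteed at the ingress")
    if cfg.get("enable-refresh-tokens") and cfg.get("encryption-key") in (None, "", "..."):
        findings.append("encryption-key: refresh tokens are encrypted into the cookie; "
                        "the key is a placeholder")
    if "client-secret" in cfg:
        findings.append("client-secret: stored in a ConfigMap; move it to a Secret")
    for res in cfg.get("resources", []):
        if not res.get("groups") and not res.get("roles"):
            findings.append("resources %s: authentication only, no group/role requirement" % res.get("uri"))
    if urlsplit(cfg.get("redirection-url", "")).path.rstrip("/") != base_path.rstrip("/"):
        findings.append("redirection-url: path differs from the ingress base path")
    if cfg.get("base-uri", "").rstrip("/") != base_path.rstrip("/"):
        findings.append("base-uri: not the ingress base path, so /oauth/* redirects "
                        "are built from the host root")
    # Compare what the config asks for with what the proxy reported at startup.
    parsed = parse_protecting_resource(protect_line) if protect_line else None
    if parsed and parsed["required"] == "authentication only":
        for res in cfg.get("resources", []):
            if res.get("uri") == parsed["uri"] and res.get("groups"):
                findings.append("resources %s: config lists groups but the startup log "
                                "reports 'authentication only'" % res["uri"])
    return findings


if __name__ == "__main__":
    print("redirect under base path:", oauth_path_under_base(POSTED_LOCATION, INGRESS_BASE_PATH))
    for f in lint_gatekeeper_config(POSTED_CONFIG, INGRESS_BASE_PATH, POSTED_PROTECT_LINE):
        print("-", f)
```

Run it as-is to see the findings for the posted values; point INGRESS_BASE_PATH and POSTED_LOCATION at your own ingress rule and the Location header from your browser's network tab to check a different deployment. The startup-log comparison is there because the quoted "protecting resource" line reports "authentication only" while the config lists a kibana group, which is worth resolving separately from the redirect problem.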