Gatekeeper fails to redirect on authentication

Hi!

I have a Kubernetes cluster (v17.04), Keycloak server (v11.0.2), Traefik (v2.2) and Gatekeeper Docker Image (v7.0.0). Using these components I’ve deployed Kibana using Elastic ECK (v1.1.1) and added Gatekeeper as an “authentication proxy” in the Kibana podTemplate section such as:

  podTemplate:
    spec:
      containers:
      - name: kibana
        env:
        - name: SERVER_BASEPATH
          value: {{ .Values.kibana.serverBasePath }}
        resources:
          requests:
            {{- if not .Values.kibana.cpu.enableBurstableQoS }}
            cpu: {{ .Values.kibana.cpu.requests }}
            {{- end }}
            memory: {{ .Values.kibana.memory.requests }}Gi
          limits:
            {{- if not .Values.kibana.cpu.enableBurstableQoS }}
            cpu: {{ .Values.kibana.cpu.limits }}
            {{- end }}
            memory: {{ .Values.kibana.memory.limits }}Gi
      # Gatekeeper proxy goes here
      - name: {{ .Values.kibana.name }}-gatekeeper
        image: "{{ .Values.kibana.keycloak.gatekeeper.repository }}/docker-r/keycloak/keycloak-gatekeeper:{{ .Values.kibana.keycloak.gatekeeper.version }}"
        args:
          - --config=/etc/keycloak-gatekeeper.conf
        ports:
          - containerPort: 3000
            name: proxyport
        volumeMounts:
        - name: gatekeeper-config
          mountPath: /etc/keycloak-gatekeeper.conf
          subPath: keycloak-gatekeeper.conf
      volumes:
        - name: gatekeeper-config
          configMap:
            name: {{ .Release.Name }}-gatekeeper-config

The Gatekeeper ConfigMap referred to above looks like:

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-gatekeeper-config
  namespace: {{ .Release.Namespace }}
data:
  keycloak-gatekeeper.conf: |+
    verbose: true
    redirection-url: {{ .Values.kibana.keycloak.gatekeeper.redirectionUrl }}{{ .Values.kibana.serverBasePath }}
    discovery-url: "https://keycloak-server/auth/realms/{{ .Values.kibana.keycloak.gatekeeper.realm }}"
    skip-openid-provider-tls-verify: true
    client-id: kibana
    client-secret: {{ .Values.kibana.keycloak.gatekeeper.clientSecret }}
    enable-refresh-tokens: true
    encryption-key: ...
    listen: :3000
    enable-logging: true
    tls-cert:
    tls-private-key:
    secure-cookie: false
    upstream-url: {{ .Values.kibana.keycloak.gatekeeper.upstreamUrl }}
    resources:
    - uri: /*
    groups:
    - kibana

redirection-url: is set to “kibana-host/service/logging/kibana”
discovery-url: is set to our Keycloak server and “my kibana realm”
upstream-url: is set to “127.0.0.1:5601” which is the port Kibana is listening on

When Gatekeeper is launched I can see the following in the log file:

1.601903901333602e+09 info keycloak-gatekeeper/server.go:84 starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "7.0.0 (git+sha: f66e137, built: 03-09-2019)"}
1.6019039013342984e+09 info keycloak-gatekeeper/server.go:686 attempting to retrieve configuration discovery url {"url": "keycloak-server/auth/realms/cap-ops-logging", "timeout": "30s"}
1.6019039013674948e+09 info keycloak-gatekeeper/server.go:702 successfully retrieved openid configuration from the discovery
1.601903901369036e+09 info keycloak-gatekeeper/server.go:157 enabled reverse proxy mode, upstream url {"url": "http://127.0.0.1:5601"}
1.6019039013691397e+09 info keycloak-gatekeeper/server.go:228 using session cookies only for access and refresh tokens
1.6019039013691642e+09 info keycloak-gatekeeper/server.go:260 protecting resource {"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
1.601903901369461e+09 info keycloak-gatekeeper/server.go:384 keycloak proxy service starting {"interface": ":3000"}

Now when I hit the URL “kibana-host/service/logging/kibana” I’m redirected to the following URL:

"kibana-host/oauth/authorize?state=e002f3d0-4b9a-42fe-b3b1-7b0d72f96d53"

In the Gatekeeper log file I see:

1.6019040389802275e+09 error keycloak-gatekeeper/middleware.go:108 no session found in request, redirecting for authorization {"error": "authentication session not found"}
1.6019040389803205e+09 info keycloak-gatekeeper/middleware.go:90 client request {"latency": 0.000347522, "status": 307, "bytes": 95, "client_ip": "10.42.8.3:56064", "method": "GET", "path": "/"}

I find those lines a good sign because 1) correct: there is no session established yet, and 2) the URL should be redirected to Keycloak in order to authenticate.

The problem is that the redirect doesn’t work! As you can see I’m redirected to:

"kibana-host/oauth/authorize?state=e002f3d0-4b9a-42fe-b3b1-7b0d72f96d53"

Please note: I’ve excluded “http://” from all URLs above! Also, I’ve excluded certificates etc. in order to keep this as simple as possible. What am I doing wrong here?
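To make the settings in the posted gatekeeper.conf easier to reason about, here is an added example (not code from the post, from Keycloak, or from keycloak-gatekeeper) that parses a config of that shape and reports the points a reviewer would look at: whether the groups list actually sits under the resource it is meant to guard (in the post it is at the top level, which matches the "required: authentication only" line in the startup log), the secure-cookie and skip-openid-provider-tls-verify settings, and whether the Location header quoted in the post stays under the redirection-url path prefix. The config text, host names and placeholder secrets are constructed for the example, and the mini YAML parser and the check names are this example's own, not the proxy's validation logic.

```python
"""Lint a keycloak-gatekeeper config of the shape mounted by the ConfigMap above.

Added example, not code from the post or from keycloak-gatekeeper. The config text
is constructed from the post (placeholder secrets and hosts) and the checks are this
example's own reading of the settings, not the proxy's validation logic.
"""
from urllib.parse import urlparse

# Constructed copy of the posted gatekeeper.conf, secrets replaced by placeholders.
POSTED_CONF = """\
redirection-url: http://kibana-host/service/logging/kibana
discovery-url: "https://keycloak-server/auth/realms/my-kibana-realm"
skip-openid-provider-tls-verify: true
client-id: kibana
client-secret: PLACEHOLDER_CLIENT_SECRET
encryption-key: PLACEHOLDER_ENCRYPTION_KEY
listen: :3000
tls-cert:
tls-private-key:
secure-cookie: false
upstream-url: http://127.0.0.1:5601
resources:
- uri: /*
groups:
- kibana
"""

# Same config with 'groups' indented under the resource it is meant to guard.
INDENTED_CONF = POSTED_CONF.replace("groups:\n- kibana\n", "  groups:\n  - kibana\n")


def parse_simple_yaml(text):
    """Minimal parser for the shapes used in gatekeeper.conf ('key: value',
    'key:' followed by '- item' lines, list items that are mappings).
    Written for this example only; it is not a general YAML parser."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    pos = 0

    def indent(line):
        return len(line) - len(line.lstrip())

    def scalar(value):
        return value == "true" if value in ("true", "false") else value.strip('"')

    def parse_map(ind):
        nonlocal pos
        mapping = {}
        while pos < len(lines) and indent(lines[pos]) == ind and not lines[pos].lstrip().startswith("- "):
            key, _, value = lines[pos].lstrip().partition(":")
            value, pos = value.strip(), pos + 1
            if value:
                mapping[key] = scalar(value)
            elif pos < len(lines) and indent(lines[pos]) >= ind and lines[pos].lstrip().startswith("- "):
                mapping[key] = parse_list(indent(lines[pos]))
            elif pos < len(lines) and indent(lines[pos]) > ind:
                mapping[key] = parse_map(indent(lines[pos]))
            else:
                mapping[key] = None  # empty value such as 'tls-cert:'
        return mapping

    def parse_list(ind):
        nonlocal pos
        items = []
        while pos < len(lines) and indent(lines[pos]) == ind and lines[pos].lstrip().startswith("- "):
            body = lines[pos].lstrip()[2:]
            if ":" in body and not body.startswith('"'):
                lines[pos] = " " * (ind + 2) + body  # treat '- key: v' as a nested mapping
                items.append(parse_map(ind + 2))
            else:
                items.append(scalar(body))
                pos += 1
        return items

    return parse_map(0)


def lint(cfg):
    """Return finding codes for a parsed config; the checks are this example's own."""
    codes = []
    if "groups" in cfg or "roles" in cfg:
        # A top-level groups/roles key belongs to no resource, so the resource is
        # guarded by authentication only, which is what the posted startup log reports.
        codes.append("GROUPS_NOT_UNDER_RESOURCE")
    for res in cfg.get("resources") or []:
        if not (res.get("groups") or res.get("roles")):
            codes.append("RESOURCE_AUTHN_ONLY:" + str(res.get("uri")))
    if cfg.get("secure-cookie") is False:
        codes.append("COOKIE_NOT_SECURE")  # session cookies would also travel over plain HTTP
    if cfg.get("skip-openid-provider-tls-verify") is True:
        codes.append("IDP_TLS_NOT_VERIFIED")  # discovery and token calls accept any certificate
    if urlparse(cfg.get("discovery-url") or "").scheme != "https":
        codes.append("DISCOVERY_NOT_HTTPS")
    if urlparse(cfg.get("redirection-url") or "").path.strip("/"):
        # The proxy's own /oauth/* endpoints must be reachable from the browser through
        # the ingress; the post's redirect lands at the host root, outside this prefix.
        codes.append("REDIRECT_HAS_PATH_PREFIX")
    return codes


def redirect_under_prefix(location, redirection_url):
    """True if a Location header stays on the redirection-url host and under its path."""
    loc, base = urlparse(location), urlparse(redirection_url)
    return loc.netloc == base.netloc and loc.path.startswith(base.path.rstrip("/") + "/")


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("indented", INDENTED_CONF)):
        print(name, lint(parse_simple_yaml(text)))
    print(redirect_under_prefix("http://kibana-host/oauth/authorize?state=e002f3d0",
                                "http://kibana-host/service/logging/kibana"))
```

Running it prints the findings for the config as posted and again with the groups list indented under the resource, then False for the redirect quoted in the post, since /oauth/authorize at the host root is not under /service/logging/kibana.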


I am facing the same issue right now. Were you able to find a solution for/around this?