Keycloak admin console behind ingress

When I start Keycloak using keycloak-quickstarts/kubernetes-examples (keycloak/keycloak-quickstarts on GitHub),

I can port-forward and see the admin console.

When I try to access the host through the ingress and click on Admin Console, it resolves to https://example.com:80/admin instead of https://example.com/admin.

There doesn't seem to be a way to either ignore port 80 or change it to 443.

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: keycloak
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: keycloak
    app: keycloak
  ports:
    - protocol: TCP
      port: 8080
      name: http

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
    app.kubernetes.io/name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
        app.kubernetes.io/name: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:18.0.2
        args: ["start-dev","--health-enabled=true", "--proxy=edge"]
        env:
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "admin"
        - name: KEYCLOAK_LOGLEVEL
          value: "DEBUG"
        ports:
        - name: http
          containerPort: 8080
        readinessProbe:
          httpGet:
            path: /realms/master
            port: 8080

I'm not sure if this applies, but when running it behind a reverse proxy you have to set headers. I noticed similar behaviour when X-Forwarded-Proto wasn't set to https.

Thanks for the help. I changed the headers as follows but still get the same result:

  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto https;

If I replace port 80 with 443 in the URL I get this error:

2022-07-28 08:07:59,021 WARN  [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=60d58146-60d0-4e38-baa9-6af85c353e08, clientId=security-admin-console, userId=null, ipAddress=197.84.242.2, error=invalid_redirect_uri, redirect_uri=https://example.com/admin/master/console/

So how do I set the redirect uri without being able to log in to the admin console?

Hi.

You need to run Keycloak with proxy mode set to edge and hostname-strict set to false.

This can be done either via the command line or via environment variables. The env vars are:

KC_PROXY=edge
KC_HOSTNAME_STRICT=false

Also, if your ingress is not using HTTPS (it definitely should, in production), you can enable HTTP via

KC_HOSTNAME_STRICT_HTTPS=false

Also, you need a valid URL in your ingress, not example.com. If you don't have a valid domain, you can use the load balancer IP as the host.

I think the problem is that there is a reverse proxy that terminates the TLS:
proxy1: example.com:443 terminates the encrypted traffic and forwards it unencrypted to the cluster
proxy2: example.com:80 (http) then forwards to the keycloak svc.

This would explain why the port stays on 80 even when proxy_set_header X-Forwarded-Port 443; is set.
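To make that two-hop observation concrete, here is an added example (not from this thread and not Keycloak's own code) that models how the X-Forwarded-Proto and X-Forwarded-Port headers set by each proxy combine into the public base URL from which the admin console redirect is built. The header precedence rule and the two hops (TLS-terminating proxy1, plain-HTTP ingress proxy2) are assumptions made for illustration.

```python
DEFAULT_PORTS = {"http": 80, "https": 443}


def public_base_url(headers: dict[str, str]) -> str:
    """Reconstruct the externally visible base URL from proxy headers.

    Simplified model (an assumption, not Keycloak's actual resolver):
    scheme from X-Forwarded-Proto, host from X-Forwarded-Host or Host,
    port from X-Forwarded-Port, else an explicit port in the host value,
    else the scheme default. The default port is omitted from the result.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Take the first value if an upstream proxy appended a comma-separated list.
    scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
    host = (h.get("x-forwarded-host") or h.get("host", "")).split(",")[0].strip()
    hostname, _, host_port = host.partition(":")
    port_header = h.get("x-forwarded-port", "").split(",")[0].strip()
    if port_header:
        port = int(port_header)
    elif host_port:
        port = int(host_port)
    else:
        port = DEFAULT_PORTS[scheme]
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


def apply_hop(headers: dict[str, str], proto: str, port: int,
              overwrite_port: bool) -> dict[str, str]:
    """One proxy hop: keep an existing X-Forwarded-Proto, and either
    preserve or overwrite X-Forwarded-Port with this hop's own listener."""
    out = dict(headers)
    out.setdefault("X-Forwarded-Proto", proto)
    if overwrite_port or "X-Forwarded-Port" not in out:
        out["X-Forwarded-Port"] = str(port)
    return out


def thread_chain(ingress_overwrites_port: bool) -> dict[str, str]:
    """Constructed headers as they reach Keycloak after the two hops above."""
    client = {"Host": "example.com"}            # constructed request
    hop1 = apply_hop(client, "https", 443, overwrite_port=True)   # proxy1: TLS ends here
    # proxy2 (the ingress) listens on plain :80; if it stamps its own port
    # over the one proxy1 recorded, port 80 leaks into the public URL.
    return apply_hop(hop1, "http", 80, overwrite_port=ingress_overwrites_port)
```

Running `public_base_url(thread_chain(True))` reproduces the `https://example.com:80` symptom, while `thread_chain(False)` yields `https://example.com`.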