Keycloak in Kubernetes / Openshift

I’m running into an issue getting Keycloak to play nice in a Kubernetes cluster.

Using image: jboss/keycloak:9.0.2

Fronting the pod with a service:

apiVersion: v1
kind: Service
metadata:
  name: keycloak-svc
spec:
  # selector tells Kubernetes what Deployment this Service
  # belongs to
  selector:
    app: keycloak
  ports:
    # web console
    - port: 8080
      protocol: TCP
      name: web
      nodePort: 30082
  type: NodePort

I can access and log in to the web console with no problem using http://devserver:30082/auth.

If I connect internally from another microservice using the service name http://keycloak-svc:8080/auth, I receive an issuer mismatch error validating tokens.

I can set the KEYCLOAK_FRONTEND_URL on the container to “http://keycloak-svc:8080/auth” which allows the token to be validated, but the admin application attempts to rewrite URLs to that internal host which isn’t addressable.

Any thoughts on how to get both things working?

Things I’ve tried:

  • Setting PROXY_ADDRESS_FORWARDING to true
  • Setting keycloak.hostname.default.forceBackendUrlToFrontendUrl=true

For now, I’ve set allow-any-hostname=true which can’t be a sustainable solution.
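The issuer mismatch described above comes from how the iss claim is derived: Keycloak stamps tokens with iss = <frontend URL>/realms/<realm>, while an adapter expects iss = <its auth-server-url>/realms/<realm>. The following is an added illustration, not code from this thread or from Keycloak: it builds a constructed, unsigned token carrying the issuer a token requested through the external NodePort URL would have, then runs the issuer comparison a service reaching Keycloak via the internal service name would perform. The realm name demo and all helper names are assumptions.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for illustration only.

    Real tokens are signed; this example looks only at the iss claim and
    deliberately performs no signature verification.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def expected_issuer(auth_server_url: str, realm: str) -> str:
    # Keycloak issues tokens with iss = <frontend URL>/realms/<realm>;
    # an adapter configured with auth-server-url expects exactly that string
    # built from its own base URL, so the host and port must match.
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def check_issuer(token: str, auth_server_url: str, realm: str) -> dict:
    """Strict issuer comparison, as an adapter does before trusting a token."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    iss = payload.get("iss", "")
    expected = expected_issuer(auth_server_url, realm)
    return {"iss": iss, "expected": expected, "ok": iss == expected}


if __name__ == "__main__":
    # Constructed token as minted for a login through the external NodePort URL.
    token = make_unsigned_token({"iss": "http://devserver:30082/auth/realms/demo"})
    # Validated by a microservice that reaches Keycloak via the cluster service name.
    print(check_issuer(token, "http://keycloak-svc:8080/auth", "demo"))
    # Validated against the same URL the token was requested through.
    print(check_issuer(token, "http://devserver:30082/auth", "demo"))
```

Setting KEYCLOAK_FRONTEND_URL to the internal service name changes the first argument in this comparison, which is why it makes the check pass while also changing the host the admin console is told to use.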

Hey @joshdcollins

We have exactly the same problem with Keycloak.
Have you found a solution in the meantime?

Thanks :slight_smile: