Kubernetes Redirect Issues with Gatekeeper

I’m trying to run keycloak and gatekeeper within the same kubernetes cluster, and I’m a little confused as to how to configure the redirects and discovery.

I have the following configuration:

discovery-url: http://keycloak-http.default.svc.cluster.local/auth/realms/myrealm
redirection-url: https://example.com # the actual site? or should this be the sidecar
upstream-url: http://127.0.0.0:3000 # sidecar
client-id: myclient-dev
listen: 0.0.0.0:5000
headers:
  X-Forwarded-Host: keycloak.example.com
  X-Forwarded-Proto: https

So basically, I’m trying to grab the openid configuration from the internal kubernetes service. What ends up happening, however, is when gatekeeper tries to create a new session, it redirects to that internal service URL. This is why I used the X-Forwarded-* headers in an attempt to resolve to the proper keycloak URL.

Any help would be appreciated!

Hi,

Are you using this flow so that a user can see the UI to login or for bearer-only?
For logging in it only worked for me when I put the ingress-URL of keycloak for discovery-url.

Ah ok, thanks for the reply!

For some reason when I try the ingress url for keycloak the request times out and I can't figure out why.

I’m using traefik for ingress.

If you have gatekeeper running as a sidecar container it works for me with the following settings:

redirection-url: http://localhost:3000 # sidecar
upstream-url: http://127.0.0.0:3000 # sidecar

Oh the upstream and redirection are gatekeeper?!

From your setup it looks like gatekeeper is listening on port 5000
listen: 0.0.0.0:5000

so the application you're protecting is on port 3000.

In general:

listen: 0.0.0.0:<GATEKEEPER_PORT>
redirection-url: http://localhost:<APPLICATION_PORT>
upstream-url: http://127.0.0.0:<APPLICATION_PORT>
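As an added example (not code from this thread or from the Gatekeeper project), the script below turns the thread's diagnosis into a mechanical check. It parses the flat `key: value` config shown above, takes the OIDC discovery document as Keycloak returns it for the given discovery-url, and reports the conditions that cause the browser to be sent to the internal service: an `authorization_endpoint` on a `*.svc.cluster.local` host, an issuer that does not match discovery-url, a listen port equal to the upstream port, and `X-Forwarded-*` entries under `headers` (Gatekeeper adds that map to requests to the upstream application, so they never influence what Keycloak puts in the discovery document). The two discovery documents and the corrected config are constructed samples; the parser only understands the flat layout used in this thread, not general YAML.

```python
"""Lint a Keycloak Gatekeeper sidecar config against the OIDC discovery document.
Added example for the thread above; all inputs below are constructed samples."""
from urllib.parse import urlparse

# Hostnames a user's browser cannot resolve: cluster-internal DNS and loopback.
INTERNAL_SUFFIXES = (".svc.cluster.local", ".svc", ".cluster.local")
LOOPBACK_HOSTS = ("localhost", "127.0.0.1")

# The poster's config, copied from the question (constructed sample).
OP_CONFIG = """\
discovery-url: http://keycloak-http.default.svc.cluster.local/auth/realms/myrealm
redirection-url: https://example.com # the actual site? or should this be the sidecar
upstream-url: http://127.0.0.0:3000 # sidecar
client-id: myclient-dev
listen: 0.0.0.0:5000
headers:
  X-Forwarded-Host: keycloak.example.com
  X-Forwarded-Proto: https
"""

# Same sidecar, but discovery-url is the Keycloak ingress URL, as the second
# reply suggests (constructed sample; any 127.0.0.0/8 address is loopback).
FIXED_CONFIG = """\
discovery-url: https://keycloak.example.com/auth/realms/myrealm
redirection-url: https://example.com
upstream-url: http://127.0.0.1:3000
client-id: myclient-dev
listen: 0.0.0.0:5000
"""

def discovery_doc(base):
    """Constructed stand-in for Keycloak's /.well-known/openid-configuration;
    Keycloak derives these URLs from the host it was asked through."""
    return {
        "issuer": base,
        "authorization_endpoint": base + "/protocol/openid-connect/auth",
        "token_endpoint": base + "/protocol/openid-connect/token",
        "end_session_endpoint": base + "/protocol/openid-connect/logout",
    }

INTERNAL_DISCOVERY = discovery_doc("http://keycloak-http.default.svc.cluster.local/auth/realms/myrealm")
INGRESS_DISCOVERY = discovery_doc("https://keycloak.example.com/auth/realms/myrealm")

def parse_flat_config(text):
    """Minimal parser for the flat 'key: value' config used in the thread.
    Indented lines are collected into a nested map under the preceding key;
    trailing ' # comments' are dropped. Not a general YAML parser."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if raw.startswith((" ", "\t")) and current is not None:
            cfg[current][key] = value
        elif value == "":
            cfg[key], current = {}, key
        else:
            cfg[key], current = value, None
    return cfg

def port_of(url_or_hostport):
    """Port of 'scheme://host:port' or bare 'host:port'; None when absent."""
    if "://" not in url_or_hostport:
        url_or_hostport = "//" + url_or_hostport
    return urlparse(url_or_hostport).port

def is_browser_unreachable(host):
    return host is not None and (host.endswith(INTERNAL_SUFFIXES) or host in LOOPBACK_HOSTS)

def lint(cfg, doc):
    """Return a list of human-readable findings; empty means no problem found."""
    findings = []
    if doc.get("issuer") != cfg.get("discovery-url"):
        findings.append("issuer %r does not match discovery-url %r" % (doc.get("issuer"), cfg.get("discovery-url")))
    # The browser is redirected to these endpoints, so they must be public.
    for ep in ("authorization_endpoint", "end_session_endpoint"):
        host = urlparse(doc.get(ep, "")).hostname
        if is_browser_unreachable(host):
            findings.append("%s is on %s, which the user's browser cannot reach" % (ep, host))
    if port_of(cfg.get("listen", "")) == port_of(cfg.get("upstream-url", "")):
        findings.append("listen port equals upstream port: gatekeeper would proxy to itself")
    headers = cfg.get("headers")
    if isinstance(headers, dict) and any(h.lower().startswith("x-forwarded-") for h in headers):
        findings.append("X-Forwarded-* under 'headers' go to the upstream app, not to Keycloak")
    return findings

if __name__ == "__main__":
    for name, text, doc in (("original", OP_CONFIG, INTERNAL_DISCOVERY),
                            ("ingress discovery-url", FIXED_CONFIG, INGRESS_DISCOVERY)):
        print(name + ":")
        for f in lint(parse_flat_config(text), doc) or ["no findings"]:
            print("  -", f)
```

Run against the original config the lint reports the internal authorization and logout endpoints plus the misplaced headers; with the ingress URL as discovery-url and Keycloak answering with public endpoints it reports nothing. Feeding the ingress config the internal discovery document instead reproduces the issuer-mismatch failure that a mismatched discovery-url produces at startup.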