Problems with Keycloak in Kubernetes behind a Network Load Balancer in AWS

Hello,
I’m having a similar problem to Not able to deploy Keycloak into Kubernetes - #3 by davinwang
I’m running Keycloak in AWS with a Network Load Balancer, and I get the main page just fine, but when I hit the Administration Console link, it tries to log me in with http:// on port 8080 rather than https:// (which is how I access the main page).
I do have PROXY_ADDRESS_FORWARDING=true set, which was what fixed the person in that other thread, but I still have the same problem. I’m using ingress-nginx, and all of this worked fine when I was on a classic ELB, but when I switched it to an NLB, it broke Keycloak.


Does your load balancer forward the proper headers like mentioned here?
https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses

ELB does (did) this per default, ALB also does this, I don’t know about NLB.

NLB is an LB on OSI layer 4, so it can’t indicate the host, protocol, etc. that were used, the way a layer 7 LB (ALB) can.

My guess: properly configured KEYCLOAK_FRONTEND_URL should fix it.

What jangaraj said makes sense, as I keep trying all kinds of combinations of using x-forwarded-for and x-forwarded-proto in my ingress-nginx annotations, and it’s still failing. I tried setting KEYCLOAK_FRONTEND_URL to https://id.dev.example.com (with my actual domain), and yet I still get a link to http://id.dev.example.com:8080/auth/admin/ when I try to log in to the administration console. Is using an NLB for this just a bad idea, and should I try to switch it to an NLB? I switched from using a Classic Load Balancer (ELB) because I needed websocket support for a different application, and NLB supported websockets. Application Load Balancers (ALB) seem to also support websockets; would that be a better way to go?

I would use ALB and then just forward the proper x-forwarded-* headers to Keycloak. It’s not clear where nginx is, but I assume ALB → Nginx → Keycloak:

1.) ALB adds x-forwarded-* headers automatically (no special config needed).
2.) Nginx ingress needs to pass the existing x-forwarded-* headers to the upstream (how to configure that is not in the scope of the Keycloak forum; probably use-forwarded-headers).
3.) Keycloak with PROXY_ADDRESS_FORWARDING=true will use the received x-forwarded-* headers, which have been set by the first LB (ALB in this case).

BTW: I’m still scratching my head as to why you need nginx ingress. IMHO ALB ingress should be enough (Kubernetes Ingress with AWS ALB Ingress Controller | AWS Open Source Blog), so you can save the nginx hop.
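The ALB → Nginx → Keycloak chain from steps 1–3 above, written out as Kubernetes manifests. This is an added example, not configuration from the thread or from the Keycloak project; the namespaces, resource names, image tag and the hostname id.dev.example.com are assumptions, and the KEYCLOAK_FRONTEND_URL value is the one the original poster tried. `use-forwarded-headers` and `compute-full-forwarded-for` are ingress-nginx ConfigMap keys; `PROXY_ADDRESS_FORWARDING` and `KEYCLOAK_FRONTEND_URL` are environment variables of the jboss/keycloak container image.

```yaml
# Added example (not from the thread): ALB (step 1) -> ingress-nginx (step 2)
# -> Keycloak (step 3). Names, namespaces, image tag and hostname are assumptions.
---
# Step 2: make ingress-nginx trust and pass through the X-Forwarded-* headers
# the ALB already set. With the default (false) nginx overwrites them with its
# own view of the connection: X-Forwarded-For = the LB's address and
# X-Forwarded-Proto = the scheme of the LB->nginx hop (plain http), which is
# exactly what produces http://...:8080 links in Keycloak.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller   # assumption: name used by your nginx release
  namespace: ingress-nginx
data:
  use-forwarded-headers: "true"
  # Optional: keep the whole X-Forwarded-For chain instead of only the last hop.
  compute-full-forwarded-for: "true"
---
# Step 3: Keycloak only honours X-Forwarded-* when PROXY_ADDRESS_FORWARDING=true.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: jboss/keycloak:12.0.4   # assumption: any tag honouring these env vars
          ports:
            - containerPort: 8080
          env:
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            # Public base URL, as tried by the poster above; used for
            # frontend URLs independently of what the request headers say.
            - name: KEYCLOAK_FRONTEND_URL
              value: "https://id.dev.example.com"
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: keycloak
spec:
  selector:
    app: keycloak
  ports:
    - port: 8080
      targetPort: 8080
---
# The ingress nginx serves; TLS is terminated at the ALB in front of nginx,
# so nothing here needs a certificate (assumption about your setup).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
spec:
  ingressClassName: nginx
  rules:
    - host: id.dev.example.com
      http:
        paths:
          - path: /auth
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
```

To check the result, request `https://id.dev.example.com/auth/admin/` with `curl -sI` and look at the `Location` header: it should point at `https://id.dev.example.com/...`, not at `http://...:8080`. One caveat worth the attention of whoever owns the nginx layer: `use-forwarded-headers: "true"` makes nginx trust whatever X-Forwarded-* a client sends, so it is only safe when nginx is reachable exclusively through the ALB; if it can be reached directly, a client can spoof X-Forwarded-For, which matters for anything in Keycloak keyed on the client IP (the brute-force detection the linked "identifying client IP addresses" page is about).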

@jangaraj Hello,
I’ve the same configuration.
If you don’t use NGINX, you have to use a separate LB for each ingress: extra cost and many unnecessary load balancers.

If you put an NGINX behind an AWS LB Controller, you can define/configure many ingresses using the NGINX ingress controller. NGINX uses the AWS LB Controller. So you can use many ingresses with only 1 load balancer (ALB).

Also;
Most community ingress controllers don’t have a WAF. If you use the scenario above, you can enable the WAF feature of ALB.

Regards