Spring OAuth2 Keycloak Kubernetes internal/external access

I have Keycloak (10.0.3) server configured inside a Kubernetes Cluster.

The Keycloak server has to handle authentication for external users (using an external URL) and also handle OAuth2 tokens for Spring microservice communications.

Then the web application Spring services use OIDC providers:

spring:
  security:
    oauth2:
      client:
        provider:
          oidc:
            issuer-uri: xxx://keycloak-cluster-http.keycloak-cluster.svc.cluster.local/auth/realms/myrealm
            authorization-uri: http://keycloak-cluster-http.keycloak-cluster.svc.cluster.local/auth/realms/myrealm/protocol/openid-connect/auth
            jwk-set-uri: xxx://keycloak-cluster-http.keycloak-cluster.svc.cluster.local/auth/realms/myrealm/protocol/openid-connect/certs
            token-uri: xxx://keycloak-cluster-http.keycloak-cluster.svc.cluster.local/auth/realms/myrealm/protocol/openid-connect/token
            user-name-attribute: preferred_username

The external URL of Keycloak is xxx://keycloak.localhost, managed by ingress redirection handled by Traefik v2:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keycloak-https
  namespace: keycloak-cluster
  annotations:
    traefik.frontend.passHostHeader: "true"
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`keycloak.localhost`)
      kind: Rule
      services:
        - name: keycloak-cluster-http
          port: 80
  tls:
    options:
      name: mytlsoption
      namespace: traefik
    store:
      name: default

I can access Keycloak using xxx://keycloak.localhost, no problem, it works.

The problem is that when I try to access my web application, it will always redirect to ‘xxx://keycloak-cluster-http.keycloak-cluster.svc.cluster.local/auth/realms/myrealm’, which is not resolved outside k8s.

If I change issuer-uri to http://keycloak.localhost then it doesn’t work, as keycloak.localhost is not resolved inside k8s.

I tried to set the KEYCLOAK_FRONTEND_URL to https://keycloak.localhost/auth, but no change.

Please, does someone have the same kind of settings and managed to make it work?

Best regards

Managed to fix it using CoreDNS and adding a rewrite rule:

rewrite name keycloak.localhost keycloak-cluster-http.keycloak-cluster.svc.cluster.local

apiVersion: v1
data:
  Corefile: |
    .:53 {
        errors
        health
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        rewrite name keycloak.localhost keycloak-cluster-http.keycloak-cluster.svc.cluster.local
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
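The fix above works because it lets one hostname (keycloak.localhost) serve as the issuer for both the browser and the Spring pods: Spring checks that the discovery document's issuer and the token's `iss` claim equal the configured `issuer-uri`, the browser must resolve the `authorization_endpoint` host, and the pod must resolve the `token_endpoint` and `jwks_uri` hosts. The script below is an added example, not code from the thread or from Keycloak or Spring; it models those checks offline over a constructed discovery document and an unsigned sample token (the hostnames mirror the thread; no server is contacted) and runs the four configurations discussed in the thread, including the one the CoreDNS rewrite makes work.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed hostnames mirroring the thread; nothing here contacts a server.
INTERNAL_HOST = "keycloak-cluster-http.keycloak-cluster.svc.cluster.local"
EXTERNAL_HOST = "keycloak.localhost"
INTERNAL_ISSUER = f"http://{INTERNAL_HOST}/auth/realms/myrealm"
EXTERNAL_ISSUER = f"https://{EXTERNAL_HOST}/auth/realms/myrealm"

# Browser-side (frontchannel) call: the authorization redirect.
FRONTCHANNEL = ("authorization_endpoint",)
# Spring-pod-side (backchannel) calls: token exchange and JWKS download.
BACKCHANNEL = ("token_endpoint", "jwks_uri")


def discovery_document(issuer: str) -> dict:
    """Minimal OIDC discovery document shaped like Keycloak's: every endpoint
    is rooted at the realm URL Keycloak advertises (constructed, not fetched)."""
    base = issuer + "/protocol/openid-connect"
    return {
        "issuer": issuer,
        "authorization_endpoint": base + "/auth",
        "token_endpoint": base + "/token",
        "jwks_uri": base + "/certs",
    }


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_jwt(claims: dict) -> str:
    """Constructed header.payload. token so the iss claim can be inspected.
    A real verifier checks the signature against jwks_uri before trusting claims."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer_setup(issuer_uri, discovery, token, browser_hosts, cluster_hosts):
    """Return the failures a Spring OAuth2 client/resource server would hit given
    its issuer-uri, the discovery document it fetches, a token Keycloak minted,
    and the hostnames each side can resolve."""
    problems = []
    # The pod fetches <issuer-uri>/.well-known/openid-configuration at startup.
    if urlparse(issuer_uri).hostname not in cluster_hosts:
        problems.append(f"issuer-uri host {urlparse(issuer_uri).hostname} not resolvable inside the cluster")
    # Spring rejects metadata whose issuer differs from the configured issuer-uri.
    if discovery["issuer"] != issuer_uri:
        problems.append(f"discovery issuer {discovery['issuer']} != issuer-uri {issuer_uri}")
    # Issuer validation: the iss claim must equal the configured issuer.
    iss = jwt_claims(token).get("iss")
    if iss != issuer_uri:
        problems.append(f"token iss {iss} != issuer-uri {issuer_uri}")
    # The browser follows the authorization redirect, so that host must resolve outside.
    for key in FRONTCHANNEL:
        host = urlparse(discovery[key]).hostname
        if host not in browser_hosts:
            problems.append(f"{key} host {host} not resolvable from the browser")
    # The Spring pod calls token/JWKS endpoints, so those hosts must resolve in-cluster.
    for key in BACKCHANNEL:
        host = urlparse(discovery[key]).hostname
        if host not in cluster_hosts:
            problems.append(f"{key} host {host} not resolvable inside the cluster")
    return problems


def scenario(issuer_uri, keycloak_issuer, cluster_hosts):
    """One configuration: issuer-uri in Spring, the issuer Keycloak advertises
    (its frontend URL), and the names cluster DNS resolves. The browser can
    only resolve the external name."""
    discovery = discovery_document(keycloak_issuer)
    token = unsigned_jwt({"iss": keycloak_issuer, "preferred_username": "alice"})
    return check_issuer_setup(issuer_uri, discovery, token, {EXTERNAL_HOST}, cluster_hosts)


# 1. The thread's starting point: internal issuer everywhere, browser redirect breaks.
AS_POSTED = scenario(INTERNAL_ISSUER, INTERNAL_ISSUER, {INTERNAL_HOST})
# 2. issuer-uri switched to the external name, but cluster DNS does not know it.
EXTERNAL_NO_DNS = scenario(EXTERNAL_ISSUER, EXTERNAL_ISSUER, {INTERNAL_HOST})
# 3. External issuer plus the CoreDNS rewrite: both sides resolve keycloak.localhost.
WITH_REWRITE = scenario(EXTERNAL_ISSUER, EXTERNAL_ISSUER, {INTERNAL_HOST, EXTERNAL_HOST})
# 4. External issuer-uri while Keycloak still mints tokens at the internal name.
ISS_MISMATCH = scenario(EXTERNAL_ISSUER, INTERNAL_ISSUER, {INTERNAL_HOST, EXTERNAL_HOST})

if __name__ == "__main__":
    for name, result in [("as posted", AS_POSTED), ("external, no DNS", EXTERNAL_NO_DNS),
                         ("external + rewrite", WITH_REWRITE), ("iss mismatch", ISS_MISMATCH)]:
        print(f"{name}: {result or 'OK'}")
```

Scenario 4 is why the DNS rewrite alone is not enough if Keycloak derives its issuer from the request Host header: the Spring pod reaching Keycloak by its internal service name would get tokens whose `iss` is the internal URL, which the issuer check rejects. Pointing the frontend URL at the external name, as the question already tried, keeps the advertised issuer and the token `iss` identical to the `issuer-uri`.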

Just out of curiosity, why didn’t you use keycloak-spring-boot-starter (example in https://www.baeldung.com/spring-boot-keycloak)?

First, in order to be independent of any OAuth2 provider, and second, to be independent of the Keycloak client-lib version.