X509 authentication with Keycloak-on-kubernetes via ingress

Try those settings with keycloak 18:

If that doens’t work, deploy daime/http-dump image and point your ingress to that just to check if the mutual-ssl is really ok at the ingress level. You should see the correct headers being set, with certificate at the Ssl-Client-Cert header (that would be ssl-client-cert for keycloak at the header name config).

If that is already ok at your side, I’d begin investigating the settings for the actual authenticator. I followed the x509 guide and it worked like a charm once the certificate was at the header and the keystore was correct.