@weltonrodrigo thanks for responding so quickly → really appreciate your efforts on this! Just to reiterate…x509 authentication is working perfectly IF I am not accessing Keycloak via ingress on Kubernetes, so this is definitely and only an issue with configuring the ingress element of the Keycloak Kubernetes deployment.
Specifically, the truststore element is correct (otherwise x509 authentication would not work at all), both the truststore and the Nginx x509cert-lookup provider are loaded/registered correctly:
09:11:02,226 DEBUG [org.keycloak.services.DefaultKeycloakSessionFactory] (ServerService Thread Pool -- 63) Loaded SPI x509cert-lookup (provider = nginx)
09:11:02,227 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanStickySessionEncoderProviderFactory] (ServerService Thread Pool -- 63) Should attach route to the sticky session cookie: true
09:11:02,233 DEBUG [org.keycloak.truststore.FileTruststoreProviderFactory] (ServerService Thread Pool -- 63) Trusted root CA found in trustore : alias : caroot | Subject DN : CN=TrustForge Root CA-1
09:11:02,240 DEBUG [org.keycloak.truststore.FileTruststoreProviderFactory] (ServerService Thread Pool -- 63) File truststore provider initialized: /opt/bitnami/keycloak/certs/keycloak.truststore.jks
…and the NginxProxySslClientCertificateLookup is loaded correctly and the lookup on the incoming request is attempted as shown below. What is also shown below is that, at a minimum, the certificate headers are not making it through. I believe the certificate appears to be making it through; otherwise, there would be a 400 error at the Nginx controller.
21:51:56,387 DEBUG [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (default task-1) Loading Keycloak truststore ...
21:51:56,387 DEBUG [org.keycloak.services.x509.NginxProxySslClientCertificateLookup] (default task-1) Keycloak truststore loaded for NGINX x509cert-lookup provider.
21:51:56,387 WARN [org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup] (default task-1) HTTP header "" is empty
21:51:56,387 DEBUG [org.keycloak.services] (default task-1) [X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.
21:51:56,387 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1) authenticator ATTEMPTED: auth-x509-client-username-form
So I am thinking there is an error in the keycloak values.yaml file in the nginx ingress annotations section and that’s where I am focusing. If you have an example of accessing ingress-enabled keycloak on kubernetes, that would be totally awesome. I’ve scoured the internet and have yet to find an example of someone doing this, which I find puzzling since the bitnami keycloak kubernetes deployment has an ingress section.
If you have the actual, deployed keycloak ingress output via the following kubectl command…
kubectl edit -o yaml ingress keycloak
…that’s what I really need. I can edit my deployment in place to match what you have.
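The kind of Ingress manifest the post is asking for, as an added example that is not from the thread, the Bitnami chart or the Keycloak project. It assumes an ingress-nginx controller, that the CA certificate (the same CA that is in the Keycloak truststore) is stored as `ca.crt` in a Secret named `keycloak-client-ca` in the `keycloak` namespace, and that the Service is called `keycloak` on port 80; the hostname is a placeholder. Two things have to line up for the nginx x509cert-lookup provider to see a certificate: the ingress must be told to verify the client certificate and pass it upstream (ingress-nginx then sends it URL-encoded in the `ssl-client-cert` request header), and the provider's `sslClientCert` property must name that same header. The warning in the log above prints the header name the provider was configured with, and it is the empty string, so that property is worth checking alongside the annotations.

```yaml
# Added example: an ingress-nginx Ingress that does client-certificate (mTLS)
# verification at the edge and forwards the verified certificate to Keycloak.
# Names, namespace, host and Secret are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    # Secret with key "ca.crt" holding the CA that issued the client certs.
    # Format is "<namespace>/<secret-name>".
    nginx.ingress.kubernetes.io/auth-tls-secret: "keycloak/keycloak-client-ca"
    # Require and verify the client certificate at the controller;
    # "optional" lets requests without a cert through, which is what you want
    # if the same host also serves non-x509 login flows.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # How deep a chain to accept below the CA in the secret.
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Forward the client certificate to the backend. ingress-nginx sends it
    # URL-encoded in the "ssl-client-cert" request header, which is the header
    # name the Keycloak nginx x509cert-lookup provider expects by default.
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    # Keycloak needs to know it is behind a TLS-terminating proxy.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - keycloak.example.test   # placeholder hostname
      secretName: keycloak-server-tls   # assumed server cert Secret
  rules:
    - host: keycloak.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 80
```

On the Keycloak side the provider property has to match the header the controller sends. On the WildFly distribution that is the `sslClientCert` property of the `nginx` provider under `<spi name="x509cert-lookup">` in standalone.xml (value `ssl-client-cert`, with `x509cert-lookup` defaulting to the `nginx` provider and `PROXY_ADDRESS_FORWARDING` enabled); on the Quarkus distribution the equivalent is `--spi-x509cert-lookup-provider=nginx --spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert`. A quick check that the edge is actually forwarding the header, independent of Keycloak, is to point the same annotated Ingress at an echo service and curl it with `--cert`/`--key`; the `ssl-client-cert` header should appear in the echoed request.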