Hi all,
I’m trying to use Keycloak for user authentication and authorization.
If I try to create a RequestAuthentication with the demo tokens, it works correctly.
Here is the file:
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "h-ingress-jwt"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
---
But if I try to use Keycloak, the ingressgateway pod never starts (see this thread).
Here is the file:
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "h-ingress-jwt"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://192.168.202.21:30000/auth/realms/hproject"
    jwksUri: "https://192.168.202.21:30000/auth/realms/hproject/protocol/openid-connect/certs"
---
The issuer URL gives:
sysop@hdev:~/software/hproject$ curl --insecure https://192.168.202.21:30000/auth/realms/hproject |jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 620 100 620 0 0 16756 0 --:--:-- --:--:-- --:--:-- 17222
{
"realm": "hproject",
"public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmcQm7YJZFMWVuFinL6HDwHO9q2QGqZj+TFLLWsdDmyr8eowBQwA7SZT1pTFsqdLqv6QTGJvYaxoHMLHSahwc0hcbFFnu8dsiQ+Hi0xXQBqKU+/uH4CyNZq0aLI3c2BqhV8ntLE5NKJyxDbe6BGbQhr0Te3BG4SmqZtya0WLtQ1BC/Mi+1v+C7QqRo4yNIl6Csu4gfAe8CopEudM2tynuDkQVDKrcI3qQrqrvVoJsWOKv66rPy1QejLyOHrkF0fcKKSxmWQmdyo6rkGhwLPJ/bVnI+WpZjnhubCwAxd3HuJsTG7Inwq9pR/09BnOJc1t4rlch9OoHW33EvCfKHdCYuQIDAQAB",
"token-service": "https://192.168.202.21:30000/auth/realms/hproject/protocol/openid-connect",
"account-service": "https://192.168.202.21:30000/auth/realms/hproject/account",
"tokens-not-before": 0
}
sysop@hdev:~/software/hproject$
The jwksUri URL gives:
sysop@hdev:~/software/hproject$ curl --insecure https://192.168.202.21:30000/auth/realms/hproject/protocol/openid-connect/certs |jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1466 100 1466 0 0 25275 0 --:--:-- --:--:-- --:--:-- 25275
{
"keys": [
{
"kid": "ZeZlzvgsOIgdbVyz8RF3jisSpsvrYKFyGfFpqkIuLRE",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"n": "mcQm7YJZFMWVuFinL6HDwHO9q2QGqZj-TFLLWsdDmyr8eowBQwA7SZT1pTFsqdLqv6QTGJvYaxoHMLHSahwc0hcbFFnu8dsiQ-Hi0xXQBqKU-_uH4CyNZq0aLI3c2BqhV8ntLE5NKJyxDbe6BGbQhr0Te3BG4SmqZtya0WLtQ1BC_Mi-1v-C7QqRo4yNIl6Csu4gfAe8CopEudM2tynuDkQVDKrcI3qQrqrvVoJsWOKv66rPy1QejLyOHrkF0fcKKSxmWQmdyo6rkGhwLPJ_bVnI-WpZjnhubCwAxd3HuJsTG7Inwq9pR_09BnOJc1t4rlch9OoHW33EvCfKHdCYuQ",
"e": "AQAB",
"x5c": [
"..."
],
"x5t": "Njkffzqf4gZ_yqXLkqegOScyocg",
"x5t#S256": "H2jZbULZ7epMjGLLZVm6rjizdYPEc7D4X6TvfE8aRrU"
}
]
}
sysop@hdev:~/software/hproject$
The Keycloak server is deployed on the same cluster and is exposed with NodePort 30000.
192.168.202.21 is also the ingressgateway address.
Istio version is 1.6.3 (but was upgraded from 1.6.1, which was upgraded from 1.6.0).
What am I doing wrong?
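As an added example (not code from the original post or from Istio/Keycloak), a stdlib-only Python checker for two things this setup needs to hold: the realm's advertised issuer and jwks_uri must equal the jwtRules values as exact strings, and the JWKS signing key must correspond to the realm's public_key. It fetches over verified TLS rather than curl --insecure, because Istio's control plane fetches jwksUri itself and gets no --insecure flag; the CA file name and the use of the realm's OIDC discovery endpoint are assumptions.

```python
import base64
import json
import ssl
import urllib.request

# Values copied from the two curl responses in the post above (realm public_key, JWKS entry).
REALM_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmcQm7YJZFMWVuFinL6HDwHO9q2QGqZj+TFLLWsdDmyr8eowBQwA7SZT1pTFsqdLqv6QTGJvYaxoHMLHSahwc0hcbFFnu8dsiQ+Hi0xXQBqKU+/uH4CyNZq0aLI3c2BqhV8ntLE5NKJyxDbe6BGbQhr0Te3BG4SmqZtya0WLtQ1BC/Mi+1v+C7QqRo4yNIl6Csu4gfAe8CopEudM2tynuDkQVDKrcI3qQrqrvVoJsWOKv66rPy1QejLyOHrkF0fcKKSxmWQmdyo6rkGhwLPJ/bVnI+WpZjnhubCwAxd3HuJsTG7Inwq9pR/09BnOJc1t4rlch9OoHW33EvCfKHdCYuQIDAQAB"
JWKS = {"keys": [{"kid": "ZeZlzvgsOIgdbVyz8RF3jisSpsvrYKFyGfFpqkIuLRE", "kty": "RSA", "alg": "RS256", "use": "sig",
                  "n": "mcQm7YJZFMWVuFinL6HDwHO9q2QGqZj-TFLLWsdDmyr8eowBQwA7SZT1pTFsqdLqv6QTGJvYaxoHMLHSahwc0hcbFFnu8dsiQ-Hi0xXQBqKU-_uH4CyNZq0aLI3c2BqhV8ntLE5NKJyxDbe6BGbQhr0Te3BG4SmqZtya0WLtQ1BC_Mi-1v-C7QqRo4yNIl6Csu4gfAe8CopEudM2tynuDkQVDKrcI3qQrqrvVoJsWOKv66rPy1QejLyOHrkF0fcKKSxmWQmdyo6rkGhwLPJ_bVnI-WpZjnhubCwAxd3HuJsTG7Inwq9pR_09BnOJc1t4rlch9OoHW33EvCfKHdCYuQ",
                  "e": "AQAB"}]}


def b64url_decode(value: str) -> bytes:
    """Decode JWK-style base64url, tolerating the missing '=' padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def jwks_keys_matching_realm(realm_public_key: str, jwks: dict) -> list:
    """Return the kids of RSA signing keys whose modulus and exponent occur inside
    the realm's SubjectPublicKeyInfo DER (`public_key`). A DER INTEGER stores the
    big-endian magnitude verbatim, so a byte-substring test pairs a JWK with the SPKI."""
    spki = base64.b64decode(realm_public_key)
    return [k["kid"] for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"
            and b64url_decode(k["n"]) in spki and b64url_decode(k["e"]) in spki]


def discovery_problems(disc: dict, issuer: str, jwks_uri: str) -> list:
    """Compare jwtRules values with what the realm advertises; Istio compares the
    token's `iss` claim against `issuer` as an exact string, so scheme/host/port matter."""
    problems = []
    if disc.get("issuer") != issuer:
        problems.append("issuer mismatch: %r != %r" % (disc.get("issuer"), issuer))
    if disc.get("jwks_uri") != jwks_uri:
        problems.append("jwks_uri mismatch: %r != %r" % (disc.get("jwks_uri"), jwks_uri))
    return problems


def fetch_json(url: str, cafile: str = None) -> dict:
    """GET a JSON document with TLS verification on; cafile is the CA that signed the
    Keycloak certificate (assumed file name below), not a blanket --insecure."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    issuer = "https://192.168.202.21:30000/auth/realms/hproject"
    jwks_uri = issuer + "/protocol/openid-connect/certs"
    ca = "keycloak-ca.pem"  # assumption: CA bundle that signed the NodePort endpoint's cert
    print(discovery_problems(fetch_json(issuer + "/.well-known/openid-configuration", ca), issuer, jwks_uri))
    print(jwks_keys_matching_realm(fetch_json(issuer, ca)["public_key"], fetch_json(jwks_uri, ca)))
```

If fetch_json raises an SSL verification error where curl --insecure succeeded, that is the same failure the control plane hits when it fetches jwksUri.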