Hello Guys good evening.
Basically I have in minikube already deploy keycloak and now I want to ingress using Istio Ingress Gateway.
However I haven’t been able to do it.
The steps that I follow are next:
Note: I’m working in a namespace called test.
- Create a ssl certificate using the next command:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=auth.localtest.me/O=test" - Create a secret in the cluster:
kubectl create secret -n test tls auth-tls-secret --key tls.key --cert tls.crt - Deploy keycloak:
apiVersion: v1
kind: Service
metadata:
name: keycloak
labels:
app: keycloak
spec:
ports:
- name: https
port: 443
targetPort: 8443
selector:
app: keycloak
type: ClusterIP
clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
labels:
app: keycloak
spec:
replicas: 2
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:20.0.2
args: ["start", "--cache-stack=kubernetes"]
volumeMounts:
- name: certs
mountPath: "/etc/certs"
readOnly: true
env:
- name: KEYCLOAK_ADMIN
value: "admin"
- name: KEYCLOAK_ADMIN_PASSWORD
value: "admin"
- name: KC_HTTPS_CERTIFICATE_FILE
value: "/etc/certs/tls.crt"
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: "/etc/certs/tls.key"
- name: KC_HEALTH_ENABLED
value: "true"
- name: KC_METRICS_ENABLED
value: "true"
- name: KC_HOSTNAME
value: keycloak.localtest.me
- name: KC_PROXY
value: "edge"
- name: KC_DB
value: postgres
- name: KC_DB_URL
value: "jdbc:postgresql://keycloak-db-postgresql-ha-pgpool/postgres"
- name: KC_DB_USERNAME
value: "postgres"
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-db-postgresql-ha-postgresql
key: password
- name: jgroups.dns.query
value: keycloak
ports:
- name: jgroups
containerPort: 7600
- name: https
containerPort: 8443
readinessProbe:
httpGet:
scheme: HTTPS
path: /health/ready
port: 8443
initialDelaySeconds: 60
periodSeconds: 1
volumes:
- name: certs
secret:
secretName: auth-tls-secret
- Create the Istio gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: test-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- '*'
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: auth-tls-secret
hosts:
- '*'
- create a virtual service for keycloak
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: keycloak-vs
spec:
hosts:
- keycloak.localtest.me
gateways:
- test-gateway
tls:
- match:
- port: 443
sniHosts:
- keycloak.localtest.me
route:
- destination:
host: keycloak.test.svc.cluster.local
port:
number: 443
However when I try to enter to keycloak.localtes.me, the connection is closed and I get the next error in the pod log:
error cache resource:file-cert:/etc/certs/tls.crt~/etc/certs/tls.key failed to generate secret for proxy from file: open /etc/certs/tls.crt: no such file or directory
I understand what is happening but I don’t know exactly what is wrong in my configuration or how to solve it.
I really appreciate if you can help me and if you have any idea how to solve this.