Hello guys, good evening.
Basically I have already deployed Keycloak in minikube and now I want to set up ingress using the Istio Ingress Gateway.
However, I haven't been able to do it.
The steps that I followed are these:
Note: I'm working in a namespace called test.
- Create an SSL certificate using the following command:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=auth.localtest.me/O=test"
- Create a secret in the cluster:
kubectl create secret -n test tls auth-tls-secret --key tls.key --cert tls.crt
- Deploy Keycloak:
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
    - name: https
      port: 443
      targetPort: 8443
  selector:
    app: keycloak
  type: ClusterIP
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:20.0.2
          args: ["start", "--cache-stack=kubernetes"]
          volumeMounts:
            - name: certs
              mountPath: "/etc/certs"
              readOnly: true
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin"
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: "/etc/certs/tls.crt"
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: "/etc/certs/tls.key"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
            - name: KC_HOSTNAME
              value: keycloak.localtest.me
            - name: KC_PROXY
              value: "edge"
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL
              value: "jdbc:postgresql://keycloak-db-postgresql-ha-pgpool/postgres"
            - name: KC_DB_USERNAME
              value: "postgres"
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-db-postgresql-ha-postgresql
                  key: password
            - name: jgroups.dns.query
              value: keycloak
          ports:
            - name: jgroups
              containerPort: 7600
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /health/ready
              port: 8443
            initialDelaySeconds: 60
            periodSeconds: 1
      volumes:
        - name: certs
          secret:
            secretName: auth-tls-secret
- Create the Istio gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - '*'
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: auth-tls-secret
      hosts:
        - '*'
- Create a VirtualService for Keycloak:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak-vs
spec:
  hosts:
    - keycloak.localtest.me
  gateways:
    - test-gateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - keycloak.localtest.me
      route:
        - destination:
            host: keycloak.test.svc.cluster.local
            port:
              number: 443
However, when I try to access keycloak.localtest.me, the connection is closed and I get the following error in the pod log:
error cache resource:file-cert:/etc/certs/tls.crt~/etc/certs/tls.key failed to generate secret for proxy from file: open /etc/certs/tls.crt: no such file or directory
I understand what is happening, but I don't know exactly what is wrong in my configuration or how to solve it.
I would really appreciate it if you could help me or if you have any idea how to solve this.
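As an added example (not part of the original post and not Istio's own tooling), here is a small consistency check over the three pieces the post combines: the Gateway's TLS server, the VirtualService's route type, and the TLS secret the gateway is told to use. It works on constructed dict inputs that mirror the post's manifests, assumes the default ingress gateway namespace istio-system, and takes the certificate CN from the openssl -subj in the post.

```python
GATEWAY_NS = "istio-system"  # assumption: namespace of the default Istio ingress gateway

# Constructed inputs mirroring the post's manifests (already-parsed form, no YAML library needed)
GATEWAY = {"spec": {"servers": [
    {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]},
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "auth-tls-secret"}, "hosts": ["*"]},
]}}
VIRTUAL_SERVICE = {"spec": {"hosts": ["keycloak.localtest.me"], "gateways": ["test-gateway"],
    "tls": [{"match": [{"port": 443, "sniHosts": ["keycloak.localtest.me"]}],
             "route": [{"destination": {"host": "keycloak.test.svc.cluster.local"}}]}]}}
# (namespace, name) pairs of TLS secrets that exist; the post created it in "test" only
SECRETS = {("test", "auth-tls-secret")}
CERT_CN = "auth.localtest.me"  # CN from the openssl -subj in the post


def cn_matches(cn, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host


def lint_istio_tls(gateway, vservice, secrets, cert_cn, gateway_ns=GATEWAY_NS):
    """Return findings describing mismatches between the gateway, the route and the cert."""
    findings = []
    spec = vservice["spec"]
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls")
        if not tls:
            continue
        mode, cred, name = tls.get("mode"), tls.get("credentialName"), server["port"]["name"]
        # credentialName is resolved by the ingress gateway pod, so the secret must exist
        # in the gateway's namespace rather than in the application's namespace.
        if cred and (gateway_ns, cred) not in secrets:
            findings.append(f"{name}: secret {cred} not found in namespace {gateway_ns}")
        # tls routes (SNI match) apply only to unterminated TLS; SIMPLE/MUTUAL terminate
        # TLS at the gateway, so the VirtualService needs http routes instead.
        if mode in ("SIMPLE", "MUTUAL") and spec.get("tls"):
            findings.append(f"{name}: mode {mode} terminates TLS but the VirtualService uses tls routes")
        if mode == "PASSTHROUGH" and spec.get("http"):
            findings.append(f"{name}: PASSTHROUGH forwards raw TLS but the VirtualService uses http routes")
    # The certificate the gateway serves must cover the hostname clients connect with.
    for host in spec["hosts"]:
        if not cn_matches(cert_cn, host):
            findings.append(f"certificate CN {cert_cn} does not cover host {host}")
    return findings


if __name__ == "__main__":
    for finding in lint_istio_tls(GATEWAY, VIRTUAL_SERVICE, SECRETS, CERT_CN):
        print("FINDING:", finding)
```

Running it against the post's own manifests reports three findings; an empty list means the three pieces agree with each other.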