Keycloak Istio Ingress Gateway

Hello guys, good evening.

Basically, I have already deployed Keycloak in minikube, and now I want to expose it through the Istio Ingress Gateway.

However, I haven't been able to do it.

The steps that I followed are the following:

Note: I’m working in a namespace called test.

  1. Create an SSL certificate using the following command: openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=auth.localtest.me/O=test"
  2. Create a secret in the cluster: kubectl create secret -n test tls auth-tls-secret --key tls.key --cert tls.crt
  3. Deploy Keycloak:
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  ports:
    - name: https
      port: 443
      targetPort: 8443
  selector:
    app: keycloak
  type: ClusterIP
  clusterIP: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 2
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:20.0.2
          args: ["start", "--cache-stack=kubernetes"]
          volumeMounts:
          - name: certs
            mountPath: "/etc/certs"
            readOnly: true
          env:
            - name: KEYCLOAK_ADMIN
              value: "admin"
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: "admin"
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: "/etc/certs/tls.crt"
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: "/etc/certs/tls.key"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
            - name: KC_HOSTNAME
              value: keycloak.localtest.me
            - name: KC_PROXY
              value: "edge"
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL
              value: "jdbc:postgresql://keycloak-db-postgresql-ha-pgpool/postgres"
            - name: KC_DB_USERNAME
              value: "postgres"
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-db-postgresql-ha-postgresql
                  key: password
            - name: jgroups.dns.query
              value: keycloak
          ports:
            - name: jgroups
              containerPort: 7600
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /health/ready
              port: 8443
            initialDelaySeconds: 60
            periodSeconds: 1
      volumes:
      - name: certs
        secret:
          secretName: auth-tls-secret

  4. Create the Istio Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - '*'
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: auth-tls-secret
      hosts:
        - '*'

  5. Create a VirtualService for Keycloak:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak-vs
spec:
  hosts:
    - keycloak.localtest.me
  gateways:
    - test-gateway
  tls:
    - match:
      - port: 443
        sniHosts:
        - keycloak.localtest.me
      route:
        - destination:
            host: keycloak.test.svc.cluster.local
            port:
              number: 443

However, when I try to access keycloak.localtest.me, the connection is closed and I get the following error in the pod log:

error cache resource:file-cert:/etc/certs/tls.crt~/etc/certs/tls.key failed to generate secret for proxy from file: open /etc/certs/tls.crt: no such file or directory

I understand what is happening, but I don't know exactly what is wrong in my configuration or how to solve it.

I would really appreciate it if you could help me, or if you have any idea how to solve this.
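As an added example (not from the thread, and not Istio's own tooling), a small consistency check over a Gateway and the VirtualService bound to it, covering the two rules most often missed in setups like the one above: `tls` routes only attach to PASSTHROUGH servers, and the `credentialName` secret must live in the ingress gateway's namespace. It assumes the manifests arrive as parsed dicts and that the ingress gateway runs in istio-system.

```python
# Added example, not code from the thread: a consistency check over an Istio
# Gateway and the VirtualService bound to it, with manifests given as parsed
# dicts (what yaml.safe_load returns) so it runs without PyYAML.
# Rules encoded: `tls` routes attach only to PASSTHROUGH servers, a SIMPLE
# (TLS-terminating) server needs `http` routes, and the credentialName secret
# must exist in the ingress gateway's own namespace.

def _host_covered(pattern, host):
    """Gateway host entries may carry an 'ns/' prefix and a leading '*'."""
    pattern = pattern.split("/", 1)[-1]
    if pattern in ("*", host):
        return True
    return pattern.startswith("*.") and host.endswith(pattern[1:])

def check_istio_routing(gateway, virtual_service, gateway_ns, secret_ns):
    """Return a list of findings; an empty list means no mismatch detected."""
    findings, spec = [], virtual_service["spec"]
    has_tls, has_http = bool(spec.get("tls")), bool(spec.get("http"))
    servers = gateway["spec"]["servers"]
    for srv in servers:
        port, tls = srv["port"], srv.get("tls", {})
        if port["protocol"] != "HTTPS":
            continue
        if tls.get("mode") == "SIMPLE" and has_tls and not has_http:
            findings.append(f"{port['name']}: SIMPLE terminates TLS but the "
                            "VirtualService has only tls (passthrough) routes")
        if tls.get("mode") == "PASSTHROUGH" and not has_tls:
            findings.append(f"{port['name']}: PASSTHROUGH needs tls routes")
        if tls.get("credentialName") and secret_ns != gateway_ns:
            findings.append(f"{port['name']}: secret {tls['credentialName']} "
                            f"is in {secret_ns}, not in gateway ns {gateway_ns}")
    patterns = [h for s in servers for h in s["hosts"]]
    for host in spec["hosts"]:
        if not any(_host_covered(p, host) for p in patterns):
            findings.append(f"host {host} is not admitted by any server")
    return findings

# Constructed inputs mirroring the thread's manifests (relevant fields only).
GATEWAY = {"spec": {"servers": [
    {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]},
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "auth-tls-secret"},
     "hosts": ["*"]}]}}
ROUTE = {"destination": {"host": "keycloak.test.svc.cluster.local",
                         "port": {"number": 443}}}
VS_TLS_ONLY = {"spec": {"hosts": ["keycloak.localtest.me"], "tls": [
    {"match": [{"port": 443, "sniHosts": ["keycloak.localtest.me"]}],
     "route": [ROUTE]}]}}
VS_HTTP = {"spec": {"hosts": ["keycloak.localtest.me"], "http": [{"route": [ROUTE]}]}}
```

Run `check_istio_routing(GATEWAY, VS_TLS_ONLY, "istio-system", "test")` to see the two findings for the posted pair; when the gateway terminates TLS and then re-encrypts to Keycloak's 8443, a DestinationRule with `trafficPolicy.tls.mode: SIMPLE` for the destination is also needed.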

Hello @Click0910

I am facing the same issue. Did you identify any fix for it? On the other hand, my scenario is that I am trying to connect to an external PostgreSQL with a client certificate.

Thanks,
Siva

Hello everyone,

Let me take a moment and address the same issue I faced.
@Click0910, your configuration files are correct.
And if anyone is trying the Keycloak setup with Istio on local minikube, here is the main difference:
1. Check the istio-system svc: kubectl get svc -n istio-system.
2. Check the ingress-gateway port mapping.
3. Port 80 would be mapped to some other node port.
This is because in minikube, for a single-node cluster, the gateway load balancer ports are mapped to node ports.
So whenever you are accessing keycloak.localtest.me, add the node port from kubectl get svc -n istio-system.