
Current flow:

incoming request (/sso-kibana) --> Envoy proxy --> /sso-kibana

Expected flow:

incoming request (/sso-kibana) --> Envoy proxy --> keycloak-gatekeeper --> keycloak

--> If not logged in --> keycloak login page --> /sso-kibana

--> If Already logged in --> /sso-kibana

I deployed keycloak-gatekeeper as a k8s cluster which has the following configuration:

keycloak-gatekeeper.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: keycloak-gatekeeper
  name: keycloak-gatekeeper
spec:
  selector:
    matchLabels:
      app: keycloak-gatekeeper
  replicas: 1
  template:
    metadata:
      labels:
        app: keycloak-gatekeeper
    spec:
      containers:
        - image: keycloak/keycloak-gatekeeper
          imagePullPolicy: Always
          name: keycloak-gatekeeper
          ports:
            - containerPort: 3000
          args:
            - "--config=/keycloak-proxy-poc/keycloak-gatekeeper/gatekeeper.yaml"
            - "--enable-logging=true"
            - "--enable-json-logging=true"
            - "--verbose=true"
          volumeMounts:
            - mountPath: /keycloak-proxy-poc/keycloak-gatekeeper
              name: secrets
      volumes:
        - name: secrets
          secret:
            secretName: gatekeeper

gatekeeper.yaml

discovery-url: https://keycloak/auth/realms/MyRealm
enable-default-deny: true
listen: 0.0.0.0:3000
upstream-url: https://kibana.k8s.cluster:5601
client-id: kibana
client-secret: d62e46c3-2a65-4069-b2fc-0ae5884a4952

Envoy.yaml

- name: kibana
  hosts: [{ socket_address: { address: keycloak-gatekeeper, port_value: 3000 }}]

Problem:

I am able to invoke the Keycloak login on /Kibana, but after login the user is not sent to the /Kibana URL, i.e. the Kibana dashboard is not loading.

Note: Kibana is also running as k8s cluster.

References:
https://medium.com/@vcorreaniche/securing-serverless-services-in-kubernetes-with-keycloak-gatekeeper-6d07583e7382

https://medium.com/stakater/proxy-injector-enabling-sso-with-keycloak-on-kubernetes-a1012c3d9f8d

Update 1:

I'm able to invoke the Keycloak login on /sso-kibana, but after entering credentials it gives a 404. The flow is the following:

Step 1. Clicked on http://something/sso-kibana
Step 2. Keycloak login page opens at https://keycloak/auth/realms/THXiRealm/protocol/openid-connect/auth?...
Step 3. After entering credentials redirected to this URL https://something/sso-kibana/oauth/callback?state=890cd02c-f...
Step 4. 404

Update 2:

404 error was solved after I added a new route in Envoy.yaml

Envoy.yaml

  - match: { prefix: /sso-kibana/oauth/callback }
    route: { prefix_rewrite: "/", cluster: kibana.k8s.cluster }

Therefore, the expected flow (shown below) is working fine now.

incoming request (/sso-kibana) --> Envoy proxy --> keycloak-gatekeeper --> keycloak

--> If not logged in --> keycloak login page --> /sso-kibana

--> If Already logged in --> /sso-kibana
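The post only shows fragments of the Envoy configuration (one cluster entry and one route). The following is an added, complete static Envoy configuration that realises the expected flow above; it is not the poster's configuration and not taken from the referenced articles. It keeps every path under /sso-kibana, including the OAuth callback, in front of keycloak-gatekeeper, because gatekeeper is the component that exchanges the authorization code for a token and sets the session cookie, and because `enable-default-deny: true` is only effective if no route reaches Kibana without passing through it. Assumptions: Envoy listens on 8080, the cluster is named `keycloak-gatekeeper` (the post names it `kibana`), the configuration uses the v3 API (the post's `hosts:` shorthand is the older v2 form), and gatekeeper is additionally given `redirection-url: https://something/sso-kibana` so that the redirect URI it sends to Keycloak is the `/sso-kibana/oauth/callback` URL seen in Step 3 of Update 1.

```yaml
# Added example: static Envoy (v3 API) configuration for the flow
#   incoming request (/sso-kibana) --> Envoy --> keycloak-gatekeeper --> Kibana
# Names, ports and the listener address are assumptions, not values from the post.
static_resources:
  listeners:
    - name: ingress
      address:
        socket_address: { address: 0.0.0.0, port_value: 8080 }   # assumed listener port
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                route_config:
                  name: sso_routes
                  virtual_hosts:
                    - name: sso
                      domains: ["*"]
                      routes:
                        # Envoy takes the first route whose match succeeds, so the
                        # more specific callback route must be listed before the
                        # general /sso-kibana/ prefix or it will never be reached.
                        # gatekeeper serves its callback at /oauth/callback, hence
                        # the rewrite; the query string (state, code) is preserved.
                        - match: { prefix: /sso-kibana/oauth/callback }
                          route:
                            cluster: keycloak-gatekeeper
                            prefix_rewrite: /oauth/callback
                        # Everything else under /sso-kibana/ goes to gatekeeper,
                        # which enforces login and proxies to Kibana (upstream-url).
                        # Matching on the trailing slash avoids a "//app/..." path
                        # after the rewrite to "/".
                        - match: { prefix: /sso-kibana/ }
                          route:
                            cluster: keycloak-gatekeeper
                            prefix_rewrite: /
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    # Same endpoint as the post's cluster (service keycloak-gatekeeper, port 3000),
    # written in the v3 load_assignment form.
    - name: keycloak-gatekeeper
      type: STRICT_DNS
      connect_timeout: 5s
      load_assignment:
        cluster_name: keycloak-gatekeeper
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address: { address: keycloak-gatekeeper, port_value: 3000 }
```

Two checks worth running with a configuration like this: `envoy --mode validate -c envoy.yaml` parses the file without starting the proxy, and the Keycloak client `kibana` must list `https://something/sso-kibana/oauth/callback` (or a matching pattern) under its valid redirect URIs, otherwise Keycloak rejects the login before the callback is ever reached. If the callback succeeds but the dashboard still does not render, Kibana itself needs to know it is served under `/sso-kibana` (its `server.basePath` setting), since gatekeeper only proxies the request and does not rewrite the links in Kibana's pages.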


1 Answer