0
votes

I need advice on how to configure the nginx ingress controller and Keycloak on EKS Kubernetes with TLS.

My first attempt was to get Keycloak working without TLS. This works fine. But when I add TLS to the ingress definition, Keycloak gives an Invalid parameter: redirect_uri error.

This is the working sample:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak-tls-test
  namespace: keycloak-tls-test
spec:
  rules:
  - host: keycloak.test.myhops.com
    http:
      paths:
      - backend:
          serviceName: keycloak
          servicePort: 80

When I add the tls part, I get the aforementioned error. See yaml file below.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak-tls-test
  namespace: keycloak-tls-test
spec:
  tls:
  - hosts:
    - keycloak.test.myhops.com
    secretName: test-myhops-tls
  rules:
  - host: keycloak.test.myhops.com
    http:
      paths:
      - backend:
          serviceName: keycloak
          servicePort: 80

Any suggestions on how to solve this? One online suggestion was to add https://keycloak.test.myhops.com/* to the Valid Redirect URL for the security-admin-console client in the master realm. This solved the invalid redirect_uri error, but then I only got blank pages. I could not find hints in the keycloak logging.


1 Answer

2
votes

I figured out what caused the problem. It seems that when Keycloak is used behind a reverse proxy that terminates TLS, Keycloak needs proxy-address-forwarding to be set. For the Docker container this means that the env var PROXY_ADDRESS_FORWARDING=true does the trick. So the Ingress was correct and the Keycloak deployment needed an extra environment variable.

Please note that ingress-nginx already sets the correct headers for this to work:

  • X-Forwarded-For
  • X-Forwarded-Proto

Docker documentation, Keycloak documentation
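As an added example (not part of the answer and not Keycloak's own code), a small Python model of why the scheme the pod derives behind a TLS-terminating ingress decides the redirect_uri check; the relative admin-console redirect pattern, the header values and the paths are assumptions, constructed for the demonstration.

```python
from fnmatch import fnmatchcase

# Constructed headers: what ingress-nginx passes to the Keycloak pod after terminating TLS.
FORWARDED_HEADERS = {
    "Host": "keycloak.test.myhops.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "203.0.113.10",
}

# Assumed registered pattern: the admin console client uses a relative redirect
# pattern that is resolved against whatever base URL the server believes it has.
REGISTERED_REDIRECT = "/admin/master/console/*"

# What the browser actually sends, because the user reached the site over https.
BROWSER_REDIRECT_URI = "https://keycloak.test.myhops.com/admin/master/console/"


def server_base_url(headers, proxy_address_forwarding):
    """Base URL the pod believes it is served on.

    The pod's own socket is plain http because TLS ended at the ingress. Only when
    proxy address forwarding is enabled is X-Forwarded-Proto trusted to override it.
    """
    scheme = "http"
    if proxy_address_forwarding:
        scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{headers['Host']}"


def resolve_pattern(pattern, base_url):
    """Turn a relative registered pattern into an absolute one."""
    return pattern if "://" in pattern else base_url + pattern


def redirect_uri_allowed(redirect_uri, patterns, base_url):
    """Keycloak-style check: the exact redirect_uri must match a registered pattern."""
    return any(fnmatchcase(redirect_uri, resolve_pattern(p, base_url)) for p in patterns)


def simulate_login(proxy_address_forwarding, extra_patterns=()):
    """Return (base URL the server derived, whether the browser's redirect_uri is accepted)."""
    base = server_base_url(FORWARDED_HEADERS, proxy_address_forwarding)
    patterns = [REGISTERED_REDIRECT, *extra_patterns]
    return base, redirect_uri_allowed(BROWSER_REDIRECT_URI, patterns, base)


if __name__ == "__main__":
    print(simulate_login(False))  # http base, redirect rejected: the error from the question
    print(simulate_login(True))   # https base, redirect accepted: the fix from the answer
    # Adding the absolute https pattern passes the check, but the base is still http,
    # which is why the console then renders wrong (the blank pages in the question).
    print(simulate_login(False, ["https://keycloak.test.myhops.com/*"]))
```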