Matt

Reputation: 4387

Keycloak gatekeeper: set base URL

I'm not able to find a way to update the base URL of my keycloak gatekeeper sidecar. My configuration works well with services set to the base URL (ex: https://monitoring.example.com/), not with a custom base path (ex: https://monitoring.example.com/prometheus).

My yaml config is:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: prometheus-deployment
spec:
  replicas: 1
  template:
    metadata:
      name: prometheus
    spec:
      containers:
      - name: prometheus
        image: quay.io/coreos/prometheus:latest
        args:
          - '--web.external-url=https://monitoring.example.com/prometheus'
          - '--web.route-prefix=/prometheus'
      - name: proxy
        image: keycloak/keycloak-gatekeeper:5.0.0
        imagePullPolicy: Always
        args:
          - --resource=uri=/*
          - --discovery-url=https://auth.example.com/auth/realms/MYREALM
          - --client-id=prometheus
          - --client-secret=XXXXXXXX
          - --listen=0.0.0.0:5555
          - --enable-logging=true
          - --enable-json-logging=true
          - --upstream-url=http://127.0.0.1:9090/prometheus

My problem is being able to set a different base URL path ("/prometheus") for the sidecar: when I open https://monitoring.example.com/prometheus, I receive a 307 redirection to https://monitoring.example.com/oauth/authorize?state=XXXXXXX, whereas it should be https://monitoring.example.com/prometheus/oauth/authorize?state=XXXXXXX

I tried with the parameter "--redirection-url=https://monitoring.example.com/prometheus", but this still redirects me to the same URL.

EDIT:

My objective is to be able to protect multiple Prometheus instances and restrict access to them. I'm also looking for a solution to set permissions regarding the realm or the client. I mean, some of the keycloak users should be able, for example, to auth and see the content of /prometheus-dev but not /prometheus-prod.

EDIT2:

I missed the parameter "base_uri". When I set it to "/prometheus" and try to connect to "https://monitoring.example.com/prometheus/", I receive the correct redirection "https://monitoring.example.com/prometheus/oauth/authorize?state=XXXXXXX" but it doesn't work. In keycloak, the log is:

"msg: no session found in request, redirecting for authorization,error:authentication session not found"

Upvotes: 4

Views: 6136

Answers (2)

jokarls

Reputation: 370

It can be done if you rewrite the location header on the 307 responses to the browser. If you are behind an nginx ingress add these annotations.

nginx.ingress.kubernetes.io/proxy-redirect-from: /
nginx.ingress.kubernetes.io/proxy-redirect-to: /prometheus/

Upvotes: 0

bruegth

Reputation: 691

In Gatekeeper version 7.0.0 you can use one of these options:

  • --oauth-uri
  • --base-uri

But currently if you use --base-uri, then a trailing / will be added to the callback URL after baseUri (i.e. /baseUri//oauth/callback). But for me it works fine with oauth-uri=/baseUri/oauth.

Upvotes: 2
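As an added example (not code from the question or either answer), here is how the question's sidecar could be wired for one of the per-environment instances using the --oauth-uri workaround from bruegth's answer; the client secret, realm name and role name are placeholders, the upstream URL keeps the form the question used, and the roles= filter on --resources is an assumption about Gatekeeper's resource syntax rather than something the page confirms.

```yaml
# Added example: Prometheus served under /prometheus-dev behind a
# Gatekeeper 7.0.0 sidecar. <client-secret>, MYREALM and the role
# prometheus-dev-viewer are placeholders, not values from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus-dev
  template:
    metadata:
      labels:
        app: prometheus-dev
    spec:
      containers:
      - name: prometheus
        image: quay.io/coreos/prometheus:latest
        args:
          # Both flags must carry the same prefix so Prometheus serves and
          # links its UI under /prometheus-dev.
          - '--web.external-url=https://monitoring.example.com/prometheus-dev'
          - '--web.route-prefix=/prometheus-dev'
      - name: proxy
        image: keycloak/keycloak-gatekeeper:7.0.0
        args:
          - --listen=0.0.0.0:5555
          - --discovery-url=https://auth.example.com/auth/realms/MYREALM
          - --client-id=prometheus-dev
          - --client-secret=<client-secret>
          # Same shape as the question's config: upstream addressed with the prefix.
          - --upstream-url=http://127.0.0.1:9090/prometheus-dev
          # Public URL the browser returns to after login; the matching
          # .../prometheus-dev/oauth/callback must be a valid redirect URI
          # on the Keycloak client.
          - --redirection-url=https://monitoring.example.com/prometheus-dev
          # bruegth's workaround: --base-uri=/prometheus-dev yields
          # /prometheus-dev//oauth/callback, so set the OAuth root directly.
          - --oauth-uri=/prometheus-dev/oauth
          # Assumed syntax: only users holding this realm role may reach the UI;
          # the prod instance would use its own role (e.g. prometheus-prod-viewer).
          - --resources=uri=/*|roles=prometheus-dev-viewer
          - --enable-logging=true
          - --enable-json-logging=true
```

If the ingress rewrites the 307 Location header instead (jokarls' annotations), the --oauth-uri line can be dropped, but the redirect URI registered on the Keycloak client must still match the externally visible callback path.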
