Reputation: 224
Objective: Keycloak gatekeeper deployment when nginx ingress has active rewrite-target feature.
The ingress rewrites the target as follows:
rewrite.bar.com/something/ rewrites to rewrite.bar.com/
rewrite.bar.com/something/new rewrites to rewrite.bar.com/new
and adds the following header:
X-Forwarded-Prefix: /something
Keycloak gatekeeper configuration:
    # deployment.yaml:
    ...
    - name: keycloak-gatekeeper
      image: quay.io/keycloak/keycloak-gatekeeper:9.0.2
      imagePullPolicy: IfNotPresent
      args:
      - --listen=0.0.0.0:3000
      - --discovery-url=https://auth.server.com/auth/realms/realm
      - --client-id={client_id}
      - --client-secret={client_secret}
      - --redirection-url=https://rewrite.bar.com/something/
      - --upstream-url=http://127.0.0.1:8080
      - --skip-upstream-tls-verify=false
      - --skip-openid-provider-tls-verify=false
      - --enable-default-deny=true
Issue:
Gatekeeper redirects unauthorized requests to https://rewrite.bar.com/oauth/authorize?state=00191... but the endpoint is at https://rewrite.bar.com/something/oauth/authorize. Gatekeeper ignores the X-Forwarded-Prefix header. When the path is manually corrected in the browser by adding something/ to the path, everything works. The redirection to the authentication server is correct and the callback also works.
When the gatekeeper configuration is augmented by setting the base URI in the deployment:
    ...
    - --redirection-url=https://rewrite.bar.com/something/
    - --base-uri=/something
    ...
unauthorized requests are redirected correctly to https://rewrite.bar.com/something/oauth/authorize, which is rewritten by the ingress to https://rewrite.bar.com/oauth/authorize, which does not match the unprotected authorization endpoint in gatekeeper (something/oauth/authorize). This results in constant redirection.
Question: Is there any way to configure a gateway in a way that it adds /something to redirection requests but does not expect it (proxy-base-url)?
Upvotes: 4
Views: 1973
Reputation: 370
You can use the proxy-redirect annotation to accomplish this: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#proxy-redirect
It will change the location header to what you want.
nginx.ingress.kubernetes.io/proxy-redirect-from: /oauth
nginx.ingress.kubernetes.io/proxy-redirect-to: /something/oauth
Upvotes: 1
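Added example, not part of the original posts and not gatekeeper or ingress-nginx code: a small Python model of the three setups discussed above (default, `--base-uri=/something`, and the proxy-redirect annotations) that follows the Location headers the way a browser would. The gatekeeper behaviour is a simplified assumption taken from the question's description, query strings are ignored, and the function names and the `IDP` stand-in URL are hypothetical.

```python
PREFIX = "/something"  # prefix the ingress strips (from the question)
IDP = "https://auth.server.com/auth/realms/realm"  # stand-in for the IdP login URL

def ingress_rewrite(path):
    """rewrite-target: strip PREFIX; None if the path is not routed to this pod."""
    if path == PREFIX or path.startswith(PREFIX + "/"):
        return path[len(PREFIX):] or "/"
    return None

def proxy_redirect(location, frm, to):
    """proxy-redirect-from/-to: swap a leading `frm` in Location for `to`."""
    if frm and location.startswith(frm):
        return to + location[len(frm):]
    return location

def gatekeeper(path, base_uri):
    """Assumed model: the authorize endpoint lives at base_uri + /oauth/authorize;
    every other path is answered with a redirect to it (default deny)."""
    authorize = base_uri + "/oauth/authorize"
    return IDP if path == authorize else authorize

def follow(start, base_uri="", frm=None, to=None):
    """Follow Location headers like a browser; return (visited paths, outcome)."""
    path, seen = start, []
    while path not in seen:
        seen.append(path)
        upstream = ingress_rewrite(path)
        if upstream is None:
            return seen, "not-routed"  # request never reaches gatekeeper
        path = proxy_redirect(gatekeeper(upstream, base_uri), frm, to)
        if path == IDP:
            return seen, "reached-idp"
    return seen, "redirect-loop"

if __name__ == "__main__":
    for label, kw in [
        ("default", {}),
        ("--base-uri=/something", {"base_uri": "/something"}),
        ("proxy-redirect", {"frm": "/oauth", "to": "/something/oauth"}),
    ]:
        print(label, *follow("/something/", **kw))
```

Only the third setup reaches the identity provider: the Location header is corrected on the way out, while gatekeeper keeps serving its endpoints at the prefix-free paths it sees after the rewrite.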