Can't access Administration Console page with keycloak behind Kong Ingress Controller

5/7/2019

I have Keycloak behind Kong Ingress Controller. I'm able to see the Keycloak welcome page at my {url}/auth/. However, when I click on Administration Console I am redirected to {url}:8443/auth/admin/master/console/

When I click on Administration Console I should be redirected to {url}/auth/admin/master/console/

When I install Keycloak (with Helm) on minikube, exposing the service as a NodePort service without using ingress and a load balancer, I'm able to access the Administration Console page.

I have detailed information about this problem in this link -> https://github.com/codecentric/helm-charts/issues/17

I'm stuck on this and have no idea how to solve the problem.

-- J. Jhonys C. Camacho
amazon-web-services
keycloak
kong
kubernetes
kubernetes-helm

1 Answer

5/7/2019

I faced this issue maybe a year ago. I remember that stupid redirect, but I was not using Kong Ingress Controller, just plain Kong. The problem I faced is that Kong runs as an unprivileged user and cannot bind to low-numbered ports. So Kong binds to 8443 ssl and places a stupid redirect from 443 to 8443. I could not fix that normally and reinvented the wheel.

I used ports 80 and 443 for Kong:

    ports:
    - name: kong-proxy
      containerPort: 80
    - name: kong-proxy-ssl
      containerPort: 443
    - name: kong-admin
      containerPort: 8001
    - name: kong-admin-ssl
      containerPort: 8444

Then defined new ports and capability:

    securityContext:
      capabilities:
        add:
        - NET_BIND_SERVICE
    env:
      - name: KONG_PROXY_LISTEN
        value: 0.0.0.0:80, 0.0.0.0:443 ssl
      - name: KONG_ADMIN_LISTEN
        value: 0.0.0.0:8001, 0.0.0.0:8444 ssl

After that, that stupid redirect disappeared.

Hope that helps.

UPDATE

Sorry, I forgot to mention that for ports 80 and 443 to work I built a custom Docker image with these lines:

    FROM kong:1.1.1-centos
    RUN chown -R kong:kong /usr/local/kong \
        && setcap 'cap_net_bind_service=+ep' /usr/local/bin/kong \
        && setcap 'cap_net_bind_service=+ep' /usr/local/openresty/nginx/sbin/nginx

-- Vasily Angapov
Source: StackOverflow
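
A manifest-side consistency check for the configuration in the answer above, as an added example that is not part of the original answer or of Kong: it parses the `KONG_*_LISTEN` values and flags listeners that have no declared `containerPort`, or that sit below 1024 without `NET_BIND_SERVICE`. The container specs are constructed Python dicts, the function names are hypothetical, and the `setcap` step from the Dockerfile cannot be verified from a manifest.

```python
# Added example: the container specs below are constructed, not from a real cluster.
LISTEN_VARS = ("KONG_PROXY_LISTEN", "KONG_ADMIN_LISTEN")

def parse_listen(value):
    """Split a Kong *_LISTEN value into (address, port, flags) tuples."""
    if value.strip() in ("", "off"):
        return []
    entries = []
    for item in value.split(","):
        parts = item.split()
        if not parts:  # tolerate a trailing comma
            continue
        addr, _, port = parts[0].rpartition(":")
        entries.append((addr, int(port), tuple(parts[1:])))
    return entries

def check_container(container):
    """Return findings where listeners, containerPorts and capabilities disagree."""
    declared = {p["containerPort"] for p in container.get("ports", [])}
    caps = container.get("securityContext", {}).get("capabilities", {}).get("add", [])
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    findings, listening = [], set()
    for var in LISTEN_VARS:
        for _addr, port, _flags in parse_listen(env.get(var, "")):
            listening.add(port)
            if port not in declared:
                findings.append(f"{var}: port {port} is not a declared containerPort")
            # Ports below 1024 are privileged for a non-root process.
            if port < 1024 and "NET_BIND_SERVICE" not in caps:
                findings.append(f"{var}: port {port} needs NET_BIND_SERVICE")
    for port in sorted(declared - listening):
        findings.append(f"containerPort {port} has no matching listener")
    return findings

def _spec(proxy_listen, caps):
    """Build a constructed container spec that uses the answer's port list."""
    ports = [{"name": n, "containerPort": p} for n, p in
             (("kong-proxy", 80), ("kong-proxy-ssl", 443),
              ("kong-admin", 8001), ("kong-admin-ssl", 8444))]
    return {"ports": ports,
            "securityContext": {"capabilities": {"add": caps}},
            "env": [{"name": "KONG_PROXY_LISTEN", "value": proxy_listen},
                    {"name": "KONG_ADMIN_LISTEN", "value": "0.0.0.0:8001, 0.0.0.0:8444 ssl"}]}

ANSWER = _spec("0.0.0.0:80, 0.0.0.0:443 ssl", ["NET_BIND_SERVICE"])  # as in the answer
NO_CAP = _spec("0.0.0.0:80, 0.0.0.0:443 ssl", [])                    # capability left out
HIGH_PORTS = _spec("0.0.0.0:8000, 0.0.0.0:8443 ssl", [])             # listeners not on 80/443

if __name__ == "__main__":
    for name, spec in (("answer", ANSWER), ("no_cap", NO_CAP), ("high_ports", HIGH_PORTS)):
        print(name, check_container(spec) or "ok")
```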