Kubernetes Keycloak Gatekeeper Bad Gateway

9/8/2019

I'm trying to set up ProxyInjector to automatically inject keycloak-gateway into any container that has annotations like the following, which I have for a service I'm deploying on Kubernetes:

"annotations": {
  "authproxy.stakater.com/client-id": "bitwarden",
  "authproxy.stakater.com/client-secret": "<secret>",
  "authproxy.stakater.com/discovery-url": "https://keycloak.example.com/auth/realms/realmname",
  "authproxy.stakater.com/enabled": "true",
  "authproxy.stakater.com/listen": "127.0.0.1:3000",
  "authproxy.stakater.com/redirection-url": "http://127.0.0.1:3000",
  "authproxy.stakater.com/source-service-name": "bitwarden",
  "authproxy.stakater.com/target-port": "3000",
  "authproxy.stakater.com/upstream-url": "http://127.0.0.1:80"
}

This is for a bitwardenrs deployment in Kubernetes. The service is as follows:

---
kind: Service
apiVersion: v1
metadata:
  name: bitwarden
spec:
  selector:
    app: bitwarden
  ports:
    - protocol: TCP
      name: bitwarden-http
      port: 80
      targetPort: 80
    - protocol: TCP
      name: bitwarden-https
      port: 443
      targetPort: 443
  type: NodePort

I can access the service normally through ingress. But when I add the annotations to authenticate in front of it, I get a 502 bad gateway error.

Checking the bitwarden pod logs, I can see the proxy container successfully starts up and is proxying according to what I defined here. But I don't see any logs about it actually attempting to proxy anything (either in that pod or in my ingress-controller pod).

Am I doing something wrong for it to be returning a 502?

-- cclloyd
keycloak
kubernetes

1 Answer

12/3/2019

As per the documentation here, authproxy.stakater.com/listen is what the proxy listens on, so it should be either 0.0.0.0:80 or 0.0.0.0:443. So every call redirected by nginx to the service lands on the proxy container. After the request is verified by Keycloak, it will redirect it to the URL mentioned in authproxy.stakater.com/redirection-url, e.g. https://cool.myweb.app.com (should be accessible to Keycloak). The redirected request from Keycloak will land again on the proxy container, but this time it is authenticated and will be redirected to authproxy.stakater.com/upstream-url, i.e. the app you are trying to proxy, e.g.

The recommended setting is to run the proxy on port 80/443 and the app on any other port, e.g. 3000.

See the Flow diagram for further reference.

Feel free to open an issue in the repository if you have any further questions, or ask in the Stakater Slack channel.

-- U. Ahmad
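The rules in the answer (proxy bound on 0.0.0.0 on the port the Service targets, app on a different port, redirection URL reachable from outside the pod) can be turned into a quick lint over the annotations before deploying. This is an added example, not code from the question, the answer or the ProxyInjector project; the "good" annotation values and the app port 3000 are assumptions.

```python
# Added example: lint authproxy.stakater.com/* annotations against the
# placement rules given in the answer. Not part of ProxyInjector itself.
from urllib.parse import urlsplit

PREFIX = "authproxy.stakater.com/"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Annotations as posted in the question (listen/redirect on loopback:3000).
BAD_ANNOTATIONS = {
    PREFIX + "listen": "127.0.0.1:3000",
    PREFIX + "redirection-url": "http://127.0.0.1:3000",
    PREFIX + "upstream-url": "http://127.0.0.1:80",
}
# Constructed, assumed-correct set: proxy on the Service targetPort 80,
# app moved to 3000, public redirect URL (hostname is a placeholder).
GOOD_ANNOTATIONS = {
    PREFIX + "listen": "0.0.0.0:80",
    PREFIX + "redirection-url": "https://bitwarden.example.com",
    PREFIX + "upstream-url": "http://127.0.0.1:3000",
}

def _host_port(value):
    """Split 'host:port' or 'scheme://host:port' into (host, port)."""
    if "://" not in value:
        value = "tcp://" + value          # bare listen address
    u = urlsplit(value)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return u.hostname, port

def check_authproxy_annotations(annotations, service_target_ports):
    """Return a list of problems; an empty list means the layout matches the answer.
    service_target_ports: the Service's targetPort values, i.e. the pod ports
    that ingress/nginx traffic is delivered to."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    problems = []
    listen_host, listen_port = _host_port(a.get("listen", ""))
    if listen_host in LOOPBACK:
        problems.append("listen binds loopback; proxy must bind 0.0.0.0 to receive pod traffic")
    if listen_port not in service_target_ports:
        problems.append(f"listen port {listen_port} is not a Service targetPort; ingress bypasses the proxy")
    _, upstream_port = _host_port(a.get("upstream-url", ""))
    if upstream_port == listen_port:
        problems.append("upstream-url shares the listen port; run the app on another port (e.g. 3000)")
    if urlsplit(a.get("redirection-url", "")).hostname in LOOPBACK:
        problems.append("redirection-url is loopback; it must be the public URL Keycloak redirects back to")
    return problems

if __name__ == "__main__":
    for name, ann in (("question", BAD_ANNOTATIONS), ("corrected", GOOD_ANNOTATIONS)):
        print(name, check_authproxy_annotations(ann, {80, 443}) or "OK")
```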
Source: StackOverflow