How do I create a URL frontend to my keycloak instance after connecting it up to istio

4/10/2020

I have istio installed and can see it on Rancher. I have keycloak installed as well. I am trying to connect the two and have a gateway set up so I can access the keycloak front-end through a URL. In my keycloak manifest I have

# Source: keycloak/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
. 
. #Many other lines here
.
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP

I then set up a gateway with the command -

kubectl apply -f networking/custom-gateway.yaml

And in my custom-gateway.yaml file I have -

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak
spec:
  hosts:
  - "*"
  gateways:
  - keycloak-gateway
  http:
  - match:
    - uri:
        exact: /keycloak
    rewrite:
      uri: "/" # Non context aware backend
    route:
    - destination:
        host: keycloak
        port:
          number: 80
    websocketUpgrade: true

Now when I try to access the URL http://node_ip_address:port/keycloak, I find that I am not able to access the front end. I have verified that keycloak is installed and the pod is up and running on Rancher. I also have my istio instance connected to the bookinfo application and am able to run the bookinfo-gateway and connect to http://node_ip_address:port/productpage with a gateway that looks like the one described here. I am trying to set up the same gateway, only for keycloak. What am I doing wrong in my yaml files? How do I fix this? Any help is appreciated. Do I have the ports connected correctly?

-- BipinS.
istio
keycloak
keycloak-services
kubernetes
rancher

1 Answer

4/14/2020

As far as I can see, you should fix your VirtualService.

I prepared a small example with helm and the keycloak helm chart.

Save this as keycloak.yaml; you can configure your keycloak password here.

keycloak:
  service:
    type: ClusterIP
  password: mykeycloakadminpasswd
  persistence:
    deployPostgres: true
    dbVendor: postgres

Install keycloak with helm and the values prepared above.

helm upgrade --install keycloak stable/keycloak -f keycloak.yaml

Create the gateway and virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak
spec:
  hosts:
  - "*"
  gateways:
  - keycloak-gateway
  http:
  - match:
    - uri:
        prefix: /auth
    - uri:
        prefix: /keycloak
    rewrite:
      uri: /auth
    route:
    - destination:
        host: keycloak-http
        port:
          number: 80

The virtual service's route destination host is the name of the kubernetes service in front of the keycloak pod.

kubectl get svc

NAME                  TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
keycloak-http         ClusterIP   10.0.14.36    <none>        80/TCP     22m

You should be able to connect to keycloak via ingress_gateway_ip/keycloak or ingress_gateway_ip/auth and log in with the keycloak credentials; in my example it's login: keycloak and password: mykeycloakadminpasswd.

Note that you need to add the prefix match for /auth, as /auth is the default path under which the keycloak web UI does everything. The /keycloak prefix is just rewritten to /auth here.

-- jt97
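The difference between the two VirtualServices above can be checked without a cluster. The following is an added example, not code from the question, the answer, Istio or the keycloak chart: it models the match and rewrite rules Istio applies (a `prefix` match is a plain string-prefix match, and `rewrite.uri` replaces the matched portion of the path, as Envoy's prefix_rewrite does) and lints each route destination against the Services that exist. The Service table is constructed here; `keycloak-http` on port 80 with targetPort 8080 is assumed from the answer's `kubectl get svc` output and the StatefulSet's containerPort, and the behaviour that keycloak's root URL redirects to `/auth/` is assumed from the answer's note.

```python
"""Offline check of the Istio VirtualService routing discussed above.

Added example; not the question's, the answer's or Istio's own code.
Assumptions: the Service table below is constructed, and keycloak's "/"
redirects the browser to "/auth/" (the answer's point about /auth).
"""
from typing import Dict, List, Optional, Tuple

# Constructed: what `kubectl get svc` / the Service spec would show.
SERVICES = {
    "keycloak-http": {"ports": [{"port": 80, "targetPort": 8080}]},
}

# The question's VirtualService: exact /keycloak -> "/", Service "keycloak":80.
VS_BROKEN = {"spec": {"http": [{
    "match": [{"uri": {"exact": "/keycloak"}}],
    "rewrite": {"uri": "/"},
    "route": [{"destination": {"host": "keycloak", "port": {"number": 80}}}],
}]}}

# The answer's VirtualService: prefix /auth or /keycloak -> "/auth",
# routed to the chart's keycloak-http Service on port 80.
VS_FIXED = {"spec": {"http": [{
    "match": [{"uri": {"prefix": "/auth"}}, {"uri": {"prefix": "/keycloak"}}],
    "rewrite": {"uri": "/auth"},
    "route": [{"destination": {"host": "keycloak-http", "port": {"number": 80}}}],
}]}}


def match_uri(rule: Dict, path: str) -> Optional[str]:
    """Return the matched part of `path` for one `uri` rule, or None."""
    if "exact" in rule:
        return path if path == rule["exact"] else None
    if "prefix" in rule:
        # Plain string prefix, as in Envoy: "/auth" also matches "/authz".
        return rule["prefix"] if path.startswith(rule["prefix"]) else None
    raise ValueError("only exact/prefix uri matches are modelled")


def rewrite_path(path: str, matched: str, rewrite: Optional[Dict]) -> str:
    """Replace the matched portion with rewrite.uri, keeping the remainder."""
    if not rewrite or "uri" not in rewrite:
        return path
    return rewrite["uri"] + path[len(matched):]


def select_route(vs: Dict, path: str) -> Optional[Tuple[str, str, int]]:
    """First http route with any matching clause wins (clauses are ORed).

    Returns (upstream_path, destination_host, destination_port), or None
    when no route matches, which the ingress gateway answers with a 404.
    """
    for http in vs["spec"]["http"]:
        for clause in http.get("match", [{}]):
            uri = clause.get("uri")
            matched = path if uri is None else match_uri(uri, path)
            if matched is None:
                continue
            dest = http["route"][0]["destination"]
            return (rewrite_path(path, matched, http.get("rewrite")),
                    dest["host"], dest["port"]["number"])
    return None


def check_destinations(vs: Dict, services: Dict) -> List[str]:
    """Lint: each destination must name an existing Service and port."""
    problems = []
    for http in vs["spec"]["http"]:
        for r in http["route"]:
            host = r["destination"]["host"]
            port = r["destination"]["port"]["number"]
            svc = services.get(host)
            if svc is None:
                problems.append(f"no Service named {host!r}")
            elif port not in {p["port"] for p in svc["ports"]}:
                problems.append(f"Service {host!r} has no port {port}")
    return problems


def login_flow(vs: Dict) -> List[Optional[Tuple[str, str, int]]]:
    """Browser hits /keycloak, gets redirected by keycloak to /auth/ (assumed),
    then loads the admin console under /keycloak/admin/."""
    return [select_route(vs, p) for p in ("/keycloak", "/auth/", "/keycloak/admin/")]


if __name__ == "__main__":
    for name, vs in (("question", VS_BROKEN), ("answer", VS_FIXED)):
        print(name, "problems:", check_destinations(vs, SERVICES))
        for step in login_flow(vs):
            print("  ", step if step else "404 at ingress gateway")
```

With the question's manifest the first request is forwarded to a Service named `keycloak`, which does not exist, and even with that fixed the redirect to `/auth/` and every `/keycloak/...` sub-path fall outside the `exact` match and 404 at the gateway. Two further points a practitioner would add before exposing this: `hosts: "*"` on both the Gateway and the VirtualService accepts any Host header, so pin it to the real FQDN and serve HTTPS once the routing works; and because `prefix` is a string prefix, a `prefix: /keycloak/` rewritten to `/auth` would turn `/keycloak/admin` into `/authadmin`, so keep the prefix and rewrite target shaped the same way (no trailing slash on either, as the answer does).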
Source: StackOverflow