Hello there. If you came here, I guess you are also tired of searching for how to deploy Keycloak with Ingress (Nginx) in Kubernetes (K8s). I ran into some issues whose solutions are not easy to find, so I'm here to make sure you don't go through the pain I went through 😅 So let's start.
Prerequisites
Kubernetes cluster (can be created with kOps), Ingress Controller (Nginx)
Step I
Select which chart you want to use; there are 2 Helm charts.
Feel free to use either of these; you can just google them or click on the links provided above. For this example we'll use the Bitnami Keycloak chart; personally I think it's easier to deploy with this chart.
Step II
So I guess you decided to use the Bitnami chart too. There are a few things you need to take care of, otherwise the deployment will fail.
NOTICE
Make sure you have set the password for the external database by passing it in values.yaml:
externalDatabase.password
postgresql.auth.password
These 2 fields should have the same value; otherwise you'll run into a Postgres error and the pod will go into CrashLoopBackOff.
Since we are using Nginx as the Ingress Controller, we are going to enable the ingress:
ingress.enabled
ingress.hostname
ingress.pathType
I hope you are finding these values in values.yaml and overwriting them. Now the most important thing: we are using an Application Load Balancer in our case (I'll attach a link on how to do that soon).
I have configured it in such a way that all traffic before the ALB is HTTPS and from there on it is HTTP. If you have the same case,
make sure you have made this change:
proxy: edge
You can configure the username and its password as well; I hope you'll find the values.
Now you can deploy the Helm chart with the updated values and then wait a few seconds, as it will take some time. Grab a water bottle for yourself 🍾.
Step III
To confirm that it's running successfully, try the kube-proxy command to proxy the port to your local system and see if it's running. If yes, we can move forward; if not 🥺 please check the configuration you have made or feel free to ask in the comments.
Step IV
If you did this step while setting up the ingress, well and good; if not, you are like me 😊.
Keycloak needs some headers to work behind a proxy, as mentioned here
We need to configure our Nginx Ingress Controller to pass the headers. After digging for 5 days I found this:
We need to create a ConfigMap which contains the following data:
kind: ConfigMap
apiVersion: v1
metadata:
  name: <chart-name-with-which-deployed>-nginx-ingress-controller
  namespace: <namespace-in-which-deployed-nginx-ingress-controller>
data:
  use-forwarded-headers: "true"
  forwarded-for-header: "X-Forwarded-For"
Make sure the name is correct, otherwise it will not work. To verify it's working, see the logs of the pod
nginx-controller-nginx-ingress-controller
You'll see something like
Found the configmap needed to reload backend, reload complete
Not exactly, but something like this, and you're done.
Now go to the hostname associated with Keycloak and you'll be able to access the admin panel without issue.
Let's Discuss the Errors if These Steps Are Not Completed
First, if you didn't set the password, whenever you upgrade the Helm chart you'll lose the connection with Postgres: the default password is randomly generated and will change after the upgrade, so make sure you have provided the password.
Second, if the headers are not making it through the Ingress, you'll not be able to access the admin console; instead you'll be stuck at
/admin/master/console
If it's already configured, you'll not face this error.
Third, too many redirects
This is due to proxy=passthrough, which leads to this error.
It's the default value, so if your TLS terminates at a load balancer or proxy in front of Keycloak, you have to use
proxy: edge
and it will start working
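A pre-deploy check for the three errors above, as an added example that is not part of the original post or of the Bitnami chart. It assumes values.yaml and the controller ConfigMap have already been parsed into Python dicts, takes the passthrough default from this post, and uses hypothetical function names and constructed sample values.

```python
# Added example: lint parsed Helm values and ConfigMap data (hypothetical helpers).

def get(values, dotted, default=None):
    """Look up a dotted key such as 'postgresql.auth.password' in nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def lint_keycloak_values(values, tls_terminated_upstream=True):
    """Return finding IDs for a dict of Keycloak chart values."""
    findings = []
    ext = get(values, "externalDatabase.password")
    pg = get(values, "postgresql.auth.password")
    if not ext or not pg:
        findings.append("db-password-unset")      # random default changes on upgrade
    elif ext != pg:
        findings.append("db-password-mismatch")   # Postgres error, pod crash loop
    if get(values, "ingress.enabled") is not True:
        findings.append("ingress-disabled")
    elif not get(values, "ingress.hostname"):
        findings.append("ingress-hostname-missing")
    # Assumption taken from the post: the chart default for proxy is passthrough.
    if tls_terminated_upstream and get(values, "proxy", "passthrough") != "edge":
        findings.append("proxy-not-edge")         # too many redirects
    return findings

def lint_controller_configmap(data):
    """Return finding IDs for the ingress controller ConfigMap 'data' mapping."""
    findings = []
    flag = data.get("use-forwarded-headers")
    if flag is True:
        findings.append("forwarded-headers-not-string")  # unquoted true is a bool, not a string
    elif flag != "true":
        findings.append("forwarded-headers-off")         # stuck at /admin/master/console
    return findings

# Constructed sample input (not from a real deployment).
SAMPLE_VALUES = {
    "externalDatabase": {"password": "example-pass-1"},
    "postgresql": {"auth": {"password": "example-pass-2"}},
    "ingress": {"enabled": True, "hostname": "keycloak.example.com", "pathType": "Prefix"},
}

if __name__ == "__main__":
    print(lint_keycloak_values(SAMPLE_VALUES))
    print(lint_controller_configmap({"use-forwarded-headers": True}))
```

ConfigMap data values must be strings, which is why the check treats an unquoted true as its own finding.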
And, my friend, if you have done all this right, you will be able to see the login screen of the admin console.
Thank you for reading this long post; I hope it helps you.
Feel free to ask any questions.
Top comments (5)
Hi, I'm not able to impersonate users in the admin console, it gives me a 502 error. I tried with the LoadBalancer service type and it works.
Just resolved it, I had to configure the header buffer size in the ingress-nginx controller configmap.
Hi, thanks for sharing.
I'm not able to access keycloak admin panel.
Also I'm using nginx ingress controller deployed via helm chart.
Hi, did you check the error that I mentioned?
Hi, thank you for posting.
Have you come across something like persisting Keycloak user sessions to external storage (in case Keycloak crashes)?