Ashutosh Singh for AWS Community Builders

KeyCloak with Nginx Ingress

Hello there! If you came here, I guess you are also tired of searching for a way to deploy KeyCloak with an Ingress (Nginx) in Kubernetes (K8s). I have faced some issues whose solutions are not openly available, so I'm here to make sure you don't go through the pain I have gone through 😅. So let's start.

Prerequisites

A Kubernetes cluster (can be created with KOps) and an Ingress Controller (Nginx).

Step I

Select which chart you want to use. There are 2 Helm charts:

Bitnami KeyCloak
Codecentric KeyCloak

Feel free to use either of these; you can just google them or click on the links provided above. For this example we'll use the Bitnami KeyCloak chart; personally, I think it's easier to deploy with this chart.

Step II

So I guess you decided to use the Bitnami chart too. There are a few things you need to take care of, otherwise the deployment will fail.

NOTICE

Make sure you have set the password for the external database by passing it in values.yaml:

externalDatabase.password

postgresql.auth.password

These 2 fields should have the same value, otherwise you'll run into a Postgres error and the pod will go into CrashLoopBackOff.
And since we are using Nginx as the Ingress Controller, we are going to enable the ingress:

ingress.enabled

ingress.hostname

ingress.pathType

I hope you are finding these values in values.yaml and overwriting them. Now the most important thing: we are using an Application Load Balancer in our case (I'll attach a link on how to do that too, soon).
I have configured it in such a way that before the ALB all traffic is HTTPS and from there on it is HTTP. If you have the same case, make sure you have made this change:

proxy: edge

You can configure the username and its password as well; I hope you'll find the values.

Now you can deploy the Helm chart with the updated values and then wait for a few seconds, as it will take some time. Grab a water bottle for yourself 🍾.

Step III

To confirm that it's running successfully, try the kube-proxy command to proxy the port to your local system and see if it's running. If yes, we can move forward; if not 🥺, please check the configuration you have made, or feel free to ask in the comments.

Step IV

If you have done this step while setting up the ingress, well and good, but if not, you are like me 😊.

KeyCloak needs some headers to work behind a proxy, as mentioned here.

We need to configure our Nginx Ingress Controller to pass the headers on. After digging for 5 days I found this:
we need to create a ConfigMap which contains the following data


kind: ConfigMap
apiVersion: v1
metadata:
  name: <chart-name-with-which-deployed>-nginx-ingress-controller
  namespace: <namespace-in-which-deployed-nginx-ingress-controller>
data:
  # pass the X-Forwarded-* headers set by the load balancer through to KeyCloak
  use-forwarded-headers: "true"
  forwarded-for-header: "X-Forwarded-For"

Make sure the name is correct, otherwise it will not work. To verify it's working, see the logs of the pod

nginx-controller-nginx-ingress-controller

You'll see something like

Found the configmap needed to reload backend, reload complete

Not exactly, but something like this, and you're done.

Now go to the hostname associated with KeyCloak; you'll be able to access the admin panel without issue.

Let's Discuss the Errors if These Steps Are Not Completed

First, if you didn't set the password, whenever you upgrade the Helm chart you'll lose the connection with Postgres: the default password is randomly generated and will change after an upgrade, so make sure you have provided the password.

Second, if the headers are not making it through the Ingress, you'll not be able to access the admin console; instead you'll be stuck at

/admin/master/console

If it's already configured, you'll not face this error.

Third, too many redirects.

This error is due to proxy=passthrough, which is the default value. So if your TLS terminates at the load balancer or proxy in front of KeyCloak, you have to use

proxy: edge

and it will start working
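
A way to check that the forwarded headers from Step IV actually reach KeyCloak, as an added example (not code from the original post or from the KeyCloak project): it inspects the realm's OpenID Connect discovery document and flags every advertised URL that is not on the public HTTPS origin. It assumes KeyCloak builds these URLs from the forwarded headers and serves the document under /realms/master; the hostname and the sample document are constructed.

```python
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample: a discovery document as it can look when the
# X-Forwarded-* headers never reach KeyCloak (placeholder hostname).
BROKEN = json.dumps({
    "issuer": "http://keycloak.example.com/realms/master",
    "token_endpoint": "http://keycloak.example.com/realms/master/protocol/openid-connect/token",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://keycloak.example.com/realms/master/protocol/openid-connect/token"
    },
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def iter_urls(node, path=""):
    """Yield (json_path, url) for every absolute URL in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{index}]")
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield path, node


def check_discovery(doc_json, public_host):
    """Return (json_path, reason) for each URL not on https://public_host."""
    findings = []
    for path, url in iter_urls(json.loads(doc_json)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((path, "http scheme: forwarded proto not applied"))
        elif parts.hostname != public_host:
            findings.append((path, f"unexpected host {parts.hostname}"))
        elif parts.port not in (None, 443):
            findings.append((path, f"internal port {parts.port} exposed"))
    return findings


if __name__ == "__main__":
    # Usage: python check_discovery.py <public-hostname>  (realm path is assumed)
    host = sys.argv[1]
    url = f"https://{host}/realms/master/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        findings = check_discovery(resp.read().decode(), host)
    print(findings or "all advertised URLs are on the public https origin")
```

An empty result means every endpoint KeyCloak advertises matches the hostname and scheme that clients use through the load balancer.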

And, my friend, if you have done all this right, you will be able to see the login screen of the admin console.

Thank you for reading this far; I hope it helps you.

Feel free to ask any questions.

Top comments (5)

Andres Guerrero

Hi I'm not able to impersonate users in the admin console, it gives me 502 error, I tried with LoadBalancer service type and it works.

Andres Guerrero

just resolved it, I had to configure the header buffer size in the ingress-nginx controller configmap

Ketul Radadiya

Hi, thanks for sharing.
I'm not able to access keycloak admin panel.

/admin/master/console

Also I'm using nginx ingress controller deployed via helm chart.

Ashutosh Singh

Hi, did you check the error that I mentioned?

RP

Hi, thank you for posting.
Have you come across something as persisting Keycloak user sessions to external storage (in case Keycloak crashes)?