Ashutosh Singh for AWS Community Builders

KeyCloak with Nginx Ingress

Hello there. If you came here, I guess you are also tired of searching for a way to deploy KeyCloak with an Ingress (Nginx) in Kubernetes (K8s). I ran into some issues whose fixes are not easy to find, so I'm here to make sure you don't go through the pain I went through 😅. Let's start.

Prerequisites

A Kubernetes cluster (can be created with kOps) and an Ingress Controller (Nginx).

Step I

Select which chart you want to use. There are 2 Helm charts:

Bitnami KeyCloak
Codecentric KeyCloak

Feel free to use either of these; you can just google them or click on the link provided above. For this example we'll use the Bitnami KeyCloak chart; personally I think it's easier to deploy with this chart.

Step II

So I guess you decided to use the Bitnami chart too. There are a few things you need to take care of, otherwise the deployment will fail.

NOTICE

Make sure you have set the password for the external database by passing it in values.yaml:

externalDatabase.password

postgresql.auth.password

These 2 fields should have the same value, otherwise you'll run into a Postgres error and the pod will go into CrashLoopBackOff.
And since we are using Nginx as the Ingress Controller, we are going to enable the ingress:

ingress.enabled

ingress.hostname

ingress.pathType

I hope you are finding these values in values.yaml and overwriting them. Now the most important thing: we are using an Application Load Balancer in our case (I'll attach a link on how to do that soon).
I have configured it in such a way that all traffic before the ALB is HTTPS and from there on it is HTTP. If you have the same case,
make sure you have made this change:

proxy: edge

You can configure the username and its password as well; I hope you'll find the values.

Now you can deploy the Helm chart with the updated values and then wait a few seconds, as it will take some time. Grab a water bottle for yourself 🍾.

Step III

To confirm that it's running successfully, try the kube-proxy command to proxy the port to your local system and see if it's running. If yes, then we can move forward; if not 🥺, please check the configuration that you have made or feel free to ask in the comments.

Step IV

If you already did this step while setting up the ingress, well and good; if not, you are like me 😊.

KeyCloak needs some headers to work behind a proxy, as mentioned here.

We need to configure our Nginx Ingress Controller to pass the headers. After digging for 5 days I found this:
we need to create a ConfigMap which contains the following data:


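kind: ConfigMap
apiVersion: v1
metadata:
  name: <chart-name-with-which-deployed>-nginx-ingress-controller
  namespace: <namespace-in-which-deployed-nginx-ingress-controller>
data:
  # Pass the X-Forwarded-* headers set by the load balancer on to KeyCloak.
  # Only enable this when the controller sits behind a proxy or load balancer
  # you trust, because the incoming header values are then taken as-is.
  use-forwarded-headers: "true"
  forwarded-for-header: "X-Forwarded-For"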

Make sure the name is correct, otherwise it will not work. To verify it's working, see the logs of the pod

nginx-controller-nginx-ingress-controller

You'll see something like

Found the configmap needed to reload backend, reload complete

Not exactly, but something like this, and you're done.

Now go to the hostname associated with KeyCloak; you'll be able to access the admin panel without issue.

Let's Discuss the Errors if These Steps Are Not Completed

First, if you didn't set the password, you'll lose the connection with Postgres whenever you upgrade the Helm chart: the default password is randomly generated, so it will change after the upgrade. Make sure you have provided the password.

Second, if the headers are not making it through the Ingress, you'll not be able to access the admin console; instead you'll be stuck at

/admin/master/console

If it's already configured, you'll not face this error.

Third, too many redirects.

This error is caused by proxy=passthrough,
which is the default value. So if your TLS terminates at the load balancer or proxy in front of KeyCloak, you have to use

proxy: edge

and it will start working.
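The three failure modes above can be caught before deploying. The check below is an added example, not code from the original post or from either chart; the function names and finding codes are hypothetical, and the sample inputs are constructed. It assumes the Helm values and the controller ConfigMap are available as parsed dicts (for instance loaded from `helm get values <release> -o json` and `kubectl get configmap <name> -o json`).

```python
def lookup(doc, dotted, default=None):
    """Walk a nested dict using a dotted key such as 'postgresql.auth.password'."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return default
        doc = doc[part]
    return doc

def check_values(values, tls_ends_at_lb=True):
    """Return finding codes for the chart-value pitfalls described in the post."""
    findings = []
    ext = lookup(values, "externalDatabase.password")
    pg = lookup(values, "postgresql.auth.password")
    if not ext or not pg:
        findings.append("db-password-unset")      # random password changes on upgrade
    elif ext != pg:
        findings.append("db-password-mismatch")   # Postgres error, pod crash-loops
    if lookup(values, "ingress.enabled") is not True:
        findings.append("ingress-disabled")
    elif not lookup(values, "ingress.hostname"):
        findings.append("ingress-hostname-missing")
    # The post states passthrough is the default, so a missing key counts as passthrough.
    if tls_ends_at_lb and lookup(values, "proxy", "passthrough") != "edge":
        findings.append("proxy-not-edge")         # "too many redirects"
    return findings

def check_controller_configmap(cm):
    """Return finding codes for the ingress controller ConfigMap from Step IV."""
    data = cm.get("data") or {}
    # ConfigMap values are strings, so the YAML must carry "true" in quotes.
    return [] if data.get("use-forwarded-headers") == "true" else ["forwarded-headers-off"]

# Constructed sample inputs (placeholders, not taken from a real cluster).
BROKEN_VALUES = {
    "externalDatabase": {"password": "example-a"},
    "postgresql": {"auth": {"password": "example-b"}},
    "ingress": {"enabled": True, "hostname": "keycloak.example.com"},
}
FIXED_VALUES = {**BROKEN_VALUES, "postgresql": {"auth": {"password": "example-a"}}, "proxy": "edge"}
BROKEN_CM = {"data": {"forwarded-for-header": "X-Forwarded-For"}}

if __name__ == "__main__":
    print(check_values(BROKEN_VALUES), check_values(FIXED_VALUES))
    print(check_controller_configmap(BROKEN_CM))
```

Pass `tls_ends_at_lb=False` when TLS is not terminated in front of KeyCloak, since the `proxy: edge` requirement in the post applies only to that setup.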

And, my friend, if you have done all this right, you will be able to see the login screen of the admin console.

Thank you for reading this far; I hope it helps you.

Feel free to ask any questions.
