
Deploying Keycloak on Kubernetes with Cloudflare Reverse Proxy

I am working on a project where I'm deploying Keycloak on a Kubernetes (K8s) cluster, with Cloudflare serving as a reverse proxy using Cloudflare Tunnels. The architecture is set up as follows:

  • A Cloudflare Tunnel is configured to forward incoming HTTPS traffic from the domain sso.example.com to my Kubernetes cluster.
  • Then, the Ingress Controller in the Kubernetes cluster routes this incoming traffic to the Keycloak pod. This traffic is unencrypted (HTTP, port 8080).

The main Keycloak server is deployed as a container in the K8s cluster, with the Ingress configured to route traffic from the host at port 80 to Keycloak's cluster IP, which forwards traffic to the actual Keycloak pod serving at port 8080.

Below is my K8s deployment config for Keycloak:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:21.0.2
        args: ["start"]
        env:
        - name: KC_PROXY
          value: "edge"
        - name: KC_HOSTNAME_STRICT
          value: "false"
        - name: KC_HOSTNAME_STRICT_BACKCHANNEL
          value: "false"
        - name: KC_HOSTNAME
          value: "sso.example.com"
        - name: KC_HTTP_ENABLED
          value: "true"
        ports:
        - name: http
          containerPort: 8080

(Some env variables like DB configs are omitted for simplicity)

The problem I am having is that I am unable to access the admin console on my Keycloak server using https, despite being able to access the welcome page at sso.example.com. When accessing the admin console, the page gets stuck at "Loading Admin UI" and the console logs the error GET https://sso.example.com/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console&origin=https%3A%2F%2Fsso.example.com (403 Forbidden).

I have seen https://github.com/keycloak/keycloak/issues/15107, but I am not sure how to set the X-Forwarded-For header with Cloudflare Tunnels.

I have also tried adding

- name: KC_HOSTNAME_ADMIN
  value: "sso.example.com"

to the deployment config, but it still results in the same error.

However, if I deploy the server with ['start-dev'] instead of ['start'], the 403 error is gone, but there is a new error: Refused to frame 'http://sso.example.com/' because it violates the following Content Security Policy directive: "frame-src 'self'". It seems like the iframe isn't being served over https, even though I have configured Cloudflare to automatically rewrite all URLs to https.

Lastly, the admin console will load and work if I combine the option ['start-dev'] with changing the Cloudflare SSL/TLS encryption mode to OFF and access the console over http.

I want to deploy with HTTPS while being able to access the admin console, please help.
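A debugging aid for the situation described above, added here and not part of the question: Keycloak's edge proxy mode reconstructs the public scheme and host from the X-Forwarded-Proto and X-Forwarded-Host headers, so the first thing to verify is whether the Cloudflare Tunnel plus Ingress chain actually delivers them to the pod. This small Python server can be swapped in for the Keycloak container temporarily on the same port; the `derive_external_origin` helper is a hypothetical model of that reconstruction, not Keycloak's own code.

```python
"""Echo server: report which forwarded headers reach a backend behind a proxy chain.

Deploy in place of the Keycloak container (same port 8080, so the Service and
Ingress need no change) and request https://sso.example.com/ through Cloudflare.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json


def derive_external_origin(headers, local_scheme="http", local_host="localhost:8080"):
    """Return (origin, problems).

    origin   - the public origin a proxy-aware app would rebuild from the
               X-Forwarded-Proto / X-Forwarded-Host headers (hypothetical model
               of the convention; falls back to the local listener otherwise).
    problems - human-readable notes for each header that is missing.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    # Several proxies may append comma-separated values; the first is the
    # edge-facing one (what the browser actually used).
    proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", "").split(",")[0].strip()
    if not proto:
        problems.append("X-Forwarded-Proto missing: app will build http:// URLs")
        proto = local_scheme
    if not host:
        problems.append("X-Forwarded-Host missing: app will use its internal host")
        host = local_host
    return f"{proto}://{host}", problems


class EchoHandler(BaseHTTPRequestHandler):
    """Answer every GET with the derived origin and the raw headers received."""

    def do_GET(self):
        origin, problems = derive_external_origin(self.headers)
        body = json.dumps({"derived_origin": origin, "problems": problems,
                           "headers": dict(self.headers)}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

If the JSON shows a derived origin of http://... or a non-empty problems list, the proxy chain is dropping the forwarded headers before they reach the pod.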
