camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0

sso-kubernetes Cluster doesn't start on Kubernetes engine in Docker desktop #175

Closed ingorichtsmeier closed 3 months ago

ingorichtsmeier commented 10 months ago

Hi @VonDerBeck,

I've spent some time recently with your sso-kubernetes example to answer a question from a customer and could not get it running on my local Kubernetes engine in Docker Desktop.

Running the k8s-deploy.sh script, only the two pods with keycloak and postgres start successfully.

The Camunda pod fails with an exception:

2023-12-22 10:10:42 Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http://armstrong02/auth/realms/camunda/.well-known/openid-configuration": Connect timed out
2023-12-22 10:10:42 at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:888) ~[spring-web-6.0.12.jar:6.0.12]
2023-12-22 10:10:42 at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:868) ~[spring-web-6.0.12.jar:6.0.12]
2023-12-22 10:10:42 at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:714) ~[spring-web-6.0.12.jar:6.0.12]
2023-12-22 10:10:42 at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163) ~[spring-security-oauth2-client-6.1.4.jar:6.1.4]
2023-12-22 10:10:42 at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216) ~[spring-security-oauth2-client-6.1.4.jar:6.1.4]
2023-12-22 10:10:42 ... 111 common frames omitted

After my experiments, I have some questions about this example:

I've tried with a different setup and changed the KEYCLOAK_URL_AUTH in deployment.yaml to point to the keycloak pod, and the server starts successfully.

            - name: KEYCLOAK_URL_AUTH
            # value: http://armstrong02/auth
              value: http://keycloak-server-service:8080/auth

But I'm unsure how this change affects the Spring Boot setup.

VonDerBeck commented 10 months ago

@ingorichtsmeier

The local Kubernetes setup requires some prerequisites and configuration...

1.) Install ingress in your local Docker Desktop Kubernetes instance with something like this:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch

2.) Find out your local hostname (e.g. type hostname in PowerShell on Windows), then replace armstrong02 with your own hostname in the configuration files. Spring Security will redirect unauthenticated requests from a browser to this URL. The configuration under k8s/localhost does the rest of the trick. Your browser can handle your local hostname without problems. But requests inside Kubernetes need to use the IP of host.docker.internal from inside a pod.
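A small preflight script for the two steps above, added here as an example (it is not part of the sso-kubernetes project nor @VonDerBeck's code): it substitutes the placeholder hostname in the YAML files and lets you probe the OIDC discovery URL from a throwaway pod, so the Connect timed out failure surfaces before the Camunda pod is deployed. The placeholder armstrong02, the realm name camunda and the config directory come from the issue; the curl image and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Prepares the local k8s config and checks
# that the OpenID discovery endpoint is reachable from inside the cluster.
set -eu

# Replace the placeholder hostname (e.g. armstrong02) in every *.yaml file
# under a directory. Portable sed (no -i) so it works on Linux and macOS.
replace_placeholder_host() {
  dir="$1"; placeholder="$2"; newhost="$3"
  find "$dir" -name '*.yaml' | while read -r f; do
    sed "s/$placeholder/$newhost/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Build the discovery URL Spring Security fetches at startup
# (KEYCLOAK_URL_AUTH + /realms/<realm>/.well-known/openid-configuration).
discovery_url() {
  base="${1%/}"; realm="$2"
  printf '%s/realms/%s/.well-known/openid-configuration' "$base" "$realm"
}

# Probe the discovery URL from a short-lived pod and print the HTTP status.
# Anything other than 200 (or a timeout) means the Camunda pod would fail
# the same way the stack trace in the issue shows. Assumed image: curlimages/curl.
probe_from_cluster() {
  url="$1"
  kubectl run oidc-probe --rm -i --restart=Never --image=curlimages/curl -- \
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$url"
}

# Usage (only when run directly with --run): ./preflight.sh --run <dir> <host>
if [ "${1:-}" = "--run" ]; then
  replace_placeholder_host "$2" armstrong02 "$3"
  probe_from_cluster "$(discovery_url "http://$3/auth" camunda)"
fi
```

Run the probe once with your hostname and once with host.docker.internal to see which one the pod network can actually reach.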