codecentric / helm-charts

A curated set of Helm charts brought to you by codecentric
Apache License 2.0

Keycloak-x: How to block console (/auth) access on default ingress? #788

Closed skripted-io closed 2 weeks ago

skripted-io commented 3 months ago

The Keycloak-x helm chart provides two ingress resources where the first one is default and the second is for console access only.

See https://github.com/codecentric/helm-charts/blob/master/charts/keycloakx/README.md

However, enabling the second ingress still leaves the /auth path exposed on the default ingress resource.

How can the admin console be disabled on the default ingress?

I read about people adding a WAF to the default ingress, but I'd rather just remove the path entirely.

(Using Keycloak behind an AWS ALB)

Thanks.

darioef commented 3 months ago

/auth needs to be exposed because almost all of the application is under that endpoint, but you can explicitly tell the public ingress to expose only the needed endpoints.

This is an example of my configuration; just add these rules to ingress.rules in your values:

ingress:
    rules:
      - host: auth.mydomain.com
        paths:
          - path: "/auth/realms/(?!master).*"
            pathType: Prefix
      - host: auth.mydomain.com
        paths:
          - path: "/auth/js/"
            pathType: Prefix
      - host: auth.mydomain.com
        paths:
          - path: "/auth/resources/"
            pathType: Prefix
      - host: auth.mydomain.com
        paths:
          - path: "/auth/robots.txt"
            pathType: Prefix

In my first rule I also exclude the "master" realm. Don't want it to be public.

Here's a list of exposed paths recommendations by Keycloak: https://www.keycloak.org/server/reverseproxy (under Exposed path recommendations).

Hope it helps.
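As an added sanity check, not code from this issue, the chart or Keycloak, the script below models the public-ingress rules from the answer above the way a regex-capable ingress controller (e.g. ingress-nginx with `use-regex`) evaluates a `pathType: Prefix` rule, i.e. anchored at the start of the request path, and reports which request paths would still reach Keycloak. The rule representation, the matching semantics and the sample request paths are assumptions made for illustration; verify them against your own controller, since not every controller (the AWS ALB setup the asker mentions included) interprets a regex in `path`.

```python
import re

# Constructed copy of the public-ingress rules from the answer above.
# (path, is_regex): the realm rule is a regex, the others are literal prefixes.
PUBLIC_RULES = [
    (r"/auth/realms/(?!master).*", True),
    ("/auth/js/", False),
    ("/auth/resources/", False),
    ("/auth/robots.txt", False),
]


def compile_rule(path: str, is_regex: bool):
    """Return a predicate for one pathType: Prefix rule.

    Assumption: the controller anchors every rule at the start of the request
    path (prefix semantics). Literal rules are escaped so '.' in robots.txt is
    not treated as a regex wildcard.
    """
    pattern = re.compile(path if is_regex else re.escape(path))
    return lambda request_path: pattern.match(request_path) is not None


MATCHERS = [compile_rule(p, r) for p, r in PUBLIC_RULES]


def is_exposed(request_path: str) -> bool:
    """True if any public-ingress rule would route request_path to Keycloak."""
    return any(matcher(request_path) for matcher in MATCHERS)


def audit(request_paths):
    """Map each request path to whether the public ingress exposes it."""
    return {p: is_exposed(p) for p in request_paths}


# Constructed sample request paths: normal realm traffic, the master realm,
# the admin console and a few operational endpoints that should stay internal.
SAMPLE_PATHS = [
    "/auth/realms/myrealm/protocol/openid-connect/auth",
    "/auth/realms/myrealm/.well-known/openid-configuration",
    "/auth/realms/master/protocol/openid-connect/token",
    "/auth/admin/master/console/",
    "/auth/js/keycloak.js",
    "/auth/resources/abc/login/keycloak/css/login.css",
    "/auth/robots.txt",
    "/auth/",
    "/auth/metrics",
    "/auth/health",
]

if __name__ == "__main__":
    for path, exposed in audit(SAMPLE_PATHS).items():
        print(f"{'EXPOSED' if exposed else 'blocked'}  {path}")
```

Two things the check makes visible: the admin console, `/auth/metrics` and `/auth/health` are not reachable through the public ingress once only these rules remain, and the negative lookahead `(?!master)` is not anchored to a path separator, so a realm whose name merely starts with `master` (say `master2`) would be blocked as well; add a `/` after `master` in the lookahead if that matters to you.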

github-actions[bot] commented 1 month ago

This issue has been marked as stale because it has been open for 30 days with no activity. It will be automatically closed in 10 days if no further activity occurs.