keycloak / keycloak-operator

ARCHIVED Kubernetes Operator for the no longer supported WildFly distribution of Keycloak
Apache License 2.0

How to expose the keycloak service into https with Azure application gateway ingress controller #557

Closed ADiTuri closed 1 year ago

ADiTuri commented 2 years ago

Describe the bug

I would like to expose the keycloak service to a public ip bound to the application gateway in azure. The health probe reports this error:

The Common Name (CN) of the backend server certificate does not match the host header 
entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). 
Verify if the hostname matches with the CN of the backend server certificate.

I saw that the keycloak-operator ingress is using nginx ingress controller. Is it possible to use the azure ingress controller (application gateway)?

Below please find attached the ingress I am trying to use with the azure ingress controller.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    appgw.ingress.kubernetes.io/backend-hostname: keycloak.local
    appgw.ingress.kubernetes.io/backend-protocol: https
    appgw.ingress.kubernetes.io/health-probe-path: /auth/
    kubernetes.io/ingress.class: azure/application-gateway
  creationTimestamp: "2022-06-22T15:25:49Z"
  generation: 5
  labels:
    app: keycloak
  name: keycloak
  namespace: my-keycloak-operator
  ownerReferences:
  - apiVersion: keycloak.org/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Keycloak
    name: mykeycloak
    uid: a63cb2f8-eb1e-4915-9d61-42bfb293906b
  resourceVersion: "702155"
  uid: a777f6b3-51a5-4b4b-a00f-512e44a514a5
spec:
  rules:
  - host: keycloak.local
    http:
      paths:
      - backend:
          service:
            name: keycloak
            port:
              number: 8443
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer:
    ingress:
    - ip: 20.79.226.201

Where can I find the certificate to read the CN? Should I upload a certificate myself and load it into the Keycloak pod using the sso-x509-https-secret secret? Is there a way to let keycloak work in http only?

Documentation is not very clear on how certificates are internally handled.

Version

v0.21.2

Expected behavior

The admin page should come into the public ip using the ingress resource.

Actual behavior

502 gateway error due to the probe not being passed because of the underlined error.

How to Reproduce?

Anything else?

No response

ahatting commented 1 year ago

I ran into the same issue. To work around this, I first created the ingress in Azure (generating the certificate and saving as a secret with the name sso-x509-http-secret) and then deployed Keycloak. This will ensure the keycloak-operator will use that certificate.
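
Added example (not code from the issue or the keycloak-operator project): a POSIX shell script that generates a certificate whose CN and SAN equal the keycloak.local backend-hostname from the Ingress above and checks it the same way a TLS client (and so the Application Gateway probe) does, so the CN mismatch can be caught before the secret is created. It assumes OpenSSL 1.1.1 or later on PATH; the namespace my-keycloak-operator and the secret name sso-x509-https-secret are taken from the question, and the kubectl step is shown but not run.

```shell
#!/bin/sh
# Added example, not code from the keycloak-operator project.
# Assumes: OpenSSL 1.1.1+ on PATH; hostname keycloak.local, namespace
# my-keycloak-operator and secret name sso-x509-https-secret come from the issue.
set -eu

# Generate a self-signed cert whose CN and SAN both equal the hostname that
# the appgw backend-hostname annotation sends in the probe's host header.
# Usage: gen_backend_cert <hostname> <output-dir>
gen_backend_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2/tls.key" -out "$2/tls.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# Show the names the probe compares against: subject (CN) and SANs.
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Exit 0 when the cert is valid for <hostname>, 1 otherwise (the same
# hostname check a TLS client performs, which is what the probe fails on).
# Usage: cert_matches_host <cert.pem> <hostname>
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Cluster side (not run here, needs kubectl): create the secret the operator
# picks up, before deploying Keycloak as described in the comment above.
create_tls_secret() {
  kubectl -n my-keycloak-operator create secret tls sso-x509-https-secret \
    --cert="$1/tls.crt" --key="$1/tls.key"
}

# To inspect the cert already in the cluster instead of a fresh one:
#   kubectl -n my-keycloak-operator get secret sso-x509-https-secret \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject

# Demo: a cert for keycloak.local passes; the same cert checked against
# another host name fails, reproducing the probe's CN mismatch.
demo() {
  dir=$(mktemp -d)
  gen_backend_cert keycloak.local "$dir"
  cert_names "$dir/tls.crt"
  cert_matches_host "$dir/tls.crt" keycloak.local && echo "keycloak.local: probe host matches"
  cert_matches_host "$dir/tls.crt" sso.example.net || echo "sso.example.net: CN mismatch"
  rm -rf "$dir"
}
demo
```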

stianst commented 1 year ago

Thanks (again) for reporting this issue. Keycloak 19 was the last version that included this legacy Operator, and with the release of Keycloak 20 the Operator reached EOL and this repository will be archived, please see our blog post on this topic. If this issue is still valid for the Realm Operator, please re-open it there. Thanks for your understanding. And be sure to check out our new Operator!