nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Kubernetes redirect with kong ingress controller #94

Closed mountaineerduke closed 5 years ago

mountaineerduke commented 5 years ago

I'm trying to use the nokia-oidc plugin with the kong ingress controller (0.2.2). I can get the controller to set up a service/route for a backend service and everything routes correctly. Once I set up the plugin, however, I am not rerouted to the login page (I am using keycloak for the backend OAuth). Have you ever deployed the plugin with kubernetes, and if so, how do you handle the routing?

I set up the introspection endpoint to be http://10.1.0.73:8080/auth/realms/gccs-je/protocol/openid-connect/token/introspect, where 10.1.0.73 is the host ip of the keycloak pod. The redirect in the chrome debugger looks like this:

http://10.1.0.73:8080/auth/realms/gccs-je/protocol/openid-connect/auth?response_type=code&client_id=echochamber-client&state=4981d0fbf966cbdcda2de1cf20df57ac&redirect_uri=http%3A%2F%2Flocalhost%2Fechochamber%2F&nonce=22ee855bd7c67716cd1ace4a5ed45d08&scope=openid

It never ends up redirecting to the keycloak login page. Any thoughts?

Trojan295 commented 5 years ago

If I understand correctly 10.1.0.73 is the Keycloak pod IP address, right? In this case I believe it's not a routable IP outside the k8s cluster. So making a request from your PC to this IP will timeout. Can you access the Keycloak administration console under http://10.1.0.73:8080?

Besides, have you thought about setting a service/route in your ingress controller to point to Keycloak and using this route to access it? Of course for this route you will need to disable the kong-oidc plugin, to allow accessing it for login.

mountaineerduke commented 5 years ago

I've tried that and kept getting a constant redirect at /auth for keycloak. My best guess is that I probably have something configured incorrectly with the ingress that I've set up. Have you ever deployed the nokia plugin inside a kubernetes cluster to control authorization?

Also, are you aware of any issues with the nokia-oidc plugin and the newest versions of kong (1.x)? An update for konga came out over the weekend to fix compatibility issues caused by changes to the underlying kong admin api. Was wondering if there was anything similar for the plugin.

mountaineerduke commented 5 years ago

I figured out the redirect issue. You are correct; once I got that figured out, it was much easier to do all that with an ingress for keycloak in kong. I'll close this issue. Thanks for your help.

Trojan295 commented 5 years ago

@mountaineerduke, can you elaborate more about what was the exact solution? Did you expose the Keycloak pod via a k8s service and create a route in Kong pointing to it?

mountaineerduke commented 5 years ago

That is exactly what I did. My problem was that I wasn't aware that you needed to provide an extra environment variable in the deployment yaml for keycloak in kubernetes:

- name: PROXY_ADDRESS_FORWARDING
  value: "true"
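The layout the thread converges on (Keycloak exposed through a Kong route that carries no OIDC plugin, the protected backend on a route that does, and Keycloak told to trust the proxy's forwarded headers), written out as an added example. This is not code from the issue thread or from the kong-oidc project. The realm (gccs-je), client id (echochamber-client) and PROXY_ADDRESS_FORWARDING come from the thread; the hostname example.local, the Keycloak image tag, the secret names, the backend service name and the KongPlugin/annotation shape used by ingress controller 0.2.x are assumptions:

```yaml
# Added example, not from the thread or the kong-oidc project.
# Assumed: hostname example.local, image tag, secret names, KIC 0.2.x CRD shape.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: jboss/keycloak:4.8.3.Final   # assumed tag
          env:
            # Make Keycloak honour X-Forwarded-Host/Proto from Kong, so the
            # URLs it builds (login page, redirects) use the public host
            # rather than the pod IP, which the browser cannot reach.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: KEYCLOAK_USER
              valueFrom: { secretKeyRef: { name: keycloak-admin, key: user } }
            - name: KEYCLOAK_PASSWORD
              valueFrom: { secretKeyRef: { name: keycloak-admin, key: password } }
          ports:
            - containerPort: 8080
---
# ClusterIP only: Keycloak must be reachable solely through Kong once it
# trusts forwarded headers, otherwise a direct client could supply its own.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
spec:
  selector:
    app: keycloak
  ports:
    - port: 8080
      targetPort: 8080
---
# Route to Keycloak itself. No OIDC plugin is attached here; with one, the
# login page would itself demand a login, producing the redirect loop at /auth.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: keycloak
spec:
  rules:
    - host: example.local          # placeholder public host
      http:
        paths:
          - path: /auth
            backend:
              serviceName: keycloak
              servicePort: 8080
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: echochamber-oidc
plugin: oidc
config:
  client_id: echochamber-client
  client_secret: CHANGE-ME         # placeholder; do not commit the real value
  # Discovery is fetched through the public host, so the endpoints Keycloak
  # advertises (and the browser is redirected to) are browser-reachable.
  discovery: http://example.local/auth/realms/gccs-je/.well-known/openid-configuration
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echochamber
  annotations:
    plugins.konghq.com: echochamber-oidc   # attaches the plugin (KIC 0.2.x style, assumed)
spec:
  rules:
    - host: example.local
      http:
        paths:
          - path: /echochamber
            backend:
              serviceName: echochamber     # assumed backend service name
              servicePort: 80
```

The distinction worth keeping in mind is which party makes each request. Token introspection is a server-to-server call from Kong, so a cluster-internal address works for it; the authorization redirect is followed by the browser, so the authorization_endpoint in the discovery document must be a public address, which is exactly what the pod IP in the original redirect was not. A quick check after applying this is to fetch the discovery URL through Kong and confirm that every endpoint it lists uses the public host.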