Closed mhutter closed 2 years ago
So 2 things here:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
annotation is not honored and the resulting Route always uses edge
termination -> report as bug to Red Hat, but in the mean time we probably want to implement this in the component instead.keycloak-http.<namespace>.svc
and be generated by OpenShift, or otherwise the cert's root must be added to the route. Service serving certificate secrets can be used for thisOpened Red Hat case #03068352 for the original issue and preparing a workaround in the component.
Can you share the parameters you used for an installation on OCP 4? Because APPUiO Cloud is using parameters that work for an ingress, so Ingress works but not quite "out of the box". Did you also consider https://hub.syn.tools/keycloak/how-tos/openshift-4.html?
When converting from an Ingress to a route, the nginx.ingress.kubernetes.io/backend-protocol: HTTPS annotation is not honored
Yes, that's expected, as its an annotation meant for the nginx controller. It doesn't hurt either and we didn't yet invest much into cleaning up unsupported annotations when a certain distribution is targeted. This component has default values targeting a non-Openshift cluster with nginx as ingress controller.
Can you share the parameters you used for an installation on OCP 4?
Did you also consider https://hub.syn.tools/keycloak/how-tos/openshift-4.html?
Yes, that's what we used to configure initially.
The setup where we discovered those issues have been removed again, but we'll set up a development environment that we can use for investigations soon. Once this is done I'll send a bunch of PRs
I did spot an issue :see_no_evil:
It's a classic YAML indentation problem. The ingress.servicePort
should be beneath helm_values
. This is wrong in the docs.
The config should be:
keycloak_test:
...
helm_values:
ingress:
servicePort: http
Once you fixed this, can you please try again? Meanwhile I'll open a PR
This just saved me so much time for investigation 😂 Thanks!
:)
You might also want to set the database.jdbcParams
to empty string, if you don't want any encryption to DB (in your case maxscale)
Would adding route.openshift.io/termination: "reencrypt"
[1] to keycloak:ingress:annotations
work in your use-case with OpenShift? If so, we could think about adding this to the defaults.
IMHO converting nginx.ingress.kubernetes.io/backend-protocol: HTTPS
should not be done when translating an Ingress to a Route, as it is an annotation specific to NGINX. Otherwise all annotations for the different Ingress implementations would have to be translated.
Is this still an issue here?
Will review when improving OCP4 compatibility
Adding route.openshift.io/termination: "reencrypt"
to the Ingress object fixes the Route to correctly use "reencrypt" as its tlsTermination mode, but still yields an "Application is not available" when accessing it.
I suppose this is caused by the router not trusting the upstream certificate.
I'll try to use a service serving cert instead (which is trusted by default by the router)
Also, I suppose disabling cluster-internal TLS would work but that kinda misses the point of having it in the first place?
We've not invested time to make it work with Openshift + Ingress + reencrypt...
If you do find a working solution, would you mind sharing it?
Ah I think I have it figured out
keycloak-tls
secret from vault or cert-managerservice.beta.openshift.io/serving-cert-secret-name: "keycloak-tls"
annotation to the keycloak-http
serviceI'm currently testing this on our dev instance and will send a PR when ready
Have some PRs :P #89 #90 #91 #92
They are based off each other to avoid merge conflicts on everyone so make sure to rebase them before merging
Steps to Reproduce the Problem
Actual Behavior
Expected Behavior
The application is served