I installed a microk8s cluster on Ubuntu WSL2 and have some services running in that cluster. I want to add security with Keycloak. I have already configured a Deployment, a Service and an Ingress, but for some reason I cannot access Keycloak from the browser.
To test access to Keycloak I have been changing some environment parameters, but I still have no connection to Keycloak.
If I try in the browser with <WLS2_IP>:32292 I get "The connection was reset",
but if I try from the command line using curl from Windows (the host of my WSL2) I get:
curl -vk https://<WLS2_IP>/realms/master
* Trying <WLS2_IP>:32282...
* Connected to <WLS2_IP> (<WLS2_IP>) port 32282
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET /realms/master HTTP/1.1
> Host: <WLS2_IP>:32282
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< content-length: 616
< Cache-Control: no-cache
< Content-Type: application/json;charset=UTF-8
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
<
{"realm":"master","public_key":"<public_key>","token-service":"https://auth.<mydomain>:32282/realms/master/protocol/openid-connect","account-service":"https://auth.<mydomain>:32282/realms/master/account","tokens-not-before":0}* Connection #0 to host <WLS2_IP> left intact
Any ideas?
These are my YAML files:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:26.1.4
          args: ["start"]
          env:
            # keycloak configuration
            - name: KEYCLOAK_ADMIN
              value: admin
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-secret
                  key: password
            # Database configuration
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL_HOST
              value: postgres.database
            - name: KC_DB_URL_DATABASE
              value: keycloak_db
            - name: KC_DB_USERNAME
              value: keycloak_user
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-posgres-pass
                  key: password
            # HTTPS configuration
            - name: KC_HTTP_ENABLED
              value: "false"
            - name: KC_HTTPS_CERTIFICATE_FILE
              value: /etc/keycloak/tls/tls.crt
            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
              value: /etc/keycloak/tls/tls.key
            - name: KC_HTTPS_PORT
              value: "8443"
            # network configuration
            # - name: KC_HOSTNAME_URL
            #   value: "https://auth.<mydomain>"
            - name: KC_HOSTNAME
              value: auth.<mydomain>
            # - name: KC_HOSTNAME_PORT
            #   value: "443"
            # - name: KC_PROXY
            #   value: edge
            # - name: KC_HOSTNAME_STRICT
            #   value: "true"
            # - name: KC_HOSTNAME_STRICT_HTTPS
            #   value: "true"
            # - name: KC_HOSTNAME_STRICT_BACKCHANNEL
            #   value: "false"
          ports:
            # - containerPort: 8080
            #   name: http
            - containerPort: 8443
              name: https
          volumeMounts:
            - name: keycloak-tls-cert
              mountPath: /etc/keycloak/tls
              readOnly: true
          readinessProbe:
            httpGet:
              path: /realms/master
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 120
            timeoutSeconds: 30
      volumes:
        - name: keycloak-tls-cert
          secret:
            secretName: cert-<mydomain>-auth-tls-secret
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: auth
spec:
  type: NodePort
  selector:
    app: keycloak
  ports:
    # - name: http
    #   protocol: TCP
    #   port: 8080
    #   targetPort: 8080
    #   nodePort: 32281
    - name: https
      protocol: TCP
      port: 8443
      targetPort: 8443
      nodePort: 32282
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: auth
  annotations:
    # nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/issuer: "<mydomain>-auth-letsencrypt"
spec:
  tls:
    - hosts:
        - auth.<mydomain>
      secretName: cert-<mydomain>-auth-tls-secret
  rules:
    - host: auth.<mydomain>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8443
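In the curl output above, the realm descriptor advertises token-service and account-service under https://auth.<mydomain>:32282 while the request itself went to <WLS2_IP>:32282. The check below is an added example, not the asker's code: it parses a realm descriptor of exactly that shape (with a constructed placeholder IP and domain) and reports which components of each advertised origin differ from the origin the client actually used, which is the origin clients are sent to for tokens and the account console.

```python
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the curl output: the client connected to the
# WSL2 IP on the NodePort, but Keycloak advertises its hostname instead.
# 192.0.2.10 and auth.example.test are placeholders, not real values.
REQUEST_URL = "https://192.0.2.10:32282/realms/master"
REALM_JSON = json.dumps({
    "realm": "master",
    "public_key": "<public_key>",
    "token-service": "https://auth.example.test:32282/realms/master/protocol/openid-connect",
    "account-service": "https://auth.example.test:32282/realms/master/account",
    "tokens-not-before": 0,
})


def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def check_advertised_origins(request_url, realm_json):
    """Compare the origin used for the request with the origins Keycloak
    advertises in the realm descriptor.
    Returns {endpoint: [mismatching components]}; an empty list means consistent."""
    used = _origin(request_url)
    realm = json.loads(realm_json)
    result = {}
    for key in ("token-service", "account-service"):
        advertised = _origin(realm[key])
        result[key] = [name for name, a, b in zip(("scheme", "host", "port"), used, advertised)
                       if a != b]
    return result


if __name__ == "__main__":
    for endpoint, mismatches in check_advertised_origins(REQUEST_URL, REALM_JSON).items():
        status = "OK" if not mismatches else "mismatch on " + ", ".join(mismatches)
        print(f"{endpoint}: {status}")
```

Feed it the URL you typed and the JSON body curl returned; a non-empty list means a browser following the advertised links will leave the origin that worked.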