Istio's Gateway tls passthrough and keycloak


Gerardo Gómez Rodríguez

Feb 12, 2021, 8:17:27 AM
to keyclo...@googlegroups.com
Hi all,
We are currently integrating keycloak, deployed via Keycloak-operator, with Istio's VirtualService and Gateway.
Is tls mode: PASSTHROUGH the only way to expose the keycloak service to Istio's gateway? E.g.:

VirtualService manifest:
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak
  namespace: istio-system
spec:
  hosts:
    - example.com
  gateways:
    - my-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - example.com
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8443
```

Gateway manifest:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: tls
      number: 443
      protocol: TLS
    tls:
      mode: PASSTHROUGH
```

We would like to host more applications using the same domain name (e.g. example.com for keycloak and example.com/frontend for another frontend service), but because keycloak requires passthrough we need to have a specific gateway for it.

Thank you and best regards.


--

Gerardo Gomez

Cloud Platform Engineer

E ger...@katulu.io


Katulu GmbH

Gertigstraße 48

22303 Hamburg

Amtsgericht Hamburg - HRB 151721

Geschäftsführer: Michael Kühne-Schlinkert, Anne Mareike Schlinkert

Eric Tavela

Apr 3, 2021, 5:31:41 PM
to Keycloak User
Granted, this is a couple of months after the original post, but for the benefit of others (like myself) who were searching for this same info: the Keycloak pods do expose the unencrypted 8080 HTTP port. My solution was to add a new service keycloak-http with port 8080 and the same selector used by the https service (app: keycloak and component: keycloak), terminate TLS at my ingressgateway as usual, and set up a virtual service that uses the unencrypted http service.

Cheerfully,
Eric
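The approach Eric describes, written out as manifests. This is an added example, not code from either poster: it assumes Keycloak runs in the `default` namespace with the labels he names, that a `kubernetes.io/tls` secret called `example-com-cert` for example.com exists in `istio-system`, and it reuses the `my-gateway` name from the original post so the PASSTHROUGH server is replaced by one that terminates TLS.

```yaml
# Added example (not from the thread). Assumed: namespace default, labels
# app/component: keycloak, TLS secret example-com-cert in istio-system.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-http
  namespace: default
spec:
  selector:
    app: keycloak
    component: keycloak
  ports:
  - port: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - example.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE              # TLS ends at the ingress gateway
      credentialName: example-com-cert
      # gateway -> pod hop is plain HTTP unless sidecar mTLS covers it
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak
  namespace: istio-system
spec:
  hosts:
  - example.com
  gateways:
  - my-gateway
  http:
  - route:
    - destination:
        host: keycloak-http.default.svc.cluster.local
        port:
          number: 8080
```

Because the Gateway now owns HTTP routing for example.com, the `/frontend` service from the original question can be added as a further `http` match on `uri.prefix` in the same VirtualService. Keycloak must also be told it sits behind a TLS-terminating proxy (for the WildFly-based images of that time, the `PROXY_ADDRESS_FORWARDING=true` environment variable), otherwise it generates redirect and issuer URLs with `http://`.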