Hello, 

I ran into the same issue. I solved it with a 'workaround'. Whether this workaround 
works for you depends on your setup. 
The problem is that Keycloak expects exactly the same URL to be able to authorize the 
requests from the frontend and backend. 

I solved this by using the same URL for internal and external access, but with a 
different IP for both. On the (secure) keycloak service I defined an additional 
route with the hostname of the external URL. I added this hostname to the 
/etc/hosts files on the OpenShift nodes with the IP address of my OpenShift 
router host. In my regular DNS I added the external URL with the external IP 
address. See the setup below, including a reverse proxy we have in between. This 
proxies to the internal Keycloak route, but with the external URL in the Referer 
header. On the Keycloak pod an environment variable 
proxy_address_forwarding=true is set. 
Not very nice, and better solutions are probably possible (e.g. internal DNS or 
static routes), but this works for now. 

     ---------------------------
    | user browser              |
    | react app                 |
    | <keycloak-ext-url>        |
     ---------------------------
                 |
                 v
     ---------------------------
    | reverse proxy             |
    | <keycloak-internal-url>   |
     ---------------------------
                 |
                 v
     ---------------------------
    | openshift-router          |
     ---------------------------
                 |
                 v
     -------------------------------------      -----------------------
    | keycloak pod                        |    | backend pod           |
    | service: secure-keycloak            | <- | <keycloak-ext-url>    |
    | route: <keycloak-internal-url>      |     -----------------------
    | route: <keycloak-ext-url>           |
    | env variable:                       |
    | PROXY_ADDRESS_FORWARDING=True       |
     -------------------------------------

External DNS: <keycloak-ext-url>  ->   <external-ip-address>
On the OpenShift (application) nodes, in /etc/hosts: 
<openshift-router-host-ip-address> <keycloak-ext-url>

Info on the keycloak proxy settings derived from: 
http://markus.co/howto/2017/07/27/keycloak-apache.html
with the addition of: 
RequestHeader edit Referer ^<keycloak-ext-url> <keycloak-internal-url>

Regards, Kees
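As an added illustration of the reverse proxy in the setup above (example configuration, not Kees's own), this is an Apache httpd vhost that re-encrypts to the internal route, sets the forwarded headers that PROXY_ADDRESS_FORWARDING=true makes Keycloak trust, and applies the Referer edit from the post. The hostnames keycloak.example.com and keycloak-internal.apps.example.internal and the certificate paths are placeholders for <keycloak-ext-url>, <keycloak-internal-url> and your own files.

```apache
# Added example, not from the original post. keycloak.example.com stands for
# <keycloak-ext-url>, keycloak-internal.apps.example.internal for
# <keycloak-internal-url>; certificate paths are placeholders.
<VirtualHost *:443>
    ServerName keycloak.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/keycloak.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/keycloak.example.com.key

    # Never act as an open forward proxy; only the mappings below are served.
    ProxyRequests Off

    # Keep the browser's Host header (the external URL) on the upstream
    # request, so the router matches the extra route with the external
    # hostname and Keycloak builds its issuer and redirect URLs from it.
    ProxyPreserveHost On

    # Tell Keycloak the client arrived over TLS on 443. Keycloak only honours
    # these headers because PROXY_ADDRESS_FORWARDING=true is set on the pod,
    # so that pod must only be reachable through a proxy that sets them.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # The addition mentioned in the post: rewrite the external URL in the
    # Referer header to the internal route name before forwarding.
    RequestHeader edit Referer ^https://keycloak\.example\.com https://keycloak-internal.apps.example.internal

    # Re-encrypt to the internal route published by the OpenShift router.
    SSLProxyEngine On
    ProxyPass        / https://keycloak-internal.apps.example.internal/
    ProxyPassReverse / https://keycloak-internal.apps.example.internal/
</VirtualHost>
```

Inside the cluster the /etc/hosts entry from the post makes keycloak.example.com resolve to the router, so pods and browsers both end up at the same Keycloak URL and the issuer in the tokens matches on both sides.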

Message: 1
Date: Wed, 26 Jun 2019 15:56:17 +0000
From: Alix ander <[email protected]>
To: OpenShift Users List <[email protected]>
Subject: accessing another pod on the cluster over the public url
Message-ID: <am7pr04mb6840b1166967b950c5ab2a0fc7...@am7pr04mb6840.eurprd04.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I have a react app which interacts with Keycloak. The front-end forwards to 
Keycloak for authentication and the backend checks if the URL is correct. When 
I give the back-end the internal URL of the Keycloak service "keycloak.project.svc" 
the back-end works fine, but it's another URL than the one given to the front-end, 
"keycloak.domain.com". When I give the back-end the public URL 
"keycloak.domain.com", I get connect: no route to host. The host in our case is 
the master where the TLS certificates are located.

The pods inside the cluster cannot reach other pods on the public URL. I tried 
with curl on different pods and got no route to host. Is that normal?

I should also mention that we have two network interfaces on each node. One for 
internal connection (openshift_ip) and other one for external connection 
(openshift_public_hostname).

Cheers,
Alix


_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


End of users Digest, Vol 83, Issue 28
*************************************
