docker-composekeycloak-gatekeeper

Keycloak Gatekeeper (forwarding proxy) does nothing

I have a docker-compose setup with service 1 (grafana) sending requests to service 2 (prometheus). I've put a Keycloak Gatekeeper in front of service 2, asking for authentication. That works perfectly fine.

Now my idea was to also place a second Keycloak Gatekeeper in front of service 1, injecting said authentication.

Unfortunately, that doesnt work. Observing my traffic via wireshark, it seems my second Keycloak Gatekeeper is not even involved in any communication.

My docker compose file for service 1 and the forwarding proxy looks roughly like this:

keycloak-forwarder:
    image: quay.io/keycloak/keycloak-gatekeeper
    command:
      - --enable-forwarding=true
      - --forwarding-username=<my_username>
      - --forwarding-password=<my_password>
      - --forwarding-domains=${BASE_DOMAIN}/grafana
      - --listen=:3001
      - --client-id=<my_keycloak_client_id>
      - --client-secret=<my_keycloak_client_secret>
      - --discovery-url=${DOMAIN_PROTOCOL}://${KEYCLOAK_DOMAIN}/auth/realms/<my_keycloak_realm>
    networks:
      - webgateway

grafana:
    image: grafana/grafana
    networks:
      - webgateway
    labels:
      traefik.enable: true
      traefik.backend: grafana
      traefik.frontend.rule: Host:${BASE_DOMAIN};PathPrefix:/grafana;PathPrefixStrip:/grafana
      traefik.port: 3000
      traefik.docker.network: webgateway
Solution

  • Ok, I've found the solution. There are several things, that I did wrong.

    1. The forwarding-domains flag describes the domains the request goes to, not comes from. So if grafana talks to prometheus, the prometheus domain needs to be entered here.
    2. The Keycloak Gatekeeper doesn't automatically intercept communication. So grafana needs to use it explicitly as proxy.

    So the fixed docker-compose looks the following:

    keycloak-forwarder:
    image: quay.io/keycloak/keycloak-gatekeeper
    command:
      - --enable-forwarding=true
      - --forwarding-username=<my_username>
      - --forwarding-password=<my_password>
      - --forwarding-domains=${BASE_DOMAIN}/prometheus
      - --listen=:3001
      - --client-id=<my_keycloak_client_id>
      - --client-secret=<my_keycloak_client_secret>
      - --discovery-url=${DOMAIN_PROTOCOL}://${KEYCLOAK_DOMAIN}/auth/realms/<my_keycloak_realm>
    networks:
      - webgateway

grafana:
    image: grafana/grafana
    networks:
      - webgateway
    environment:
      - HTTP_PROXY=http://keycloak-forwarder:3001
      - HTTPS_PROXY=http://keycloak-forwarder:3001
    labels:
      traefik.enable: true
      traefik.backend: grafana
      traefik.frontend.rule: Host:${BASE_DOMAIN};PathPrefix:/grafana;PathPrefixStrip:/grafana
      traefik.port: 3000
      traefik.docker.network: webgateway