kuberneteskeycloakamazon-ekstraefik-ingresskeycloak-gatekeeper

traefik ingress with keycloak authentication on AWS EKS


We are developing our enterprise microservice architecture based product on AWS EKS. We have several applications which are deployed as separate containers on EKS.
We have deployed traefik ingress controller (with LB service as ELB) and ingress service in front of all these applications to do the routing to specific services. This works perfectly fine. So far so good.
We have also deployed keycloak container for auth which also works fine.

Now, we want to integrate traefik with the keycloak so that any request that come to traefik should go to keycloak for auth/SSO and then redirected to particular service for which the original call was there.
It is the piece where we are struggling to make any progress. Firstly few doubts:

1) There is traefik forward-auth. Can this be used here? Any example/link would be appreciated esp. if it is for kubernetes.
2) There is keycloak-gatekeeper. As far as I read about it, it is deployed as side car to main apps and do all the auth work. My problem with this is that in side car design, every app will have its own gatekeeper. So once logged-in to an app or service, user need to authenticate again if he wants to access different app. We don't want this, we want SSO session to be applicable across apps.
Secondly, how can we give dynamic upstream-url in gatekeeper config e.g. /service1 should automatically redirect to gatekeeper to service1 and similarly for service2 and so on.

We are not able to decide which way to go. There is limited documentation for both of the approaches mainly for kubernetes deployment. Is there any other approach that we can take here?
Please help. Let me know if you need further details.

UPDATE1:
For now, I went ahead with keycloak-gatekeeper. I put it as side car to my kibana pod. Below is yml portion for gatekeeper:

    containers:
      - name: gatekeeper-sidecar
          image: keycloak/keycloak-gatekeeper
            ports:
            - containerPort: 3000 # expose port 3000
            args:
            - --discovery-url=http://keycloak:8080/auth/realms/realm1
            - --secure-cookie=false
            - --enable-default-deny=true
            - --client-id=Vista
            - --client-secret=2f1aa7dd-2aa9-4fd0-956c-5c45b2bf2091
            - --listen=0.0.0.0:3000 # listen on port 3000 on all interfaces
            - --redirection-url=http://127.0.0.1:3000
            - --upstream-url=http://127.0.0.1:5601
            - --enable-logging=true
            - --enable-json-logging=true
            - --verbose=true

In my traefik ingress service, I have added below (kibana is the clusterIP service for kibana app which has kibana + gatekeeper pods)

- match: PathPrefix(`/path1`)
    kind: Rule
    services:
    - name: kibana
      port: 3000
    middlewares:
      - name: stripprefix

Now, whenever i browse to https://elb_host/path1, it just redirects it https://elb_host/ouath/authorize?state=<..> and throws 404.
I expect it to first redirect to keycloak auth url (https://elb_host/auth/realms/realm1?..) for authentication.
I also in gatekeeper logs that it successfully fetches the oidc configurations. But after I hit the url following error occurs in gatekeeper logs:

{"level":"error","ts":1584946244.340905,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1584946244.340992,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client  

What can be possibly wrong here? Please help.


Solution

  • Finally managed to solve the issue. Two options:
    1) Either you define ingress /oauth route to keycloak gatekeper itself
    2) or have --base-uri=/path1 in your gatekeeper config. This will add /path1 to all of your redirect url which will be routed as per your ingress