oauth-2.0keycloakistiojaegerambassador

x-requext-id header propagation in keycloak


I am using keycloak to implement OAuth2 code authorization flow in a kubernetes cluster governed by an API gatware Ambassador, I am using Istio Service mesh to add all the tracability, mTLS features to my cluster. One of which is Jaeger which requires all the services to forward x-request-id header in order to link the spans into a specific trace.

When request is sent, Istio's proxy attached to ambassador will generate the x-request-id and forward the request keycloak for authorization, when the results are sent back to the ambassador, the header is dropped and therefore, the istio proxy of keycloak will be generating a new x-header-id. The following image shows the problem:

enter image description here

Here is a photo of the trace where I lost the x-request-id:

enter image description here

Is there a way I can force Keycloak to forward the x-request-id header if passed to it?

Update here is the environment variables (ConfigMap) associated with Keycloak:

kind: ConfigMap
apiVersion: v1
metadata:
  name: keycloak-envars
data:
  KEYCLOAK_ADMIN: "admin"
  KC_PROXY: "edge"
  KC_DB: "postgres"
  KC_DB_USERNAME: "test"
  KC_DB_DATABASE: "keycloak"
  PROXY_ADDRESS_FORWARDING: "true"

Solution

  • It seems keycloak have the opentelemetry plugin that is disabled by default. Enabling it allows to send trace ids to Jaeger, you can enable it by setting KC_OTEL to True. For more information look into the doc.