
[bitnami/keycloak] is not allowing local hostname with port forwarding when Ingress also enabled #32832

Open
knraju483 opened this issue Apr 6, 2025 · 6 comments
Labels: in-progress, keycloak, tech-issues (The user has a technical issue about an application)

knraju483 commented Apr 6, 2025

Name and Version

bitnami/keycloak 26.0.7

What architecture are you using?

arm64

What steps will reproduce the bug?

Hi,

I need configurations for accepting Keycloak UI with Ingress and port forward at the same time. I also disabled admin UI ingress for production and disabled access through the normal ingress, and it only allows auth API requests.

Kindly help me on supporting both Ingress/port forwarding connection with local host.

Following is my configuration for Keycloak:

data:
  JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless.svc.cluster.local
  KC_BOOTSTRAP_ADMIN_USERNAME: ""
  KC_DB: postgres
  KC_DB_URL: jdbc:postgresql://postgres:5432/idam
  KC_PROXY: edge
  KEYCLOAK_CACHE_STACK: kubernetes
  KEYCLOAK_CACHE_TYPE: ispn
  KEYCLOAK_DATABASE_HOST: plt-postgres-pooler-rw
  KEYCLOAK_DATABASE_NAME: idam
  KEYCLOAK_DATABASE_PORT: "5432"
  KEYCLOAK_ENABLE_HTTPS: "false"
  KEYCLOAK_ENABLE_STATISTICS: "true"
  KEYCLOAK_HOSTNAME: https://keycoak.abc.net/auth/
  KEYCLOAK_HOSTNAME_STRICT: "false"
  KEYCLOAK_HTTP_PORT: "8080"
  KEYCLOAK_LOG_LEVEL: INFO
  KEYCLOAK_LOG_OUTPUT: default
  KEYCLOAK_PRODUCTION: "false"
  KEYCLOAK_PROXY_HEADERS: xforwarded

Regards

Are you using any custom parameters or values?

No response

What is the expected behavior?

No response

What do you see instead?

I want to access the Keycloak Admin UI with a port-forwarding localhost connection when I have disabled the admin Ingress and an annotation is added to the normal ingress to block access to the UI and allow only auth API requests.

Additional information

No response

@knraju483 knraju483 added the tech-issues The user has a technical issue about an application label Apr 6, 2025
@github-actions github-actions bot added the triage Triage is needed label Apr 6, 2025
knraju483 (Author)

Hi,

Following is the annotation on the ingress to block the Keycloak admin UI while allowing the UI through port forwarding:

nginx.ingress.kubernetes.io/server-snippet: |-
  location /auth/admin/master/console/ {
    return 403;
  }
  location ~* /console {
    return 403;
  }

@javsalgar javsalgar changed the title Keycloak is not allowing local hostname with port forwarding when Ingress also enabled [bitnami/keycloak] is not allowing local hostname with port forwarding when Ingress also enabled Apr 7, 2025
javsalgar (Contributor)

Hi,

Did the ingress annotation fix the issue?

knraju483 (Author)

Hi,

Yes, it worked after removing KEYCLOAK_HOSTNAME in the Keycloak configuration and accepting the front channel URL the same as the back channel. For this, I have to keep KEYCLOAK_HOSTNAME_STRICT false.

As per the Keycloak documentation, Keycloak mandates the configuration of the hostname option and does not dynamically resolve URLs. This is a security measure.

How to prevent the security?

@github-actions github-actions bot removed the triage Triage is needed label Apr 8, 2025
@github-actions github-actions bot assigned migruiz4 and unassigned javsalgar Apr 8, 2025
migruiz4 (Member) commented Apr 9, 2025

Hi @knraju483,

Please correct me if I misunderstood something.

You would like to access your keycloak with both your ingress (keycoak.abc.net/auth) and port-forwarding (localhost), but Keycloak refuses localhost connections because it enforces KEYCLOAK_HOSTNAME and dynamically rewrites your requests.

You would like to allow only auth API calls through the ingress while no restrictions through localhost (port-forward).

The access issue is solved by setting KEYCLOAK_HOSTNAME_STRICT=false and KEYCLOAK_HOSTNAME="", but you are then worried about the security implications that may have.

I think the current Keycloak hostname v2 does not have a native solution for this, but I was able to get your setup working with a simple workaround.

  • Deploy Keycloak normally; in my case I used helm install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak --set ingress.enabled=true --set ingress.hostname=keycloak.test (no need to set KEYCLOAK_HOSTNAME_STRICT=false).
  • Check that I'm indeed able to access it using the ingress.
  • As mentioned, I can not access it using sudo kubectl port-forward svc/keycloak 80:80 + http://localhost because the browser redirects me to keycloak.test.

Workaround: by setting 127.0.0.1 keycloak.test locally in my /etc/hosts, I'm able to bypass the URL restriction and I can access locally using either localhost or keycloak.test through the port-forward.

I think this is the only way to have Keycloak hostname v2 configured and still be able to access it using different URLs. If this workaround doesn't work for you, I would suggest asking in the Keycloak support sources for an alternative, since I don't know if Keycloak natively supports your use case and it may not be related to the chart.

knraju483 (Author)

Hi,

Thanks a lot. This is a really good solution to map the localhost instead, but I have an annotation on the ingress controller to block the Auth console.

In this scenario, will DNS resolution happen locally or over the internet? I still need DNS resolution over the internet for API calls, and the Auth console from localhost.

Following is the annotation in the Ingress controller to block the Admin console for the Auth API:

nginx.ingress.kubernetes.io/server-snippet: |-
  location /auth/admin/master/console/ {
    return 403;
  }
  location ~* /console {
    return 403;
  }

migruiz4 (Member)

Hi @knraju483,

Names configured in /etc/hosts have priority over DNS name resolution. So my proposal was to use the Auth API normally through the ingress, as you intended.

Then, when you need to access the Auth Console, you can enable the port-forward + /etc/hosts entry and access it.

From a networking perspective both routes are completely different:

  • Auth API: Resolve 'keycloak.abc.net' (DNS) -> Nginx ingress public IP (with annotation rules) -> Keycloak service
  • Auth Console: Resolve 'keycloak.abc.net' (/etc/hosts) -> Kubectl port-forward at localhost: -> Keycloak service

The main disadvantage would be that you can not have both routes at the same time, because as I said /etc/hosts has priority over DNS, so you would need to add/remove the entry from /etc/hosts for example when you start/stop the port-forward.
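The add/remove dance described above is easy to get wrong by hand (a forgotten /etc/hosts entry silently keeps sending the ingress hostname to 127.0.0.1 long after the port-forward is gone). The following script is an added example, not code from the thread or from the Bitnami chart: it appends a tagged override line for the ingress hostname, starts the port-forward bound to loopback only, and removes exactly that line again on exit or Ctrl-C. It assumes the service is named keycloak, that the local port 8080 is free, and that the caller passes the ingress hostname as the first argument; the hosts file path is taken from HOSTS_FILE so the helpers can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example (not from the issue thread): toggle an /etc/hosts override for the
# Keycloak ingress hostname for exactly as long as a kubectl port-forward runs.
# Assumed names: service "keycloak" (chart default in the thread), local port 8080.

MARKER="# keycloak-port-forward"   # tag so that only our line is ever removed

# hosts_add FILE HOSTNAME: append "127.0.0.1 HOSTNAME <MARKER>" unless already present.
hosts_add() {
  file=$1; name=$2
  if grep -q "[[:space:]]$name[[:space:]]*$MARKER\$" "$file" 2>/dev/null; then
    return 0                        # idempotent: a second call adds nothing
  fi
  printf '127.0.0.1 %s %s\n' "$name" "$MARKER" >> "$file"
}

# hosts_remove FILE: delete only the lines carrying MARKER; everything else is kept.
# Rewriting through cat (not mv) preserves the owner and mode of /etc/hosts.
hosts_remove() {
  file=$1
  tmp=$(mktemp)
  grep -v "$MARKER\$" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# hosts_resolves FILE HOSTNAME: exit 0 if FILE maps HOSTNAME to 127.0.0.1.
# (Dots in HOSTNAME are treated as regex wildcards, which is fine for this check.)
hosts_resolves() {
  grep -Eq "^127\.0\.0\.1[[:space:]]+$2"'([[:space:]]|$)' "$1"
}

main() {
  host=${1:?usage: sudo KC_PF_RUN=1 $0 <ingress-hostname>}
  hosts_file=${HOSTS_FILE:-/etc/hosts}
  # Clean up on any exit path; INT/TERM are turned into an exit so the EXIT trap fires.
  trap 'hosts_remove "$hosts_file"; echo "removed $host override from $hosts_file"' EXIT
  trap 'exit 130' INT TERM
  hosts_add "$hosts_file" "$host"
  echo "$host -> 127.0.0.1 via $hosts_file; open http://$host:8080/ while this runs"
  # Bind to loopback only: the override must not turn the forward into a LAN-reachable
  # admin console, which is exactly what the ingress annotation is there to prevent.
  kubectl port-forward --address 127.0.0.1 svc/keycloak 8080:80
}

# Only act when explicitly asked, so the file can be sourced for its helpers.
if [ "${KC_PF_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as `sudo KC_PF_RUN=1 ./kc-portforward.sh keycloak.abc.net` (root is needed to edit /etc/hosts); while it runs, the ingress hostname resolves to the port-forward and the admin console is reachable, and the moment it stops the entry is gone and the hostname resolves over DNS to the ingress again, which is the on/off behaviour migruiz4 describes.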
