
I'm not able to find a way to update the base URL of my keycloak gatekeeper sidecar. My configuration works well with services set to the base URL (ex: https://monitoring.example.com/), not with a custom base path (ex: https://monitoring.example.com/prometheus).

My yaml config is:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: prometheus-deployment
spec:
  replicas: 1
  template:
    metadata:
      name: prometheus
    spec:
      containers:
      - name: prometheus
        image: quay.io/coreos/prometheus:latest
        args:
          - '--web.external-url=https://monitoring.example.com/prometheus'
          - '--web.route-prefix=/prometheus'
      - name: proxy
        image:  keycloak/keycloak-gatekeeper:5.0.0
        imagePullPolicy: Always
        args:
          - --resource=uri=/*
          - --discovery-url=https://auth.example.com/auth/realms/MYREALM
          - --client-id=prometheus
          - --client-secret=XXXXXXXX
          - --listen=0.0.0.0:5555
          - --enable-logging=true
          - --enable-json-logging=true
          - --upstream-url=http://127.0.0.1:9090/prometheus

My problem is being able to set a different base URL path ("/prometheus") for the sidecar, as when I open https://monitoring.example.com/prometheus, I receive a 307 redirection to https://monitoring.example.com/oauth/authorize?state=XXXXXXX whereas it should be https://monitoring.example.com/prometheus/oauth/authorize?state=XXXXXXX

I tried with the parameter "--redirection-url=https://monitoring.example.com/prometheus", but this still redirects me to the same URL.

EDIT:

My objective is to be able to protect multiple Prometheus instances and restrict access to them. I'm also looking for a solution to set permissions regarding the realm or the client. I mean, some of the Keycloak users should be able, for example, to authenticate and see the content of /prometheus-dev but not /prometheus-prod.

EDIT2:

I missed the parameter "base_uri". When I set it to "/prometheus" and try to connect to "https://monitoring.example.com/prometheus/", I receive the right redirection "https://monitoring.example.com/prometheus/oauth/authorize?state=XXXXXXX", but it doesn't work. In Keycloak, the log is:

"msg: no session found in request, redirecting for authorization,error:authentication session not found"

Matt
  • Why do you need to use path `/prometheus`? keycloak-gatekeeper wasn't designed for that. – Jan Garaj Apr 04 '19 at 18:54
  • Because I want to protect multiple paths, but not all of them will use the same Keycloak Realm or Client. I'm looking for a solution to use Keycloak to manage permissions. I mean, some users in a Realm should have access to only some paths and other users located in a second Realm to other paths. – Matt Apr 05 '19 at 06:15
  • You really can't use gatekeeper to protect only a path without additional hacking (response and path rewriting). IMHO use gatekeeper to protect the whole domain, whitelist public resources and define additional conditions for selected resources, e.g. only users with the prometheus group can access the /prometheus resource. – Jan Garaj Apr 05 '19 at 06:39
  • Thanks for your comment @JanGaraj. But one thing: how should I protect multiple containers? Because, for example, my path /prometheus-prod targets a container (pod) and /prometheus-dev targets another container. So the idea is to set up a gatekeeper sidecar for each and deploy one which is able to answer on "/"? I'm confused about how to do this setup. – Matt Apr 05 '19 at 07:06
  • That really depends on your setup. I guess you are using an ingress resource, so https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/ – Jan Garaj Apr 05 '19 at 07:34

2 Answers


In Gatekeeper version 7.0.0 you can use one of these options:

  • --oauth-uri
  • --base-uri

But currently, if you use --base-uri, a trailing / is added to the callback URL after baseUri (i.e. /baseUri//oauth/callback). For me it works fine with oauth-uri=/baseUri/oauth.

Das_Geek
bruegth
  • I tried this and my frontend gets redirected so many times that I receive the error "redirected you too many times." Any ideas what's happening? – asd123ea Aug 03 '20 at 18:09

It can be done if you rewrite the Location header on the 307 responses to the browser. If you are behind an nginx ingress, add these annotations.

nginx.ingress.kubernetes.io/proxy-redirect-from: /
nginx.ingress.kubernetes.io/proxy-redirect-to: /prometheus/
jokarls
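
The Location rewrite that these annotations ask the ingress to perform, modelled in Python as an added example (not this answer's, gatekeeper's or nginx's own code). It assumes the redirect shapes quoted in the question, the base path /prometheus, and hypothetical function names; nginx's exact matching rules for a schemeless proxy-redirect-from value are not covered by this page, so the functions work on the parsed path component and accept both relative and absolute Location values. The naive variant shows why a blanket "/" to "/prometheus/" rewrite re-prefixes a Location that is already under /prometheus (which sends the browser round in a loop); the prefix-aware variant is idempotent, and join_path avoids the doubled slash the first answer mentions for --base-uri.

```python
"""Model of the Location-header rewrite requested by proxy-redirect-from/-to,
with the double-prefix trap shown beside a prefix-aware variant.
Example code added for this answer; not gatekeeper's or nginx's own code."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample 307 Location values, modelled on the redirects quoted in
# the question (not captured from a real deployment).
LOGIN_REDIRECT = "https://monitoring.example.com/oauth/authorize?state=XXXXXXX"
RELATIVE_CALLBACK = "/oauth/callback?state=XXXXXXX"
ALREADY_PREFIXED = "https://monitoring.example.com/prometheus/graph"

BASE_PATH = "/prometheus"  # the base path the question wants the sidecar under


def join_path(base: str, path: str) -> str:
    """Join a base path and a sub-path with exactly one slash between them.

    Avoids the '/baseUri//oauth/callback' shape mentioned in the first answer.
    """
    return base.rstrip("/") + "/" + path.lstrip("/")


def rewrite_location_naive(location: str, prefix_from: str, prefix_to: str) -> str:
    """Literal reading of proxy-redirect-from: / and proxy-redirect-to: /prometheus/.

    Every path starting with prefix_from is rewritten, including paths already
    under the target prefix, so feeding the output back in keeps adding
    '/prometheus' (a redirect loop from the browser's point of view).
    Only the path component is touched; scheme, host, query and fragment stay.
    """
    parts = urlsplit(location)
    path = parts.path or "/"
    if not path.startswith(prefix_from):
        return location
    new_path = prefix_to + path[len(prefix_from):]
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def rewrite_location_safe(location: str, base_path: str) -> str:
    """Prefix-aware rewrite: move a Location under base_path unless it is already there."""
    parts = urlsplit(location)
    path = parts.path or "/"
    base = "/" + base_path.strip("/")
    if path == base or path.startswith(base + "/"):
        return location  # idempotent: already under the base path
    new_path = join_path(base, path)
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def rewrite_response(status: int, headers: dict, base_path: str) -> dict:
    """Apply the safe rewrite to a 3xx response's Location header; other responses pass through."""
    if 300 <= status < 400 and "Location" in headers:
        fixed = dict(headers)
        fixed["Location"] = rewrite_location_safe(headers["Location"], base_path)
        return fixed
    return headers


if __name__ == "__main__":
    print(rewrite_location_naive(LOGIN_REDIRECT, "/", "/prometheus/"))
    print(rewrite_location_naive(ALREADY_PREFIXED, "/", "/prometheus/"))  # double prefix
    print(rewrite_location_safe(ALREADY_PREFIXED, BASE_PATH))            # unchanged
    print(rewrite_response(307, {"Location": RELATIVE_CALLBACK}, BASE_PATH))
```

Running the script prints the corrected login redirect the question asks for, then the doubled "/prometheus/prometheus/graph" that the naive rule produces for a Location already under the base path, which is the kind of loop that ends in the browser's "redirected you too many times" error. If you rely on the annotation approach, make sure the upstream never emits a Location that is already prefixed, or pick a from-value narrower than "/".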