I'm using Keycloak (using Keycloak Operator 21.1.1) to enable authentication to the Apicurio Registry UI (apicurio/apicurio-registry-kafkasql:2.4.2.Final) inside my Kubernetes cluster. In addition to that, I'm using an nginx ingress to enable external access using HTTPS.
The problem is that when I try to access the Apicurio Registry UI at https://apicurio.example.com it redirects me to http://keycloak-service:8080, which is an internal address and therefore unreachable. I've tried to change the redirection using an nginx sub_filter, which doesn't work either, because then there is an issuer mismatch within Apicurio:

    [...] rejected due to invalid claims or other invalid content. Additional details: [[12] Issuer (iss) claim value (https://keycloak.example.com/realms/registry) doesn't match expected value of http://keycloak-service:8080/realms/registry]
I've found some documentation that mentions KEYCLOAK_FRONTEND_URL. However, I can't figure out where to put it. Which component is actually required to know the external address?
Here's my code with some fields omitted:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
spec:
  template:
    spec:
      containers:
        - name: apicurio-registry
          image: apicurio/apicurio-registry-kafkasql:2.4.2.Final
          env:
            - name: AUTH_ENABLED
              value: "true"
            - name: KEYCLOAK_URL
              value: http://keycloak-service:8080 # internal
            - name: KEYCLOAK_REALM
              value: registry
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apicurio
spec:
  rules:
    - host: apicurio.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: registry
                port:
                  number: 8080
  tls:
    - hosts:
        - apicurio.example.com
      secretName: apicurio-tls-secret
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
spec:
  rules:
    - host: keycloak.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8080
  tls:
    - hosts:
        - keycloak.example.com
      secretName: keycloak-tls-secret
```
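The error quoted in the question shows the check that fails: the registry builds the issuer it expects from KEYCLOAK_URL and KEYCLOAK_REALM (`<base>/realms/<realm>`) and compares it with the token's `iss` claim, which Keycloak fills with the URL the browser actually reached. The diagnostic below is an added example, not code from the question, Apicurio or Keycloak; it decodes a constructed, unsigned token without verifying any signature, and assumes only that issuer format.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(token: str) -> str:
    """Read the iss claim from a JWT payload (no signature verification: diagnosis only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))["iss"]


def expected_issuer(keycloak_url: str, realm: str) -> str:
    # Keycloak realm issuer is <base URL>/realms/<realm>, the form seen in the
    # question's error message; strip a trailing slash so it does not double up.
    return f"{keycloak_url.rstrip('/')}/realms/{realm}"


def check_issuer(token: str, keycloak_url: str, realm: str) -> dict:
    """Mirror the registry's comparison: token iss versus the configured expectation."""
    iss = token_issuer(token)
    want = expected_issuer(keycloak_url, realm)
    return {"iss": iss, "expected": want, "match": iss == want}


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for offline testing (constructed input)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed sample: a token whose iss is the external Keycloak address from the question.
SAMPLE_TOKEN = make_token({"iss": "https://keycloak.example.com/realms/registry", "sub": "user"})

if __name__ == "__main__":
    # Registry configured with the internal address: reproduces the rejection.
    print(check_issuer(SAMPLE_TOKEN, "http://keycloak-service:8080", "registry"))
    # Registry configured with the address the browser reaches: the values agree.
    print(check_issuer(SAMPLE_TOKEN, "https://keycloak.example.com", "registry"))
```

Run it against a real token copied from a failing request to confirm which side of the comparison carries the internal address before changing any configuration.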