
accessing another pod on the cluster over the public url


I ran into the same issue. I solved it with a 'workaround'. Whether this workaround works for you depends on your setup.
The problem is that Keycloak expects exactly the same URL to be able to authorize the requests from the frontend and backend.

I solved this by using the same URL for internal and external access but with a different IP for both. On the (secure) Keycloak service I defined an additional route with the hostname of the external URL. I added this hostname to the /etc/hosts files on the OpenShift nodes with the IP address of my OpenShift router host. In my regular DNS I added the external URL with the external IP address. See the setup below, including a reverse proxy we have in between. This proxies to the internal Keycloak route, but with the external URL in the Referer header. On the Keycloak pod an environment variable proxy_address_forwarding=true is set.
Not very nice, and better solutions are probably possible (e.g. internal DNS or static routes), but this works for now.

   | user browser            |
   | react app               |
   | <keycloak-ext-url>      |
   | reverse proxy           |
   | <keycloak-internal-url> |
   | openshift-router        |
 ---------------------------------        ----------------------------
| keycloak pod                    |      | backend pod                |
| service: secure-keycloak        |  <-  | <keycloak-ext-url>         |
| route: <keycloak-internal-url>  |       ----------------------------
| route: <keycloak-ext-url>       |
| env variable:                   |

External DNS: <keycloak-ext-url>  ->   <external-ip-address>
On the openshift (application) nodes /etc/hosts: <openshift-router-host-ip-address> <keycloak-ext-url>

Info on the keycloak proxy settings derived from: http://markus.co/howto/2017/07/27/keycloak-apache.html
with the addition of: 
RequestHeader edit Referer ^<keycloak-ext-url> <keycloak-internal-url>

Regards, Kees
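Two checks for the workaround above, added here as an example and not part of Kees's post: the node's /etc/hosts must map the external hostname to the router host, and the issuer Keycloak advertises over that path must be the external URL the backend is configured with (otherwise the backend's issuer comparison still fails). All hostnames, IPs and the realm name are constructed placeholders.

```shell
#!/bin/sh
# Added example: consistency checks for the "same URL, different IP" workaround.
# keycloak.example.test, 10.0.0.5 and realm "demo" are constructed placeholders.

# check_hosts_entry HOSTS_TEXT HOSTNAME EXPECTED_IP
# Returns 0 when the first non-comment line naming HOSTNAME maps it to EXPECTED_IP.
# Run this on every application node: one node with a stale entry sends that
# node's pods to the external IP and back to "no route to host".
check_hosts_entry() {
  hosts_text=$1; name=$2; want=$3
  got=$(printf '%s\n' "$hosts_text" | awk -v n="$name" '
    /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
    { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_issuer DISCOVERY_JSON EXPECTED_ISSUER
# The realm's .well-known/openid-configuration reports the issuer Keycloak will
# put into tokens. Reached via the external hostname (with proxy_address_forwarding
# honouring the proxy's forwarded headers) this must equal the external URL.
check_issuer() {
  json=$1; want=$2
  got=$(printf '%s' "$json" |
        sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  [ "$got" = "$want" ]
}

# Constructed sample data: a node's /etc/hosts and a discovery document as a pod
# would receive it through the router.
SAMPLE_HOSTS='127.0.0.1 localhost
# workaround: external hostname -> router host, so pods never leave the cluster
10.0.0.5 keycloak.example.test'
SAMPLE_DISCOVERY='{"issuer":"https://keycloak.example.test/auth/realms/demo","authorization_endpoint":"https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth"}'

# verify_workaround: both checks must pass for the setup to be consistent.
verify_workaround() {
  check_hosts_entry "$SAMPLE_HOSTS" keycloak.example.test 10.0.0.5 || return 1
  check_issuer "$SAMPLE_DISCOVERY" https://keycloak.example.test/auth/realms/demo || return 1
}

# Live use (replace placeholders; needs curl). On a node use /etc/hosts, inside a
# pod use "getent hosts keycloak.example.test" to see what the pod resolves:
#   check_hosts_entry "$(cat /etc/hosts)" keycloak.example.test 10.0.0.5
#   check_issuer "$(curl -fsS https://keycloak.example.test/auth/realms/demo/.well-known/openid-configuration)" \
#                https://keycloak.example.test/auth/realms/demo
```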

Message: 1
Date: Wed, 26 Jun 2019 15:56:17 +0000
From: Alix ander <mysteriousmann hotmail com>
To: OpenShift Users List <users lists openshift redhat com>
Subject: accessing another pod on the cluster over the public url
	<AM7PR04MB6840B1166967B950C5AB2A0FC7E20 AM7PR04MB6840 eurprd04 prod outlook com>
Content-Type: text/plain; charset="utf-8"


I have a react app which interacts with Keycloak. The front-end forwards to Keycloak for authentication and the backend checks if the url is correct. When I give the back-end the internal url of the keycloak service "keycloak.project.svc" the back-end works fine, but it's another url than the one given for the front-end "keycloak.domain.com". When I give the back-end the public url "keycloak.domain.com", I get connect: no route to host. The host in our case is the master where the tls certificates are located.

The pods inside the cluster cannot reach other pods on the public url. I tried with curl on different pods, I got no route to host. Is that normal?

I should also mention that we have two network interfaces on each node. One for internal connections (openshift_ip) and the other one for external connections (openshift_public_hostname).


End of users Digest, Vol 83, Issue 28
