Configure Keycloak ingress

Incoming network traffic to the Keycloak service is usually routed via an ingress.

Currently, only NGINX ingress controller is supported and tested. Others may work as well, but you may need to customize some parameters on your own (or contribute back to the component).

See also the following manual on how to setup the Keycloak encryption:

First, choose where the TLS session to Keycloak is terminated.

Encryption mode: Re-encrypt

In re-encryption mode, the traffic is terminated at the NGINX ingress controller, and then re-encrypted when connecting to Keycloak pods. By default, this component will use Let’s Encrypt (cert-manager) so that NGINX terminates with valid certificates. The connection to Keycloak is using self-signed certificates since Keycloak doesn’t reload certificates when they have changed in the container.

Re-encryption is the default, so there’s not much to configure. Proceed with Setup a TLS certificate for Keycloak.

Encryption mode: Pass-through

In the pass-through mode, the controller won’t terminate the TLS session and instead directly forward the HTTPS traffic to Keycloak. The controller needs to support pass-through mode.

This mode requires that the NGINX Controller is configured to pass through the TLS traffic. This isn’t enabled by default. With component-ingress-nginx, you can enable it like following:

          enable-ssl-passthrough: true

When using certificates from Let’s Encrypt (cert-manager), ensure that you regularly restart Keycloak. Otherwise, you may end up serving expired certificates! The default Keycloak container image doesn’t reload the certificates when they have changed in the mounted filesystem.

  1. Terminate the TLS session directly in Keycloak

          termination: passthrough
  2. If you’re using CA issued certificates, change the provider:

          provider: vault

    See Setup a TLS certificate for Keycloak for how to store a certificate in vault.