
Issues with gerrit + keycloak in compose or kubernetes deployments #167

Open
mhuin opened this issue Sep 8, 2022 · 4 comments

Comments

mhuin commented Sep 8, 2022

Hello,

The keycloak oauth plugin doesn't work properly when deploying gerrit and keycloak via a docker or podman compose. This is due to the fact that in a compose, services use an internal networking that may differ from external networking as seen from a user's web browser.

Consider the example compose below:

```yaml
version: '2.3'
services:
  keycloak:
    image: docker.io/jboss/keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=kcadmin
      - DB_VENDOR=h2
      - KEYCLOAK_IMPORT=/var/keycloak_import/zuul-demo-data.json
      - JAVA_OPTS_APPEND="-Djboss.socket.binding.port-offset=2"
    ports:
      - "8082:8082"
  gerrit:
    image: docker.io/gerritcodereview/gerrit
    ports:
      - "8080:8080"
      - "29418:29418"
    environment:
      - CANONICAL_WEB_URL=http://localhost:8080/
```

The keycloak service is available via localhost:8082 outside of the compose (for the end user to log in to). However, the gerrit service can only reach the keycloak service as keycloak:8082. When setting the rootUrl parameter in the plugin's configuration, it is impossible to specify an alternative for internal networking, so either the login redirection or gerrit's token fetching will fail.

A possible workaround is to modify the end user /etc/hosts file to add an entry for keycloak. This is unacceptable for production deployments though.

This issue occurs in kubernetes deployments for the same reason. We also observe an issue with the hardcoded keycloak urls for the auth and token endpoints, as they assume that the URL will start with "/auth" - however the documented way to deploy keycloak in kubernetes is as a "virtual host", see: https://www.keycloak.org/getting-started/getting-started-kube

I would recommend adding two optional parameters: authEndpoint and tokenEndpoint so that deployers can specify what URLs to use.
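The following is an added example, not code from the gerrit oauth plugin, showing why a single rootUrl cannot serve both halves of the authorization-code flow in the compose above and how the two proposed optional parameters (authEndpoint and tokenEndpoint) resolve it. The browser is redirected to the authorization endpoint, so that URL must be reachable from the user's machine (localhost:8082); the code-for-token exchange is a server-side POST from the gerrit container, so that URL must be reachable on the compose network (keycloak:8082). The function names, the realm name `demo`, and the `legacy_context_path` switch (which reproduces the pre-Quarkus "/auth" prefix versus the Quarkus default without it) are assumptions for illustration; only the endpoint parameter names come from the issue.

```python
"""Resolve Keycloak OAuth endpoints for a deployment where the URL the
browser can reach differs from the URL the Gerrit container can reach.

Added example; not the gerrit oauth plugin's own code. The parameter names
authEndpoint / tokenEndpoint follow the proposal in the issue; the function
names, the realm and the legacy_context_path switch are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit


@dataclass(frozen=True)
class KeycloakEndpoints:
    # The browser is redirected here, so it must be publicly reachable.
    authorize_url: str
    # Gerrit POSTs the authorization code here server-side, so it must be
    # reachable from inside the compose / cluster network.
    token_url: str


def resolve_endpoints(root_url: str, realm: str,
                      legacy_context_path: bool = True,
                      auth_endpoint: Optional[str] = None,
                      token_endpoint: Optional[str] = None) -> KeycloakEndpoints:
    """Derive both endpoints from rootUrl/realm unless explicit overrides are given.

    legacy_context_path=True mirrors the hardcoded "/auth" prefix the issue
    describes (pre-Quarkus layout); False mirrors the Quarkus default where
    Keycloak is served from the root, as in the kubernetes getting-started guide.
    """
    base = root_url.rstrip("/")
    if legacy_context_path:
        base += "/auth"
    protocol = f"{base}/realms/{realm}/protocol/openid-connect"
    return KeycloakEndpoints(
        authorize_url=auth_endpoint or f"{protocol}/auth",
        token_url=token_endpoint or f"{protocol}/token",
    )


def build_authorize_redirect(ep: KeycloakEndpoints, client_id: str,
                             redirect_uri: str, state: str) -> str:
    """URL Gerrit sends the user's browser to (step 1 of the code flow)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{ep.authorize_url}?{urlencode(params)}"


def build_token_request(ep: KeycloakEndpoints, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body Gerrit POSTs from its own container (step 2)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return ep.token_url, body


def reachability_hosts(ep: KeycloakEndpoints) -> Tuple[str, str]:
    """(host the browser must reach, host the Gerrit container must reach)."""
    return urlsplit(ep.authorize_url).netloc, urlsplit(ep.token_url).netloc


if __name__ == "__main__":
    # rootUrl only: both endpoints land on localhost:8082, which the gerrit
    # container cannot resolve to keycloak, so the token fetch fails.
    only_root = resolve_endpoints("http://localhost:8082", "demo")
    print("rootUrl only  ->", reachability_hosts(only_root))

    # With the proposed overrides the browser-facing and container-facing
    # hosts can differ, matching the compose networking split.
    split = resolve_endpoints(
        "http://localhost:8082", "demo",
        token_endpoint="http://keycloak:8082/auth/realms/demo/protocol/openid-connect/token",
    )
    print("with overrides ->", reachability_hosts(split))
    print(build_authorize_redirect(split, "gerrit", "http://localhost:8080/oauth", "xyz"))
    print(build_token_request(split, "gerrit", "secret", "code123", "http://localhost:8080/oauth")[0])
```

Running the script prints `('localhost:8082', 'localhost:8082')` for the rootUrl-only case and `('localhost:8082', 'keycloak:8082')` once the token endpoint override is set, which is exactly the split the compose networking requires.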

mhuin (Author) commented Sep 9, 2022

For more context about the "/auth" issue, see these notes: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed

morucci commented Dec 19, 2022

Hi, any update on that issue?

davido (Owner) commented Dec 19, 2022

Any contribution would be welcomed.

davido (Owner) commented Apr 30, 2023

@mhuin

For more context about the "/auth" issue, see these notes: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed

I added the fix for this problem here: [1].

[1] https://gerrit-review.googlesource.com/c/plugins/oauth/+/372194
