Skip to content

Generated SecurityPolicy uses wrong Keycloak port (8080) and missing /auth path prefix #136

Description

@khuyentran1401

Summary

Enabling auth on a NebariApp doesn't redirect users to the Keycloak login page; requests return HTTP 500 instead. The operator generates a SecurityPolicy with an unreachable Keycloak URL, so Envoy Gateway can't enforce the OIDC flow.

Steps to reproduce

These steps follow the operator's own quickstart, which is what surfaced the bug.

  1. Fresh dev cluster: cd dev && make setup
  2. Install operator: make docker-build IMG=... && kind load ... && make install && make deploy IMG=...
  3. Set up the Keycloak realm: ./dev/scripts/services/keycloak/setup.sh
  4. Create a namespace, deploy a sample Deployment + Service, then apply a NebariApp with auth enabled:
kubectl create namespace demo
kubectl label namespace demo nebari.dev/managed=true

kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-app
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: hashicorp/http-echo
        args: ["-text=Hello"]
        ports:
        - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: hello-service
  namespace: demo
spec:
  selector:
    app: hello
  ports:
  - port: 80
    targetPort: 5678
---
apiVersion: reconcilers.nebari.dev/v1
kind: NebariApp
metadata:
  name: hello-app
  namespace: demo
spec:
  hostname: hello-app.nebari.local
  service:
    name: hello-service
    port: 80
  routing:
    tls:
      enabled: true
  auth:
    enabled: true
    provider: keycloak
    provisionClient: true
    scopes:
      - openid
      - profile
      - email
EOF
  1. Inspect the operator-generated SecurityPolicy:
kubectl describe securitypolicy hello-app-security -n demo

Expected

In the Status block at the bottom of the describe output, the Accepted condition should look like:

Status:
  Ancestors:
    Conditions:
      Status:  True
      Type:    Accepted

And requests to the app's hostname should redirect to the Keycloak login page (HTTP 302).

Actual

In the same Status block, the Accepted condition is stuck on False with an OIDC error:

Status:
  Ancestors:
    Conditions:
      Message:  OIDC: error fetching endpoints from issuer:
                  Get "http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari/.well-known/openid-configuration":
                  dial tcp 10.96.71.87:8080: i/o timeout.
      Reason:   Invalid
      Status:   False
      Type:     Accepted

And requests to the app's hostname return HTTP 500 instead of redirecting:

curl -k -I https://hello-app.nebari.local

Output:

HTTP/2 500
date: ...

Root cause

The keycloakx Helm chart (the one dev/services-install uses) exposes Keycloak at:

  • Service port: 80 (not 8080)
  • Context path: /auth (not the root)

kubectl get svc -n keycloak:

NAME                      TYPE        PORT(S)
keycloak-keycloakx-http   ClusterIP   9000/TCP,80/TCP,8443/TCP

A quick reachability test from inside the cluster (e.g., kubectl run -i --rm test-curl --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}\n" <URL>):

URL Result
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari/.well-known/openid-configuration timeout (no listener on 8080)
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:80/realms/nebari/.well-known/openid-configuration 404
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:80/auth/realms/nebari/.well-known/openid-configuration 200

The operator generates:

http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari

The correct issuer for this dev install would be:

http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/nebari

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions