Summary
Enabling auth on a NebariApp doesn't redirect users to the Keycloak login page; requests return HTTP 500 instead. The operator generates a SecurityPolicy with an unreachable Keycloak URL, so Envoy Gateway can't enforce the OIDC flow.
Steps to reproduce
These steps follow the operator's own quickstart, which is what surfaced the bug.
- Fresh dev cluster:
cd dev && make setup
- Install operator:
make docker-build IMG=... && kind load ... && make install && make deploy IMG=...
- Set up the Keycloak realm:
./dev/scripts/services/keycloak/setup.sh
- Create a namespace, deploy a sample Deployment + Service, then apply a
NebariApp with auth enabled:
kubectl create namespace demo
kubectl label namespace demo nebari.dev/managed=true
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-app
namespace: demo
spec:
replicas: 1
selector:
matchLabels:
app: hello
template:
metadata:
labels:
app: hello
spec:
containers:
- name: hello
image: hashicorp/http-echo
args: ["-text=Hello"]
ports:
- containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
name: hello-service
namespace: demo
spec:
selector:
app: hello
ports:
- port: 80
targetPort: 5678
---
apiVersion: reconcilers.nebari.dev/v1
kind: NebariApp
metadata:
name: hello-app
namespace: demo
spec:
hostname: hello-app.nebari.local
service:
name: hello-service
port: 80
routing:
tls:
enabled: true
auth:
enabled: true
provider: keycloak
provisionClient: true
scopes:
- openid
- profile
- email
EOF
- Inspect the operator-generated
SecurityPolicy:
kubectl describe securitypolicy hello-app-security -n demo
Expected
In the Status block at the bottom of the describe output, the Accepted condition should look like:
Status:
Ancestors:
Conditions:
Status: True
Type: Accepted
And requests to the app's hostname should redirect to the Keycloak login page (HTTP 302).
Actual
In the same Status block, the Accepted condition is stuck on False with an OIDC error:
Status:
Ancestors:
Conditions:
Message: OIDC: error fetching endpoints from issuer:
Get "http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari/.well-known/openid-configuration":
dial tcp 10.96.71.87:8080: i/o timeout.
Reason: Invalid
Status: False
Type: Accepted
And requests to the app's hostname return HTTP 500 instead of redirecting:
curl -k -I https://hello-app.nebari.local
Output:
Root cause
The keycloakx Helm chart (the one dev/services-install uses) exposes Keycloak at:
- Service port:
80 (not 8080)
- Context path:
/auth (not the root)
kubectl get svc -n keycloak:
NAME TYPE PORT(S)
keycloak-keycloakx-http ClusterIP 9000/TCP,80/TCP,8443/TCP
A quick reachability test from inside the cluster (e.g., kubectl run -i --rm test-curl --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}\n" <URL>):
| URL |
Result |
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari/.well-known/openid-configuration |
timeout (no listener on 8080) |
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:80/realms/nebari/.well-known/openid-configuration |
404 |
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:80/auth/realms/nebari/.well-known/openid-configuration |
200 ✓ |
The operator generates:
http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari
The correct issuer for this dev install would be:
http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/realms/nebari
Summary
Enabling auth on a
NebariAppdoesn't redirect users to the Keycloak login page; requests returnHTTP 500instead. The operator generates aSecurityPolicywith an unreachable Keycloak URL, so Envoy Gateway can't enforce the OIDC flow.Steps to reproduce
These steps follow the operator's own quickstart, which is what surfaced the bug.
cd dev && make setupmake docker-build IMG=... && kind load ... && make install && make deploy IMG=..../dev/scripts/services/keycloak/setup.shNebariAppwith auth enabled:SecurityPolicy:Expected
In the
Statusblock at the bottom of the describe output, theAcceptedcondition should look like:And requests to the app's hostname should redirect to the Keycloak login page (
HTTP 302).Actual
In the same
Statusblock, theAcceptedcondition is stuck onFalsewith an OIDC error:And requests to the app's hostname return
HTTP 500instead of redirecting:Output:
Root cause
The keycloakx Helm chart (the one
dev/services-installuses) exposes Keycloak at:80(not8080)/auth(not the root)kubectl get svc -n keycloak:A quick reachability test from inside the cluster (e.g.,
kubectl run -i --rm test-curl --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}\n" <URL>):http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari/.well-known/openid-configurationhttp://keycloak-keycloakx-http.keycloak.svc.cluster.local:80/realms/nebari/.well-known/openid-configuration404http://keycloak-keycloakx-http.keycloak.svc.cluster.local:80/auth/realms/nebari/.well-known/openid-configuration200✓The operator generates:
The correct issuer for this dev install would be: