gerrit-oauth-provider

Issues with gerrit + keycloak in compose or kubernetes deployments

Open mhuin opened this issue 3 years ago • 4 comments

Hello,

The keycloak oauth plugin doesn't work properly when deploying gerrit and keycloak via a docker or podman compose. This is due to the fact that in a compose, services use an internal networking that may differ from external networking as seen from a user's web browser.

Consider the example compose below:

```yaml
version: '2.3'
services:
  keycloak:
    image: docker.io/jboss/keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=kcadmin
      - DB_VENDOR=h2
      - KEYCLOAK_IMPORT=/var/keycloak_import/zuul-demo-data.json
      - JAVA_OPTS_APPEND="-Djboss.socket.binding.port-offset=2"
    ports:
      - "8082:8082"
  gerrit:
    image: docker.io/gerritcodereview/gerrit
    ports:
      - "8080:8080"
      - "29418:29418"
    environment:
      - CANONICAL_WEB_URL=http://localhost:8080/
```

The keycloak service is available via localhost:8082 outside of the compose (for the end user to log in to). However the gerrit service can only reach the keycloak service as keycloak:8082. When setting the rootUrl parameter in the plugin's configuration, it is impossible to specify an alternative for internal networking, so either the login redirection or gerrit's token fetching will fail.

A possible workaround is to modify the end user /etc/hosts file to add an entry for keycloak. This is unacceptable for production deployments though.

This issue occurs in kubernetes deployments for the same reason. We also observe an issue with the hardcoded keycloak urls for the auth and token endpoints, as they assume that the URL will start with "/auth" - however the documented way to deploy keycloak in kubernetes is as a "virtual host", see: https://www.keycloak.org/getting-started/getting-started-kube

I would recommend adding two optional parameters: authEndpoint and tokenEndpoint so that deployers can specify what URLs to use.

mhuin avatar Sep 08 '22 09:09 mhuin

For more context about the "/auth" issue, see these notes: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed

mhuin avatar Sep 09 '22 10:09 mhuin
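The two comments above describe two separate things a Keycloak OAuth client has to get right: the authorization URL is followed by the user's browser, while the token URL is called back-channel by the Gerrit server, so in a compose or Kubernetes deployment they may need different hosts; and the Quarkus distribution dropped the "/auth" context path that the plugin hardcodes. The Python below is an added example, not the plugin's code and not the fix in the linked change. It builds both URLs from a rootUrl with independent overrides (named authEndpoint/tokenEndpoint after the proposal above), toggles the legacy "/auth" prefix, and checks which side of the deployment cannot resolve which URL using the compose example from the issue. The realm name "demo", the Gerrit callback path "/oauth" and the reachable-host sets are assumptions for illustration; the openid-connect paths are Keycloak's standard ones.

```python
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

# Added example (not the gerrit-oauth-provider plugin's own code).
# Keycloak's standard OIDC paths, relative to the server root (plus "/auth"
# on the old WildFly distribution, absent on the Quarkus one).
OIDC_SUFFIX = "protocol/openid-connect"


@dataclass(frozen=True)
class KeycloakEndpoints:
    authorize_url: str  # browser-facing: must resolve from the user's machine
    token_url: str      # server-facing: must resolve from the Gerrit container


def keycloak_endpoints(root_url, realm, *, auth_endpoint=None,
                       token_endpoint=None, legacy_context_path=False):
    """Derive both endpoints from rootUrl, letting either be overridden.

    auth_endpoint / token_endpoint model the optional authEndpoint and
    tokenEndpoint settings proposed in the issue (assumed names).
    """
    base = root_url.rstrip("/")
    if legacy_context_path:
        base += "/auth"  # pre-Quarkus default context path
    realm_base = f"{base}/realms/{realm}/{OIDC_SUFFIX}"
    return KeycloakEndpoints(
        authorize_url=auth_endpoint or f"{realm_base}/auth",
        token_url=token_endpoint or f"{realm_base}/token",
    )


def authorization_redirect(endpoints, client_id, canonical_web_url, state):
    """URL the browser is redirected to; redirect_uri must be the public Gerrit URL."""
    redirect_uri = canonical_web_url.rstrip("/") + "/oauth"  # assumed callback path
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": "openid",
    })
    return f"{endpoints.authorize_url}?{query}"


def split_horizon_problems(endpoints, browser_reachable_hosts, server_reachable_hosts):
    """List the URLs whose host is unreachable from the side that has to use it."""
    problems = []
    if urlsplit(endpoints.authorize_url).hostname not in browser_reachable_hosts:
        problems.append(("authorize_url", endpoints.authorize_url))
    if urlsplit(endpoints.token_url).hostname not in server_reachable_hosts:
        problems.append(("token_url", endpoints.token_url))
    return problems


# Constructed to match the compose in the issue: the browser only knows
# localhost:8082, the gerrit container only knows keycloak:8082.
BROWSER_HOSTS = {"localhost"}
GERRIT_CONTAINER_HOSTS = {"keycloak"}


def compose_scenarios(realm="demo"):
    """Return problems for: rootUrl only (public), rootUrl only (internal), both overrides."""
    public_only = keycloak_endpoints("http://localhost:8082", realm)
    internal_only = keycloak_endpoints("http://keycloak:8082", realm)
    split = keycloak_endpoints(
        "http://localhost:8082", realm,
        token_endpoint=f"http://keycloak:8082/realms/{realm}/{OIDC_SUFFIX}/token",
    )
    return {
        "public_only": split_horizon_problems(public_only, BROWSER_HOSTS, GERRIT_CONTAINER_HOSTS),
        "internal_only": split_horizon_problems(internal_only, BROWSER_HOSTS, GERRIT_CONTAINER_HOSTS),
        "split": split_horizon_problems(split, BROWSER_HOSTS, GERRIT_CONTAINER_HOSTS),
    }


if __name__ == "__main__":
    for name, problems in compose_scenarios().items():
        print(name, "->", problems or "ok")
    ep = keycloak_endpoints("http://localhost:8082", "demo")
    print(authorization_redirect(ep, "gerrit", "http://localhost:8080/", "s3cr3t"))
```

With only rootUrl set to the public address the token fetch fails (the Gerrit container cannot resolve localhost:8082 as Keycloak); with only the internal address the browser redirect fails; a separate token endpoint override is what makes both legs work without touching /etc/hosts.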

Hi, any update on that issue?

morucci avatar Dec 19 '22 16:12 morucci

Any contribution would be welcomed.

davido avatar Dec 19 '22 19:12 davido

@mhuin

For more context about the "/auth" issue, see these notes: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed

I added the fix for this problem here: [1].

[1] https://gerrit-review.googlesource.com/c/plugins/oauth/+/372194

davido avatar Apr 30 '23 09:04 davido