Keycloak Kubernetes Ingress Configuration Guide
Why Keycloak needs Kubernetes Ingress
Running Keycloak inside Kubernetes without ingress means you’re stuck exposing it through NodePorts or port-forwarding. That’s brittle and unsafe. An ingress lets you bind Keycloak to a proper hostname, manage TLS easily, and integrate with external identity consumers. It becomes part of your cluster’s network fabric.
Core steps to configure Keycloak Kubernetes Ingress
- Deploy Keycloak
Use the official Keycloak container image or Helm chart. Make sure your deployment includes readiness and liveness probes.
- Create a Service
The service should target Keycloak’s port 8080 (or 8443 if you configure it directly for HTTPS). ClusterIP is standard here.
- Ingress Controller
Install a reliable ingress controller like NGINX, Traefik, or HAProxy. For cloud providers, you can choose their managed ingress solution.
- Ingress Resource
Define an Ingress YAML that maps your public domain, auth.example.com, to the Keycloak service. Add TLS via cert-manager or your own certificates.
- Path and Rewrite Rules
Keycloak often runs at /auth. Configure path rewrites so it serves correctly when behind ingress. NGINX annotations handle this cleanly.
- Secure Headers
Add ingress settings to enforce HTTPS, set HSTS headers, and disable insecure protocols.
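An added example (not from the original guide or the Keycloak project) covering the Ingress Resource, Path and Secure Headers steps for the NGINX ingress controller. The namespaces, TLS secret name, ClusterIssuer name, Service name and ConfigMap name are assumptions, and it assumes Keycloak itself serves under /auth, so no rewrite is applied.

```yaml
# Added example. Hostname is the guide's auth.example.com; every other name is an assumption.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    # cert-manager issues the certificate into the secret named under spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod   # assumed ClusterIssuer name
    # Redirect plain HTTP to HTTPS, even when TLS is terminated in front of the controller
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - auth.example.com
      # The secret must exist in the same namespace as this Ingress
      secretName: keycloak-tls
  rules:
    - host: auth.example.com
      http:
        paths:
          # Only /auth is routed; other paths on this host never reach Keycloak.
          # No rewrite-target annotation: this assumes Keycloak serves under /auth.
          - path: /auth
            pathType: Prefix
            backend:
              service:
                name: keycloak        # assumed ClusterIP Service name
                port:
                  number: 8080
---
# Controller-wide ingress-nginx settings (ConfigMap name and namespace depend on the install)
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  hsts: "true"
  hsts-max-age: "31536000"
  hsts-include-subdomains: "true"
  # Drop TLS 1.0 and 1.1
  ssl-protocols: "TLSv1.2 TLSv1.3"
  # Keep "false" unless a trusted proxy or load balancer sits in front of the
  # controller; "true" makes it accept client-supplied X-Forwarded-* headers.
  use-forwarded-headers: "false"
```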
Troubleshooting common ingress issues
- Infinite redirect loops: Ensure KEYCLOAK_FRONTEND_URL is set to the ingress hostname with HTTPS.
- Broken static resources: Check rewrite rules and forward headers.
- SSL errors: Confirm TLS secret names match ingress spec and namespace.
Performance and scaling considerations
When Keycloak sits behind Kubernetes ingress, you can scale replicas horizontally. The ingress distributes load across pods automatically. Combine this with session affinity or sticky sessions if your realm configuration depends on local caches.
Integrating with external services
Through ingress, Keycloak can serve requests from anywhere—your app’s front end, backend APIs, or third-party identity brokers. Fine-tune ingress rules to allow only the paths Keycloak needs.
Configure Keycloak Kubernetes Ingress once, and the cluster gives you security, reachability, and scaling without friction.
Ready to see this live in minutes? Spin it up now at hoop.dev and watch Keycloak running behind Kubernetes ingress without the usual setup grind.