
Keycloak - SSL / SocketException on application startup in EKS #4251

Closed
4 tasks done
mvassli opened this issue Sep 19, 2023 · 1 comment
Labels
status/triage Issues pending maintainers triage type/bug Something isn't working

Comments

@mvassli

mvassli commented Sep 19, 2023

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for an already existing issues here
  • I've tried running master-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I am attempting to start Kafka UI in AWS EKS, deployed with Helm charts, using KeyCloak for authentication. Kafka UI however fails on startup as it is unable to fetch the KeyCloak realm openid-configuration. Error on startup:

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://<redacted>/auth/realms/<redacted>/.well-known/openid-configuration": Connection reset
    at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:888)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:868)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:714)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216)
    ... 72 common frames omitted
Caused by: java.net.SocketException: Connection reset

See detailed SSL logs with additional debugging below

Expected behavior

On local host with docker-compose application successfully starts and I am prompted for KeyCloak authentication on login http://localhost:8080/login

This is a subset of my compose which is working:

version: '3.5'
services:

  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui:v0.7.1
    network_mode: host
    ports:
      - 8080:8080
    environment:
      JAVA_OPTS: -Djavax.net.ssl.trustStore=/opt/app/credentials/truststore.jks -Djavax.net.ssl.trustStorePassword=Redacted
      AUTH_TYPE: OAUTH2
      AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENT_NAME: Kafka-UI
      AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENTID: Redacted
      AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENTSECRET: Redacted
      AUTH_OAUTH2_CLIENT_KEYCLOAK_SCOPE: openId
      AUTH_OAUTH2_CLIENT_KEYCLOAK_PROVIDER: keycloak
      AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI: https://<Redacted>/auth/realms/<Redacted>
      AUTH_OAUTH2_CLIENT_KEYCLOAK_JWK_SET_URI: https://<Redacted>/auth/realms/<Redacted>/protocol/openid-connect/certs
    volumes:
      - ./truststore.jks:/opt/app/credentials/truststore.jks

I am expecting same behaviour deploying on EKS

Your installation details

App version v0.7.1

Relevant Helm Charts configuration

spec:
  image: provectuslabs/kafka-ui:v0.7.1
  env:
    - name: JAVA_OPTS
      value: -Djavax.net.ssl.trustStore=/opt/app/credentials/truststore.jks -Djavax.net.ssl.trustStorePassword=Redacted -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack
    - name: AUTH_TYPE
      value: OAUTH2
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENT_NAME
      value: Kafka-UI
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENTID
      value: Redacted
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_CLIENTSECRET
      value: Redacted
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_SCOPE
      value: openId
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_PROVIDER
      value: keycloak
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI
      value: https://<Redacted>/auth/realms/<Redacted>
    - name: AUTH_OAUTH2_CLIENT_KEYCLOAK_JWK_SET_URI
      value: https://<Redacted>/auth/realms/<Redacted>/protocol/openid-connect/certs
  volumeFrom:
    - volume:
        name: truststore-volume
        configMap:
          name: truststore-map
      volumeMount:
        mountPath: /opt/app/credentials
        name: truststore-volume

Configmap created from configMapGenerator

apiVersion: v1
binaryData:
  truststore.jks: <redacted b64>
kind: ConfigMap
metadata:
  creationTimestamp: "2023-09-19T20:08:45Z"
  name: truststore-map
  namespace: user-devns
  resourceVersion: "1715755701"
  uid: 705994fb-ef12-4e43-9b99-77f160d3add5

I have verified that the truststore is available from inside the pod.

keycloak service entry

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: keycloak
spec:
  exportTo:
    - "."
  hosts:
    - https://<Redacted>
  ports:
    - name: https
      number: 443
      protocol: TLS
  location: MESH_EXTERNAL
  resolution: DNS

However, Kafka UI fails on application startup. It is unclear to me why, but the application is unable to communicate with https://<redacted>/auth/realms/<redacted>/.well-known/openid-configuration from inside the pod.

I am quite certain that the issue is not related to a misconfigured service entry or problems resolving DNS, as nslookup of the keycloak server from inside the pod is successful. A few Stack Overflow posts could indicate that this is an issue with TLS or ciphers, but the cause is not clear.

Steps to reproduce

See above

Screenshots

No response

Logs

Detailed SSL debugging logs.txt

Additional context

No response

@mvassli mvassli added status/triage Issues pending maintainers triage type/bug Something isn't working labels Sep 19, 2023
@mvassli mvassli changed the title Keycloak - ResourceAccessException on application startup when configured with Helm Charts Keycloak - SSL / SocketException on application startup in EKS Sep 20, 2023
@mvassli
Author

mvassli commented Sep 20, 2023

Stupid user error. The problem was in fact an incorrect ServiceEntry....
The hostname should obviously be without the HTTPS protocol, like this:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: keycloak
spec:
  exportTo:
    - "."
  hosts:
    - <Redacted>
  ports:
    - name: https
      number: 443
      protocol: TLS
  location: MESH_EXTERNAL
  resolution: DNS

@mvassli mvassli closed this as not planned Won't fix, can't repro, duplicate, stale Sep 20, 2023
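A check for the mistake described in this comment, as an added example that is not part of the issue or the kafka-ui project: given an Istio ServiceEntry and the container env in the dict shape that `kubectl get ... -o json` returns, it reports host entries that carry a URL scheme, path or port, and verifies that the host and TLS port of AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI are actually covered by the entry, since a MESH_EXTERNAL allowlist that does not match the issuer shows up only as a connection reset on the .well-known fetch. The manifests and the hostname `sso.example.internal` below are constructed placeholders.

```python
"""Static check for an Istio ServiceEntry that allowlists an external OIDC issuer.

Added example (not from the kafka-ui project or the issue author). Inputs are
plain dicts in the shape `kubectl get ... -o json` produces; sample manifests
are constructed inline with placeholder hostnames.
"""
import re
from urllib.parse import urlsplit

# RFC 1123 hostname label; Istio additionally allows a leading "*." wildcard.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(host: str) -> list[str]:
    """Return why `host` is not a valid ServiceEntry host entry (empty list if it is)."""
    problems = []
    if "://" in host:
        problems.append(f"{host!r} contains a URL scheme; ServiceEntry hosts are bare hostnames")
        host = host.split("://", 1)[1]
    if "/" in host:
        problems.append(f"{host!r} contains a path component")
        host = host.split("/", 1)[0]
    if ":" in host:
        problems.append(f"{host!r} contains a port; ports belong in spec.ports")
        host = host.split(":", 1)[0]
    labels = host.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for label in labels:
        if not _LABEL.match(label):
            problems.append(f"{host!r}: {label!r} is not a valid DNS label")
            break
    return problems


def check_service_entry(service_entry: dict, env: list[dict]) -> list[str]:
    """Cross-check the ServiceEntry against the issuer the app fetches at startup."""
    findings = []
    spec = service_entry.get("spec", {})
    hosts = spec.get("hosts", [])
    if not hosts:
        findings.append("spec.hosts is empty")
    for host in hosts:
        findings.extend(hostname_problems(host))

    # This env var is the URL Spring Security uses for the .well-known discovery fetch.
    issuer = next((e["value"] for e in env if e["name"] == "AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI"), None)
    if issuer is None:
        findings.append("AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI is not set")
        return findings
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        findings.append(f"issuer {issuer!r} is not https; discovery metadata would travel in clear text")
    issuer_host = parts.hostname or ""
    issuer_port = parts.port or (443 if parts.scheme == "https" else 80)

    def covers(entry: str) -> bool:
        # "*.example.internal" matches any subdomain but not the apex itself.
        if entry.startswith("*."):
            return issuer_host.endswith(entry[1:])
        return entry == issuer_host

    if not any(covers(h) for h in hosts):
        findings.append(f"no host entry covers issuer host {issuer_host!r}; egress is denied (connection reset)")
    ports = spec.get("ports", [])
    if not any(p.get("number") == issuer_port and p.get("protocol") in ("TLS", "HTTPS") for p in ports):
        findings.append(f"no TLS/HTTPS port {issuer_port} declared for the issuer")
    return findings


# Constructed sample: the broken entry from the report (scheme inside hosts) and its fix.
BROKEN_ENTRY = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "ServiceEntry",
    "metadata": {"name": "keycloak"},
    "spec": {
        "exportTo": ["."],
        "hosts": ["https://sso.example.internal"],
        "ports": [{"name": "https", "number": 443, "protocol": "TLS"}],
        "location": "MESH_EXTERNAL",
        "resolution": "DNS",
    },
}
FIXED_ENTRY = {**BROKEN_ENTRY, "spec": {**BROKEN_ENTRY["spec"], "hosts": ["sso.example.internal"]}}
ENV = [
    {"name": "AUTH_TYPE", "value": "OAUTH2"},
    {"name": "AUTH_OAUTH2_CLIENT_KEYCLOAK_ISSUER_URI",
     "value": "https://sso.example.internal/auth/realms/example"},
]

if __name__ == "__main__":
    for label, entry in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY)):
        print(label, check_service_entry(entry, ENV) or ["ok"])
```

Running the script prints two findings for the broken entry (scheme in `hosts`, and therefore no entry matching the issuer host) and `ok` for the corrected one. Wiring this into CI for manifests that reference an identity provider catches the misconfiguration before the pod ever reports a connection reset, and the same host-coverage check is what to run first when an OIDC discovery fetch fails from inside a mesh with egress restricted to MESH_EXTERNAL entries.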