I have a k3s cluster that is hosting a keycloak instance for an app. I'm implementing logging in using a user certificate. I can get Keycloak to log a user in correctly when using docker. But in a k3s deployment with traefik, the client cert is removed when it arrives at Keycloak.
To troubleshoot this, I opened a nodeport to Keycloak and login worked correctly. But when using the ingress route, Keycloak responds with the message "x509 client certificate is not available for mutual SSL".
I have tried adding the option tls.passthrough to true with the following TLSIngressRoute with no success.
I have also tried setting up a TLSOption, also shown below.
I have been reading the documentation and trying out different ideas but haven't found anything useful. Does anyone know of a setting I'm missing that would remedy this?
~~~yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: keycloak-passthrough
  namespace: dev
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(`*`)
      services:
        - name: keycloak
          namespace: dev
          port: 8443
  tls:
    # In the IngressRouteTCP schema the TLSOption reference lives under tls.options,
    # not directly under tls (a bare tls.name is not a recognised field).
    options:
      name: keycloak-no-strip-client-cert
      namespace: dev
    # Forward the raw TLS stream to Keycloak without terminating it in Traefik.
    passthrough: true
~~~

~~~yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: keycloak-no-strip-client-cert
  namespace: dev
spec:
  clientAuth:
    # Do not request a client certificate at the Traefik layer.
    clientAuthType: NoClientCert
~~~