I have a k3s cluster that is hosting a keycloak instance for an app. I'm implementing logging in using a user certificate. I can get Keycloak to log a user in correctly when using docker. But in a k3s deployment with traefik, the client cert is removed when it arrives at Keycloak.
To troubleshoot this, I opened a nodeport to Keycloak and login worked correctly. But when using the ingress route, Keycloak responds with the message "x509 client certificate is not available for mutual SSL".
I have tried setting the option `tls.passthrough` to true with the following TLSIngressRoute, with no success.
I have also tried setting up a TLSOption, also shown below.
I have been reading the documentation and trying out different ideas but haven't found anything useful. Does anyone know of a setting I'm missing that would remedy this?
~~~yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: keycloak-passthrough
  namespace: dev
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(`*`)
      services:
        - name: keycloak
          namespace: dev
          port: 8443
  tls:
    # The TLSOption reference lives under tls.options in the Traefik CRD,
    # not directly under tls.
    options:
      name: keycloak-no-strip-client-cert
      namespace: dev
    passthrough: true
~~~
~~~yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: keycloak-no-strip-client-cert
  namespace: dev
spec:
  clientAuth:
    clientAuthType: NoClientCert
~~~
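A quick way to confirm where the TLS session is actually being terminated, since Keycloak's "x509 client certificate is not available for mutual SSL" message means the handshake Keycloak saw carried no client certificate: compare the server certificate presented through the ingress with the one Keycloak serves on the NodePort. If Traefik really passes the connection through, both fingerprints are the same (Keycloak's own certificate); if they differ, Traefik is terminating TLS in front of Keycloak and the client certificate never reaches it. This is an added diagnostic script, not part of the question above or of Traefik or Keycloak; the hosts, ports and SNI name are placeholders to be set via environment variables.

```shell
# Added diagnostic, not from the original post. Placeholder inputs (override via
# environment): INGRESS_HOST/INGRESS_PORT (Traefik websecure), DIRECT_HOST/
# DIRECT_PORT (the NodePort reaching Keycloak on 8443), SNI_NAME (Keycloak host).

# Fetch the SHA-256 fingerprint line of the leaf certificate presented by
# host:port when connecting with the given SNI name. Output looks like
# "sha256 Fingerprint=AA:BB:..." and is normalized by the caller.
leaf_fingerprint() {
  host=$1; port=$2; sni=$3
  printf '' | openssl s_client -connect "$host:$port" -servername "$sni" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Reduce openssl's fingerprint line to bare upper-case hex so outputs from
# different openssl versions (which differ in label case) compare equal when
# the certificate is the same. Prints nothing for an empty or unexpected input.
normalize_fingerprint() {
  printf '%s\n' "$1" \
    | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' \
    | tr -d ':' \
    | tr 'a-f' 'A-F'
}

# Decide whether Traefik passed the TLS session through untouched.
# Prints "passthrough" if the certificate seen via the ingress is the same one
# Keycloak serves directly, "terminated" if it differs, and "unknown" if either
# fingerprint is missing (connection failed or no certificate returned).
passthrough_verdict() {
  via_ingress=$(normalize_fingerprint "$1")
  direct=$(normalize_fingerprint "$2")
  if [ -z "$via_ingress" ] || [ -z "$direct" ]; then
    echo unknown
  elif [ "$via_ingress" = "$direct" ]; then
    echo passthrough
  else
    echo terminated
  fi
}

# Run the live check against the cluster (network access required).
check_keycloak_passthrough() {
  sni=${SNI_NAME:-keycloak.example.invalid}
  ingress=$(leaf_fingerprint "${INGRESS_HOST:-traefik.example.invalid}" "${INGRESS_PORT:-443}" "$sni")
  direct=$(leaf_fingerprint "${DIRECT_HOST:-node.example.invalid}" "${DIRECT_PORT:-30443}" "$sni")
  passthrough_verdict "$ingress" "$direct"
}
```

Run `check_keycloak_passthrough` with the variables pointed at the cluster; a "terminated" verdict means the request is matching an HTTP route (or Traefik's default certificate) on the `websecure` entry point rather than the passthrough TCP route, which is exactly the situation where the client certificate is consumed before Keycloak sees it.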