Ok thanks, but my question is about the Kibana Search Guard plugin alone. Let me explain my use-case a bit to clarify the query:
- Keycloak, Elasticsearch & Kibana run as pods in a Kubernetes cluster. There are k8s services for each of these pods.
  Within the k8s cluster, the Keycloak server is accessible at
  http://keycloak.default.svc.cluster.local:8080 ('keycloak' is the k8s service name in the default namespace).
  That means all pods in the cluster can reach the address
  http://keycloak.default.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration
- Keycloak is a UI application, so users need to access it from their browsers (which are external to the k8s cluster). For this external access, a load balancer (nginx ingress) is used and access is provided over https. That means a user can open the Keycloak admin console in their browser at https://abc-xyz/auth.
- Now, to enable OpenID auth in Elasticsearch & Kibana, the following configurations are made:
sg_config.yml (searchguard-elasticsearch):

openid_auth_domain:
  enabled: true
  order: 1
  http_authenticator:
    config:
      openid_connect_url: http://keycloak.default.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration

kibana.yml (searchguard-kibana):

searchguard.openid.connect_url: "http://keycloak.default.svc.cluster.local:8080/auth/realms/master/.well-known/openid-configuration"
Issue:
- Now, the Kibana server (pod) starts successfully. The user tries to open the Kibana UI in the browser at https://abc-xyz/kibana. As this is the first login attempt and the user is not authenticated yet, Kibana would redirect the browser to the Keycloak UI (using the Keycloak address configured in kibana.yml) to open the authentication page. After entering the user creds, Keycloak would authenticate the user and load the Kibana home page.
  But now, since my browser does not recognize the internal k8s svc address keycloak.default.svc.cluster.local, the redirection to Keycloak fails.
- If I want the browser redirection from Kibana to Keycloak (explained in the previous point) to succeed, Kibana's searchguard.openid.connect_url should be configured with a URL that the browser can resolve and reach. That means, in this case, https://abc-xyz/auth.
  With this new configuration, when the Kibana server (pod) starts, it tries to contact the Keycloak OpenID metadata URL on service startup itself. Since the address in searchguard.openid.connect_url (https://abc-xyz/auth) is not reachable from a pod inside the k8s cluster, the Kibana server fails with the error:
  Failed when trying to obtain the endpoints from your IdP
  (Ref: https://docs.search-guard.com/latest/troubleshooting-openid)
So coming back to my query, Kibana has two types of interactions with the Keycloak server when OpenID is enabled:
i. Kibana server to the Keycloak OpenID metadata URL on Kibana server startup
ii. Kibana UI redirection to the Keycloak UI in the browser when a user attempts to access it
For both of these interactions, the same searchguard.openid.connect_url is used by the searchguard-kibana plugin.
In my case, as explained above, I do not have a single Keycloak server URL that is reachable for both of these interactions.
How can I proceed? Is there a way to configure separate URLs?
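The two interactions in the post map onto different entries of the discovery document that connect_url points at: the browser is sent to the authorization_endpoint, while the Kibana server fetches the document itself and talks to back-channel endpoints such as token_endpoint and jwks_uri. The audit below is an added example, not Search Guard or Keycloak code; it assumes that endpoint split, builds a constructed Keycloak-style document from a base URL, and reports every endpoint whose host the wrong party cannot reach, so you can see from the document alone which of the two configurations will break where.

```python
"""Audit an OIDC discovery document for split reachability (added example)."""
import json
from urllib.parse import urlparse

# Assumed split: which party must reach each endpoint in the auth-code flow.
BROWSER_FACING = ("authorization_endpoint", "end_session_endpoint")
SERVER_FACING = ("token_endpoint", "jwks_uri", "userinfo_endpoint")


def sample_document(base):
    """Constructed discovery document using Keycloak's standard endpoint paths.

    Keycloak derives these URLs from the host it was reached on, so fetching
    the well-known URL via the in-cluster service name yields internal hosts.
    """
    return json.dumps({
        "issuer": base,
        "authorization_endpoint": base + "/protocol/openid-connect/auth",
        "token_endpoint": base + "/protocol/openid-connect/token",
        "jwks_uri": base + "/protocol/openid-connect/certs",
        "end_session_endpoint": base + "/protocol/openid-connect/logout",
    })


def audit_discovery(doc_json, browser_hosts, pod_hosts):
    """Return (endpoint, url, reason) findings for the given reachability sets.

    browser_hosts: hostnames users' browsers can resolve and reach.
    pod_hosts:     hostnames reachable from inside the cluster.
    """
    doc = json.loads(doc_json)
    findings = []
    for key in BROWSER_FACING:
        if key in doc:
            p = urlparse(doc[key])
            if p.hostname not in browser_hosts:
                findings.append((key, doc[key], "not reachable from browser"))
            elif p.scheme != "https":
                findings.append((key, doc[key], "browser-facing endpoint over plain http"))
    for key in SERVER_FACING:
        if key in doc and urlparse(doc[key]).hostname not in pod_hosts:
            findings.append((key, doc[key], "not reachable from Kibana pod"))
    return findings


# Hostnames from the post: external ingress name vs. in-cluster service name.
INTERNAL_BASE = "http://keycloak.default.svc.cluster.local:8080/auth/realms/master"
EXTERNAL_BASE = "https://abc-xyz/auth/realms/master"
BROWSER_HOSTS = {"abc-xyz"}
POD_HOSTS = {"keycloak.default.svc.cluster.local"}

if __name__ == "__main__":
    for base in (INTERNAL_BASE, EXTERNAL_BASE):
        for finding in audit_discovery(sample_document(base), BROWSER_HOSTS, POD_HOSTS):
            print(*finding, sep="\t")
```

Run against the internal base it flags the two browser-facing endpoints; against the external base it flags the two back-channel endpoints, which is exactly the pair of failures described in the post.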