I deployed a Keycloak 11.x in a local test kubernetes cluster via Helm chart.
The keycloak pods/containers are available behind a service
dev-keycloak-http.dev-idp.svc.clusterdev.local
I can access the Admin UI using a kubectl port-forward to the service to a local port, e.g. 8088
http://localhost:8088/me-idp-01/auth
I can also retrieve a token.
ACCESS_TOKEN_ADMIN=`curl -d "client_id=admin-cli" -d "username=myuser" -d "password=mypassword" -d "grant_type=password" "http://localhost:8088/me-idp-01/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token"`
And create a user for a realm, e.g. tenant-01 I created before.
curl -H "Authorization: bearer $ACCESS_TOKEN_ADMIN" -H "Content-Type: application/json" -d '{"firstName":"Testy","lastName":"Testuser_01", "email":"[email protected]", "enabled":"true", "emailVerified":"true", "username":"testuser_01", "groups": ["tenant-admins"], "credentials":[{"type":"password","value":"testuser_01","temporary":false}]}' -X POST "http://localhost:8088/me-idp-01/auth/admin/realms/tenant-01/users"
BUT if I try this, using the kubernetes service url, I can retrieve a token
ACCESS_TOKEN_ADMIN=`curl -d "client_id=admin-cli" -d "username=myuser" -d "password=mypassword" -d "grant_type=password" "http://dev-keycloak-http.dev-idp.svc.clusterdev.local/me-idp-01/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token"`
(jwt.io reports that the signature is invalid)
and receive HTTP 401 if I try adding the user.
curl -H "Authorization: bearer $ACCESS_TOKEN_ADMIN" -H "Content-Type: application/json" -d '{"firstName":"Testy","lastName":"Testuser_01", "email":"[email protected]", "enabled":"true", "emailVerified":"true", "username":"testuser_01", "groups": ["tenant-admins"], "credentials":[{"type":"password","value":"testuser_01","temporary":false}]}' -X POST "http://dev-keycloak-http.dev-idp.svc.clusterdev.local/me-idp-01/auth/admin/realms/tenant-01/users"
Probably I have to configure the kubernetes service URL somewhere inside keycloak, because I expect that by default the token of client admin-cli is valid for localhost only, not for anything else like my kuebernetes service URL. But how and where? Would be ok if the admin-cli is usable from within the kubernetes cluster via the service URL only.