Conventions used below

- `<keep-host>` – public FQDN where users access Keep (e.g. keep.example.com)
- `<gitlab-host>` – URL of your GitLab instance (e.g. gitlab.example.com)
- `<registry-host>` – container registry that stores images (omit if you use the public images)
- Kubernetes namespace `keep` – feel free to change it everywhere if you prefer another namespace.
What | Why |
---|---|
Kubernetes cluster & `keep` namespace | Where Keep, oauth2‑proxy and Services live |
ingress‑nginx (or compatible) | Provides the `auth_request` feature oauth2‑proxy uses |
GitLab 15+ at `https://<gitlab-host>` | OpenID‑Connect issuer |
Helm 3.x & offline charts/images (optional) | If your cluster has no Internet egress |
GitLab OAuth application for oauth2‑proxy:

- Name: `keep‑sso`
- Redirect URI: `https://<keep-host>/oauth2/callback`
- Scopes: `openid profile email` (+ `read_api` if you plan to gate access by group/project)

oauth2‑proxy with a GitLab certificate your cluster does not trust: `ssl-insecure-skip-verify: "true"` under `extraArgs` (dev only; see the TLS row in the troubleshooting table).
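The oauth2‑proxy Helm values and the ingress‑nginx annotations that tie the pieces above together, as an added example rather than Keep's or oauth2‑proxy's own documentation. It assumes the oauth2-proxy/oauth2-proxy chart (its `extraArgs` map is rendered as command‑line flags), a Service named `oauth2-proxy` in the `keep` namespace on port 80, a Keep UI Service named `keep-frontend` on port 3000, and placeholder secret values.

```yaml
# oauth2-proxy Helm values (chart: oauth2-proxy/oauth2-proxy); assumed layout
config:
  clientID: "<gitlab-application-id>"           # from the keep-sso application in GitLab
  clientSecret: "<gitlab-application-secret>"   # placeholder
  cookieSecret: "<16-24-or-32-byte-cookie-secret>"  # placeholder; other lengths are rejected
extraArgs:
  provider: gitlab
  oidc-issuer-url: "https://<gitlab-host>"
  redirect-url: "https://<keep-host>/oauth2/callback"   # must match the GitLab application exactly
  scope: "openid profile email"
  email-domain: "*"                # any GitLab account; narrow with gitlab-group below
  cookie-secure: "true"
  reverse-proxy: "true"            # trust X-Forwarded-* set by ingress-nginx
  set-xauthrequest: "true"         # emit X-Auth-Request-* headers for auth_request
  provider-ca-file: /etc/ssl/certs/gitlab-ca.crt   # private CA; mount via extraVolumes/extraVolumeMounts
  # ssl-insecure-skip-verify: "true"   # dev-only alternative to provider-ca-file
  # gitlab-group: "my-team"            # optional; requires the read_api scope
---
# Ingress for the Keep UI, protected by ingress-nginx auth_request
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keep-ui
  namespace: keep
  annotations:
    # internal Service DNS, not the public host (see troubleshooting: 502)
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.keep.svc.cluster.local/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://<keep-host>/oauth2/start?rd=$escaped_request_uri"
    # forward identity headers to Keep (see troubleshooting: sign-in loop)
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
spec:
  ingressClassName: nginx
  tls:
  - hosts: ["<keep-host>"]
    secretName: keep-tls            # assumed TLS secret
  rules:
  - host: "<keep-host>"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keep-frontend     # assumed Keep UI Service
            port:
              number: 3000
```

Route `/oauth2/*` on `<keep-host>` to the `oauth2-proxy` Service with a second Ingress that carries none of the auth annotations; otherwise the callback itself is subjected to the `auth_request` check.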
Verify: open `https://<keep-host>` → redirect to GitLab → sign in → return to Keep. `/api/auth/session` returns 200.

Symptom | Common cause & remedy |
---|---|
TLS error `x509: certificate signed by unknown authority` | Mount your GitLab CA (`provider-ca-file`) or set `ssl-insecure-skip-verify=true` (dev only). |
Ingress logs `auth request unexpected status: 502` | `auth-url` is pointing at the external host – use the internal Service DNS (`http://oauth2-proxy.keep.svc.cluster.local`). |
Browser loops at `/signin?callbackUrl=…` | ① `set-xauthrequest` not enabled, or ② `auth-response-headers` not set, or ③ backend receives calls through oauth2‑proxy (`API_URL` wrong). |
Redirect to `0.0.0.0:3000` or pod name | `NEXTAUTH_URL` missing at build time; rebuild UI or override env. |
401 from `/oauth2/auth` even with cookie | Cookie expired / clocks out of sync. Clear cookie and re‑login. |