New to this and spend a day to figured out, perhaps this will help some of you.
1. Prepare your k8s template yaml.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /<CUSTOM_CONTEXT_PATH>/auth/
name: keycloak-ingress
spec:
rules:
- host: myhost.com
http:
paths:
- path: /<CUSTOM_CONTEXT_PATH>/auth/
backend:
serviceName: keycloak-service
servicePort: 9000
tls:
- hosts:
- myhost.com
secretName: keycl-secret
2. Update web-context in <KEYCLOAK_HOME>/standalone/configuration/standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode.
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
...
<web-context><CUSTOM_CONTEXT_PATH>/auth/</web-context>
<providers>
<provider>classpath:${jboss.home.dir}/providers/*</provider>
</providers>
...
</subsystem
3. Add proxy-address-forwarding under http-listerner in <KEYCLOAK_HOME>/standalone/configuration/standalone.xml, standalone-ha.xml, or domain.xml depending on your operating mode.
<subsystem xmlns="urn:jboss:domain:undertow:6.0">
...
<http-listener name="default" socket-binding="http"
proxy-address-forwarding="true"/>
...
</subsystem>
4. Update index.html in <KEYCLOAK_HOME>welcome-content/index.html
<head>
<meta http-equiv="refresh" content="0; url=/<CUSTOM_CONTEXT_PATH>/auth/" />
<meta name="robots" content="noindex, nofollow">
<script type="text/javascript">
window.location.href = "/<CUSTOM_CONTEXT_PATH>/auth/"
</script>
</head>
<body>
If you are not redirected automatically, follow this <a href='<CUSTOM_CONTEXT_PATH>/auth'>link</a>.
</body>
</html>
source: https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy