helm-charts
Regrouping issue about the last helm keycloakx chart release
Hello
As I ran into almost all the other issues reported here and worked around them, I wanted to regroup all of them in one issue with the fixes / things to change.
---------------------- Things to fix from the maintainer ---------------------------
@hansehe I am tagging you as this comes from your commit https://github.com/codecentric/helm-charts/commit/e1f5237dea3a16996fa6e7cf891fe97bd80c7261#diff-0d42a0bcf21efda1331b8bbd8b883ee80f6b5587a3e02d7820c187911174663cR106
- This line: https://github.com/codecentric/helm-charts/commit/e1f5237dea3a16996fa6e7cf891fe97bd80c7261#diff-0d42a0bcf21efda1331b8bbd8b883ee80f6b5587a3e02d7820c187911174663cR106 uses a value `Values.proxy.http.enabled` that is not documented. It needs to be changed to `Values.proxy.enabled` or be documented in the readme.
- `Values.proxy.mode` is now sent to `KC_PROXY_HEADERS` instead of `KC_PROXY`. This is the correct behavior, but the values are now forwarded or xforwarded and not edge, passthrough ... The default value needs to be changed and the doc adapted.
- With the latest version (maybe a bug in Keycloak directly, but it needs to be stated in the doc), if running behind an ingress proxy, the hostname option needs to be set with the https scheme; if not, the admin console will try to load https://my.keycloak.org/resources/master/admin/en over http instead of https.
---------------------- Steps to do from the user -------------------------------------
First, if you have issues installing keycloak 25.0, be sure to be on the latest helm repo (version 2.4.2):

```sh
helm repo update codecentric
```

See (https://github.com/codecentric/helm-charts/issues/775)
Then you need to:
- remove "--hostname-strict-https=false" and "--http-enabled=true" options
See https://github.com/codecentric/helm-charts/issues/778
Then add the hostname:
"--hostname=https://my.keycloak.org"
The full config I use (you can add --optimized or --verbose if wanted):
```yaml
command:
  - "/opt/keycloak/bin/kc.sh"
  - "start"
  - "--hostname=https://my.keycloak.org"
  - "--http-port=8080"
  - "--hostname-strict=false"
```
Finally change the proxy configuration like this:
```yaml
proxy:
  enabled: true
  http:
    enabled: true
  mode: "forwarded"
```
This issue has been marked as stale because it has been open for 30 days with no activity. It will be automatically closed in 10 days if no further activity occurs.
I really appreciated this update. It helped me get keycloak up and running on eks using an ingress/alb.
The catch for me was I needed to include /auth in the hostname before I was successful in accessing the administration console.
So my working config compared to above differed slightly.
```yaml
command:
  - "/opt/keycloak/bin/kc.sh"
  - "start"
  - "--hostname=https://my.keycloak.org/auth"
  - "--http-port=8080"
  - "--hostname-strict=false"
```
I suppose I'm posting in part to keep the issue from going from stale to closed, and in part to ask for clarity from people who are more experienced if my addition of the /auth to the hostname will be catastrophic in some way that I'm not noticing at this early stage of my migrating to keycloak.
Below I've included the output of /auth/realms/master/hostname-debug for both running @AMontagu's config above and my hacky /auth edit in case that clarifies things.
| URL | Value |
|---|---|
| Request | https://my.keycloak.org/auth/realms/master/hostname-debug |
| Frontend | https://my.keycloak.org [FAILED] |
| Backend | https://my.keycloak.org [FAILED] |
| Admin | https://my.keycloak.org [FAILED] |
| Server mode | production [start] |
| Realm | master |
| Hostname SPI implementation | V2 |
| hostname | https://my.keycloak.org |
| hostname-backchannel-dynamic | false |
| hostname-strict | true |
| proxy-headers | forwarded |
| http-enabled | true |
| http-relative-path | /auth |
| http-port | 8080 |
| https-port | 8443 |
| Host | my.keycloak.org |
| X-Forwarded-For | 111.111.111.111 (obfuscated ip) |
| X-Forwarded-Port | 443 |
| X-Forwarded-Proto | https |

| URL | Value |
|---|---|
| Request | https://my.keycloak.org/auth/realms/master/hostname-debug |
| Frontend | https://my.keycloak.org/auth [OK] |
| Backend | https://my.keycloak.org/auth [OK] |
| Admin | https://my.keycloak.org/auth [OK] |
| -- | -- |
| Server mode | production [start] |
| Realm | master |
| Hostname SPI implementation | V2 |
| -- | -- |
| hostname | https://my.keycloak.org/auth |
| hostname-backchannel-dynamic | false |
| hostname-strict | true |
| proxy-headers | forwarded |
| http-enabled | true |
| http-relative-path | /auth |
| http-port | 8080 |
| https-port | 8443 |
| -- | -- |
| Host | my.keycloak.org |
| X-Forwarded-For | 111.111.111.111 (obfuscated ip) |
| X-Forwarded-Port | 443 |
| X-Forwarded-Proto | https |
@kylebisley You are using ENV KC_HTTP_RELATIVE_PATH=/auth. That's okay; it allows keeping backward compatibility with older Keycloak versions. But if you don't need it and you remove it, then it will work without the /auth in the hostname.
My hero @AMontagu. Sorry for hopping on your regroup issue with such a rookie question. I had missed that I needed to override the defaults.
For future readers I added

```yaml
http:
  relativePath: '/'
```

to my values file configuration and now it's working for me.
hostname-debug after making the change
| URL | Value |
|---|---|
| Request | https://my.keycloak.org/realms/master/hostname-debug |
| Frontend | https://my.keycloak.org [OK] |
| Backend | https://my.keycloak.org [OK] |
| Admin | https://my.keycloak.org [OK] |
| Server mode | production [start] |
| Realm | master |
| Hostname SPI implementation | V2 |
| hostname | https://my.keycloak.org |
| hostname-backchannel-dynamic | false |
| hostname-strict | true |
| proxy-headers | forwarded |
| http-enabled | true |
| http-relative-path | / |
| http-port | 8080 |
| https-port | 8443 |
| Host | my.keycloak.org |
| X-Forwarded-For | 111.111.111.111 |
| X-Forwarded-Port | 443 |
| X-Forwarded-Proto | https |

| URL | Value |
|---|---|
| Request | https://my.keycloak.org/realms/master/hostname-debug |
| Frontend | https://my.keycloak.org/auth [FAILED] |
| Backend | https://my.keycloak.org/auth [FAILED] |
| Admin | https://my.keycloak.org/auth [FAILED] |
| Runtime | Value |
| Server mode | production [start] |
| Realm | master |
| Hostname SPI implementation | V2 |
| Configuration property | Value |
| hostname | https://my.keycloak.org/auth |
| hostname-backchannel-dynamic | false |
| hostname-strict | true |
| proxy-headers | forwarded |
| http-enabled | true |
| http-relative-path | / |
| http-port | 8080 |
| https-port | 8443 |
| Header | Value |
| Host | my.keycloak.org |
| X-Forwarded-For | 111.111.111.111 |
| X-Forwarded-Port | 443 |
| X-Forwarded-Proto | https |
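
Added example (not part of the thread, and not Keycloak's or the chart's own code): a small pre-deploy lint that reproduces the pattern visible in the four hostname-debug outputs above, where the result is OK only when the path in `--hostname` equals `http-relative-path`, together with the flag and proxy-mode changes listed in the first post. The names `lint`, `kc_command` and `THREAD_CASES` are hypothetical, and the path rule is inferred from the outputs in this thread.

```python
from urllib.parse import urlsplit

# Values the first post names as valid for KC_PROXY_HEADERS.
VALID_PROXY_HEADERS = {"forwarded", "xforwarded"}
# Options the first post says to remove from the kc.sh command.
REMOVED_FLAGS = ("--hostname-strict-https", "--http-enabled=true")

def _norm(path):
    """Treat '', '/' and trailing slashes as the same path."""
    return "/" + path.strip("/")

def kc_command(hostname):
    """Build the kc.sh command list used in this thread for a given hostname."""
    return ["/opt/keycloak/bin/kc.sh", "start", f"--hostname={hostname}",
            "--http-port=8080", "--hostname-strict=false"]

def lint(command, relative_path="/", proxy_mode="forwarded"):
    """Return findings for a kc.sh command run behind a TLS-terminating ingress."""
    findings = [f"remove {a}" for a in command if a.startswith(REMOVED_FLAGS)]
    opts = dict(a.split("=", 1) for a in command if a.startswith("--") and "=" in a)
    hostname = opts.get("--hostname")
    if hostname is None:
        findings.append("--hostname is not set")
    else:
        url = urlsplit(hostname)
        if url.scheme != "https":
            findings.append("--hostname must be a full https:// URL")
        elif _norm(url.path) != _norm(relative_path):
            findings.append(f"--hostname path {_norm(url.path)} does not match "
                            f"http-relative-path {_norm(relative_path)}")
    if proxy_mode not in VALID_PROXY_HEADERS:
        findings.append(f"proxy.mode {proxy_mode!r} is not a KC_PROXY_HEADERS value")
    return findings

# (hostname, http-relative-path, result shown) from the four tables above.
THREAD_CASES = [
    ("https://my.keycloak.org", "/auth", "FAILED"),
    ("https://my.keycloak.org/auth", "/auth", "OK"),
    ("https://my.keycloak.org", "/", "OK"),
    ("https://my.keycloak.org/auth", "/", "FAILED"),
]

if __name__ == "__main__":
    for hostname, rel, shown in THREAD_CASES:
        result = lint(kc_command(hostname), relative_path=rel)
        print(f"{hostname} rel={rel} thread={shown} lint={result or 'clean'}")
```
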