
[bitnami/keycloak] Getting a redirect loop on the admin panel url

Open MurzNN opened this issue 1 year ago • 12 comments

Name and Version

bitnami/keycloak 17.3.6

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Deploy a bitnami/keycloak helm chart with Ingress enabled using these values:
ingress:
  enabled: true
  hostname: keycloak.mydomain.com
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
  tls: true
  2. Open the web UI URL: https://keycloak.mydomain.com/ - it will open correctly.
  3. Click on the "Administration Console" link - it will lead from the https to the http URL (http://keycloak.mydomain.com/admin/master/console/).
  4. Get the redirect loop error to http and back to https in the browser.
  5. Try to open it manually with https by URL https://keycloak.mydomain.com/admin/master/console/. See the infinite spinner on the webpage "Loading the Admin UI" and errors in the Console:
Content-Security-Policy: The page’s settings blocked the loading of a resource at http://keycloak.mydomain.com/realms/master/protocol/openid-connect/3p-cookies/step1.html (“frame-src”).

Are you using any custom parameters or values?

ingress:
  enabled: true
  hostname: keycloak.mydomain.com
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
  tls: true

What is the expected behavior?

All should work well by default.

What do you see instead?

A redirect loop or a Content-Security-Policy error.

Additional information

No response

MurzNN avatar Dec 20 '23 06:12 MurzNN

I already tried to workaround this issue via these values:

extraEnvVars:
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
    - name: KEYCLOAK_EXTRA_ARGS
      value: "-Dkeycloak.frontendUrl=https://keycloak.mydomain.com/"

But this doesn't help.

MurzNN avatar Dec 20 '23 06:12 MurzNN

@MurzNN did you find any workaround?

Guite avatar Jan 03 '24 09:01 Guite

My workaround is to run it in production mode and enable https explicitly via

production: true
proxy: reencrypt
extraEnvVars:
  - name: PROXY_ADDRESS_FORWARDING
    value: 'true'
  - name: KEYCLOAK_ENABLE_HTTPS
    value: 'true'

But it's better to make the chart work well with non-production mode too.

MurzNN avatar Jan 03 '24 09:01 MurzNN

Thanks, this brought me on the right track. Due to this change I had to define the proxy configuration setting.

Guite avatar Jan 03 '24 10:01 Guite

Hi @MurzNN,

I attempted to replicate the error you encountered, but was unsuccessful. Could you please provide the complete set of parameters you are using?

Thank you.

fevisera avatar Jan 17 '24 11:01 fevisera

Can confirm just trying to deploy chart with tls via the ingress yields the same issue as the original issue post.

danielloader avatar Jan 30 '24 13:01 danielloader

Are you using the latest chart version?

I ran the current version (18.3.4) locally and the "Administration Console" links to a "https" link and no error is found in the logs:

$ kubectl logs keycloak-0 | grep "Content-Security-Policy"
$ 

fevisera avatar Feb 05 '24 09:02 fevisera

Hi @fevisera

I have the same issue. I re-tested with your last chart version 18.3.4 and the issue is still present.

My values to reproduce:

auth:
  adminPassword: password
ingress:
  enabled: true
  hostname: xyz-keycloak.local.xyz.internal
  tls: true
  selfSigned: true
tls:
  enabled: true
  autoGenerated: true

logging:
  level: INFO
postgresql:
  primary:
    persistence:
      enabled: false
  1. After deploy, go to https://xyz-keycloak.local.xyz.internal/
  2. (Accept certificate exception)
  3. Click on the Administration Console link
  4. ... in the Network console tab, you can find an infinite redirect loop between http and https

The workaround proposed by https://github.com/bitnami/charts/issues/21661#issuecomment-1875077358 works fine. Only proxy: reencrypt is necessary:

auth:
  adminPassword: password
ingress:
  enabled: true
  hostname: xyz-keycloak.local.xyz.internal
  tls: true
  selfSigned: true
tls:
  enabled: true
  autoGenerated: true

logging:
  level: INFO
postgresql:
  primary:
    persistence:
      enabled: false

proxy: reencrypt

Vinss26 avatar Feb 05 '24 13:02 Vinss26

Hi @Vinss26,

Sorry, but I'm still unable to reproduce the error. Here's the configuration I'm using:

auth:
  adminPassword: password
ingress:
  enabled: true
  hostname: keycloak.local
  tls: true
  selfSigned: true
tls:
  enabled: true
  autoGenerated: true

logging:
  level: INFO
postgresql:
  primary:
    persistence:
      enabled: false

When accessing the hostname, I notice the "https" link for the "Administration Console" in the lower-left corner.

Which K8s cluster are you using? Does the issue persist if you execute the following:

export HTTP_SERVICE_PORT=$(kubectl get --namespace keycloak -o jsonpath="{.spec.ports[?(@.name=='https')].port}" services keycloak)
kubectl port-forward --namespace keycloak svc/keycloak ${HTTP_SERVICE_PORT}:${HTTP_SERVICE_PORT}

And then access through https://localhost?

Please, let me know if there is anything I might be overlooking.

Thank you.

fevisera avatar Feb 08 '24 09:02 fevisera

It is easily reproducible in a default install if you add an ingress in front of the KeyCloak service or enable the built-in Ingress. Just use helm install my-release oci://registry-1.docker.io/bitnamicharts/keycloak and then add an https ingress with your own domain. I've bisected chart versions, and it started with chart version 16.0.0/KeyCloak 22.0.1. The reason behind this: https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-22-0-0

Keycloak’s proxy configuration setting for mode passthrough no longer parses HTTP forwarding headers in the request, as when a proxy forwards an HTTPS connection in passthrough mode, a proxy is unable to add, remove or update HTTP headers.

Installations that want the HTTP headers in the client’s request to be parsed should use the edge or reencrypt setting.

See [Using a reverse proxy](https://www.keycloak.org/server/reverseproxy) for details.

Adding --set proxy=edge to the install command fixes the issue. I see that it is mentioned in the README:

If your ingress controller has the SSL Termination, you should set proxy to edge.

But it looks like this needs to be emphasized more, maybe even change the default to edge.

ValeriiVozniuk avatar Feb 14 '24 11:02 ValeriiVozniuk
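A pre-deploy check for the misconfiguration bisected above, written as an added example for this thread and not part of the chart or of Keycloak: it flags chart values (version 16.0.0 or later) that enable a TLS ingress while the proxy mode is not edge or reencrypt, and suggests the mode that matches the thread's two working configurations. The passthrough default, the helper names and the sample values dicts are assumptions constructed for the example.

```python
from typing import Any

# Chart 16.0.0 bundles Keycloak 22, where proxy=passthrough stopped parsing
# X-Forwarded-* headers; the thread bisected the regression to that version.
FIRST_AFFECTED_CHART = (16, 0, 0)
HEADER_PARSING_MODES = {"edge", "reencrypt"}


def get_path(values: dict, dotted: str, default: Any = None) -> Any:
    """Look up a nested values key such as 'ingress.tls'."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_proxy_mode(values: dict, chart_version: str) -> list[str]:
    """Return findings for a TLS ingress paired with a proxy mode that ignores forwarded headers."""
    version = tuple(int(x) for x in chart_version.split("."))
    tls_ingress = bool(get_path(values, "ingress.enabled")) and bool(get_path(values, "ingress.tls"))
    proxy = get_path(values, "proxy", "passthrough")  # assumption: chart default is passthrough
    findings: list[str] = []
    if tls_ingress and version >= FIRST_AFFECTED_CHART and proxy not in HEADER_PARSING_MODES:
        # reencrypt when the pod itself serves TLS (tls.enabled), edge when it serves plain HTTP
        wanted = "reencrypt" if get_path(values, "tls.enabled") else "edge"
        findings.append(
            f"proxy={proxy!r} on chart {chart_version} behind a TLS ingress: Keycloak >= 22 will "
            f"ignore X-Forwarded-Proto and emit http:// redirects (admin console loop); set proxy: {wanted}"
        )
    return findings


# Constructed values mirroring the reporter's configuration (no proxy key set).
REPORTER_VALUES = {
    "ingress": {"enabled": True, "hostname": "keycloak.mydomain.com", "tls": True},
}
# Constructed values mirroring the working reencrypt configuration from the thread.
REENCRYPT_VALUES = {
    "ingress": {"enabled": True, "hostname": "xyz-keycloak.local.xyz.internal", "tls": True},
    "tls": {"enabled": True, "autoGenerated": True},
    "proxy": "reencrypt",
}

if __name__ == "__main__":
    for name, vals, ver in [("reporter", REPORTER_VALUES, "17.3.6"), ("reencrypt", REENCRYPT_VALUES, "18.3.4")]:
        print(name, check_proxy_mode(vals, ver) or ["ok"])
```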

If you want full install command, here is an example:

helm install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak \
--set ingress.enabled=true \
--set ingress.hostname=keycloak.test.com \
--set ingress.ingressClassName=nginx \
--set ingress.tls=true \
--set ingress.extraTls[0].hosts[0]=keycloak.test.com \
--set ingress.extraTls[0].secretName=test.com

ValeriiVozniuk avatar Feb 14 '24 12:02 ValeriiVozniuk

Thank you @ValeriiVozniuk for providing more details on this. As you pointed out, the issue lies not with the chart itself, but rather with the new method by which Keycloak handles the 'passthrough' value.

The allowed values are described in detail at https://www.keycloak.org/server/reverseproxy#_proxy_modes. It appears that using the 'edge' and 'reencrypt' proxy values may resolve these issues, although they must still be configured for each specific use case.

Please feel free to submit a PR if you believe there is a way to improve the readability of the README on this information.

Thank you!

fevisera avatar Feb 19 '24 11:02 fevisera

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Mar 06 '24 01:03 github-actions[bot]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

github-actions[bot] avatar Mar 11 '24 01:03 github-actions[bot]