Charts: Keycloak Chart having Ingress issues?

Created on 8 Mar 2018  ·  15 Comments  ·  Source: helm/charts

Is this a request for help?:

No

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

BUG REPORT

Version of Helm and Kubernetes:

K8 1.9 and helm 2.8.0

Which chart:

incubator/keycloak

What happened:

Created Ingress, but only produces "404 - Not Found". It isn't the Normal backend 404, so it's configuring to the /keycloak URL I set, but only 404. If I create a NodePort and hit directly, it comes up fine. Other services using the ingress controller are working fine under several other urls.

What you expected to happen:

Keycloak UI to display on the browser.

How to reproduce it (as minimally and precisely as possible):

helm install --name keycloak -f ./keycloak.values.yaml incubator/keycloak

keycloak:
  image:
    tag: 3.4.1.Final
  username: ""
  password: ""
  replicas: 3
  service:
    type: "NodePort"
  podAntiAffinity: "hard"
  ingress:
    enabled: true
    path: "/keycloak"
    hosts: []
rbac:
  create: true
serviceAccount:
  create: true
  name: "keycloak"
postgresql:
  postgresPassword: ""

Anything else we need to know:

No


All 15 comments

Why did you set the ingress path to /keycloak? This probably won't work. Leave it at the default, which is /.

/assign

Then why even have the option? It's a proxy server. I don't want it to root at the proxy server.

To test though, we created a CNAME host to the ingress separate from the rest of the ingress services. But it still barfs at:

WE'RE SORRY ...
Invalid parameter: redirect_uri

FYI it does work through a NodePort

The chart uses the standard Keycloak Docker image which runs Keycloak at /. You can change this using JBoss CLI. You would then also have to adapt the ingress path. Otherwise leave it at the default. I just tested it successfully with an Nginx ingress controller on a GKE cluster. Works as expected.

Still getting:

WE'RE SORRY ...
Invalid parameter: redirect_uri

Fresh deploy with ingress set to true and a hostname.

I found the issue. Your deploy has one scenario it doesn't seem to handle well. I have ingress at port 80, and instead terminate SSL at port 443 on my HAProxy server. Because port 80 is not open on the LB, it is having a fit about the HAProxy redirection. After adding the HTTPS URI as a valid URL, it now seems to work, but it took opening a port 80 on my LB to even get to the admin console and make the change in the UI. Is there any way to handle this or am I missing something? Thanks

I'm not sure I fully understand your issue.

The ingress server only operates on a non-SSL port in this configuration. The HAProxy LB is where the SSL terminates. Keycloak, during the install, is given the http:// as an authorization, but the https:// is not. So it gives that "Invalid Parameter" response... Anyways. Thanks.

Anyways, I found a way around it. Thanks...

I am seeing the exact same error with a very simple, non-replicated configuration using the most recent (4.0.0) chart. The same configuration using the previous (3.4.0) version of the chart works just fine. I'll log a fresh issue with the reproduction info (a simple description of which is in #8355).

@joshskains I have the same issue you had (using AWS NLB as the Load Balancer, to an nginx ingress-controller that handles tls termination for me). I have deployed keycloak temporarily with http (removed tls.hosts in my values yml for keycloak) to work around the issue. But I cannot figure out where to add https:// as an authorization in the UI as you mention above on Mar 12. Can you enlighten me on that?

Also, it seems to me that this type of setup would be fairly common on Kubernetes so perhaps should be handled better, if at all possible, by this chart and perhaps this issue should be reopened for it.

(Note I'm running keycloak 4.5.0.Final with chart 4.0.1)

For future travelers: the solution to this (from #8355) is to set:

keycloak:
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true" 

In your values.yaml
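
Added example (not part of the thread and not Keycloak's code): a simplified Python model of the mismatch discussed above, where TLS ends at the load balancer, the pod sees plain HTTP, and a relative redirect pattern resolves to http:// while the browser sends an https:// redirect_uri. The hostname, the registered pattern and the X-Forwarded-* header names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: relative redirect pattern registered for a client.
# Hostname and path are illustrative, not taken from the thread.
REGISTERED_PATTERN = "/auth/admin/master/console/*"


def effective_base_url(headers, transport_scheme, proxy_address_forwarding):
    """Return the scheme://host the backend believes the user reached it on."""
    scheme = transport_scheme
    host = headers["Host"]
    if proxy_address_forwarding:
        # Trust the proxy's headers only when the backend is reachable
        # solely through that proxy; otherwise a client can forge them.
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}"


def redirect_uri_allowed(redirect_uri, base_url, pattern=REGISTERED_PATTERN):
    """Resolve a relative pattern against base_url, then match scheme, host, path."""
    want = urlsplit(base_url + pattern.rstrip("*"))
    got = urlsplit(redirect_uri)
    return (
        got.scheme == want.scheme
        and got.netloc == want.netloc
        and got.path.startswith(want.path)
    )


def check_login(redirect_uri, headers, proxy_address_forwarding):
    # TLS ended at the load balancer, so the hop into the pod is plain HTTP.
    base = effective_base_url(headers, "http", proxy_address_forwarding)
    return "ok" if redirect_uri_allowed(redirect_uri, base) else "Invalid parameter: redirect_uri"


# Constructed request as it arrives at the pod after TLS termination.
SAMPLE_HEADERS = {
    "Host": "sso.example.test",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "sso.example.test",
}
SAMPLE_REDIRECT = "https://sso.example.test/auth/admin/master/console/"

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_login(SAMPLE_REDIRECT, SAMPLE_HEADERS, flag))
```

With forwarding off, the forwarded headers are ignored and only an http:// redirect_uri matches, which is why the thread's workarounds involved plain HTTP access.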

Is it possible to change the ingress path to /keycloak?
Anyone know the NginX ingress annotations and keycloak env/settings I need to use to achieve this?
