Is this a request for help?:
Yes!
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT
Version of Helm and Kubernetes:
Helm: 2.10.0
Kubernetes: 1.8.6
Which chart:
stable/keycloak
What happened:
I'm unable to use the admin console behind an ingress. The admin console tries to call a token endpoint via HTTP and my browser (Chrome) rejects that content ("mixed content" error), because I access the admin console through HTTPS. Using kubectl port-forward, I can access the admin console via HTTP and it works as expected.
What you expected to happen:
Keycloak serving all content through HTTPS
How to reproduce it (as minimally and precisely as possible):
I am setting up Keycloak with the ingress enabled. Everything sets up correctly, I can access the admin console via my external (https-enabled) URL. However, once I log in using the admin credentials, keycloak.js tries to get a token using an HTTP URL. Calling https://keycloak.mydomain.com/auth/realms/master/.well-known/openid-configuration also only shows HTTP URLs. I believe the problem is that my traffic is encrypted from my browser to the ingress, but not from the ingress to the container. I had to set the Require SSL setting for my realm to none in order to be able to log in in the first place.
values.yml
```yaml
keycloak:
  image:
    tag: 4.3.0.Final
  extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
    path: ""
    hosts:
      - keycloak.mydomain.com
  service:
    type: LoadBalancer
```
Anything else we need to know:
The official Keycloak Docker image exposes an HTTPS port 8443 and supports an environment variable PROXY_ADDRESS_FORWARDING for use cases like this, but the helm chart's pod only exposes the HTTP port 8080.
I solved my problem (see StackOverflow). Regardless, I think it would be great if the helm chart would allow access to the container's exposed 8443 port. It would also be great to extend the README with instructions on how to set it up behind load balancers.
Would you mind creating a PR for this?
I had the same or a similar problem, but I suspect a different reason.
The current chart with the official image 4.5.0.Final does not work behind a proxy for me, but older versions did work (in my setup).
I managed to get the new combination to work again by explicitly setting the configuration file, i.e. passing -c standalone.xml as part of my extraArgs.
The official Docker image changed the default configuration file to standalone-ha.xml here and I think this chart assumes the default to be standalone.xml, e.g. here and here, and the standalone-ha.xml does not seem to work with the keycloak.cli file generated under this assumption.
Is this correct?
Wow @mborst, thank you, it works with no HA. I'm using exactly the same values with the only exception
```yaml
extraArgs: "-c standalone.xml"
```
and now https://.... produces no redirect_url error when logging into the admin section on a brand new instance of Keycloak.
So the question is: what is so different between standalone.xml and standalone-ha.xml that prevents the reverse proxy from functioning properly? And we should probably add an HTTPS ingress test that actually attempts a login?
I think it's not the difference between those files in itself, it's that the helm chart operates under the assumption that the default is standalone.xml and only makes the changes necessary for HA, i.e. standalone-ha.xml, when you set the number of replicas to > 1, while the Docker image from jboss uses the standalone-ha.xml by default, i.e. when you don't pass in a configuration file.
But the difference between those files is probably still a factor, e.g.
```xml
...
<socket-binding name="proxy-https" port="443"/>
...
```
is contained in the non-HA file, but not the other. But since there is quite some stuff going wrong beforehand, I don't want to guess.
I had the same issue. If you look at https://yourdomain.com/auth/realms/master/, you will see:
```json
"token-service": "http://yourdomain.com/auth/realms/master/protocol/openid-connect",
"account-service": "http://yourdomain.com/auth/realms/master/account",
```
All addresses above are returned in http instead of https and for that reason you get the redirect_url error.
In brief: enable proxy address forwarding by adding the PROXY_ADDRESS_FORWARDING environment variable in your deployment file or helm chart values.
Look at the following sample deployment file:
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: keycloak
  namespace: micro-services
  labels:
    app: keycloak
spec:
  replicas: 5
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          env:
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          image: jboss/keycloak:4.5.0.Final
          ports:
            - name: http
              containerPort: 8080
```
If you are using docker you can enable it by running:
```shell
docker run -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak
```
Where are you terminating your TLS connection? I am not sure the proposed solution would solve my problem after looking at the usage of PROXY_ADDRESS_FORWARDING here.
At least the helm chart does something different for enabling reverse proxy, see here.
In any way, I still think the current chart and the docker image for 4.5.0.Final are operating with different assumptions.
> Where are you terminating your TLS connection? I am not sure the proposed solution would solve my problem after looking at the usage of PROXY_ADDRESS_FORWARDING here.
> At least the helm chart does something different for enabling reverse proxy, see here.
> In any way, I still think the current chart and the docker image for 4.5.0.Final are operating with different assumptions.
I am using ingress for SSL termination
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: micro-services-ingress
  namespace: micro-services
spec:
  tls:
```
Also solved this by adding the environment variable PROXY_ADDRESS_FORWARDING to the StatefulSet but wish that the chart did this automatically when using Ingress or that there was a setting in the values file for it.
extraArgs: "-c standalone.xml"
cli.reverseProxy to set the corresponding xml.
https -> LB -http-> nginx ingress controller -http-> keycloak
x-forwarded-port is used by keycloak in this setup, but there is an issue in the nginx ingress controller:
https://github.com/kubernetes/ingress-nginx/issues/3192
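As an added illustration (not code from this thread, the chart or Keycloak), the Python below models why the realm document quoted earlier advertises http:// URLs when TLS is terminated at the ingress: without proxy address forwarding the backend builds links from its own plain-HTTP listener, with it the X-Forwarded-* headers take over, and a wrong X-Forwarded-Port (the ingress-nginx problem mentioned in the last comment) leaks straight into the links. The header logic is a simplified assumption, not Undertow's exact implementation; hostnames and the sample document are constructed.

```python
"""Added example (not from the thread or the chart): model how a TLS-terminating
proxy changes the base URL a backend advertises, and flag non-HTTPS endpoints in
a Keycloak realm document. The X-Forwarded-* logic is a simplified assumption."""
import json
from urllib.parse import urlsplit


def advertised_base(headers, proxy_address_forwarding, listener_scheme="http"):
    """Base URL the backend would use when generating links.

    Forwarding off: scheme from the backend's own listener (plain HTTP in the
    chart), host/port from the Host header, so links come out as http://...
    Forwarding on: X-Forwarded-Proto/Host/Port sent by the proxy take over.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = listener_scheme
    hostname, _, port = h.get("host", "localhost").partition(":")
    if proxy_address_forwarding:
        scheme = h.get("x-forwarded-proto", scheme)
        if "x-forwarded-host" in h:
            hostname, _, port = h["x-forwarded-host"].partition(":")
        port = h.get("x-forwarded-port", port)  # a wrong value leaks into links
    default = "443" if scheme == "https" else "80"
    port = port or default
    return f"{scheme}://{hostname}" + ("" if port == default else f":{port}")


def insecure_endpoints(realm_json, public_scheme="https"):
    """Keys whose URL scheme differs from the scheme the browser used; these
    produce the mixed-content and redirect_uri errors described in the thread."""
    doc = json.loads(realm_json)
    return sorted(
        key for key, val in doc.items()
        if isinstance(val, str)
        and urlsplit(val).scheme in ("http", "https")
        and urlsplit(val).scheme != public_scheme
    )


# Constructed sample of /auth/realms/master/ output with forwarding disabled.
SAMPLE_REALM = json.dumps({
    "realm": "master",
    "token-service": "http://keycloak.mydomain.com/auth/realms/master/protocol/openid-connect",
    "account-service": "http://keycloak.mydomain.com/auth/realms/master/account",
})
# Constructed headers as a TLS-terminating ingress would forward them.
FORWARDED = {"Host": "keycloak.mydomain.com", "X-Forwarded-Proto": "https",
             "X-Forwarded-Port": "443"}
```

Running `insecure_endpoints` against a live realm document is a cheap post-deployment check that the proxy headers are actually being honoured before users hit the admin console.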