bitnami / charts

Bitnami Helm Charts
https://bitnami.com

Setting keycloak proxy headers is broken #29533

Closed matthijswolters-rl closed 2 months ago

matthijswolters-rl commented 2 months ago

Name and Version

bitnami/keycloak 21.4.1

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Using a reverse proxy that sets the X-Forwarded-* headers (Traefik in our case)
  2. Set proxyHeaders to xforwarded
  3. Notice that the header is not respected

Are you using any custom parameters or values?

ingress.enable: false because we use a custom ingress route for Traefik

What is the expected behavior?

The expected behaviour is that keycloak logs the client IP address by reading the X-Forwarded-For header set by our reverse proxy.

What do you see instead?

When setting proxyHeaders: xforwarded in values.yaml, keycloak continues to log the internal IP of our reverse-proxy.

Additional information

I have dived into the chart and I have found the issue. The env var set here: https://github.com/bitnami/charts/blob/ea6a6a963f9c8a01fc9425301263560b69b79c6d/bitnami/keycloak/templates/configmap-env-vars.yaml#L20 should be called KC_PROXY_HEADERS, not KEYCLOAK_PROXY_HEADERS. If I manually set this env var, then the header is respected in the keycloak logs. Unless something has changed between keycloak v24.0.5 (chart v21.4.1) and keycloak v25 (chart v on main) then you can ignore and close this issue.

carrodher commented 2 months ago

Thank you for bringing this issue to our attention. We appreciate your involvement! If you're interested in contributing a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.

Kajot-dev commented 2 months ago

@carrodher Hi, author of this implementation here. The KEYCLOAK_* prefix is intended and used by the scripts inside the container. For more detailed info, see: https://github.com/bitnami/charts/pull/29573#issuecomment-2368979401

@matthijswolters-rl Can you please ssh into a container and check if keycloak.conf has the proxy-headers config field?

TL;DR: The current flow is that the KEYCLOAK_* variable is translated into the proxy-headers property in the keycloak config file.

matthijswolters-rl commented 2 months ago

Hey @Kajot-dev, thanks for your in-depth reply. After reading through your PRs, I can see that the intended method is indeed to set KEYCLOAK_* and pass that through scripts to the container. My confusion stemmed from the fact that the underlying env var is so close in name, and when I set it explicitly it did work. I now see that the version of keycloak that I was deploying did not yet contain your fixes, but I was reading a newer version of the docs. Having now deployed a newer version of keycloak and validated that it works, I will close my issue and my PR.

Thanks again!
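
The check requested in this thread can be scripted. The following is an added example, not code from the chart, the container image or any commenter: it reports whether KEYCLOAK_PROXY_HEADERS was actually translated into a proxy-headers line in keycloak.conf, which is the failure the reporter hit with an older image. The function names are hypothetical, the path to keycloak.conf is passed in by the caller, and the script assumes a KC_PROXY_HEADERS environment variable takes precedence over the file.

```shell
#!/bin/sh
# Added example: which source decides Keycloak's proxy-headers setting?
# Function names are hypothetical; the conf path is supplied by the caller.
# Assumption: KC_* environment variables take precedence over keycloak.conf.

# conf_value FILE KEY: print the last uncommented "KEY = value" value, if any.
conf_value() {
  [ -r "$1" ] || return 0
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_proxy_headers CONF_FILE
# Reads KEYCLOAK_PROXY_HEADERS (chart) and KC_PROXY_HEADERS (Keycloak) from env.
check_proxy_headers() {
  conf_val=$(conf_value "$1" proxy-headers)
  chart_val=${KEYCLOAK_PROXY_HEADERS:-}
  kc_val=${KC_PROXY_HEADERS:-}
  if [ -n "$kc_val" ]; then
    # Set directly, as in the reporter's manual workaround.
    echo "OK env:KC_PROXY_HEADERS=$kc_val"
  elif [ -n "$conf_val" ]; then
    if [ -n "$chart_val" ] && [ "$chart_val" != "$conf_val" ]; then
      echo "MISMATCH conf=$conf_val chart=$chart_val"
    else
      echo "OK conf:proxy-headers=$conf_val"
    fi
  elif [ -n "$chart_val" ]; then
    # Chart variable present but the image scripts never wrote the property:
    # Keycloak will keep logging the reverse proxy's address.
    echo "NOT_TRANSLATED KEYCLOAK_PROXY_HEADERS=$chart_val"
  else
    echo "UNSET"
  fi
}

# Constructed demo input: chart variable set, no proxy-headers line in the conf.
(
  demo=$(mktemp)
  printf '%s\n' 'hostname-strict = false' > "$demo"
  unset KC_PROXY_HEADERS
  KEYCLOAK_PROXY_HEADERS=xforwarded
  check_proxy_headers "$demo"
  rm -f "$demo"
)
```

Inside the container, call check_proxy_headers with the path to the keycloak.conf the image generates; a NOT_TRANSLATED result means the running image predates the translation scripts discussed above.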