Open masalinas opened 6 days ago
Hi!
Did you check this issue? It also mentions mixed content issues: https://github.com/bitnami/charts/issues/6940
Also make sure to check the latest changes in keycloak 26 https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-0-0
Some points about my use case to clarify:
1) I deploy Keycloak using the Bitnami Helm Chart in minikube in development mode, without TLS, configuring only these particular values. One important point: remote access to the cluster is through my domain using TLS (this last point is very important to understand my use case).
These are the only variables I define in the chart to deploy Keycloak in my cluster:
```yaml
auth:
  adminUser: <ADMIN>
  adminPassword: <PASSWORD>
proxyHeaders: "xforwarded"
```
The list with all env variables generated by the chart is this one. Maybe it can help someone:
```text
KUBERNETES_SERVICE_PORT_HTTPS=443
AVIB_KEYCLOAK_SERVICE_PORT_HTTP=80
KUBERNETES_SERVICE_PORT=443
KEYCLOAK_ADMIN_PASSWORD=password
NGINX_PORT_80_TCP_PROTO=tcp
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP_ADDR=10.102.174.38
HOSTNAME=avib-keycloak-0
JAVA_HOME=/opt/bitnami/java
KEYCLOAK_DATABASE_HOST=avib-keycloak-postgresql
KC_SPI_ADMIN_REALM=master
NGINX_PORT_80_TCP=tcp://10.108.145.177:80
PWD=/
KEYCLOAK_ENABLE_STATISTICS=false
OS_FLAVOUR=debian-12
AVIB_KEYCLOAK_PORT_80_TCP_PORT=80
JAVA_OPTS_APPEND=-Djgroups.dns.query=avib-keycloak-headless.default.svc.cluster.local
KEYCLOAK_CACHE_STACK=kubernetes
HOME=/
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
AVIB_KEYCLOAK_POSTGRESQL_SERVICE_HOST=10.102.174.38
AVIB_KEYCLOAK_PORT_80_TCP=tcp://10.96.227.241:80
KUBERNETES_NAMESPACE=default
KEYCLOAK_PROXY_HEADERS=xforwarded
NGINX_PORT_80_TCP_ADDR=10.108.145.177
AVIB_KEYCLOAK_SERVICE_HOST=10.96.227.241
KEYCLOAK_ADMIN=admin
BITNAMI_DEBUG=false
NGINX_SERVICE_PORT=80
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP_PROTO=tcp
NGINX_PORT_80_TCP_PORT=80
AVIB_KEYCLOAK_PORT=tcp://10.96.227.241:80
KEYCLOAK_LOG_OUTPUT=default
NGINX_SERVICE_HOST=10.108.145.177
AVIB_KEYCLOAK_SERVICE_PORT=80
TERM=xterm
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP_PORT=5432
SHLVL=1
AVIB_KEYCLOAK_POSTGRESQL_SERVICE_PORT_TCP_POSTGRESQL=5432
KUBERNETES_PORT_443_TCP_PROTO=tcp
AVIB_KEYCLOAK_PORT_80_TCP_ADDR=10.96.227.241
KEYCLOAK_DATABASE_PASSWORD=rk2k8NOSlU
BITNAMI_APP_NAME=keycloak
AVIB_KEYCLOAK_PORT_80_TCP_PROTO=tcp
AVIB_KEYCLOAK_POSTGRESQL_PORT=tcp://10.102.174.38:5432
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
NGINX_PORT=tcp://10.108.145.177:80
KEYCLOAK_CACHE_TYPE=ispn
APP_VERSION=26.0.0
KEYCLOAK_LOG_LEVEL=INFO
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
KEYCLOAK_ENABLE_HTTPS=false
OS_NAME=linux
PATH=/opt/bitnami/common/bin:/opt/bitnami/java/bin:/opt/bitnami/keycloak/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KEYCLOAK_DATABASE_USER=bn_keycloak
AVIB_KEYCLOAK_POSTGRESQL_SERVICE_PORT=5432
KEYCLOAK_PRODUCTION=false
KEYCLOAK_DATABASE_NAME=bitnami_keycloak
KEYCLOAK_HTTP_RELATIVE_PATH=/
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP=tcp://10.102.174.38:5432
KEYCLOAK_HTTP_PORT=8080
OS_ARCH=arm64
KEYCLOAK_DATABASE_PORT=5432
_=/usr/bin/env
```
2) My proxy is HAProxy, which redirects the traffic to the minikube ingress with this rule:
```haproxy
global
    daemon
    maxconn 256

defaults
    mode http

# Any 80,443 port request from home router
frontend k8s-frontend
    bind :80
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend k8s-backend

# kubernetes ingress forwarding
backend k8s-backend
    option forwarded proto host by by_port for
    server k8s 192.168.49.2:80
```
3) Also, my ingress rule to redirect traffic to Keycloak is this one:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
spec:
  rules:
    - host: k8s.oferto.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: avib-keycloak
                port:
                  name: http
```
If I open the Admin Console over http it works OK, but over https it does NOT.
The problem is clear: the iframe inside the Keycloak login page is sending requests using the http protocol, as you can see in the capture. This is the origin of the problem: my request is over https, but the iframe inside the login view tries to send requests using the http protocol, so the Content-Security-Policy (frame-src) defined in the master realm where the login view lives is broken.
Some points to be reviewed:
This is the classical error:
Finally it works. The problem was that I must activate forwarded and not xforwarded proxy headers. My final values.yaml passed to the Bitnami chart is:
```yaml
proxyHeaders: "forwarded"
extraEnvVars:
  - name: KC_BOOTSTRAP_ADMIN_USERNAME
    value: "admin"
  - name: KC_BOOTSTRAP_ADMIN_PASSWORD
    value: "password"
```
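Why switching `proxyHeaders` from `xforwarded` to `forwarded` resolves the mixed-content error behind the HAProxy configuration shown above: HAProxy's `option forwarded ...` emits the RFC 7239 `Forwarded` header (with `proto=https` after TLS termination) and does not set `X-Forwarded-Proto`, while Keycloak's `xforwarded` mode consults only the `X-Forwarded-*` family. The pod therefore sees its own plaintext hop from the ingress, decides the request is `http`, and builds the `3p-cookies/step1.html` iframe URL with `http://`, which the browser blocks inside an `https://` page. The Python script below is an added example written for this page, not code from the issue, Keycloak, Quarkus or HAProxy: it re-implements the header selection in simplified form and reproduces the outcome for both settings. The request headers, addresses, `by=` value and all function names are constructed assumptions.

```python
"""Resolve the request scheme/host behind a reverse proxy the way Keycloak's
`proxy-headers` option selects it, and show why `forwarded` fixes the
mixed-content iframe while `xforwarded` does not behind the HAProxy config
from this issue.

Illustrative re-implementation written for this example; it is not
Keycloak's, Quarkus's or HAProxy's own code.
"""
import re

# token=value pairs inside one RFC 7239 Forwarded element; the value is either
# a quoted-string (with backslash escapes) or a bare token ending at ';' or ','.
_PAIR = re.compile(r'([A-Za-z0-9]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s]+)')


def parse_forwarded(value):
    """Parse a Forwarded header into one dict per proxy hop (first = outermost).

    Simplification (assumption): elements are split on ',' before parsing, so
    a comma inside a quoted value is not supported.
    """
    hops = []
    for element in value.split(","):
        hop = {}
        for key, raw in _PAIR.findall(element):
            if raw.startswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unquote and unescape
            hop[key.lower()] = raw
        if hop:
            hops.append(hop)
    return hops


def effective_origin(headers, proxy_headers, hop_scheme="http"):
    """Return (scheme, host) the server uses when it builds absolute URLs.

    proxy_headers mirrors Keycloak's setting: None (ignore all proxy headers),
    "xforwarded" (honour X-Forwarded-Proto/Host) or "forwarded" (honour the
    RFC 7239 Forwarded header). hop_scheme is the scheme of the last network
    hop into the server itself: plain http for the chart's pod in this issue.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = hop_scheme, h.get("host", "")
    if proxy_headers == "xforwarded":
        # Only X-Forwarded-* are consulted; a Forwarded header is ignored.
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip()
        host = h.get("x-forwarded-host", host).split(",")[0].strip()
    elif proxy_headers == "forwarded":
        # Only Forwarded is consulted; X-Forwarded-* are ignored.
        hops = parse_forwarded(h.get("forwarded", ""))
        if hops:
            scheme = hops[0].get("proto", scheme)
            host = hops[0].get("host", host)
    elif proxy_headers is not None:
        raise ValueError(f"unknown proxy-headers value {proxy_headers!r}")
    return scheme, host


def step1_iframe_url(scheme, host, realm, relative_path="/"):
    """Absolute URL of the 3p-cookies check iframe that the login page embeds."""
    base = relative_path.rstrip("/")
    return f"{scheme}://{host}{base}/realms/{realm}/protocol/openid-connect/3p-cookies/step1.html"


def is_mixed_content(page_scheme, frame_scheme):
    """Browsers block an http:// frame embedded in an https:// page."""
    return page_scheme == "https" and frame_scheme == "http"


# Constructed request approximating what reaches the Keycloak pod after HAProxy
# terminates TLS with `option forwarded proto host by by_port for` and the
# plaintext ingress hop. Header order, quoting and addresses are assumptions;
# the key fact is that `option forwarded` emits Forwarded, not X-Forwarded-Proto.
HAPROXY_FORWARDED_REQUEST = {
    "Host": "k8s.oferto.io",
    "Forwarded": 'for=203.0.113.10;host="k8s.oferto.io";proto=https;by="192.0.2.1:443"',
}


def diagnose(headers, proxy_headers, realm="avib", page_scheme="https"):
    """Return (iframe_url, blocked) for a login page loaded over page_scheme."""
    scheme, host = effective_origin(headers, proxy_headers)
    url = step1_iframe_url(scheme, host, realm)
    return url, is_mixed_content(page_scheme, scheme)


if __name__ == "__main__":
    for mode in ("xforwarded", "forwarded"):
        url, blocked = diagnose(HAPROXY_FORWARDED_REQUEST, mode)
        print(f"proxy-headers={mode:<10} iframe={url} blocked={blocked}")
    # Spoofing caveat: with proxy headers enabled, a client that reaches the pod
    # without passing through the trusted proxy can choose its own scheme/host.
    print(effective_origin({"Host": "k8s.oferto.io", "X-Forwarded-Proto": "https"}, "xforwarded"))
```

Two practitioner caveats the script makes visible. First, whichever family you enable must be set or overwritten by a proxy you trust, and the pod must not be reachable around that proxy, because the last print shows that a directly connected client can otherwise pick its own scheme and host for every absolute URL Keycloak generates. Second, an in-cluster ingress sitting between HAProxy and the pod may rewrite `X-Forwarded-*` from its own plaintext hop (ingress-nginx does so unless its `use-forwarded-headers` setting is enabled), while it normally passes a `Forwarded` header through untouched; if you prefer `xforwarded`, verify the headers the pod actually receives rather than the ones HAProxy sends.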
Name and Version
bitnamicharts/keycloak
What architecture are you using?
amd64
What steps will reproduce the bug?
1) Install a fresh Ubuntu 24.04 arm64 LTS version.
2) Install a fresh Docker 27.3.1 version.
3) Install minikube 1.34.0 version.
4) Deploy Keycloak using the latest Keycloak Helm chart with these values:
5) Add the minikube public IP to the minikube.io domain in /etc/hosts.
6) Configure two ingresses, one to access the Admin console and another to access a Keycloak Angular PoC application.
7) Access the Admin Console, which works ok through:
https://minikube.io
Create a realm called avib, a client called portal-ui, and a user called user correctly.
8) Access the Angular Portal PoC through:
https://minikube.io/morphingprojections-portal
It does not work, with this error: Mixed Content: The page at 'https://minikube.io/morphingprojections-portal' was loaded over HTTPS, but requested an insecure frame 'http://minikube.io/realms/avib/protocol/openid-connect/3p-cookies/step1.html'. This request has been blocked; the content must be served over HTTPS.
Notes: the Angular PoC works ok using a kubectl port-forward.
Are you using any custom parameters or values?
No response
What is the expected behavior?
No response
What do you see instead?
Mixed Content: The page at 'https://minikube.io/morphingprojections-portal' was loaded over HTTPS, but requested an insecure frame 'http://minikube.io/realms/avib/protocol/openid-connect/3p-cookies/step1.html'. This request has been blocked; the content must be served over HTTPS.
Additional information
I checked the same use case following the Keycloak Kubernetes default sample in https://www.keycloak.org/getting-started/getting-started-kube and it works ok; of course, in this case they don't use any chart, only one deployment and one service directly. Something in the chart is not configured the same as in the Keycloak sample.