bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/keycloak] Keycloak Helm Chart + Kubernetes Ingress + Angular Keycloak PoC #29885

Open masalinas opened 6 days ago

masalinas commented 6 days ago

Name and Version

bitnamicharts/keycloak

What architecture are you using?

amd64

What steps will reproduce the bug?

1) Install a fresh Ubuntu 24.04 arm64 LTS version.

2) Install a fresh Docker 27.3.1 version.

3) Install minikube 1.34.0 version.

4) Deploy Keycloak using the latest Keycloak Helm chart with these values:

auth:
  adminUser: admin
  adminPassword: password

proxyHeaders: xforwarded

5) Add minikube public IP to minikube.io domain in /etc/hosts

6) Configure two ingresses, one to access the Admin console and the other to access a Keycloak Angular PoC application:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: keycloak-ingress
spec:
  rules:
  - host: minikube.io
    http:
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: gsdpi-keycloak
              port:
                name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: portal-ingress
spec:
  rules:
  - host: minikube.io
    http:
      paths:
      - path: /morphingprojections-portal(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: uniovi-avib-morphingprojections-portal
            port:
              name: http

7) Access to the Admin Console works OK through https://minikube.io. Creating a realm called avib, a client called portal-ui, and a user called user works correctly.

8) Access to the Angular Portal PoC through https://minikube.io/morphingprojections-portal does not work, with this error:

Mixed Content: The page at 'https://minikube.io/morphingprojections-portal' was loaded over HTTPS, but requested an insecure frame 'http://minikube.io/realms/avib/protocol/openid-connect/3p-cookies/step1.html'. This request has been blocked; the content must be served over HTTPS.

Note: the Angular PoC works OK using a kubectl port-forward.

Are you using any custom parameters or values?

No response

What is the expected behavior?

No response

What do you see instead?

Mixed Content: The page at 'https://minikube.io/morphingprojections-portal' was loaded over HTTPS, but requested an insecure frame 'http://minikube.io/realms/avib/protocol/openid-connect/3p-cookies/step1.html'. This request has been blocked; the content must be served over HTTPS.

Additional information

I checked the same use case following the Keycloak Kubernetes default sample at https://www.keycloak.org/getting-started/getting-started-kube and it works OK; of course, in this case they don't use any chart, only one deployment and service. Something in the chart is not configured the same as in the Keycloak sample.

javsalgar commented 5 days ago

Hi!

Did you check this issue? It also mentions mixed content issues: https://github.com/bitnami/charts/issues/6940

Also make sure to check the latest changes in Keycloak 26: https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-0-0

masalinas commented 2 days ago

Some points about my use case to clarify:

1) I deploy Keycloak using the Bitnami Helm Chart in minikube in development mode, without TLS, configuring only these particular values. Also, one important point is that remote access to the cluster goes through my domain using TLS (this last point is very important to understand my use case).

These are the only env variables defined in the chart to deploy Keycloak in my cluster:

auth:
  adminUser: <ADMIN>
  adminPassword: <PASSWORD>

proxyHeaders: "xforwarded"

The list with all env variables generated by the chart is this one. Maybe it can help someone:

KUBERNETES_SERVICE_PORT_HTTPS=443
AVIB_KEYCLOAK_SERVICE_PORT_HTTP=80
KUBERNETES_SERVICE_PORT=443
KEYCLOAK_ADMIN_PASSWORD=password
NGINX_PORT_80_TCP_PROTO=tcp
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP_ADDR=10.102.174.38
HOSTNAME=avib-keycloak-0
JAVA_HOME=/opt/bitnami/java
KEYCLOAK_DATABASE_HOST=avib-keycloak-postgresql
KC_SPI_ADMIN_REALM=master
NGINX_PORT_80_TCP=tcp://10.108.145.177:80
PWD=/
KEYCLOAK_ENABLE_STATISTICS=false
OS_FLAVOUR=debian-12
AVIB_KEYCLOAK_PORT_80_TCP_PORT=80
JAVA_OPTS_APPEND=-Djgroups.dns.query=avib-keycloak-headless.default.svc.cluster.local
KEYCLOAK_CACHE_STACK=kubernetes
HOME=/
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
AVIB_KEYCLOAK_POSTGRESQL_SERVICE_HOST=10.102.174.38
AVIB_KEYCLOAK_PORT_80_TCP=tcp://10.96.227.241:80
KUBERNETES_NAMESPACE=default
KEYCLOAK_PROXY_HEADERS=xforwarded
NGINX_PORT_80_TCP_ADDR=10.108.145.177
AVIB_KEYCLOAK_SERVICE_HOST=10.96.227.241
KEYCLOAK_ADMIN=admin
BITNAMI_DEBUG=false
NGINX_SERVICE_PORT=80
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP_PROTO=tcp
NGINX_PORT_80_TCP_PORT=80
AVIB_KEYCLOAK_PORT=tcp://10.96.227.241:80
KEYCLOAK_LOG_OUTPUT=default
NGINX_SERVICE_HOST=10.108.145.177
AVIB_KEYCLOAK_SERVICE_PORT=80
TERM=xterm
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP_PORT=5432
SHLVL=1
AVIB_KEYCLOAK_POSTGRESQL_SERVICE_PORT_TCP_POSTGRESQL=5432
KUBERNETES_PORT_443_TCP_PROTO=tcp
AVIB_KEYCLOAK_PORT_80_TCP_ADDR=10.96.227.241
KEYCLOAK_DATABASE_PASSWORD=rk2k8NOSlU
BITNAMI_APP_NAME=keycloak
AVIB_KEYCLOAK_PORT_80_TCP_PROTO=tcp
AVIB_KEYCLOAK_POSTGRESQL_PORT=tcp://10.102.174.38:5432
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
NGINX_PORT=tcp://10.108.145.177:80
KEYCLOAK_CACHE_TYPE=ispn
APP_VERSION=26.0.0
KEYCLOAK_LOG_LEVEL=INFO
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
KEYCLOAK_ENABLE_HTTPS=false
OS_NAME=linux
PATH=/opt/bitnami/common/bin:/opt/bitnami/java/bin:/opt/bitnami/keycloak/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KEYCLOAK_DATABASE_USER=bn_keycloak
AVIB_KEYCLOAK_POSTGRESQL_SERVICE_PORT=5432
KEYCLOAK_PRODUCTION=false
KEYCLOAK_DATABASE_NAME=bitnami_keycloak
KEYCLOAK_HTTP_RELATIVE_PATH=/
AVIB_KEYCLOAK_POSTGRESQL_PORT_5432_TCP=tcp://10.102.174.38:5432
KEYCLOAK_HTTP_PORT=8080
OS_ARCH=arm64
KEYCLOAK_DATABASE_PORT=5432
_=/usr/bin/env

2) My proxy is HAProxy, which redirects the traffic to the minikube ingress with this rule:

global
    daemon
    maxconn 256

defaults
    mode http

# Any 80,443 port request from home router
frontend k8s-frontend
    bind :80
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
    http-request redirect scheme https code 301 unless { ssl_fc }

    default_backend k8s-backend

# kubernetes ingress forwarding
backend k8s-backend
    option forwarded proto host by by_port for

    server k8s 192.168.49.2:80

3) Also, my ingress rule to redirect traffic to Keycloak is this one:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
spec:
  rules:
    - host: k8s.oferto.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: avib-keycloak
                port:
                  name: http

If I open the Admin Console over http it works OK, but over https it does NOT.

The problem is clear: the iframe inside the Keycloak login page is sending requests using the http protocol, as you can see in the capture. This is the origin of the problem: my request is under https but the iframe inside the login view tries to send requests using the http protocol, so the Content-Security-Policy (frame-src) defined in the master realm where the login view lives is broken.

Some points to be reviewed:

This is the classic error:

[Screenshot: Captura desde 2024-10-19 20-46-33]

masalinas commented 23 hours ago

Finally it works. The problem was that I must activate forwarded and not xforwarded proxy headers. Finally, my values.yaml passed to the Bitnami chart is:

proxyHeaders: "forwarded"

extraEnvVars:
  - name: KC_BOOTSTRAP_ADMIN_USERNAME
    value: "admin"
  - name: KC_BOOTSTRAP_ADMIN_PASSWORD
    value: "password"
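The header mismatch this thread converges on, as an added Python model that is not code from the issue, the chart or Keycloak: it assumes the pod sees both the RFC 7239 Forwarded header that HAProxy's `option forwarded proto host by by_port for` emits and an X-Forwarded-Proto that ingress-nginx sets from its own plain-http hop, and shows which scheme each proxyHeaders mode yields and whether the resulting 3p-cookies iframe URL would trip the browser's mixed-content block.

```python
# Added example modelling this thread's header mismatch; not code from the
# issue, the chart or Keycloak. Assumption: the pod sees an RFC 7239 Forwarded
# header (what HAProxy's "option forwarded proto host by by_port for" emits)
# plus an X-Forwarded-Proto that ingress-nginx sets from its own plain-http hop.
# All header values below are constructed sample data.
POD_REQUEST_HEADERS = {
    "Host": "k8s.oferto.io",
    "Forwarded": 'proto=https;host="k8s.oferto.io";by="192.168.49.1:443";for="203.0.113.7"',
    "X-Forwarded-Proto": "http",  # ingress-nginx was reached over plain http
}

IFRAME_PATH = "/realms/avib/protocol/openid-connect/3p-cookies/step1.html"


def parse_forwarded(value):
    """Parse the first (closest-to-client) element of a Forwarded header."""
    params = {}
    for pair in value.split(",", 1)[0].split(";"):
        if "=" in pair:
            key, val = pair.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return params


def effective_scheme(headers, proxy_headers_mode, listen_scheme="http"):
    """Scheme a proxy-aware server takes the request to have, given which
    header family it is configured to trust (simplified model of the
    proxyHeaders=forwarded|xforwarded setting; proto part only)."""
    if proxy_headers_mode == "forwarded" and "Forwarded" in headers:
        return parse_forwarded(headers["Forwarded"]).get("proto", listen_scheme)
    if proxy_headers_mode == "xforwarded" and "X-Forwarded-Proto" in headers:
        return headers["X-Forwarded-Proto"].split(",", 1)[0].strip()
    return listen_scheme  # no trusted header: the scheme the pod listens on


def iframe_url(headers, proxy_headers_mode):
    """URL the server would build for the 3p-cookies check iframe."""
    scheme = effective_scheme(headers, proxy_headers_mode)
    return f"{scheme}://{headers['Host']}{IFRAME_PATH}"


def is_mixed_content(page_url, frame_url):
    """True when an https page would embed an http frame, which browsers block."""
    return page_url.startswith("https://") and frame_url.startswith("http://")


if __name__ == "__main__":
    page = "https://k8s.oferto.io/admin/master/console/"
    for mode in ("xforwarded", "forwarded"):
        frame = iframe_url(POD_REQUEST_HEADERS, mode)
        print(mode, frame, "mixed content" if is_mixed_content(page, frame) else "ok")
```

With `xforwarded` the server trusts the ingress's X-Forwarded-Proto: http and emits an http iframe URL; with `forwarded` it reads proto=https from HAProxy's Forwarded header and the iframe is served over https.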