codecentric / helm-charts

A curated set of Helm charts brought to you by codecentric
Apache License 2.0

cannot enter admin console after new installation of keycloak chart v9.0.1 #271

Closed YoshieraHuang closed 4 years ago

YoshieraHuang commented 4 years ago

I upgraded the chart to v9.0.1. I used Chrome to enter the Keycloak pages. However, I cannot enter the admin console. Here is the error in the browser console:

Mixed Content: The page at 'https://auth.pims.private/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://auth.pims.private/auth/js/keycloak.js?version=bouyi'. This request has been blocked; the content must be served over HTTPS.


It seems that the secure page is forbidden to access insecure content in Chrome. Is this a bug of this chart or of the Keycloak application?

Here are my custom values for the chart:

```yaml
extraEnv: |
  - name: KEYCLOAK_USER
    value: pims_private
  - name: KEYCLOAK_PASSWORD
    value: XXXXXX
serviceAccount:
  create: true
ingress:
  enabled: true
  annotations:
    # cert-manager to sign certificate
    cert-manager.io/cluster-issuer: ca-cluster-issuer
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*.pims.private"
  rules:
  - host: auth.pims.private
    paths: [/]
  tls:
  - hosts:
    - auth.pims.private
    secretName: keycloak-cert

postgresql:
  postgresqlPassword: XXXXXXX
  persistence:
    storageClass: managed-nfs-storage
    enabled: true
```

ifalex commented 4 years ago

Encountering same issue.

gallagth commented 4 years ago

Same issue here

CalamarBicefalo commented 4 years ago

Looks like they removed the proxy forwarding option: https://github.com/codecentric/helm-charts/commit/8b8044aa4458ca4a71d5420a503bedb2444ed605#diff-f287956fb12d7d7c321c313e858d887aL102

Maybe we gotta set the env var instead? Just like they say we have to do with username/pass.

CalamarBicefalo commented 4 years ago

Try adding this @ifalex @gallagth @YoshieraHuang

```yaml
extraEnv: |
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
```

Make sure your proxy, or whatever is doing SSL termination, is forwarding headers.

UPDATE: I messed up my Keycloak instances... I actually cannot get PROXY_ADDRESS_FORWARD set in the docker container, which basically is what's making my KC instance cause the exception reported above.

UPDATE: Quoting the boolean seemed to set the env var.

jonkerj commented 4 years ago

I ran into this exact same issue. Running chart v9.0.1 on k8s using nginx-ingress chart v1.41.2. I have found a workaround that confirms PROXY_ADDRESS_FORWARDING=true will fix the issue:

```text
$ kubectl edit statefulset -n keycloak keycloak
# add the following to .spec.template.spec.containers.0.env:
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
```

And you are able to administer Keycloak. When done through Helm (.Values.extraEnv), you will run into a bug in [values.schema.json](/blob/master/charts/keycloak/values.schema.json), which states that extraEnv should be a string, not an array.

I have created a PR that fixes the latter, which formally could be considered a fix for the original issue. Personally, I would prefer some default settings that mimic the pre-9.x.x behaviour, in which this proxy address forwarding does not need manual setting.

YoshieraHuang commented 4 years ago

Hi guys, I did solve the problem according to @jonkerj's solution. The solution of @CalamarBicefalo cannot work: an error will be emitted whenever you upgrade or install. It seems env values like true or false must be quoted in Keycloak. After all, thank you very much!

CalamarBicefalo commented 4 years ago

To your point, @YoshieraHuang @jonkerj: quoting the bool works in the env vars, so you do not have to mingle with the StatefulSet. I updated the request; now it definitely works for me.

jonkerj commented 4 years ago

Sure, that will probably work, but adding the environment as a multiline "yaml-like" string instead of proper YAML feels very unusual to me. In this way, you cannot leverage the validation capabilities of Helm. I'd recommend my changes to the values spec instead :-)

CalamarBicefalo commented 4 years ago

I fully agree with you @jonkerj, just saying that for a more "long term" approach, rather than editing the StatefulSet, a viable workaround is configuring the var in the Helm values that way.

sct10876 commented 4 years ago

Thanks all, that fixed my issue as well. Also, the boolean value has to be quoted.

palsch commented 4 years ago

Hello all, I have the same issue and was able to fix it with your solution, thank you very much.

Here is what I found while searching for the solution. (oh man, I lost a whole day with this issue)

The returned HTML from "https://keycloak.minikube/auth/admin/master/console/" contains some relative but also absolute paths with HTTP without SSL. This leads to the mentioned error, where the page tries to load insecure content from a secure context:

```html
<script type="text/javascript">
    var authServerUrl = 'http://keycloak.minikube/auth';
    var authUrl = 'http://keycloak.minikube/auth';
    var consoleBaseUrl = '/auth/admin/master/console/';
    var resourceUrl = '/auth/resources/evdwy/admin/keycloak';
    var masterRealm = 'master';
    var resourceVersion = 'evdwy';
</script>
...
<script src="http://keycloak.minikube/auth/js/keycloak.js?version=evdwy" type="text/javascript"></script>
```

See authServerUrl, authUrl and the keycloak.js.

It is not clear to me why Keycloak puts absolute paths here, but it works now.

Thanks and best regards, Paul
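As an added check that is not part of this thread: a small Python script that reproduces Paul's diagnosis by scanning the console HTML for absolute http:// references (script src/href attributes and the authServerUrl-style JS variables) when the page itself is served over https. SAMPLE_HTML is constructed from the fragment quoted above; nothing here is Keycloak's or the chart's own code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the console HTML fragment quoted above.
SAMPLE_HTML = """
<script type="text/javascript">
    var authServerUrl = 'http://keycloak.minikube/auth';
    var authUrl = 'http://keycloak.minikube/auth';
    var consoleBaseUrl = '/auth/admin/master/console/';
    var resourceUrl = '/auth/resources/evdwy/admin/keycloak';
</script>
<script src="http://keycloak.minikube/auth/js/keycloak.js?version=evdwy" type="text/javascript"></script>
"""

_JS_URL_VAR = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")


class _RefCollector(HTMLParser):
    """Collect src/href attribute values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.refs, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append((f"<{tag} {name}>", value))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_mixed_content(html, page_url):
    """Return [(where, url)] for absolute http:// references in a page
    served over https. Relative paths are fine: they inherit the scheme."""
    if urlparse(page_url).scheme != "https":
        return []
    p = _RefCollector()
    p.feed(html)
    for body in p.scripts:
        p.refs.extend((f"var {v}", u) for v, u in _JS_URL_VAR.findall(body))
    return [(w, u) for w, u in p.refs if urlparse(u).scheme == "http"]
```

Run it against the HTML you fetch from the console URL (e.g. with curl through the proxy) and an empty result means the proxy headers reached Keycloak and it built https:// URLs; any hit is exactly what the browser will block.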

unguiculus commented 4 years ago

I'd like you all to read the section on upgrading. The chart no longer does anything special. Please refer to the documentation of the Keycloak docker image for configuration options. https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#from-chart-versions--900

unguiculus commented 4 years ago

Closing as solved.

Xendar commented 3 years ago

> I'd like you all to read the section on upgrading. The chart no longer does anything special. Please refer to the documentation of the Keycloak docker image for configuration options. https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#from-chart-versions--900

Indeed, but for someone who didn't know that something special was done in previous versions, this is quite a complicated problem to analyze and to find a fix for. And it may not be obvious that this is linked to a reverse proxy setup as explained here: https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#running-keycloak-behind-a-reverse-proxy I would say that some info in the upgrade section would be relevant?

mootezbessifi commented 3 years ago

Hi all, I installed Keycloak using the k8s CRD/operator; once done, I faced the issue related to Mixed Content: The page at 'https://MyDomain.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://MyDomain.com/auth/js/keycloak.js?version=bouyi'. This request has been blocked; the content must be served over HTTPS. I figured out that PROXY_ADDRESS_FORWARDING is already defined as True in the sts Env section.

For my setup I have an external nginx reverse proxy, behind it I have another nginx ingress controller, and behind it I have the famous Keycloak.

In fact I am configuring domains and TLS/SSL on the external nginx; after that the traffic is forwarded to the internal nginx ingress controller and at the end forwarded to the Keycloak pods.

Could anyone help here to resolve the issue?

MohamedZ3kri commented 3 years ago

I'm using the Keycloak image bitnami/keycloak:13.0.1-debian-10-r3; the env variable to set is:

```yaml
  - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
    value: "true"
```

jungrae-prestolabs commented 3 years ago

If setting PROXY_ADDRESS_FORWARDING=true still does not work, just try KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth.

In my case, (on premise) MetalLB + nginx controller (helm) + Keycloak with TLS secret (helm) was working with PROXY_ADDRESS_FORWARDING. But (EKS) AWS NLB + custom nginx controller + Keycloak (helm) needed KEYCLOAK_FRONTEND_URL to be set.

FYI, the Keycloak version is 15.0.2. You could make it work by changing the nginx config, too.

sturfee-petrl commented 3 years ago

AWS EKS setup requires

KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth

@tyg03485 Thank you! I spent 3 days on resolving it.

optionsgithubuser commented 3 years ago

Thank you very much @tyg03485, it works on Azure App Services when adding it to Configuration --> Application Settings:

KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth

kty1965 commented 2 years ago

If you are using the bitnami container image, it cannot evaluate KEYCLOAK_FRONTEND_URL, so:

```text
... KEYCLOAK_EXTRA_ARGS="-Dkeycloak.frontendUrl=https://${{ url }}"
```

sasax commented 2 years ago

For an on-premise installation with an apache2 reverse proxy, this helped me a lot: ExecStart=/bin/keycloak.x-15.0.2/bin/kc.sh --http-port=8008 --hostname-admin-url=https://sso.server.ch --hostname-frontend-url=https://sso.server.ch --proxy=edge

rafaelbatistamarcilio commented 2 years ago

Thanks @sasax "--proxy=edge" works!!!

In my case I was trying to deploy on Heroku with a Docker image.

In the docs there is a mention of that problem: https://github.com/keycloak/keycloak-community/blob/main/design/keycloak.x/configuration.md

ferdy-design commented 2 years ago

Had the same issue running the Bitnami Keycloak Helm chart on AKS with Application Gateway (AGIC) in front; adding this in extraEnvVars (values.yaml) resolved the issue:

solomon-cc commented 2 years ago

If you use Aliyun SLB as load balancer, you need to check whether the LB is L4 or L7; if it is L7, you need

ozbillwang commented 1 year ago

Thanks, @jungrae-prestolabs , it works finally with your solution.

I set a load balancer in front of the Keycloak container via docker-compose (yes, not k8s yet):

```yaml
version: "3.9"
services:
  postgres:
      ....
  keycloak:
    container_name: keycloak
    image: "jboss/keycloak:15.0.2"
    restart: always
    depends_on:
      - "postgres"
    environment:
      DB_VENDOR: postgres
      DB_ADDR: postgres
      DB_PORT: 5432
      DB_DATABASE: keycloak
      DB_USER: postgres
      DB_PASSWORD: <MASKED>
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: <MASKED>
      PROXY_ADDRESS_FORWARDING: "true"
      KEYCLOAK_FRONTEND_URL: https://{DOMAIN_NAME}/auth
    ports:
      - 8080:8080
      - 8443:8443
      - 8787:8787 # debug port
```

cclloyd commented 7 months ago

To add to what kty1965 said, I also had to set --proxy=edge as an additional arg in my config to get it to work with bitnami/keycloak:23.0.7:

```yaml
          env:
            - name: KEYCLOAK_EXTRA_ARGS
              value: '-Dkeycloak.frontendUrl=https://auth.example.com --proxy edge'
```