Closed YoshieraHuang closed 4 years ago
Encountering same issue.
Same issue here
Looks like they removed the proxy forwarding option: https://github.com/codecentric/helm-charts/commit/8b8044aa4458ca4a71d5420a503bedb2444ed605#diff-f287956fb12d7d7c321c313e858d887aL102
Maybe we gotta set the env var instead? Just like they say we have to do with username/pass.
Try adding this @ifalex @gallagth @YoshieraHuang
```yaml
extraEnv: |
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
```
make sure your proxy or whatever is doing SSL termination is forwarding headers.
UPDATE I messed up keycloak instances... I actually cannot get to set PROXY_ADDRESS_FORWARD into the docker container which basically is what's making my KC instance to cause the exception reported above.
UPDATE Quoting the boolean seemed to set the env var.
I ran into this exact same issue. Running chart v9.0.1 on k8s using nginx-ingress chart v1.41.2. I have found a workaround that confirms `PROXY_ADDRESS_FORWARDING=true` will fix the issue:

```
$ kubectl edit statefulset -n keycloak keycloak
# add the following to .spec.template.spec.containers.0.env:
- name: PROXY_ADDRESS_FORWARDING
  value: "true"
```

And you are able to admin keycloak. When done through helm (`.Values.extraEnv`), you will run into a bug in [values.schema.json](/blob/master/charts/keycloak/values.schema.json), which states that `extraEnv` should be a string, not an array.
I have created a PR that fixes the latter, which formally could be considered a fix for the original issue. Personally, I would prefer some default settings that mimic the pre-9.x.x behaviour, in which this proxy address forwarding does not need manual setting.
Hi guys, I solved the problem according to the solution of @jonkerj. The solution of @CalamarBicefalo cannot work. An error will be emitted whenever you upgrade or install. It seems env values like `true` or `false` must be quoted in keycloak. After all, thank you very much!
To your point @YoshieraHuang @jonkerj quoting the bool works in the envars so you do not have to mingle with the stateful set. I updated the request, now it definitely works for me.
Sure, that will probably work, but adding the environment as a multiline "yaml-like" string instead of proper YAML feels very unusual to me. In this way, you cannot leverage the validation capabilities of Helm. I'd recommend my changes to the values spec instead :-)
I fully agree with you @jonkerj just saying that for a more "long term" approach, rather than editing the statefulset a viable workaround is configuring the var in the helm values that way.
Thanks all, that fixed my issue as well. also the boolean value has to be quoted.
Hello all, I have the same issue and was able to fix that with your solution, thank you much.
Here is what I found while searching for the solution. (oh man, I lost a whole day with this issue)
The returned HTML from "https://keycloak.minikube/auth/admin/master/console/" contains some relative but also absolute paths with HTTP without SSL. This leads to the mentioned error, where the page tries to load insecure content from a secured context:

```html
<script type="text/javascript">
    var authServerUrl = 'http://keycloak.minikube/auth';
    var authUrl = 'http://keycloak.minikube/auth';
    var consoleBaseUrl = '/auth/admin/master/console/';
    var resourceUrl = '/auth/resources/evdwy/admin/keycloak';
    var masterRealm = 'master';
    var resourceVersion = 'evdwy';
</script>
...
<script src="http://keycloak.minikube/auth/js/keycloak.js?version=evdwy" type="text/javascript"></script>
```

See `authServerUrl`, `authUrl` and the `keycloak.js`.
It is not clear for me, why keycloak puts absolute paths here, but it works now.
Thanks and best regards, Paul
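An added example, not part of the original comment or of the chart's code: a small Python check that lists the absolute `http://` references in a page served over HTTPS, which is how the missing proxy forwarding shows up in the returned HTML. The sample HTML is constructed from the snippet quoted above; the class and function names are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the admin console HTML quoted in the comment above.
SAMPLE_HTML = """<script type="text/javascript">
    var authServerUrl = 'http://keycloak.minikube/auth';
    var authUrl = 'http://keycloak.minikube/auth';
    var consoleBaseUrl = '/auth/admin/master/console/';
</script>
<script src="http://keycloak.minikube/auth/js/keycloak.js?version=evdwy" type="text/javascript"></script>
"""

# Absolute http:// URLs assigned to JavaScript variables inside inline scripts.
JS_URL_VAR = re.compile(r"""var\s+(\w+)\s*=\s*['"](http://[^'"]+)['"]""")
# Tag/attribute pairs that make the browser fetch a sub-resource.
LOADING_ATTRS = {("script", "src"), ("link", "href"), ("img", "src"), ("iframe", "src")}


class InsecureRefScanner(HTMLParser):
    """Collects (location, url) pairs for every absolute http:// reference."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            if (tag, name) in LOADING_ATTRS and value and urlparse(value).scheme == "http":
                self.findings.append((f"{tag}[{name}]", value))

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for var, url in JS_URL_VAR.findall(data):
                self.findings.append((f"var {var}", url))


def find_insecure_refs(page_url, html):
    """Return the http:// references found in a page that was loaded over HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only arises on pages loaded over HTTPS
    scanner = InsecureRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

An empty result for the admin console page after setting the proxy options discussed in this thread indicates Keycloak is now generating `https://` URLs.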
I'd like you to all read the section on upgrading. The chart no longer does anything special. Please refer to the documentation of the Keycloak docker image for configuration options. https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#from-chart-versions--900
Closing as solved.
> I'd like you to all read the section on upgrading. The chart no longer does anything special. Please refer to the documentation of the Keycloak docker image for configuration options. https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#from-chart-versions--900
Indeed, but for someone who didn't know that something special was done in previous versions this is quite a complicated problem to analyze, and to find a fix for. And it may not be obvious that this is linked to a reverse proxy setup as explained here: https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#running-keycloak-behind-a-reverse-proxy I would say that some info in the upgrade section would be relevant?
Hi All
I used to install keycloak using the k8s crd/operator. Once done, I faced the issue related to
Mixed Content: The page at 'https://MyDomain.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://MyDomain.com/auth/js/keycloak.js?version=bouyi'. This request has been blocked; the content must be served over HTTPS.
I figured out that the `PROXY_ADDRESS_FORWARDING` is already defined to `True` in the sts `Env` section.
For my setup i have an external nginx reverse proxy, behind it i have another nginx ingress controller, and behind it i have the famous keycloak.
In fact am configuring domains, TLS/SSL on the external nginx, after that the traffic is forwarded to the internal nginx ingress controller and at the end forwarded to the keycloak pods.
Could anyone help here to resolve the issue!
I'm using keycloak image bitnami/keycloak:13.0.1-debian-10-r3
the env variable to set is:

```yaml
- name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
  value: "true"
```
If setting `PROXY_ADDRESS_FORWARDING=true` still does not work, just try `KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth`.
In my case, (On premise) Metal LB + nginx controller (helm) + keycloak with TLS secret (helm) was working with `PROXY_ADDRESS_FORWARDING`. But (EKS) AWS NLB + custom nginx controller + keycloak (helm) needs `KEYCLOAK_FRONTEND_URL` to be set.
fyi. keycloak version is 15.0.2
+You could make it work as changing nginx config, too.
AWS EKS set up require `KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth`
@tyg03485 Thank you! I spent 3 days on resolving it
Thank you very much @tyg03485 works on Azure App Services adding it to the Configuration --> Application Settings
KEYCLOAK_FRONTEND_URL=https://{{ URL }}/auth
If you are using the bitnami container image, it cannot evaluate `KEYCLOAK_FRONTEND_URL`, so

```
... KEYCLOAK_EXTRA_ARGS="-Dkeycloak.frontendUrl=https://${{ url }}"
```

For an on-premise installation with an apache2 reverse proxy, this helped me a lot:

```
ExecStart=/bin/keycloak.x-15.0.2/bin/kc.sh --http-port=8008 --hostname-admin-url=https://sso.server.ch --hostname-frontend-url=https://sso.server.ch --proxy=edge
```
Thanks @sasax "--proxy=edge" works!!!
In my case I was trying to deploy on Heroku with a Docker image.
In the docs exists a mention to that problem: https://github.com/keycloak/keycloak-community/blob/main/design/keycloak.x/configuration.md
Had the same issue running Bitnami Keycloak helm chart on AKS and Application Gateway (AGIC) in front - adding this in extraEnvVars (values.yaml) resolved the issue:
If you use Aliyun SLB as load balancer, you need to check whether the LB is L4 or L7; if it is L7, you need
Thanks, @jungrae-prestolabs , it works finally with your solution.
I set load balancer in front of the keycloak container via docker-compose (yes, not k8s yet)

```yaml
version: "3.9"
services:
  postgres:
    # ....
  keycloak:
    container_name: keycloak
    image: "jboss/keycloak:15.0.2"
    restart: always
    depends_on:
      - "postgres"
    environment:
      DB_VENDOR: postgres
      DB_ADDR: postgres
      DB_PORT: 5432
      DB_DATABASE: keycloak
      DB_USER: postgres
      DB_PASSWORD: <MASKED>
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: <MASKED>
      PROXY_ADDRESS_FORWARDING: "true"
      KEYCLOAK_FRONTEND_URL: https://{DOMAIN_NAME}/auth
    ports:
      - 8080:8080
      - 8443:8443
      - 8787:8787 # debug port
```
To add to what kty1965 said, I also had to set `--proxy=edge` as an additional arg in my config to get it to work with bitnami/keycloak:23.0.7

```yaml
env:
  - name: KEYCLOAK_EXTRA_ARGS
    value: '-Dkeycloak.frontendUrl=https://auth.example.com --proxy edge'
```
I upgraded the chart to v9.0.1. I used chrome to enter the keycloak pages. However i cannot enter the admin console. Here is the error at browser console:
It seems that the secure page is forbidden to access insecure contents in chrome. Is this a bug of this charts or the keycloak application?
Here is my custom values for chart: