Describe the bug
I have a problem deploying the KeycloakX 16.1.0 image to Kubernetes (Ingress NGINX - Service - KX Pods).
The problem is infinite redirections (with correct login & password) on the realm after pressing the login button. In version 14 we solved this by adding the flag --http.proxy-address-forwarding=true when running Keycloak in the pod.
Failed redirect URL: https://somesubdomaun.subdomain.domain.com/realms/master/login-actions/authenticate?client_id=security-admin-console&tab_id=cuGgub9ab0M
location: https://somesubdomaun.subdomain.domain.com/realms/master/login-actions/authenticate?client_id=security-admin-console&tab_id=6DlxKaSEP-Q
Now in version 16 a lot of changes came to the distribution configuration and we saw the error: Unknown option: '--http.proxy-address-forwarding=true'
I have tried the start --auto-build --hostname-strict=false --hostname-strict-https=false --http-enabled=true --proxy=edge --db=postgres options, but they don't solve the problem.
I also tried setting up the ingress with these options:
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
That does not help either. URL to Keycloak: https://somesubdomaun.subdomain.domain.com
But if I just do port forwarding from the pod to localhost with the --hostname=localhost parameter set, then everything works without issue.
So what is the analog of the parameter --http.proxy-address-forwarding=true for the KeycloakX 16.1.0 image? How do I make it work correctly behind an ingress controller in k8s?
Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: namespace-depl
spec:
  replicas: 2
  selector:
    matchLabels:
      service: keycloak
  template:
    metadata:
      labels:
        layer: security
        service: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak-x:16.1.0
          args:
            - 'start'
            - '--auto-build'
            - '--hostname-strict=false'
            - '--hostname-strict-https=false'
            - '--hostname-strict-backchannel=false'
            - '--http-enabled=true'
            - '--proxy=edge'
            - '--cache=local'
            - '--db-pool-max-size=5'
            #- '--cluster-stack=kubernetes' ##not working flag in 16 ver
            #- '--Djgroups.dns.query=keycloak-jgroups-ping.namespace.svc.cluster.local' ##not working flag in 16ver
            - '--db=postgres'
            - '--db-url=jdbc:postgresql://db-postgres/keycloak'
            - '--db-username=user'
            - '--db-password=password'
            - '--metrics-enabled=true'
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 4444
              protocol: TCP
            - containerPort: 8888
              protocol: TCP
          env:
            - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING #not working in 16 ver?
              value: "true"
            - name: KEYCLOAK_ADMIN
              value: admin
            - name: KEYCLOAK_ADMIN_PASSWORD
              value: admin
            - name: PROXY_ADDRESS_FORWARDING #not working in 16 ver?
              value: 'true'
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      schedulerName: default-scheduler
  strategy:
    type: Recreate
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: namespace-depl
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS
    nginx.ingress.kubernetes.io/cors-allow-origin: '*'
    nginx.ingress.kubernetes.io/enable-cors: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: 1000m
    # nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email"
spec:
  rules:
    - host: somesubdomaun.subdomain.domain.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: namespace-depl
spec:
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    service: keycloak
  type: ClusterIP
Version
KeycloakX 16.1.0
Expected behavior
Redirect successful
Actual behavior
Too many redirects
How to Reproduce?
Deploy on some domain with a subdomain address in the ingress (not localhost, k8s + ingress), go to the login page of the Admin console, enter (admin,admin); the redirect never stops until the browser stops it.
Anything else?
No response
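
An added example, not part of the original report: a small Python helper that compares a requested URL with the `Location` it is redirected to and lists which parts changed. A scheme or host rewrite is the usual sign of forwarded-header handling behind a TLS-terminating proxy, which this separates from a hop where only one query parameter differs. The function names, labels and the second hop are constructed for illustration; the first hop is the pair quoted in the report.

```python
from urllib.parse import parse_qsl, urlsplit

# Hop quoted in the report: (requested URL, Location it was redirected to).
REPORTED_HOP = (
    "https://somesubdomaun.subdomain.domain.com/realms/master/login-actions/"
    "authenticate?client_id=security-admin-console&tab_id=cuGgub9ab0M",
    "https://somesubdomaun.subdomain.domain.com/realms/master/login-actions/"
    "authenticate?client_id=security-admin-console&tab_id=6DlxKaSEP-Q",
)
# Constructed hop (not from the report): the backend answers with an http://
# URL although the client reached the proxy over https://.
CONSTRUCTED_SCHEME_HOP = (
    "https://sso.example.test/realms/master/account?client_id=app",
    "http://sso.example.test/realms/master/account?client_id=app",
)


def diff_hop(requested, location):
    """Return the set of URL components that differ across one redirect."""
    a, b = urlsplit(requested), urlsplit(location)
    changed = set()
    if a.scheme != b.scheme:
        changed.add("scheme")
    if a.netloc.lower() != b.netloc.lower():
        changed.add("host")
    if a.path != b.path:
        changed.add("path")
    qa = dict(parse_qsl(a.query, keep_blank_values=True))
    qb = dict(parse_qsl(b.query, keep_blank_values=True))
    for key in set(qa) | set(qb):
        if qa.get(key) != qb.get(key):
            changed.add("query:" + key)
    return changed


def classify_hop(requested, location):
    """Label a redirect hop; the labels are this example's own."""
    changed = diff_hop(requested, location)
    if not changed:
        return "self-redirect"
    if changed & {"scheme", "host"}:
        return "proxy-url-mismatch"  # scheme/host seen by backend differs
    if changed == {"query:tab_id"}:
        return "tab_id-only"  # same endpoint, only tab_id is new
    return "other-redirect"
```

Feeding it each hop from a `curl -v` trace or a browser HAR export shows whether the loop changes scheme or host, or keeps returning to the same endpoint.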