che: Unable to configure Keycloak when using https

Description

If Che is configured for https using the nightly image, Keycloak can't be reached by running /scripts/keycloak_config.sh in the keycloak pod, because there is no https configuration in keycloak_config.sh.

I can access https://keycloak-domain/auth in Chrome.

Reproduction Steps

Configure Keycloak by running this job:

apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-configure-job
spec:
  # backoffLimit: 4
  template:
    spec:
      initContainers:
      # Poll the Kubernetes API (using the pod's service-account token and CA)
      # until the "keycloak" Endpoints object lists at least one address.
      - name: wait-for-keycloak
        image: <my>/alphine:3.5
        command: ["sh", "-c", "adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for keycloak to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H \"Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" https://kubernetes.default.svc/api/v1/namespaces/$POD_NAMESPACE/endpoints/keycloak`; adresses_length=`echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\"`; done;"]
        env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
      containers:
      # Runs the Che-provided Keycloak configuration script once Keycloak is up.
      - name: keycloak-configure-job
        image: eclipse/che-keycloak:nightly
        command: ["/scripts/keycloak_config.sh"]
        env:
          # Intended to make the script talk to Keycloak over https
          - name: HTTP_PROTOCOL
            value: "https"
          - name: KC_HOST
            value: <domain>
          - name: CHE_KEYCLOAK_ADMIN_REQUIRE_UPDATE_PASSWORD
            value: "true"
          - name: CHE_HOST
            value: <domain>
      # Service account needs read access to Endpoints in this namespace
      serviceAccountName: che-keycloak
      restartPolicy: Never

OS and version:

All Che images: nightly

Diagnostics:

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 20 (5 by maintainers)

Most upvoted comments

@mjshashank

In the env section for the keycloak deployment add this:

{{- if .Values.global.tls.enabled }}
- name: PROXY_ADDRESS_FORWARDING
  value: "true"
{{- end }}

@eivantsov

Setting PROXY_ADDRESS_FORWARDING to true in the keycloak deployment fixed this issue for me in my GKE install.

@mjshashank

In the env section for the keycloak deployment add this:

{{- if .Values.global.tls.enabled }}
- name: PROXY_ADDRESS_FORWARDING
  value: "true"
{{- end }}

This is the fix for overcoming the issue !!! (especially in a docker/kubernetes environment when you are using TLS in your ingress/route)

Thanks a lot @dbengtson !!!

@eivantsov, the Keycloak ingress is configured correctly – it accepts https requests and forwards them to the Keycloak server. The issue is the generation of Keycloak Admin Console client resources. All links are generated using full path, including protocol and hostname.

The browser throws a mixed content error:

Mixed Content: The page at 'https://my-server.com/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure favicon 'http://my-server.com/auth/resources/3.3.0.cr2/admin/keycloak/img/favicon.ico'. This request has been blocked; the content must be served over HTTPS.
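The mixed-content error quoted above is the observable symptom of Keycloak generating absolute http:// links behind a TLS-terminating ingress (the case PROXY_ADDRESS_FORWARDING addresses). The following is an added check, not code from Che or Keycloak: it parses an admin-console page served over https and reports any resource links that would be blocked as mixed content. The HTML sample is constructed to mimic the favicon link from the error message.

```python
"""Detect mixed-content resource links in a page served over https.

Keycloak builds resource URLs (favicon, CSS, JS) from the scheme it believes
the request used; if it sees plain http from the ingress, those absolute
links will be http:// and the browser blocks them on an https page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ResourceLinkParser(HTMLParser):
    # Tags/attributes that load subresources (the ones mixed-content blocking applies to).
    ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def find_mixed_content(page_url, html):
    """Return absolute http:// subresource URLs referenced from an https:// page.

    Relative links resolve against the page URL and therefore stay https,
    so only links that Keycloak emitted with an explicit http scheme are reported.
    """
    if urlparse(page_url).scheme != "https":
        raise ValueError("page_url must use https; mixed content only applies to secure pages")
    parser = _ResourceLinkParser()
    parser.feed(html)
    return [u for u in (urljoin(page_url, link) for link in parser.links)
            if urlparse(u).scheme == "http"]


# Constructed sample resembling the admin console markup from the reported error.
CONSOLE_URL = "https://my-server.com/auth/admin/master/console/"
BROKEN_CONSOLE_HTML = """<html><head>
<link rel="icon" href="http://my-server.com/auth/resources/3.3.0.cr2/admin/keycloak/img/favicon.ico">
<link rel="stylesheet" href="/auth/resources/3.3.0.cr2/admin/keycloak/css/styles.css">
<script src="http://my-server.com/auth/js/keycloak.js"></script>
</head><body></body></html>"""
FIXED_CONSOLE_HTML = BROKEN_CONSOLE_HTML.replace("http://my-server.com", "https://my-server.com")

if __name__ == "__main__":
    for url in find_mixed_content(CONSOLE_URL, BROKEN_CONSOLE_HTML):
        print("mixed content:", url)
```

Running it against the real console requires fetching the page over https first; the parser itself does no network access.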