3

I have installed keycloak using helm. A Traefik ingress is created to allow access from public

After the admin password is created from localhost:8080, i am able to login into admin console only when i am port forwarded and local access.

When i use the public url and click on admin console, it redirects to https://website/auth/admin/master/console/ and shows a blank page.

I found the problem but when i change the servicePort: https inside ingress, i get an internal server error status code 500.

when i use http port,i get these errors: Mixed Content: The page at 'https://url/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://url/auth/js/keycloak.js?version=mxda6'. This request has been blocked; the content must be served over HTTPS.

Mixed Content: The page at 'https://url.ca/auth/admin/master/console/' was loaded over HTTPS, but requested an insecure script 'http://url/auth/js/keycloak.js?version=mxda6'. This request has been blocked; the content must be served over HTTPS.

i looked through traefik logs:

level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs"

chocokoala
  • 191
  • 4
  • 15

2 Answers2

2

I found a fix but it still doesn't answer my question why when ingress points to https, it doesnt work. Is there an answer?

So the fix is to add this under ENV in the statefulset keycloak deployment. In the ingress, the service port is http

            - name: PROXY_ADDRESS_FORWARDING
              value: "true"

i found it at https://github.com/eclipse/che/issues/9429

chocokoala
  • 191
  • 4
  • 15
2

I had the same issue. The white screen isn't helpful, but the browser console is. It is blocking mixed content, namely the script http://url/auth/js/keycloak.js?version=mxda6.

The documentation on Docker Hub says:

Specify frontend base URL

To set a fixed base URL for frontend requests use the following environment value (this is highly recommended in production):

  • KEYCLOAK_FRONTEND_URL: Specify base URL for Keycloak (optional, default is retrieved from request)

I provided the external url with https scheme in my manifest and the script in question is now appearing in the index.html as https url.

- name: KEYCLOAK_FRONTEND_URL
  value: "https://url/auth"

Since it is "highly recommended" I suppose there are more slight problems without this variable set, like other links being generated wrong, e.g. in emails though I didn't check that yet.

Marc Wittke
  • 2,991
  • 2
  • 30
  • 45