Regrouping issue about the last helm keycloakx chart release #779

Open
AMontagu opened this issue Jul 4, 2024 · 4 comments
AMontagu commented Jul 4, 2024

Hello

As I ran into almost all of the other issues reported here and worked around them, I wanted to regroup all of them into one issue with fixes / things to change.

---------------------- Things to fix from the maintainer ---------------------------

@hansehe I am tagging you as this comes from your commit e1f5237#diff-0d42a0bcf21efda1331b8bbd8b883ee80f6b5587a3e02d7820c187911174663cR106

This line: e1f5237#diff-0d42a0bcf21efda1331b8bbd8b883ee80f6b5587a3e02d7820c187911174663cR106

Uses a value Values.proxy.http.enabled that is not documented. It needs to be changed to Values.proxy.enabled or documented in the readme.

The Values.proxy.mode is now sent to KC_PROXY_HEADERS instead of KC_PROXY. This is the correct behavior, but the values are now forwarded or xforwarded and not edge, passthrough ...
The default value needs to be changed and the doc adapted.

With the latest version (maybe a bug in keycloak directly, but it needs to be noted in the doc), if running behind an ingress proxy, the hostname option needs to be set with the https scheme; if not, the admin console will try to load https://my.keycloak.org/resources/master/admin/en over http instead of https.

---------------------- Steps to do from the user -------------------------------------

First, if you have issues installing keycloak 25.0, be sure to be on the latest helm repo (version 2.4.2):

helm repo update codecentric

See (#775)

Then you need to:

  • remove "--hostname-strict-https=false" and "--http-enabled=true" options

See #778

Then add the hostname:

"--hostname=https://my.keycloak.org"

The full config I use (you can add --optimized or --verbose if wanted):

command:
  - "/opt/keycloak/bin/kc.sh"
  - "start"
  - "--hostname=https://my.keycloak.org"
  - "--http-port=8080"
  - "--hostname-strict=false"

Finally change the proxy configuration like this:

proxy:
  enabled: true
  http:
    enabled: true
  mode: "forwarded"

github-actions bot commented Sep 2, 2024

This issue has been marked as stale because it has been open for 30 days with no activity. It will be automatically closed in 10 days if no further activity occurs.

@github-actions github-actions bot added the Stale label Sep 2, 2024
@kylebisley

I really appreciated this update. It helped me get keycloak up and running on eks using an ingress/alb.

The catch for me was I needed to include /auth in the hostname before I was successful in accessing the administration console.

So my working config compared to above differed slightly.

command:
  - "/opt/keycloak/bin/kc.sh"
  - "start"
  - "--hostname=https://my.keycloak.org/auth"
  - "--http-port=8080"
  - "--hostname-strict=false"

I suppose I'm posting in part to keep the issue from going from stale to closed, and in part to ask for clarity from people who are more experienced if my addition of the /auth to the hostname will be catastrophic in some way that I'm not noticing at this early stage of my migrating to keycloak.

Below I've included the output of /auth/realms/master/hostname-debug for both running @AMontagu's config above and my hacky /auth edit in case that clarifies things.

URL Value
Request https://my.keycloak.org/auth/realms/master/hostname-debug
Frontend https://my.keycloak.org [FAILED]
Backend https://my.keycloak.org [FAILED]
Admin https://my.keycloak.org [FAILED]
Server mode production [start]
Realm master
Hostname SPI implementation V2
hostname https://my.keycloak.org
hostname-backchannel-dynamic false
hostname-strict true
proxy-headers forwarded
http-enabled true
http-relative-path /auth
http-port 8080
https-port 8443
Host my.keycloak.org
X-Forwarded-For 111.111.111.111 (obfuscated ip)
X-Forwarded-Port 443
X-Forwarded-Proto https

URL Value
Request https://my.keycloak.org/auth/realms/master/hostname-debug
Frontend https://my.keycloak.org/auth [OK]
Backend https://my.keycloak.org/auth [OK]
Admin https://my.keycloak.org/auth [OK]
Server mode production [start]
Realm master
Hostname SPI implementation V2
hostname https://my.keycloak.org/auth
hostname-backchannel-dynamic false
hostname-strict true
proxy-headers forwarded
http-enabled true
http-relative-path /auth
http-port 8080
https-port 8443
Host my.keycloak.org
X-Forwarded-For 111.111.111.111 (obfuscated ip)
X-Forwarded-Port 443
X-Forwarded-Proto https

@github-actions github-actions bot removed the Stale label Sep 7, 2024

AMontagu commented Sep 9, 2024

@kylebisley You are using ENV KC_HTTP_RELATIVE_PATH=/auth. It's okay; it allows keeping backward compatibility with older keycloak versions. But if you don't need it and you remove it, then it will work without the /auth in the hostname.

@kylebisley

My hero @AMontagu. Sorry for hopping on your regroup issue with such a rookie question. I had missed that I needed to override the defaults.

For future readers I added

http:
  relativePath: '/'

to my values file configuration and now it's working for me.

hostname-debug after making the change
URL Value
Request https://my.keycloak.org/realms/master/hostname-debug
Frontend https://my.keycloak.org [OK]
Backend https://my.keycloak.org [OK]
Admin https://my.keycloak.org [OK]
Server mode production [start]
Realm master
Hostname SPI implementation V2
hostname https://my.keycloak.org
hostname-backchannel-dynamic false
hostname-strict true
proxy-headers forwarded
http-enabled true
http-relative-path /
http-port 8080
https-port 8443
Host my.keycloak.org
X-Forwarded-For 111.111.111.111
X-Forwarded-Port 443
X-Forwarded-Proto https

URL Value
Request https://my.keycloak.org/realms/master/hostname-debug
Frontend https://my.keycloak.org/auth [FAILED]
Backend https://my.keycloak.org/auth [FAILED]
Admin https://my.keycloak.org/auth [FAILED]
Runtime Value
Server mode production [start]
Realm master
Hostname SPI implementation V2
Configuration property Value
hostname https://my.keycloak.org/auth
hostname-backchannel-dynamic false
hostname-strict true
proxy-headers forwarded
http-enabled true
http-relative-path /
http-port 8080
https-port 8443
Header Value
Host my.keycloak.org
X-Forwarded-For 111.111.111.111
X-Forwarded-Port 443
X-Forwarded-Proto https
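
The checks discussed across this thread, collected into a small values linter as an added example (not code from the chart or from any participant). It assumes the values file has already been parsed into a dict; `lint_values`, `sample_values` and the `/auth` default for `http.relativePath` are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Start-up flags the issue says to remove for Keycloak 25 (see #778).
REMOVED_FLAGS = ("--hostname-strict-https", "--http-enabled")
# proxy.mode values the issue says KC_PROXY_HEADERS takes.
PROXY_HEADER_MODES = {"forwarded", "xforwarded"}
# Assumption: relative path in effect when http.relativePath is not overridden.
DEFAULT_RELATIVE_PATH = "/auth"


def lint_values(values):
    """Return findings for a keycloakx values dict (parsed from YAML beforehand)."""
    findings = []
    args = [str(a) for a in values.get("command", [])]
    for arg in args:
        if arg.split("=", 1)[0] in REMOVED_FLAGS:
            findings.append(f"remove {arg}")
    hostname = next((a.split("=", 1)[1] for a in args if a.startswith("--hostname=")), None)
    proxy = values.get("proxy", {})
    if proxy.get("enabled"):
        if proxy.get("mode") not in PROXY_HEADER_MODES:
            findings.append(f"proxy.mode {proxy.get('mode')!r} is not forwarded/xforwarded")
        if not proxy.get("http", {}).get("enabled"):
            findings.append("proxy.http.enabled is not set")
        if hostname is None or urlsplit(hostname).scheme != "https":
            findings.append("--hostname needs the https:// scheme behind the ingress")
    rel = values.get("http", {}).get("relativePath", DEFAULT_RELATIVE_PATH)
    # hostname-debug above reports FAILED whenever these two paths differ.
    if hostname and "://" in hostname:
        if urlsplit(hostname).path.rstrip("/") != rel.rstrip("/"):
            findings.append(f"--hostname path does not match http.relativePath {rel!r}")
    return findings


def sample_values(hostname, relative_path=None, mode="forwarded", extra=()):
    """Build a constructed sample values dict in the shape used in the thread."""
    v = {"command": ["/opt/keycloak/bin/kc.sh", "start", f"--hostname={hostname}",
                     "--http-port=8080", "--hostname-strict=false", *extra],
         "proxy": {"enabled": True, "http": {"enabled": True}, "mode": mode}}
    if relative_path is not None:
        v["http"] = {"relativePath": relative_path}
    return v


# Constructed samples mirroring the configurations discussed above.
OLD_STYLE = sample_values("my.keycloak.org", "/", mode="edge",
                          extra=("--hostname-strict-https=false", "--http-enabled=true"))
WITH_AUTH = sample_values("https://my.keycloak.org/auth")
ROOT_PATH = sample_values("https://my.keycloak.org", "/")
```

`lint_values(WITH_AUTH)` and `lint_values(ROOT_PATH)` come back empty, matching the two `[OK]` hostname-debug outputs, while a hostname without `/auth` and no `relativePath` override is flagged.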
