Keycloak 24 exception http/500 on OpenShift with re-encrypt Route on ROSA

[pgodowski]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

With Keycloak 24, deployed on ROSA (OpenShift on AWS), via RHBK operator 24.0.8-opr.1, when Keycloak is exposed via manually created re-encrypt Route, every incoming http request fails with http/500 with stack trace:

2024-10-16 09:50:18,620 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-18) Uncaught server error: java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "io.vertx.core.http.HttpServerRequest.authority()" is null
	at org.jboss.resteasy.reactive.server.vertx.VertxResteasyReactiveRequestContext.getRequestHost(VertxResteasyReactiveRequestContext.java:194)
	at org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext.getAuthority(ResteasyReactiveRequestContext.java:481)
	at org.jboss.resteasy.reactive.server.jaxrs.UriInfoImpl.getBaseUri(UriInfoImpl.java:131)
	at org.keycloak.urls.HostnameProvider.getContextPath(HostnameProvider.java:115)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.fromFrontEndUrl(DefaultHostnameProvider.java:181)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.getContextPath(DefaultHostnameProvider.java:126)
	at org.keycloak.models.KeycloakUriInfo.<init>(KeycloakUriInfo.java:54)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:78)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:85)
	at org.keycloak.services.resources.WelcomeResource.getWelcomePage(WelcomeResource.java:88)
	at org.keycloak.services.resources.WelcomeResource$quarkusrestinvoker$getWelcomePage_3d46f4348f9016709ff9c5ca428ac29847ab83d6.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

2024-10-16 09:50:18,621 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-18) Failed to create error page: java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "io.vertx.core.http.HttpServerRequest.authority()" is null
	at org.jboss.resteasy.reactive.server.vertx.VertxResteasyReactiveRequestContext.getRequestHost(VertxResteasyReactiveRequestContext.java:194)
	at org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext.getAuthority(ResteasyReactiveRequestContext.java:481)
	at org.jboss.resteasy.reactive.server.jaxrs.UriInfoImpl.getBaseUri(UriInfoImpl.java:131)
	at org.keycloak.urls.HostnameProvider.getContextPath(HostnameProvider.java:115)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.fromFrontEndUrl(DefaultHostnameProvider.java:181)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.getContextPath(DefaultHostnameProvider.java:126)
	at org.keycloak.models.KeycloakUriInfo.<init>(KeycloakUriInfo.java:54)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:78)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:85)
	at org.keycloak.services.error.KeycloakErrorHandler.resolveRealm(KeycloakErrorHandler.java:152)
	at org.keycloak.services.error.KeycloakErrorHandler.getResponse(KeycloakErrorHandler.java:97)
	at org.keycloak.services.error.KeycloakErrorHandler.toResponse(KeycloakErrorHandler.java:67)
	at org.jboss.resteasy.reactive.server.core.RuntimeExceptionMapper.mapException(RuntimeExceptionMapper.java:100)
	at org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext.mapExceptionIfPresent(ResteasyReactiveRequestContext.java:346)
	at org.jboss.resteasy.reactive.server.handlers.ExceptionHandler.handle(ExceptionHandler.java:15)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

2024-10-16 09:50:18,621 ERROR [io.quarkus.vertx.http.runtime.QuarkusErrorHandler] (executor-thread-18) HTTP Request to / failed, error id: 80b8e190-cd1a-4fae-a82e-6133366a1e72-3: java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "io.vertx.core.http.HttpServerRequest.authority()" is null
	at org.jboss.resteasy.reactive.server.vertx.VertxResteasyReactiveRequestContext.getRequestHost(VertxResteasyReactiveRequestContext.java:194)
	at org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext.getAuthority(ResteasyReactiveRequestContext.java:481)
	at org.jboss.resteasy.reactive.server.jaxrs.UriInfoImpl.getBaseUri(UriInfoImpl.java:131)
	at org.keycloak.urls.HostnameProvider.getContextPath(HostnameProvider.java:115)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.fromFrontEndUrl(DefaultHostnameProvider.java:181)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.getContextPath(DefaultHostnameProvider.java:126)
	at org.keycloak.models.KeycloakUriInfo.<init>(KeycloakUriInfo.java:54)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:78)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:85)
	at org.keycloak.headers.DefaultSecurityHeadersProvider.addHeaders(DefaultSecurityHeadersProvider.java:74)
	at org.keycloak.services.filters.KeycloakSecurityHeadersFilter.filter(KeycloakSecurityHeadersFilter.java:43)
	at org.jboss.resteasy.reactive.server.handlers.ResourceResponseFilterHandler.handle(ResourceResponseFilterHandler.java:25)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

Keycloak CR

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  annotations:
    operator.ibm.com/operand-depoyment-lifecycle-manager.hashedData: 0c6f9bd46ae402
  resourceVersion: '589061'
  name: cs-keycloak
  uid: 7364be24-e35c-4a46-8d67-2e0f5aead793
  creationTimestamp: '2024-10-15T20:40:43Z'
  generation: 4
  namespace: cs-data
  labels:
    operator.ibm.com/opreq-control: 'true'
spec:
  db:
    host: keycloak-edb-cluster-rw
    passwordSecret:
      key: password
      name: keycloak-edb-cluster-app
    usernameSecret:
      key: username
      name: keycloak-edb-cluster-app
    vendor: postgres
  features:
    enabled:
      - token-exchange
  hostname:
    hostname: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
  http:
    tlsSecret: cs-keycloak-tls-secret
  ingress:
    enabled: false
  instances: 1
  resources:
    limits:
      cpu: 1000m
      ephemeral-storage: 512Mi
      memory: 1Gi
    requests:
      cpu: 1000m
      ephemeral-storage: 256Mi
      memory: 1Gi
  unsupported:
    podTemplate:
      metadata:
        annotations:
          cloudpakThemesVersion: styles467.css
      spec:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: kubernetes.io/arch
                      operator: In
                      values:
                        - amd64
                        - ppc64le
                        - s390x
        containers:
          - command:
              - /bin/sh
              - /mnt/startup/cs-keycloak-entrypoint.sh
            volumeMounts:
              - mountPath: /mnt/truststore
                name: truststore-volume
              - mountPath: /mnt/startup
                name: startup-volume
              - mountPath: /mnt/trust-ca
                name: trust-ca-volume
              - mountPath: /opt/keycloak/providers
                name: cs-keycloak-theme
              - mountPath: /mnt/user-profile
                name: user-profile-volume
        volumes:
          - emptyDir:
              sizeLimit: 2Mi
            name: truststore-volume
          - configMap:
              name: cs-keycloak-entrypoint
            name: startup-volume
          - configMap:
              name: cs-keycloak-ca-certs
              optional: true
            name: trust-ca-volume
          - configMap:
              items:
                - key: cloudpak-theme.jar
                  path: cloudpak-theme.jar
              name: cs-keycloak-theme
            name: cs-keycloak-theme
          - configMap:
              name: cs-keycloak-user-profile
            name: user-profile-volume
status:
  conditions:
    - lastTransitionTime: '2024-10-16T08:50:53.988801494Z'
      message: ''
      observedGeneration: 4
      status: 'True'
      type: Ready
    - lastTransitionTime: '2024-10-16T08:22:11.894312876Z'
      message: ''
      observedGeneration: 4
      status: 'False'
      type: HasErrors
    - lastTransitionTime: '2024-10-16T08:50:53.988801494Z'
      message: ''
      observedGeneration: 4
      status: 'False'
      type: RollingUpdate
  instances: 1
  observedGeneration: 4
  selector: 'app=keycloak,app.kubernetes.io/managed-by=keycloak-operator,app.kubernetes.io/instance=cs-keycloak'

Keycloak Service

kind: Service
apiVersion: v1
metadata:
  name: cpfs-opcon-cs-keycloak-service
  namespace: cs-data
  uid: 3cbae9f2-8ab9-4256-9e38-caf4894d01d4
  resourceVersion: '89529'
  creationTimestamp: '2024-10-15T20:39:48Z'
  labels:
    app: keycloak
    app.kubernetes.io/instance: cs-keycloak
    app.kubernetes.io/managed-by: keycloak-operator
    operator.ibm.com/opreq-control: 'true'
    operator.ibm.com/referenced-by-odlm-resource: OperandConfig.cs-data.common-service
    operator.ibm.com/watched-by-odlm: 'true'
  annotations:
    operator.ibm.com/operand-depoyment-lifecycle-manager.hashedData: 3499c3d6075216
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1729020873
    service.beta.openshift.io/serving-cert-secret-name: cpfs-opcon-cs-keycloak-tls-secret
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1729020873
spec:
  clusterIP: 172.30.13.118
  ipFamilies:
    - IPv4
  ports:
    - name: https
      protocol: TCP
      port: 8443
      targetPort: 8443
  internalTrafficPolicy: Cluster
  clusterIPs:
    - 172.30.13.118
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector:
    app: keycloak
    app.kubernetes.io/instance: cs-keycloak
    app.kubernetes.io/managed-by: keycloak-operator
status:
  loadBalancer: {}

re-encrypt Route

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: keycloak
  namespace: cs-data
  uid: a6e945ec-582f-468f-be61-b52db0472db4
  resourceVersion: '589548'
  creationTimestamp: '2024-10-15T20:40:04Z'
  labels:
    operator.ibm.com/opreq-control: 'true'
    operator.ibm.com/referenced-by-odlm-resource: OperandConfig.cs-data.common-service
    operator.ibm.com/watched-by-odlm: 'true'
  annotations:
    openshift.io/host.generated: 'true'
    operator.ibm.com/odlm.route.hashedData: ''
    operator.ibm.com/operand-depoyment-lifecycle-manager.hashedData: 89c1f04973cc62
spec:
  host: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
  to:
    kind: Service
    name: cpfs-opcon-cs-keycloak-service
    weight: 100
  port:
    targetPort: 8443
  tls:
    termination: reencrypt
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      MIIDUTCCAjmgAwIBAgIIUbIZ17MDB94wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
      Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTcyOTAyMDg3MzAe
      Fw0yNDEwMTUxOTM0MzJaFw0yNjEyMTQxOTM0MzNaMDYxNDAyBgNVBAMMK29wZW5z
      aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3MjkwMjA4NzMwggEiMA0GCSqG
      SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7/nixI+jxF3HZCV3oNhd+tiSLGfPmYbqF
      Odnhojr+mOLmMJIm3SLaIvw026q86b1OT0U1FeHLHS54qDRXPTh/i2ah7Ib5w6W5
      538o1y1hyAvbG+BdsyPiaBPfzh6kJxo67WJEf7ul6LwaughY0VYlm/+b2JWvW+5k
      xlsOPqOJe4Td6xKAeNxA6vU2kfb47MPfIKGJ1Hi9ATnXnggQvQsZmwu31w56lhkr
      aCJTWXzwsvnI3iPs7BIKRUtWZagURZvnrFnfvYOydPPWbBt+PwL+JLaAxhV7+RkK
      R8bpFxhNd991wm8SeZdf4kXtdZL2qOXmaTOTuCN4103ksYRap0pDAgMBAAGjYzBh
      MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBREsaoW
      ePpjTMpEZ8bopejRpSoeITAfBgNVHSMEGDAWgBREsaoWePpjTMpEZ8bopejRpSoe
      ITANBgkqhkiG9w0BAQsFAAOCAQEASouFleyxaJi2pHQ7ZtrGfUSfHz/umlZGQQtS
      v3ysGGGgr7WwBWtctFkcvefINJcP6T4qoKPazM4bpnMgDpPEbvNi17A2N7+pcQD8
      UY2Bs7Ba2nbhFB42Kaj5Z3ZX0JeXpWFAo0NM9qJxHG5I+Ayc5Ps4jRPu3t6gCuK0
      ymlO48K4U2GaVA6x1wyesYvl2gefrJPASm4M4xU21O2rkDLB3zXqVPSlAhDeUxBY
      7xj9rNIWOCkPdFBPL0DOYd8MQZq3nDSplLWUa6L7rywvmaWsOAFMDGRseM2KDF+a
      XsSy8m2tiUp2Et5AF7QsfvGRZVMdv2jOQFLPlaZf9OSsC5AGmw==
      -----END CERTIFICATE-----
  wildcardPolicy: None
status:
  ingress:
    - host: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2024-10-16T09:50:03Z'
      wildcardPolicy: None
      routerCanonicalHostname: router-default.apps.sert-14650-rosa.n45d.p1.openshiftapps.com

It's similar to #28677, but actually in access logs, when enabled verbose access logs, we see that Host header is set:

Enabled verbose access logs by setting up below env variables in Keycloak stateflset:

            - name: QUARKUS_HTTP_ACCESS_LOG_ENABLED
              value: "true"
            - name: QUARKUS_HTTP_ACCESS_LOG_PATTERN
              value: "long"

2024-10-16 09:50:18,621 ERROR [io.quarkus.vertx.http.runtime.QuarkusErrorHandler] (executor-thread-18) HTTP Request to / failed, error id: 80b8e190-cd1a-4fae-a82e-6133366a1e72-3: java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "io.vertx.core.http.HttpServerRequest.authority()" is null
	at org.jboss.resteasy.reactive.server.vertx.VertxResteasyReactiveRequestContext.getRequestHost(VertxResteasyReactiveRequestContext.java:194)
	at org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext.getAuthority(ResteasyReactiveRequestContext.java:481)
	at org.jboss.resteasy.reactive.server.jaxrs.UriInfoImpl.getBaseUri(UriInfoImpl.java:131)
	at org.keycloak.urls.HostnameProvider.getContextPath(HostnameProvider.java:115)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.fromFrontEndUrl(DefaultHostnameProvider.java:181)
	at org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider.getContextPath(DefaultHostnameProvider.java:126)
	at org.keycloak.models.KeycloakUriInfo.<init>(KeycloakUriInfo.java:54)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:78)
	at org.keycloak.services.DefaultKeycloakContext.getUri(DefaultKeycloakContext.java:85)
	at org.keycloak.headers.DefaultSecurityHeadersProvider.addHeaders(DefaultSecurityHeadersProvider.java:74)
	at org.keycloak.services.filters.KeycloakSecurityHeadersFilter.filter(KeycloakSecurityHeadersFilter.java:43)
	at org.jboss.resteasy.reactive.server.handlers.ResourceResponseFilterHandler.handle(ResourceResponseFilterHandler.java:25)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:840)

2024-10-16 09:50:18,621 INFO  [io.quarkus.http.access-log] (executor-thread-18) 
GET / HTTP/2
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br, zstd
dnt: 1
sec-gpc: 1
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
priority: u=0, i
host: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
x-forwarded-host: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
x-forwarded-port: 443
x-forwarded-proto: https
forwarded: for=129.41.47.2;host=keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com;proto=https
x-forwarded-for: 129.41.47.2
2024-10-16 09:50:18,839 INFO  [io.quarkus.http.access-log] (vert.x-eventloop-thread-0) 
GET /favicon.ico HTTP/2
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
accept: image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br, zstd
dnt: 1
sec-gpc: 1
referer: https://keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: same-origin
priority: u=6
host: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
x-forwarded-host: keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com
x-forwarded-port: 443
x-forwarded-proto: https
forwarded: for=129.41.47.2;host=keycloak-cs-data.apps.sert-14650-rosa.n45d.p1.openshiftapps.com;proto=https
x-forwarded-for: 129.41.47.2

Version

Keycloak 24

Regression

• The issue is a regression

Expected behavior

Keycloak responds successfully when using reencrypt Route

Actual behavior

Keyclak http requests are failing, despite http Host header being set correctly

How to Reproduce?

In summary included Keycloak CR, Service and Route specificiation

Anything else?

No response

[pgodowski]

@vmuzikar not sure it's within your area, can you please help here?

[pgodowski]

The same issue happens even is reencrypt Route is put in front of the Keycloak Service created by Keycloak operator, i.e. cs-keycloak-service in this example.

[pgodowski]

Found a way of having Keycloak 24 on ROSA working with re-encrypt Route on ROSA, but still not sure why it's failing on ROSA only:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: cs-keycloak
spec:
...
  proxy:
    headers: xforwarded   <--- HERE
...

[keycloak-github-bot]

Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly build or the latest release.

If the issue can be reproduced in the nightly build or latest release add a comment with additional information, otherwise this issue will be automatically closed within 14 days.

[pgodowski]

I deployed into the same env upstream Keycloak v26.0.0 and I do not observe the same behavior - i.e. reencrypt Route works just fine, without myself need to specifing .spec.proxy.headers: xforwarded in the Keycloak CR.

Can anyone explain what happened that v22 and v26 works fine, but v24 is not?

[sschu]

The way proxy headers are configured changed after KC22 but apparently there was a bug that made your scenario not work that is now fixed in KC26.

[jonkoops]

Closing this issue since it is fixed in the latest stable.