[bitnami/keycloak] Add support for proxy-headers #67957
Signed-off-by: Jakub Jaruszewski <jjaruszewski@outlook.com>
Hi @Kajot-dev This isn't simply adding support for I'm assuming you're not setting any proxy-header by default given it's the equivalent to the "passthrough" proxy mode, am I right?
@juan131 Yes, that's correct! If you wish, I may try to implement backwards compatibility by introducing KEYCLOAK_LEGACY_PROXY which defaults to the value of KEYCLOAK_PROXY (and is only a helper variable) before it's assigned the default "passthrough" value. That way the intentions of the user would be clear. Then if KEYCLOAK_LEGACY_PROXY is empty, we can use proxy-headers, else use proxy setting like before. Let me know what you think?
I don't think that's necessary, it's overcomplicated. We should add some mechanism though in the associated chart. For instance, we could mark the
+## @param proxyHeaders Set Keycloak proxy headers
+##
+proxyHeaders: ""
## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
+## DEPRECATED: use proxyHeaders instead
## ref: https://www.keycloak.org/server/reverseproxy
##
-proxy: passthrough
+proxy: ""
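Review bot: The new "@param proxyHeaders" comment does not say which values are accepted or what the empty default means, while the proxy entry right below it lists its modes. Keycloak's proxy-headers option takes forwarded or xforwarded, so name both here and state that an empty value means no proxy headers are parsed. With proxy also changing from passthrough to "", both defaults are now empty, and an operator running behind a reverse proxy has to opt in explicitly; the DEPRECATED line is a good place to say that.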
+ {{- if and .Values.proxy (empty .Values.proxyHeaders }}
- KEYCLOAK_PROXY: {{ .Values.proxy | quote }}
+ KEYCLOAK_PROXY_HEADERS: {{ ternary "" "forwarded|xforwarded" (eq .Values.proxy "passthrough") }}
+ {{- else }}
+ KEYCLOAK_PROXY_HEADERS: {{ .Values.proxyHeaders | quote }}
+ {{- end }} |
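Review bot: In the deprecated branch only proxy "passthrough" maps to an empty KEYCLOAK_PROXY_HEADERS, so proxy "none" (listed among the modes in the proxy parameter comment) falls into the other arm of the ternary and turns on forwarded-header parsing for a deployment that asked for no proxy handling; treat "none" the same as "passthrough". The other arm emits the literal string "forwarded|xforwarded", which is not a single header mode, so choose forwarded or xforwarded there. The if line is also missing the closing parenthesis after "empty .Values.proxyHeaders", and the ternary result should go through "| quote" as the else branch does, otherwise the empty case renders as a bare key.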
I will make a counterpart PR for the helm chart and link it here
According to the docs, the
I don't think so, because of: In bitnami containers In other words helm chart can just disable/disallow enabling https together with deprecated proxy in edge mode
@juan131 Please see: bitnami/charts#27890
LGTM
Hi @Kajot-dev We released a new container image version (see Thanks for your contribution
Description of the change

Added support for proxy-headers via KEYCLOAK_PROXY_HEADERS. This also removes support for KEYCLOAK_PROXY.

Implementing both this and KEYCLOAK_PROXY when the current default for KEYCLOAK_PROXY is passthrough (and not empty) would be a mess since we won't really know if user meant to set "passthrough" or just did not specify this at all (unless we would change the default, but this would be a breaking change anyway) and creating too many possible combinations.

Benefits

Not using deprecated options

Possible drawbacks

Lack of KEYCLOAK_PROXY must be accounted for in helm charts etc.

Applicable issues