[bitnami/keycloak] initial 'user' login results in looping reload of page, never logging in #25649

Closed
lknite opened this issue May 8, 2024 · 9 comments
Labels
keycloak solved tech-issues The user has a technical issue about an application

@lknite
Contributor

lknite commented May 8, 2024

Name and Version

bitnami/keycloak:21.1.3

What architecture are you using?

amd64

What steps will reproduce the bug?

Standard helm deployment using values.yaml below.

Note:

  • I can use port-forwarding to the keycloak service and everything works. This issue is occurring when I try to access via FQDN using the ingress.

Are you using any custom parameters or values?

keycloak:

  image:
    debug: true  # use to increase logging

  global:
    storageClass: tkg-storage-policy

  auth:
    adminPassword: "something"

  production: false

  # enable use of reverse proxy
  proxy: edge

  ingress:
    enabled: true
    ingressClassName: avi-lb
    hostname: keycloak.k.home.net
    pathType: Prefix
    tls: true
    annotations:
      cert-manager.io/cluster-issuer: "vault-issuer"

  postgresql:
    enabled: true
    auth:
      password: 8e917492-1111-2222-3333-7643d204b9b2

What is the expected behavior?

Would expect to be able to log in as 'user'.

What do you see instead?

After a clean deployment I have the opportunity to log in as 'user'. I can see it is checking the password because if I log in with the wrong password it asks me to log in again. It accepts the correct password but then continually reloads the page, only showing the spinning console icon. I can see in the logs:

2024-05-08 20:53:59,616 WARN  [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="c1919950-95aa-48db-a5e8-7a6e78226b96", clientId="security-admin-console", userId="null", ipAddress="10.224.250.31", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-05-08 20:54:05,037 WARN  [org.keycloak.events] (executor-thread-3) type="REFRESH_TOKEN_ERROR", realmId="c1919950-95aa-48db-a5e8-7a6e78226b96", clientId="security-admin-console", userId="null", ipAddress="10.224.250.31", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-05-08 20:54:09,744 WARN  [org.keycloak.events] (executor-thread-4) type="REFRESH_TOKEN_ERROR", realmId="c1919950-95aa-48db-a5e8-7a6e78226b96", clientId="security-admin-console", userId="null", ipAddress="10.224.250.31", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"

Additional information

$ kubectl version
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.10+vmware.1-fips.1
@lknite lknite added the tech-issues The user has a technical issue about an application label May 8, 2024
@github-actions github-actions bot added the triage Triage is needed label May 8, 2024
@javsalgar javsalgar changed the title [keycloak] initial 'user' login results in looping reload of page, never logging in [bitnami/keycloak] initial 'user' login results in looping reload of page, never logging in May 9, 2024
@github-actions github-actions bot removed the triage Triage is needed label May 9, 2024
@github-actions github-actions bot assigned dgomezleon and unassigned javsalgar May 9, 2024
@lknite
Contributor Author

lknite commented May 10, 2024

I switched from using ingressClassName "avi-lb" to "nginx" and everything started working.

I'm looking into why "avi-lb" is experiencing an issue but "nginx" does not.

@dgomezleon
Member

Hi @lknite

Thanks for sharing this info with the community.

I'm unfamiliar with the Avi IngressClass object, so I'm keeping it open so you can share any advances on this.

@dgilsonAfelio

I got the same error with avi-lb

@lknite
Contributor Author

lknite commented May 15, 2024

Someone from avi collected a packet trace from my client system with keycloak working using nginx, and a packet trace via avi using avi-lb. Will report back once they've had a chance to look. (maybe? https://avinetworks.com/docs/latest/x-forwarded-for-header-insertion/)

@dgilsonAfelio

Yes, the non-existence of x-forwarded-for is my privileged track too

@dgilsonAfelio

dgilsonAfelio commented May 15, 2024

For me the issue was that "HTTP-Only Cookies" was checked
https://avinetworks.com/docs/latest/x-forwarded-for-header-insertion/img/application-profile-1.png

@lknite
Contributor Author

lknite commented May 17, 2024

Unchecking 'HTTP-Only Cookies' also fixed it for me.
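The fix reported above points at the load balancer rewriting cookie attributes, so one way to confirm it is to compare the `Set-Cookie` headers of the same response captured over the port-forward path and over the ingress path. This is an added example, not part of the original thread or the chart; the sample headers, cookie names and function names are constructed for illustration.

```python
# Constructed sample: Set-Cookie headers of one login response, captured once
# via `kubectl port-forward` (direct) and once through the ingress FQDN.
# Cookie names and values are illustrative, not taken from the issue.
DIRECT = [
    "AUTH_SESSION_ID=abc123; Path=/realms/master/; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_SESSION=master/u1/s1; Path=/realms/master/; Secure; SameSite=None",
]
VIA_LB = [
    "AUTH_SESSION_ID=abc123; Path=/realms/master/; Secure; HttpOnly; SameSite=None",
    "KEYCLOAK_SESSION=master/u1/s1; Path=/realms/master/; Secure; HttpOnly; SameSite=None",
]


def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute -> value, or True for flags."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def cookie_attr_drift(direct, proxied):
    """List (cookie, attribute, direct_value, proxied_value) for every attribute
    the proxy added, removed or changed. Cookies are keyed by name only."""
    a = dict(parse_set_cookie(h) for h in direct)
    b = dict(parse_set_cookie(h) for h in proxied)
    drift = []
    for name in sorted(a.keys() | b.keys()):
        if name not in a or name not in b:
            # Cookie dropped or injected by the proxy.
            drift.append((name, "<cookie>", name in a, name in b))
            continue
        for attr in sorted(a[name].keys() | b[name].keys()):
            before, after = a[name].get(attr), b[name].get(attr)
            if before != after:
                drift.append((name, attr, before, after))
    return drift


if __name__ == "__main__":
    for cookie, attr, before, after in cookie_attr_drift(DIRECT, VIA_LB):
        print(f"{cookie}: {attr} direct={before!r} via_lb={after!r}")
```

An `httponly` entry that goes from `None` to `True` means the proxy added the flag to a cookie the application issued without it, which hides that cookie from any page script that expects to read it.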

@lknite
Contributor Author

lknite commented May 17, 2024

@dgilsonAfelio do you happen to also know about gateway-api? I was trying to get gateway-api to work while I simultaneously worked to get the avi-lb ingress to work. I thought maybe unchecking "HTTP-Only Cookies" might also cause gateway-api to work but so far no luck.

@LilaBeck29

@dgilsonAfelio same here!
