fix: removes the operator's usage of the v1 proxy option

closes: #30945

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Steve Hawkins 2024-07-03 14:18:16 -04:00 committed by Peter Zaoral
parent 0410653e71
commit 9247029ca3
4 changed files with 5 additions and 41 deletions


@ -9,6 +9,10 @@ Consequently, all caches are cleared when upgrading to this version.
To prevent losing user sessions upgrade to Keycloak 25 first and enable the persistent sessions feature as outlined in the migration guide for {project_name} 25.
= Operator no longer defaults to proxy=passthrough
The Operator will no longer default to the hostname v1 setting of proxy=passthrough. This allows deployments using hostname v2 for a fixed edge hostname to work as desired without additional options.
= New method in `ClusterProvider` API
The following method was added to `org.keycloak.cluster.ClusterProvider`:


@ -46,8 +46,7 @@ public final class Constants {
public static final List<ValueOrSecret> DEFAULT_DIST_CONFIG_LIST = List.of(
new ValueOrSecret("health-enabled", "true"),
new ValueOrSecret("cache", "ispn"),
new ValueOrSecret("cache-stack", "kubernetes"),
new ValueOrSecret("proxy", "passthrough")
new ValueOrSecret("cache-stack", "kubernetes")
);
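Review bot: Nothing visible in this commit still asserts what a default deployment's proxy-related environment looks like once `proxy=passthrough` is dropped from `DEFAULT_DIST_CONFIG_LIST`. The deleted `testFallbackToDefaultProxySettings` held the only visible check that `KC_PROXY_HEADERS` is absent when the proxy spec is null. Forwarded-header trust should be switched on only when the CR asks for it, so I would keep a small check for the default case in `KeycloakIngressTest`, for example `assertThat(envVars).noneMatch(e -> "KC_PROXY".equals(e.getName()) || "KC_PROXY_HEADERS".equals(e.getName()));`. A comment above the list, `// proxy options are intentionally not defaulted; they are set only when the CR configures them`, would also discourage re-adding the entry. The rest of the `Constants` class lies outside this hunk, so whether other defaults interact with proxy handling cannot be confirmed from here.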


@ -421,13 +421,6 @@ public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependent
// include the kube CA if the user is not controlling KC_TRUSTSTORE_PATHS via the unsupported or the additional
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue(truststores).build());
// TODO remove this once the --proxy option is finally removed from Keycloak
// not strictly necessary as --proxy-headers take precedence over --proxy but at least removes the warning
// about deprecated --proxy option in use
if (varMap.containsKey(getKeycloakOptionEnvVarName("proxy-headers"))) {
varMap.remove(getKeycloakOptionEnvVarName("proxy"));
}
var envVars = new ArrayList<>(varMap.values());
baseDeployment.getSpec().getTemplate().getSpec().getContainers().get(0).setEnv(envVars);


@ -104,38 +104,6 @@ public class KeycloakIngressTest extends BaseOperatorTest {
.anyMatch(e -> "KC_PROXY_HEADERS".equals(e.getName()) && "xforwarded".equals(e.getValue()));
}
// TODO remove this test once the --proxy option is finally removed from Keycloak
@Test
public void testFallbackToDefaultProxySettings() {
var kc = getTestKeycloakDeployment(false);
var hostnameSpecBuilder = new HostnameSpecBuilder()
.withStrict(false)
.withStrictBackchannel(false);
if (isOpenShift) {
kc.getSpec().setIngressSpec(new IngressSpecBuilder().withIngressClassName(KeycloakController.OPENSHIFT_DEFAULT).build());
}
kc.getSpec().setHostnameSpec(hostnameSpecBuilder.build());
kc.getSpec().setProxySpec(null);
K8sUtils.deployKeycloak(k8sclient, kc, true);
String testHostname;
if (isOpenShift) {
testHostname = k8sclient.resource(kc).get().getSpec().getHostnameSpec().getHostname();
} else {
testHostname = kubernetesIp;
}
testIngressURLs("https://" + testHostname + ":443");
// just check we really have proxy set correctly
var envVars = k8sclient.apps().statefulSets().withName(kc.getMetadata().getName()).get().getSpec()
.getTemplate().getSpec().getContainers().get(0).getEnv();
assertThat(envVars)
.anyMatch(e -> "KC_PROXY".equals(e.getName()) && "passthrough".equals(e.getValue()))
.noneMatch(e -> "KC_PROXY_HEADERS".equals(e.getName()));
}
private void testIngressURLs(String baseUrl) {
Awaitility.await()
.ignoreExceptions()