Keycloak temporarily unavailable

[vdwijngaert]

API Platform version(s) affected: v4.2.1

Description
Seems like Keycloak is not available on the demo environment. Visiting /admin will redirect you to the oidc demo realm, but that shows a 503 error.

How to reproduce

• Visit https://demo.api-platform.com/admin/
• See a 503 Service Temporarily Unavailable error.

Possible Solution
Seems like the OIDC_UPSTREAM env var didn't make it into the php container anymore at one point. Adding it back in spec.template.spec.containers[0].env in helm/api-platform/templates/deployment.yaml should fix that.

Additional Context
While troubleshooting, I also saw that Keycloak 26 has changes to how it supports reverse proxies, see https://www.keycloak.org/server/reverseproxy#_configure_the_reverse_proxy_headers. We might also need to set KC_PROXY_HEADERS or KEYCLOAK_PROXY_HEADERS (this confused me, as the helm chart seems to use KEYCLOAK_ instead of KC_, so maybe it does some translation in its bitnami magic). Its value should be xforwarded, as Caddy uses X-Forwarded- headers iirc.

Not sure it's currently needed for things to function correctly, but I added it when trying to get it to run on my own cluster, and didn't test it yet without these vars.

[vdwijngaert]

Hmm, just spotted the ingress.hosts[0].oidcpaths, so in k8s, the oidc is directly proxied by the ingress, not Caddy. So.. not sure why the 503 is happening then 🤔

Maybe it is the KC_PROXY_HEADERS env var after all.

Edit: Hmm, tried without those env vars, and it still worked. Seems like I can't help here... Sorry!