Hello,
The keycloak oauth plugin doesn't work properly when deploying gerrit and keycloak via a docker or podman compose. This is due to the fact that in a compose, services use an internal networking that may differ from external networking as seen from a user's web browser.
Consider the example compose below:
```yaml
version: '2.3'
services:
  keycloak:
    image: docker.io/jboss/keycloak
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=kcadmin
      - DB_VENDOR=h2
      - KEYCLOAK_IMPORT=/var/keycloak_import/zuul-demo-data.json
      - JAVA_OPTS_APPEND="-Djboss.socket.binding.port-offset=2"
    ports:
      - "8082:8082"
  gerrit:
    image: docker.io/gerritcodereview/gerrit
    ports:
      - "8080:8080"
      - "29418:29418"
    environment:
      - CANONICAL_WEB_URL=http://localhost:8080/
```
The keycloak service is available via localhost:8082 outside of the compose (for the end user to log in to). However, the gerrit service can only reach the keycloak service as keycloak:8082. When setting the rootUrl parameter in the plugin's configuration, it is impossible to specify an alternative for internal networking, so either the login redirection or gerrit's token fetching will fail.
A possible workaround is to modify the end user /etc/hosts file to add an entry for keycloak. This is unacceptable for production deployments though.
This issue occurs in Kubernetes deployments for the same reason. We also observe an issue with the hardcoded keycloak URLs for the auth and token endpoints, as they assume that the URL will start with "/auth". However, the documented way to deploy keycloak in Kubernetes is as a "virtual host", see: https://www.keycloak.org/getting-started/getting-started-kube
I would recommend adding two optional parameters: authEndpoint and tokenEndpoint so that deployers can specify what URLs to use.
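As an added illustration of the two optional parameters proposed above (not code from the plugin or its maintainers): a small Python resolver that keeps the browser-facing authorize URL derived from rootUrl while letting the server-side token URL point at the compose-internal hostname. The parameter names, the realm and client names, and the legacy "/auth" path layout used as the default are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode, urlparse

# Legacy Keycloak endpoint layout (the "/auth" prefix the issue says is hardcoded).
# Used only as the fallback when no explicit endpoint override is configured.
LEGACY_AUTH_PATH = "/auth/realms/{realm}/protocol/openid-connect/auth"
LEGACY_TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


@dataclass
class KeycloakOAuthConfig:
    root_url: str                          # browser-reachable base, e.g. http://localhost:8082
    realm: str
    client_id: str
    auth_endpoint: Optional[str] = None    # proposed optional override (hypothetical name)
    token_endpoint: Optional[str] = None   # proposed optional override (hypothetical name)


def resolve_endpoints(cfg: KeycloakOAuthConfig) -> Tuple[str, str]:
    """Return (authorize_url, token_url).

    The authorize URL is followed by the user's browser (external network);
    the token URL is called by the Gerrit server (internal network), so the
    two may legitimately have different hosts."""
    base = cfg.root_url.rstrip("/")
    auth = cfg.auth_endpoint or base + LEGACY_AUTH_PATH.format(realm=cfg.realm)
    token = cfg.token_endpoint or base + LEGACY_TOKEN_PATH.format(realm=cfg.realm)
    return auth, token


def build_login_redirect(cfg: KeycloakOAuthConfig, redirect_uri: str, state: str) -> str:
    """Authorization-code redirect the browser is sent to; uses the external host."""
    authorize_url, _ = resolve_endpoints(cfg)
    params = {"client_id": cfg.client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid", "state": state}
    return f"{authorize_url}?{urlencode(params)}"


def hosts_differ(cfg: KeycloakOAuthConfig) -> bool:
    """True when the browser-facing and server-facing hosts differ, i.e. the
    compose/Kubernetes split-network case that rootUrl alone cannot express."""
    auth, token = resolve_endpoints(cfg)
    return urlparse(auth).netloc != urlparse(token).netloc
```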