keycloak · Pepo48 · Jul 11, 2024 · Jul 3, 2024
@@ -9,6 +9,10 @@ Consequently, all caches are cleared when upgrading to this version.
 
 To prevent losing user sessions upgrade to Keycloak 25 first and enable the persistent sessions feature as outlined in the migration guide for {project_name} 25.
 
+= Operator no longer defaults to proxy=passthrough
+
+The Operator will no longer default to the hostname v1 setting of proxy=passthrough. This allows deployments using hostname v2 for a fixed edge hostname to work as desired without additional options.
+
 = New method in `ClusterProvider` API
 
 The following method was added to `org.keycloak.cluster.ClusterProvider`:

@@ -46,8 +46,7 @@ public final class Constants {
     public static final List<ValueOrSecret> DEFAULT_DIST_CONFIG_LIST = List.of(
             new ValueOrSecret("health-enabled", "true"),
             new ValueOrSecret("cache", "ispn"),
-            new ValueOrSecret("cache-stack", "kubernetes"),
-            new ValueOrSecret("proxy", "passthrough")
+            new ValueOrSecret("cache-stack", "kubernetes")
     );
 
 

@@ -378,13 +378,6 @@ private void addEnvVars(StatefulSet baseDeployment, Keycloak keycloakCR, TreeSet
         // include the kube CA if the user is not controlling KC_TRUSTSTORE_PATHS via the unsupported or the additional
         varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue(truststores).build());
 
-        // TODO remove this once the --proxy option is finally removed from Keycloak
-        // not strictly necessary as --proxy-headers take precedence over --proxy but at least removes the warning
-        // about deprecated --proxy option in use
-        if (varMap.containsKey(getKeycloakOptionEnvVarName("proxy-headers"))) {
-            varMap.remove(getKeycloakOptionEnvVarName("proxy"));
-        }
-
         var envVars = new ArrayList<>(varMap.values());
         baseDeployment.getSpec().getTemplate().getSpec().getContainers().get(0).setEnv(envVars);
 

@@ -104,38 +104,6 @@ public void testIngressOnHTTPSAndProxySettings() {
                 .anyMatch(e -> "KC_PROXY_HEADERS".equals(e.getName()) && "xforwarded".equals(e.getValue()));
     }
 
-    // TODO remove this test once the --proxy option is finally removed from Keycloak
-    @Test
-    public void testFallbackToDefaultProxySettings() {
-        var kc = getTestKeycloakDeployment(false);
-        var hostnameSpecBuilder = new HostnameSpecBuilder()
-                .withStrict(false)
-                .withStrictBackchannel(false);
-        if (isOpenShift) {
-            kc.getSpec().setIngressSpec(new IngressSpecBuilder().withIngressClassName(KeycloakController.OPENSHIFT_DEFAULT).build());
-        }
-        kc.getSpec().setHostnameSpec(hostnameSpecBuilder.build());
-        kc.getSpec().setProxySpec(null);
-
-        K8sUtils.deployKeycloak(k8sclient, kc, true);
-
-        String testHostname;
-        if (isOpenShift) {
-            testHostname = k8sclient.resource(kc).get().getSpec().getHostnameSpec().getHostname();
-        } else {
-            testHostname = kubernetesIp;
-        }
-
-        testIngressURLs("https://" + testHostname + ":443");
-
-        // just check we really have proxy set correctly
-        var envVars = k8sclient.apps().statefulSets().withName(kc.getMetadata().getName()).get().getSpec()
-                .getTemplate().getSpec().getContainers().get(0).getEnv();
-        assertThat(envVars)
-                .anyMatch(e -> "KC_PROXY".equals(e.getName()) && "passthrough".equals(e.getValue()))
-                .noneMatch(e -> "KC_PROXY_HEADERS".equals(e.getName()));
-    }
-
     private void testIngressURLs(String baseUrl) {
         Awaitility.await()
                 .ignoreExceptions()