Description
Registry Version: 2.5.11.Final, 2.6.2.Final
Persistence type: kafkasql
Keycloak version: 25.0.0, 25.0.4
Environment
Kubernetes v1.27
Pod environment variables:
AUTH_ENABLED : true
CLIENT_CREDENTIALS_BASIC_AUTH_ENABLED : true
CORS_ALLOWED_ORIGINS : http://kafka-04.apicurio-registry,https://kafka-04.apicurio-registry,https://sso.e-kama.com
KAFKA_BOOTSTRAP_SERVERS : rc1a-o0i23tfpor5mbrse.mdb.yandexcloud.net:9091
KEYCLOAK_API_CLIENT_ID : kafka-04-ar-api-dev-default
KEYCLOAK_REALM : e-kama
KEYCLOAK_UI_CLIENT_ID : kafka-04-ar-ui-dev-default
KEYCLOAK_URL : https://sso.e-kama.com
QUARKUS_PROFILE : prod
REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED : true
REGISTRY_KAFKASQL_SCRAM_PASSWORD : secret(kafka-04)[password]
REGISTRY_KAFKASQL_SCRAM_USER : apicurio-registry
REGISTRY_KAFKA_COMMON_SASL_JAAS_CONFIG : org.apache.kafka.common.security.scram.ScramLoginModule required username='$(REGISTRY_KAFKASQL_SCRAM_USER)' password='$(REGISTRY_KAFKASQL_SCRAM_PASSWORD)';
REGISTRY_KAFKA_COMMON_SASL_MECHANISM : SCRAM-SHA-512
REGISTRY_KAFKA_COMMON_SECURITY_PROTOCOL : SASL_SSL
REGISTRY_KAFKA_COMMON_SSL_TRUSTSTORE_LOCATION : /etc/registry-kafkasql-scram-truststore/ca.p12
REGISTRY_KAFKA_COMMON_SSL_TRUSTSTORE_PASSWORD : secret(yandex-ca-truststore)[ca.password]
REGISTRY_KAFKA_COMMON_SSL_TRUSTSTORE_TYPE : PKCS12
REGISTRY_PROPERTIES_PREFIX : REGISTRY_
REGISTRY_UI_FEATURES_READONLY : true
Steps to Reproduce
- Go to external URL (in our case): https://kafka-04-registry.dev-default.int.e-kama.com/
- Log in via Keycloak
- Cyclic redirect: Keycloak -> Apicurio -> Keycloak -> Apicurio -> ... (see .har file)
Expected vs Actual Behaviour
Expected a successful login to the UI (worked on Keycloak 22) with the same config
KC client for UI: kafka-04-ar-ui-dev-default.json
KC client for API: kafka-04-ar-api-dev-default.json
Logs
HAR file: kafka-04-registry.dev-default.int.e-kama.com_Archive [24-08-27 14-05-32].zip
PS
Authentication to API works fine