Bug: Keycloak logs "Non-secure context detected" — cookies not secured behind Tailscale TLS #276

Open
opened 2026-04-08 21:32:32 +00:00 by forgejo_admin · 0 comments
Contributor

Type

Bug

Lineage

Discovered during Keycloak SMTP validation on 2026-04-08. Observed in pod logs.

Repo

forgejo_admin/pal-e-platform

What Broke

Keycloak logs: `Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests`. This means Keycloak thinks it's running on HTTP, not HTTPS. Tailscale funnel terminates TLS before the request reaches the pod, so Keycloak sees plain HTTP internally.

This can cause:

  • Cookies not being set with `Secure` flag
  • Cross-origin POST requests failing (affects OAuth flows)
  • Auth issues in some browsers

Repro Steps

  1. Check Keycloak pod logs: `kubectl logs -n keycloak keycloak-7d796fc76c-prqxh`
  2. Observe: `Non-secure context detected; cookies are not secured`

Expected Behavior

Keycloak should be configured to trust the proxy (Tailscale funnel) and treat requests as HTTPS.

Environment

  • Cluster/namespace: prod / keycloak
  • Keycloak pod: `keycloak-7d796fc76c-prqxh`

Acceptance Criteria

  • Keycloak configured with `KC_PROXY_HEADERS=xforwarded` or `KC_PROXY=edge` env var
  • Warning no longer appears in logs
  • Cookies are set with `Secure` flag

File Targets

  • `terraform/modules/keycloak/main.tf` — add proxy env var to Keycloak Helm values

Related

  • `pal-e-platform` — Keycloak infrastructure
  • May explain intermittent auth issues if any have been reported
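One way to check the last two acceptance criteria from captured output, added here as an example and not part of the original issue or the pal-e-platform repo. The function names are hypothetical, and the sample headers and cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks "warning gone" and "cookies carry Secure" on captured
# output. All sample data below is constructed.

WARNING='Non-secure context detected'   # log text quoted in the issue

# Succeeds when the warning is absent from the log text on stdin.
log_is_clean() {
  ! grep -qF -- "$WARNING"
}

# Reads HTTP response headers on stdin and prints "<cookie> <reason>" for each
# Set-Cookie header without the Secure attribute. SameSite=None without Secure
# is reported separately because browsers reject such cookies outright.
insecure_cookies() {
  tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      line = $0
      sub(/^[^:]*:[ \t]*/, "", line)            # drop the header name
      n = split(line, attr, ";")
      name = attr[1]; sub(/=.*/, "", name)      # cookie name before "="
      secure = 0; none = 0
      for (i = 2; i <= n; i++) {
        a = tolower(attr[i]); gsub(/[ \t]/, "", a)
        if (a == "secure") secure = 1
        if (a == "samesite=none") none = 1
      }
      if (!secure)
        print name, (none ? "samesite-none-without-secure" : "missing-secure")
    }'
}

# Constructed sample: response headers while Keycloak believes it is on HTTP.
sample_headers_before() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Set-Cookie: AUTH_SESSION_ID=abc123; Path=/realms/master/; HttpOnly' \
    'Set-Cookie: KC_RESTART=def456; Path=/realms/master/; SameSite=None; HttpOnly'
}

# Constructed sample: the same response once requests are treated as HTTPS.
sample_headers_after() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Set-Cookie: AUTH_SESSION_ID=abc123; Path=/realms/master/; Secure; SameSite=None; HttpOnly' \
    'Set-Cookie: KC_RESTART=def456; Path=/realms/master/; Secure; SameSite=None; HttpOnly'
}

sample_headers_before | insecure_cookies
```

Against the live deployment, pipe the pod's `kubectl logs` output into `log_is_clean` and the response headers of the public login page (for example from `curl -sS -D - -o /dev/null <login URL>`) into `insecure_cookies`; an empty result from the latter means every cookie carried `Secure`.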