I'm struggling with a Non-secure context detected; cookies are not secured and will not be available in cross-origin POST requests warning from the org.keycloak.cookie.DefaultCookieProvider class when requests are sent inside the Kubernetes network.
The most important thing is that everything works for me. Users log in, etc. I'm just afraid I might have a misconfiguration and be exposed to some threats.

All public communication seems okay because I've set

headers:
  request:
    set:
      X-Forwarded-Proto: "https"

in an Istio VirtualService. But when an app in pod A sends requests to the Keycloak pods through the Kubernetes service, for example, POST http://keycloak-service.default.svc.cluster.local/realms/aaa/protocol/openid-connect/token, I get the above log.

I did some tests. I got into another pod, let's say pod B, and sent sample requests to the token endpoint with the X-Forwarded-Proto: https header. With the header, everything was fine, but without the header, the log appeared.

My configuration:

• Kubernetes with Istio
• Keycloak-Operator 26.0.5

• http:
    httpEnabled: true
    httpPort: 8180
  hostname:
    hostname: "https://keycloak.example.com"
    strict: false
    backchannelDynamic: true
  ingress:
    enabled: false
  proxy:
      headers: xforwarded
  

I've tried to set hostanme-strict: true, proxy-headers: forwarded, but nothing has worked. I can modify pod A to send requests with appropriate headers, but I don't think that is the case. I also think that the communication between Keycloak's pods produces the same output, but I haven't confirmed this yet. I will try to test communication without the istio-proxy.

Below is a log from the istio-proxy which helped me understand that the problem is with internal traffic, not public.

{"authority":"keycloak-service.default.svc.cluster.local", "bytes_received":100, "bytes_sent":999, "connection_termination_details":null, "downstream_local_address":"100.112.18.217:8180", "downstream_remote_address":"100.112.17.82:51558", "duration":14, "method":"POST", "path":"/realms/aaa/protocol/openid-connect/token", "protocol":"HTTP/1.1", "request_id":"0b7b229a-65a1-4279-bc5e-b82792993997", "requested_server_name":"outbound_.80_._.keycloak-service.default.svc.cluster.local", "response_code":200, "response_code_details":"via_upstream", "response_flags":"-", "route_name":"default", "start_time":"2024-11-20T13:46:33.266Z", "upstream_cluster":"inbound|8180||", "upstream_host":"100.112.18.217:8180", "upstream_local_address":"127.0.0.6:37001", "upstream_service_time":"14", "upstream_transport_failure_reason":null, "user_agent":null, "x_forwarded_for":null}

Is my configuration correct in this case? Is this just the behavior of Keycloak?