Background
#711 made the Laminar Keycloak redirect host configurable: the realm template now uses $LAMINAR_WEB_HOST (sourced from laminar.frontend.ingress.hostname, falling back to laminar.<ingress.host>) instead of a hardcoded laminar.$WEB_HOST. That fixed the redirect URI resetting on every Laminar/pod restart for custom Laminar domains (#710).
On Replicated/KOTS installs, Laminar is not served at laminar.<app-host> — it is served at the analytics host:
- derive hostname mode →
analytics.app.<BASE_DOMAIN>
- custom hostname mode → the configured
analytics_hostname
So the Replicated wiring should set LAMINAR_WEB_HOST to the analytics host, so the Keycloak redirect URI points to where Laminar actually runs.
Proposal
In replicated/openhands.yaml, set the (now-configurable) LAMINAR_WEB_HOST for the openhands app to the analytics host:
LAMINAR_WEB_HOST = {{ if hostname_mode == "derive" }}analytics.app.<BASE_DOMAIN>{{ else }}<analytics_hostname>{{ end }}
Equivalently, ensure laminar.frontend.ingress.hostname resolves to the analytics host so the chart derives the same value. (Laminar's frontend ingress is already exposed on the analytics host in the Replicated config, so this keeps the redirect host and the actual Laminar host in sync.)
Why
- The Keycloak
allhands client redirect URI for Laminar will point to the analytics domain, which is where Laminar is actually served on Replicated — not the unused laminar.<app-host>.
- The realm is re-rendered by the
keycloak-config step on every openhands pod restart, so setting this ensures the correct redirect URI is written each time and does not regress.
Acceptance criteria
Related: #710, #711
Background
#711 made the Laminar Keycloak redirect host configurable: the realm template now uses
$LAMINAR_WEB_HOST(sourced fromlaminar.frontend.ingress.hostname, falling back tolaminar.<ingress.host>) instead of a hardcodedlaminar.$WEB_HOST. That fixed the redirect URI resetting on every Laminar/pod restart for custom Laminar domains (#710).On Replicated/KOTS installs, Laminar is not served at
laminar.<app-host>— it is served at the analytics host:analytics.app.<BASE_DOMAIN>analytics_hostnameSo the Replicated wiring should set
LAMINAR_WEB_HOSTto the analytics host, so the Keycloak redirect URI points to where Laminar actually runs.Proposal
In
replicated/openhands.yaml, set the (now-configurable)LAMINAR_WEB_HOSTfor the openhands app to the analytics host:Equivalently, ensure
laminar.frontend.ingress.hostnameresolves to the analytics host so the chart derives the same value. (Laminar's frontend ingress is already exposed on the analytics host in the Replicated config, so this keeps the redirect host and the actual Laminar host in sync.)Why
allhandsclient redirect URI for Laminar will point to the analytics domain, which is where Laminar is actually served on Replicated — not the unusedlaminar.<app-host>.keycloak-configstep on every openhands pod restart, so setting this ensures the correct redirect URI is written each time and does not regress.Acceptance criteria
LAMINAR_WEB_HOST=analytics.app.<BASE_DOMAIN>(derive) /<analytics_hostname>(custom).allhandsclientredirectUriscontainshttps://<that host>/api/auth/callback/keycloak(andwebOrigins), with nolaminar.<app-host>entry.Related: #710, #711