OIDC-Guard + KeyCloak Not Working

[cfis]

I am running a minikube kubernetes cluster that includes ingress-nginx, keycloak and oidc-guard. My oidc-guard settings are pasted at the bottom.

My problem is oidc-guard always returns a 401 error. From the log:

info: Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware[1]
      Request:
      Protocol: HTTP/1.1
      Method: GET
      Scheme: http
      PathBase:
      Path: /auth
      Accept: application/json, text/plain, */*
      Connection: close
      Host: oidc-guard.ops.svc.cluster.local
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
      Accept-Language: en-US,en;q=0.9
      Authorization: [Redacted]
      Origin: https://terrascope.orbitalinsight.internal
      Referer: https://terrascope.orbitalinsight.internal/
      X-Request-ID: 71fb9238eb365e3b47feff1a97e94264
      X-Original-URL: https://datasources.orbitalinsight.internal/collections
      X-Original-Method: GET
      X-Sent-From: nginx-ingress-controller
      X-Real-IP: 10.244.0.1
      X-Forwarded-For: 10.244.0.1
      X-Auth-Request-Redirect: /collections
      priority: [Redacted]
      sec-ch-ua: [Redacted]
      sec-ch-ua-mobile: [Redacted]
      sec-ch-ua-platform: [Redacted]
      sec-fetch-dest: [Redacted]
      sec-fetch-mode: [Redacted]
      sec-fetch-site: [Redacted]
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
      Failed to validate the token.
      Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
      Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
      Executing endpoint 'HTTP: GET /auth'
info: Microsoft.AspNetCore.Http.Result.UnauthorizedResult[1]
      Setting HTTP status code 401.
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
      Executed endpoint 'HTTP: GET /auth'
info: Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware[2]
      Response:
      StatusCode: 401
      WWW-Authenticate: Bearer error="invalid_token"
      X-Request-ID: 71fb9238eb365e3b47feff1a97e94264
      X-Original-Url: https://datasources.orbitalinsight.internal/collections

It seems the error is No security keys were provided to validate the signature. I have validated that the JWKSUrls is correct and works from the oidc-guard pod. Similarly the openIdProviderConfigurationUrl also works. I also know the token I am using is valid. There is no information about these urls in the log (either positive or negative).

So not sure what I am doing wrong or how to debug? Does the jwks call have to be over https (the http keycloak endpoint is enabled, the https is not. It could be enabled but I'm using a self-signed cert. I know how to configure keycloak to use it but not how to configure oidc-guard to use it?)

My values.yaml file for the Helm chart are:

settings:
  logLevel: Debug
  openIdProviderConfigurationUrl: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/realms/elements/.well-known/openid-configuration
  JWT:
    enable: true
    enableAccessTokenInQueryParameter: true
    JWKSUrls:
      - http://keycloak-keycloakx-http.keycloak.svc.cluster.local/realms/elements/protocol/openid-connect/certs
    validIssuers:
      - https://keycloak.orbitalinsight.internal/realms/elements
  cookie:
    enable: false

ingress:
  enabled: true
  className: nginx
  hosts:
    - host: oidc-guard.orbitalinsight.internal
      paths:
        - path: /auth
          pathType: Exact
        - path: /signin
          pathType: Exact
        - path: /signin-oidc
          pathType: Exact
        - path: /signout
          pathType: Exact
        - path: /userinfo
          pathType: Exact
        - path: /robots.txt
          pathType: Exact  

Thanks!

[cfis]

Ok, to answer my own question there is a undocumented setting you can pass in the values.yaml file to allow http:

settings:
  requireHttpsMetadata: false

If I wanted to enable https inside the kubernetes cluster, how would I tell oidc-guard to trust the root certificate authority (which is a self-signed certificate generated by cert-manager)?