From 3b347ca76a192aee6d811e2ab4ae9c11fabf2a31 Mon Sep 17 00:00:00 2001 From: Gabriel Mainberger Date: Wed, 9 Nov 2022 11:42:36 +0100 Subject: [PATCH] Turn of Keycloak HTTP and make the Keycloak HTTPS only This is the default for Keycloak. HTTP is insecure. --- class/defaults.yml | 24 ++++++++++++++++++- .../keycloakx/templates/statefulset.yaml | 10 ++++---- .../keycloakx/templates/statefulset.yaml | 10 ++++---- .../keycloakx/templates/statefulset.yaml | 10 ++++---- .../keycloakx/templates/statefulset.yaml | 10 ++++---- 5 files changed, 47 insertions(+), 17 deletions(-) diff --git a/class/defaults.yml b/class/defaults.yml index ed52726a..54a3a4be 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -172,7 +172,6 @@ parameters: args: - start - --auto-build - - --http-enabled=true # Helm chart requires it currently # extraEnv *MUST* be a string, as it's fed through a templating # function. @@ -253,6 +252,29 @@ parameters: # Workaround until https://github.com/codecentric/helm-charts/pull/432 is solved httpPort: 8080 labels: ${keycloak:labels} + livenessProbe: | + httpGet: + path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/live' + port: https + scheme: HTTPS + initialDelaySeconds: 0 + timeoutSeconds: 5 + readinessProbe: | + httpGet: + path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/ready' + port: https + scheme: HTTPS + initialDelaySeconds: 10 + timeoutSeconds: 1 + startupProbe: | + httpGet: + path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health' + port: https + scheme: HTTPS + initialDelaySeconds: 15 + timeoutSeconds: 1 + failureThreshold: 60 + periodSeconds: 5 serviceMonitor: enabled: ${keycloak:monitoring:enabled} labels: ${keycloak:labels} diff --git a/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml index 5973623e..66d07bd9 100644 
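Review bot: Dropping `- --http-enabled=true` leaves HTTPS as Keycloak's only listener, and in `start` (production) mode Keycloak refuses to boot unless a certificate/key pair or keystore is configured; nothing in this hunk configures TLS key material, so if it is not set elsewhere in class/defaults.yml the pod will crash-loop instead of serving at all. The removed line's `# Helm chart requires it currently` explanation goes with it, but the surviving `--auto-build` and `start` arguments get no note on why HTTP is now off; a one-line comment such as `# HTTP is disabled; Keycloak serves TLS only, so the chart's http port stays unused` above `args:` would keep that intent visible. The enclosing `args:` mapping starts before this hunk.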
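Review bot: The three probe overrides (`livenessProbe`, `readinessProbe`, `startupProbe`) are added without any comment saying why the chart's own probes are replaced; presumably the chart still points them at the `http` named port, which has no listener once HTTP is disabled, and a reader will not work that out from the values alone. A comment above `livenessProbe:` such as `# Override the chart's default probes: they target the http port, which is disabled now that Keycloak is HTTPS-only` would keep the workaround discoverable and easy to drop later. Two related caveats: the kubelet does not verify the server certificate for `scheme: HTTPS` probes, so an internal or self-signed certificate is fine here, but the `/health*` paths still depend on Keycloak's health endpoints being enabled, which this hunk does not show. The `httpPort: 8080` context line just above, marked as a workaround for the upstream PR, now declares a container port nothing listens on; it deserves a note that it is inert, or removal together with that workaround.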
--- a/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml +++ b/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml @@ -57,7 +57,6 @@ spec: - args: - start - --auto-build - - --http-enabled=true env: - name: FOO value: bar @@ -104,7 +103,8 @@ spec: livenessProbe: httpGet: path: /auth/health/live - port: http + port: https + scheme: HTTPS initialDelaySeconds: 0 timeoutSeconds: 5 name: keycloak @@ -118,7 +118,8 @@ spec: readinessProbe: httpGet: path: /auth/health/ready - port: http + port: https + scheme: HTTPS initialDelaySeconds: 10 timeoutSeconds: 1 resources: @@ -135,7 +136,8 @@ spec: failureThreshold: 60 httpGet: path: /auth/health - port: http + port: https + scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 5 timeoutSeconds: 1 diff --git a/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml index 9b2e3f1a..cd14d372 100644 --- a/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml +++ b/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml @@ -57,7 +57,6 @@ spec: - args: - start - --auto-build - - --http-enabled=true env: - name: JAVA_OPTS value: -XX:+UseContainerSupport -XX:MaxRAMPercentage=50.0 -Djava.net.preferIPv4Stack=true @@ -102,7 +101,8 @@ spec: livenessProbe: httpGet: path: /auth/health/live - port: http + port: https + scheme: HTTPS initialDelaySeconds: 0 timeoutSeconds: 5 name: keycloak @@ -116,7 +116,8 @@ spec: readinessProbe: httpGet: path: /auth/health/ready - port: http + port: https + scheme: HTTPS initialDelaySeconds: 10 timeoutSeconds: 1 resources: 
@@ -133,7 +134,8 @@ spec: failureThreshold: 60 httpGet: path: /auth/health - port: http + port: https + scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 5 timeoutSeconds: 1 diff --git a/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml index 587f8d6c..a1e771e6 100644 --- a/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml +++ b/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml @@ -57,7 +57,6 @@ spec: - args: - start - --auto-build - - --http-enabled=true env: - name: JAVA_OPTS value: -XX:+UseContainerSupport -XX:MaxRAMPercentage=50.0 -Djava.net.preferIPv4Stack=true @@ -102,7 +101,8 @@ spec: livenessProbe: httpGet: path: /auth/health/live - port: http + port: https + scheme: HTTPS initialDelaySeconds: 0 timeoutSeconds: 5 name: keycloak @@ -116,7 +116,8 @@ spec: readinessProbe: httpGet: path: /auth/health/ready - port: http + port: https + scheme: HTTPS initialDelaySeconds: 10 timeoutSeconds: 1 resources: @@ -133,7 +134,8 @@ spec: failureThreshold: 60 httpGet: path: /auth/health - port: http + port: https + scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 5 timeoutSeconds: 1 diff --git a/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml index d01434eb..cfbc453f 100644 --- a/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml +++ b/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml 
@@ -57,7 +57,6 @@ spec: - args: - start - --auto-build - - --http-enabled=true env: - name: JAVA_OPTS value: -XX:+UseContainerSupport -XX:MaxRAMPercentage=50.0 -Djava.net.preferIPv4Stack=true @@ -102,7 +101,8 @@ spec: livenessProbe: httpGet: path: /auth/health/live - port: http + port: https + scheme: HTTPS initialDelaySeconds: 0 timeoutSeconds: 5 name: keycloak @@ -116,7 +116,8 @@ spec: readinessProbe: httpGet: path: /auth/health/ready - port: http + port: https + scheme: HTTPS initialDelaySeconds: 10 timeoutSeconds: 1 resources: @@ -131,7 +132,8 @@ spec: failureThreshold: 60 httpGet: path: /auth/health - port: http + port: https + scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 5 timeoutSeconds: 1