From 981f61fd814e88bd6f9cde8e14c495813a9610c6 Mon Sep 17 00:00:00 2001
From: Gabriel Mainberger
Date: Wed, 9 Nov 2022 11:42:36 +0100
Subject: [PATCH] Turn off Keycloak HTTP and make the Keycloak HTTPS only

This is the default for Keycloak. HTTP is insecure.
---
 class/defaults.yml | 23 +++++++++++++++++++
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 5 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/class/defaults.yml b/class/defaults.yml
index 2c669379..5338ffa1 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -272,6 +272,29 @@ parameters:
 annotations: ${keycloak:_service_annotations:${keycloak:tls:provider}}
 httpPort: 8080
 labels: ${keycloak:labels}
+ livenessProbe: |
+ httpGet:
+ path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/live'
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 0
+ timeoutSeconds: 5
+ readinessProbe: |
+ httpGet:
+ path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/ready'
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 10
+ timeoutSeconds: 1
+ startupProbe: |
+ httpGet:
+ path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health'
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ timeoutSeconds: 1
+ failureThreshold: 60
+ periodSeconds: 5
 serviceMonitor:
 enabled: ${keycloak:monitoring:enabled}
 labels: ${keycloak:labels}
diff --git a/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index e551008f..05c5746d 100644
--- a/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
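Review bot: The three probes added in the class/defaults.yml hunk only move the kubelet's health checks onto the TLS listener; nothing in this hunk disables the plaintext listener, and the `httpPort: 8080` context line just above the new `livenessProbe` key still publishes it on the Service, so the "HTTPS only" outcome in the title rests on Keycloak's own default (as the description says) rather than on anything this change pins. If that default is what is relied on, consider setting it explicitly in the container environment, e.g. `KC_HTTP_ENABLED: "false"`, so a later `--http-enabled` override cannot reopen 8080 unnoticed while these probes keep passing, and either drop `httpPort` or note why the Service keeps it. Two caveats deserve a comment above `livenessProbe: |`: the kubelet does not verify the server certificate on `scheme: HTTPS` probes, so a self-signed or expired certificate still passes, and the named port `https` must exist on the container for every `${keycloak:tls:provider}` value or the StatefulSet never becomes ready — the container `ports:` block is outside this hunk, so this is inferred. The readiness and startup probes keep `timeoutSeconds: 1`, which now also has to cover a TLS handshake; `timeoutSeconds: 5`, matching the liveness probe, would reduce flapping on a loaded node.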
@@ -103,7 +103,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -117,7 +118,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -134,7 +136,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1
diff --git a/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index e133d028..75a6f290 100644
--- a/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
@@ -101,7 +101,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -115,7 +116,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -132,7 +134,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1
diff --git a/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index 1df4c023..8dc62ab0 100644
--- a/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
@@ -101,7 +101,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -115,7 +116,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -132,7 +134,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1
diff --git a/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index b32627ef..805c5039 100644
--- a/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
@@ -101,7 +101,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -115,7 +116,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -130,7 +132,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1