From 30cb39e7547a48a4116914af4e044dca9eb3778c Mon Sep 17 00:00:00 2001
From: Nicolas Bigler
Date: Tue, 30 Jul 2024 11:09:43 +0200
Subject: [PATCH] feature: Set scheme for probes and serviceMonitor

The new health endpoints used by the three probes (liveness, readiness and startup) as well as the metrics endpoint are now served on a dedicated interface with its own port. The scheme of the interface only servers HTTP or HTTPS. If the main keycloak interface serves HTTPS, the internal management interface will also serve HTTPS, regardless if the main keycloak interface servers plain HTTP or not. It's therefore impossible for the probes or the serviceMonitor to work with a plain HTTP scheme, if keycloak has HTTPS enabled. We therefore need a way to specify the scheme of the internalPort via helm values to be able to set a custom scheme for the probes and the serviceMonitor

Signed-off-by: Nicolas Bigler
---
 charts/keycloakx/README.md | 2 ++
 charts/keycloakx/templates/servicemonitor.yaml | 1 +
 charts/keycloakx/values.schema.json | 4 +++-
 charts/keycloakx/values.yaml | 4 ++++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/charts/keycloakx/README.md b/charts/keycloakx/README.md
index 5f1f546b..2a8032d9 100644
--- a/charts/keycloakx/README.md
+++ b/charts/keycloakx/README.md
@@ -174,6 +174,8 @@ The following table lists the configurable parameters of the Keycloak-X chart an
 | `proxy.enabled` | If `true`, the `KC_PROXY` env variable will be set to the configured mode | `true` |
 | `proxy.mode` | The configured proxy mode | `edge` |
 | `http.relativePath` | The relative http path (context-path) | `/auth` |
+| `http.internalPort` | The port of the internal management interface | `http-internal` |
+| `http.internalScheme` | The scheme of the internal management interface | `HTTP` |
 | `metrics.enabled` | If `true` then the metrics endpoint is exposed | `true` |
 | `health.enabled` | If `true` then the health endpoint is exposed. If the `readinessProbe` is is needed `metrics.enable` must be `true`. | `true` |
 | `serviceMonitor.enabled` | If `true`, a ServiceMonitor resource for the prometheus-operator is created | `false` |
diff --git a/charts/keycloakx/templates/servicemonitor.yaml b/charts/keycloakx/templates/servicemonitor.yaml
index 79f80937..fb3a2c89 100644
--- a/charts/keycloakx/templates/servicemonitor.yaml
+++ b/charts/keycloakx/templates/servicemonitor.yaml
@@ -34,6 +34,7 @@ spec:
 endpoints:
 - port: {{ .port }}
 path: {{ tpl .path $ | quote }}
+ scheme: {{ .Values.http.internalScheme | lower }}
 interval: {{ .interval }}
 scrapeTimeout: {{ .scrapeTimeout }}
 {{- end }}
diff --git a/charts/keycloakx/values.schema.json b/charts/keycloakx/values.schema.json
index c3cf60ff..8b355b64 100644
--- a/charts/keycloakx/values.schema.json
+++ b/charts/keycloakx/values.schema.json
@@ -83,7 +83,9 @@
 "type": "array"
 },
 "http": {
- "relativePath": "string"
+ "relativePath": "string",
+ "internalPort": "string",
+ "internalScheme": "string"
 },
 "image": {
 "$ref": "#/definitions/image"
diff --git a/charts/keycloakx/values.yaml b/charts/keycloakx/values.yaml
index 4f704ced..125eb248 100644
--- a/charts/keycloakx/values.yaml
+++ b/charts/keycloakx/values.yaml
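Review bot: In `templates/servicemonitor.yaml` the added `scheme:` line reads `.Values.http.internalScheme`, but the neighbouring lines use dot-relative fields (`.port`, `.path`) and pass `$` to `tpl`, which suggests `.` has been rebound by a `with`/`range` that opens outside this hunk; if so, `.Values` does not resolve there and the template fails to render. Reading from the root context avoids that: `scheme: {{ $.Values.http.internalScheme | lower }}`. Separately, once the scheme is `https` the endpoint carries no `tlsConfig`, so Prometheus can only scrape if the management certificate chains to a CA it already trusts. Exposing an optional `tlsConfig` (CA and `serverName`) from values would keep operators from falling back to `insecureSkipVerify: true`.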
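Review bot: The two new entries under `"http"` in `values.schema.json` are bare `"name": "string"` pairs rather than schemas under `properties`, so a JSON Schema validator treats them as unknown keywords and any value for `http.internalScheme` is accepted. That value is copied into the probes' `httpGet.scheme` and the ServiceMonitor, so a typo only surfaces when the API server rejects the pod spec or the scrape fails. Declaring the object properly and restricting the scheme to `HTTP`/`HTTPS` catches it when the chart is linted or installed; the existing `relativePath` entry has the same shape and predates this commit. The surrounding schema object continues outside the hunk, so the nesting should be confirmed against the full file.

```json
    "http": {
      "type": "object",
      "properties": {
        "relativePath": { "type": "string" },
        "internalPort": { "type": ["string", "integer"] },
        "internalScheme": { "type": "string", "enum": ["HTTP", "HTTPS"] }
      }
    },
```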
@@ -167,6 +167,7 @@ livenessProbe: |
 httpGet:
 path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/live'
 port: '{{ .Values.http.internalPort }}'
+ scheme: '{{ .Values.http.internalScheme }}'
 initialDelaySeconds: 0
 timeoutSeconds: 5
@@ -175,6 +176,7 @@ readinessProbe: |
 httpGet:
 path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/ready'
 port: '{{ .Values.http.internalPort }}'
+ scheme: '{{ .Values.http.internalScheme }}'
 initialDelaySeconds: 10
 timeoutSeconds: 1
@@ -183,6 +185,7 @@ startupProbe: |
 httpGet:
 path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health'
 port: '{{ .Values.http.internalPort }}'
+ scheme: '{{ .Values.http.internalScheme }}'
 initialDelaySeconds: 15
 timeoutSeconds: 1
 failureThreshold: 60
@@ -420,6 +423,7 @@ http:
 # For backwards compatibility reasons we set this to the value used by previous Keycloak versions.
 relativePath: "/auth"
 internalPort: http-internal
+ internalScheme: HTTP
 serviceMonitor:
 # If `true`, a ServiceMonitor resource for the prometheus-operator is created
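Review bot: The three probe hunks (liveness, readiness and startup) pass `http.internalScheme` through verbatim, but Kubernetes accepts only the exact values `HTTP` and `HTTPS` for `httpGet.scheme`, while the ServiceMonitor template in this same commit lowercases the value. A user who sets `internalScheme: https` therefore gets a valid ServiceMonitor and a pod spec the API server rejects. Normalising in each probe keeps the two consumers consistent: `scheme: '{{ .Values.http.internalScheme | upper }}'`. The probe block scalars start before each hunk, so the rest of each probe body is not visible here.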
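Review bot: The new `internalScheme: HTTP` default in the `http:` block has no comment, and the constraint described in the commit message is easy to miss from `values.yaml` alone. When Keycloak serves HTTPS the management interface does too, so leaving this at `HTTP` would be expected to make all three probes fail. I would add `# Scheme of the internal management interface used by the probes and the ServiceMonitor (HTTP or HTTPS).` and `# Must be HTTPS whenever Keycloak itself serves HTTPS.` above the key. The `http:` mapping starts outside the hunk.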