From 0a888512a858e574b9e9bf3a3ae0d6dc50870695 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Barto=C5=A1?= Date: Wed, 26 Jun 2024 17:46:48 +0200 Subject: [PATCH] New operator failing on health checks (#30709) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #30355 Signed-off-by: Martin Bartoš Co-authored-by: Václav Muzikář --- docs/guides/operator/advanced-configuration.adoc | 12 ++++++++---- docs/guides/operator/customizing-keycloak.adoc | 8 ++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/guides/operator/advanced-configuration.adoc b/docs/guides/operator/advanced-configuration.adoc index e0572e5ef0..aa6769eb0e 100644 --- a/docs/guides/operator/advanced-configuration.adoc +++ b/docs/guides/operator/advanced-configuration.adoc @@ -118,7 +118,7 @@ The `unsupported` field of the CR contains highly experimental configuration opt ==== Pod Template The Pod Template is a raw API representation that is used for the Deployment Template. -This field is a temporary workaround in case no supported field exists at the top level of the CR for your use case. +This field is a temporary workaround in case no supported field exists at the top level of the CR for your use case. The Operator merges the fields of the provided template with the values generated by the Operator for the specific Deployment. With this feature, you have access to a high level of customizations. However, no guarantee exists that the Deployment will work as expected. @@ -204,7 +204,7 @@ It is achieved by providing certain JVM options. For more details, see <@links.server id="containers" />. -== Management Interface +=== Management Interface To change the port of the management interface, use the first-class citizen field `httpManagement.port` in the Keycloak CR. To change the properties of the management interface, you can do it by providing `additionalOptions` field. 
@@ -225,6 +225,10 @@ spec: value: /management ---- +NOTE: If you are using a custom image, the Operator is *unaware* of any configuration options that might've been specified there. +For instance, it may cause that the management interface uses the `https` schema, but the Operator accesses it via `http` when the TLS settings is specified in the custom image. +To ensure proper TLS configuration, use the `tlsSecret` and `truststores` fields in the Keycloak CR so that the Operator can reflect that. + === Truststores If you need to provide trusted certificates, the Keycloak CR provides a top level feature for configuring the server's truststore as discussed in <@links.server id="keycloak-truststore"/>. @@ -259,7 +263,7 @@ stringData: ... ------ -When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically. -This includes /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt when present. +When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically. +This includes `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` and the `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt` when present. diff --git a/docs/guides/operator/customizing-keycloak.adoc b/docs/guides/operator/customizing-keycloak.adoc index d773b66bab..3f12b45b04 100644 --- a/docs/guides/operator/customizing-keycloak.adoc +++ b/docs/guides/operator/customizing-keycloak.adoc 
@@ -43,10 +43,10 @@ spec: hostname: test.keycloak.org ---- -[NOTE] -==== -With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored. -==== +NOTE: With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored. + +NOTE: The Operator is *unaware* of any configuration options that are specified in a custom image. +Use the Keycloak CR for any configuration that requires Operator awareness, namely the TLS and HTTP(S) settings reflected when configuring services and probes. === Non-optimized custom image
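
Review bot: In the NOTE added after the management interface example in advanced-configuration.adoc (hunk @@ -225,6 +225,10), the second sentence is hard to parse and never states the symptom the user will see. "it may cause that the management interface uses the `https` schema" should say "scheme", and "when the TLS settings is specified" should be "are specified". Since the commit subject is about the Operator failing on health checks, and the companion note in customizing-keycloak.adoc mentions probes, say so here too. Suggested wording: "For instance, if TLS is configured only in the custom image, the management interface uses the `https` scheme while the Operator still accesses it via `http`, so its health checks fail."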
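
Review bot: In the second NOTE added in customizing-keycloak.adoc (hunk @@ -43,10 +43,10), "namely the TLS and HTTP(S) settings" names no CR field, while the matching note in advanced-configuration.adoc points the reader to `tlsSecret` and `truststores`. Name the same fields here, or link to the Management Interface section, so the two notes give the same guidance and do not drift apart. The hunk also replaces one `[NOTE]` block with two back-to-back `NOTE:` paragraphs; a single block admonition holding both statements would render as one callout and keep the related caveats together.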