diff --git a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java index 4f0807d374..31b394dde5 100644 --- a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java +++ b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java @@ -65,13 +65,14 @@ public class KeycloakIngress extends OperatorManagedResource implements StatusUp private Ingress newIngress() { var port = KeycloakService.getServicePort(keycloak); var backendProtocol = (!isTlsConfigured(keycloak)) ? "HTTP" : "HTTPS"; + var tlsTermination = "HTTP".equals(backendProtocol) ? "edge" : "passthrough"; Ingress ingress = new IngressBuilder() .withNewMetadata() .withName(getName()) .withNamespace(getNamespace()) .addToAnnotations("nginx.ingress.kubernetes.io/backend-protocol", backendProtocol) - .addToAnnotations("route.openshift.io/termination", "passthrough") + .addToAnnotations("route.openshift.io/termination", tlsTermination) .endMetadata() .withNewSpec() .withNewDefaultBackend() diff --git a/operator/src/test/java/org/keycloak/operator/testsuite/unit/IngressLogicTest.java b/operator/src/test/java/org/keycloak/operator/testsuite/unit/IngressLogicTest.java index 5155b6a89f..6bf473a0b6 100644 --- a/operator/src/test/java/org/keycloak/operator/testsuite/unit/IngressLogicTest.java +++ b/operator/src/test/java/org/keycloak/operator/testsuite/unit/IngressLogicTest.java 
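Review bot: `tlsTermination` in `newIngress()` is derived by string-comparing `backendProtocol` with the literal "HTTP", so the two annotations stay in step only while nobody touches those literals. Deriving both from the same boolean is less fragile: `var tlsTermination = isTlsConfigured(keycloak) ? "passthrough" : "edge";`. The line also deserves a comment such as `// no TLS secret: the router terminates TLS ("edge") and forwards plain HTTP to the Keycloak pod`, because in that mode credentials and tokens cross the cluster network unencrypted between router and pod. `newIngress()` continues past the end of the hunk, so whether the rest of the Ingress spec needs to change for the edge case cannot be judged from here.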
@@ -17,14 +17,19 @@ package org.keycloak.operator.testsuite.unit; -import io.fabric8.kubernetes.api.model.networking.v1.Ingress; -import io.fabric8.kubernetes.api.model.networking.v1.IngressBuilder; +import java.util.Optional; + import org.junit.jupiter.api.Test; import org.keycloak.operator.controllers.KeycloakIngress; -import org.keycloak.operator.crds.v2alpha1.deployment.spec.IngressSpec; import org.keycloak.operator.crds.v2alpha1.deployment.Keycloak; +import org.keycloak.operator.crds.v2alpha1.deployment.spec.IngressSpec; import org.keycloak.operator.testsuite.utils.K8sUtils; +import io.fabric8.kubernetes.api.model.HasMetadata; +import io.fabric8.kubernetes.api.model.networking.v1.Ingress; +import io.fabric8.kubernetes.api.model.networking.v1.IngressBuilder; + +import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; 
@@ -32,24 +37,36 @@ public class IngressLogicTest { static class MockKeycloakIngress extends KeycloakIngress { - private static Keycloak getKeycloak(Boolean defaultIngressEnabled, boolean ingressSpecDefined) { + private static Keycloak getKeycloak(Boolean defaultIngressEnabled, boolean ingressSpecDefined, boolean tlsConfigured) { var kc = K8sUtils.getDefaultKeycloakDeployment(); if (ingressSpecDefined) { kc.getSpec().setIngressSpec(new IngressSpec()); if (defaultIngressEnabled != null) kc.getSpec().getIngressSpec().setIngressEnabled(defaultIngressEnabled); } + if (!tlsConfigured) { + kc.getSpec().getHttpSpec().setTlsSecret(null); + } return kc; } public static MockKeycloakIngress build(Boolean defaultIngressEnabled, boolean ingressExists, boolean ingressSpecDefined) { + return build(defaultIngressEnabled, ingressExists, ingressSpecDefined, true); + } + + public static MockKeycloakIngress build(Boolean defaultIngressEnabled, boolean ingressExists, boolean ingressSpecDefined, boolean tlsConfigured) { MockKeycloakIngress.ingressExists = ingressExists; - return new MockKeycloakIngress(defaultIngressEnabled, ingressSpecDefined); + return new MockKeycloakIngress(defaultIngressEnabled, ingressSpecDefined, tlsConfigured); } public static boolean ingressExists = false; private boolean deleted = false; - public MockKeycloakIngress(Boolean defaultIngressEnabled, boolean ingressSpecDefined) { - super(null, getKeycloak(defaultIngressEnabled, ingressSpecDefined)); + public MockKeycloakIngress(Boolean defaultIngressEnabled, boolean ingressSpecDefined, boolean tlsConfigured) { + super(null, getKeycloak(defaultIngressEnabled, ingressSpecDefined, tlsConfigured)); + } + + @Override + public Optional getReconciledResource() { + return super.getReconciledResource(); } public boolean reconciled() { 
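Review bot: The `!tlsConfigured` branch in `getKeycloak` dereferences `kc.getSpec().getHttpSpec()` without a null check, and the `tlsConfigured == true` case changes nothing. Both cases therefore depend on the deployment returned by `K8sUtils.getDefaultKeycloakDeployment()` already carrying an HTTP spec with a TLS secret, which is not visible in this hunk. A comment stating that assumption would help, e.g. `// default deployment is expected to define httpSpec.tlsSecret; clear it to simulate a non-TLS setup`. The `getReconciledResource()` override only delegates to `super`, presumably to widen visibility for the tests; a one-line comment saying so would keep it from being removed as dead code.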
@@ -116,4 +133,24 @@ public class IngressLogicTest {
 assertTrue(kc.reconciled());
 assertFalse(kc.deleted());
 }
+
+ @Test
+ public void testHttpSpecWithTlsSecret() {
+ var kc = MockKeycloakIngress.build(null, false, true, true);
+ Optional reconciled = kc.getReconciledResource();
+ assertTrue(reconciled.isPresent());
+ assertFalse(kc.deleted());
+ assertEquals("HTTPS", reconciled.get().getMetadata().getAnnotations().get("nginx.ingress.kubernetes.io/backend-protocol"));
+ assertEquals("passthrough", reconciled.get().getMetadata().getAnnotations().get("route.openshift.io/termination"));
+ }
+
+ @Test
+ public void testHttpSpecWithoutTlsSecret() {
+ var kc = MockKeycloakIngress.build(null, false, true, false);
+ Optional reconciled = kc.getReconciledResource();
+ assertTrue(reconciled.isPresent());
+ assertFalse(kc.deleted());
+ assertEquals("HTTP", reconciled.get().getMetadata().getAnnotations().get("nginx.ingress.kubernetes.io/backend-protocol"));
+ assertEquals("edge", reconciled.get().getMetadata().getAnnotations().get("route.openshift.io/termination"));
+ }
 }
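Review bot: The two new tests call `MockKeycloakIngress.build(null, false, true, true)` and `build(null, false, true, false)`, which differ only in the last of three positional booleans, so the TLS and non-TLS cases are hard to tell apart at the call site. Passing a named local, e.g. `boolean tlsConfigured = false;`, as the last argument would make the intent explicit. Each test also repeats `reconciled.get().getMetadata().getAnnotations()` twice; a local `var annotations = reconciled.get().getMetadata().getAnnotations();` would shorten the assertions and make the annotation pair under test easier to read.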