diff --git a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakDeployment.java b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakDeployment.java
index b014e067ef..b71e633437 100644
--- a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakDeployment.java
+++ b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakDeployment.java
@@ -232,7 +232,7 @@ public class KeycloakDeployment extends OperatorManagedResource {
 // probes
 var tlsConfigured = isTlsConfigured(keycloakCR);
 var protocol = !tlsConfigured ? "HTTP" : "HTTPS";
- var kcPort = KeycloakServiceDependentResource.getServicePort(keycloakCR);
+ var kcPort = KeycloakServiceDependentResource.getServicePort(tlsConfigured, keycloakCR);
 // Relative path ends with '/'
 var kcRelativePath = Optional.ofNullable(readConfigurationValue(Constants.KEYCLOAK_HTTP_RELATIVE_PATH_KEY))
diff --git a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java
index e0c38d0def..5a8fd26d37 100644
--- a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java
+++ b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakIngress.java
@@ -55,11 +55,12 @@ public class KeycloakIngress extends OperatorManagedResource {
 }
 private Ingress newIngress() {
- var port = KeycloakServiceDependentResource.getServicePort(keycloak);
- var annotations = new HashMap();
- // set default annotations
- if (isTlsConfigured(keycloak)) {
+ var annotations = new HashMap();
+ boolean tlsConfigured = isTlsConfigured(keycloak);
+ var port = KeycloakServiceDependentResource.getServicePort(tlsConfigured, keycloak);
+
+ if (tlsConfigured) {
 annotations.put("nginx.ingress.kubernetes.io/backend-protocol", "HTTPS");
 annotations.put("route.openshift.io/termination", "passthrough");
 } else {
diff --git a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakServiceDependentResource.java b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakServiceDependentResource.java
index 2182d1dfe1..0cde3b9ee2 100644
--- a/operator/src/main/java/org/keycloak/operator/controllers/KeycloakServiceDependentResource.java
+++ b/operator/src/main/java/org/keycloak/operator/controllers/KeycloakServiceDependentResource.java
@@ -59,15 +59,20 @@ public class KeycloakServiceDependentResource extends CRUDKubernetesDependentRes
 }
 private ServiceSpec getServiceSpec(Keycloak keycloak) {
- String name = isTlsConfigured(keycloak) ? Constants.KEYCLOAK_HTTPS_PORT_NAME : Constants.KEYCLOAK_HTTP_PORT_NAME;
- return new ServiceSpecBuilder()
- .addNewPort()
- .withPort(getServicePort(keycloak))
- .withName(name)
- .withProtocol(Constants.KEYCLOAK_SERVICE_PROTOCOL)
- .endPort()
- .withSelector(OperatorManagedResource.allInstanceLabels(keycloak))
- .build();
+ var builder = new ServiceSpecBuilder().withSelector(OperatorManagedResource.allInstanceLabels(keycloak));
+
+ boolean tlsConfigured = isTlsConfigured(keycloak);
+ Optional httpSpec = Optional.ofNullable(keycloak.getSpec().getHttpSpec());
+ boolean httpEnabled = httpSpec.map(HttpSpec::getHttpEnabled).orElse(false);
+ if (!tlsConfigured || httpEnabled) {
+ builder.addNewPort().withPort(getServicePort(false, keycloak)).withName(Constants.KEYCLOAK_HTTP_PORT_NAME)
+ .withProtocol(Constants.KEYCLOAK_SERVICE_PROTOCOL).endPort();
+ }
+ if (tlsConfigured) {
+ builder.addNewPort().withPort(getServicePort(true, keycloak)).withName(Constants.KEYCLOAK_HTTPS_PORT_NAME)
+ .withProtocol(Constants.KEYCLOAK_SERVICE_PROTOCOL).endPort();
+ }
+ return builder.build();
 }
 @Override
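Review bot: The new `if (!tlsConfigured || httpEnabled)` branch in getServiceSpec publishes the plaintext HTTP port on the Service even when TLS is configured, and nothing in the method records that this is intentional or what it implies. Every workload that can reach the Service can then talk to Keycloak in cleartext, so I would put a comment on the condition such as `// httpEnabled deliberately publishes plaintext HTTP next to HTTPS; in-cluster traffic on this port is unencrypted`. Separately, when both branches run and the CR sets the HTTP and HTTPS ports to the same number, the spec gets two entries with the same port and protocol, which I would expect the API server to reject; a validation on the CR would make that failure explicit rather than a reconcile error.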
@@ -87,12 +92,11 @@ public class KeycloakServiceDependentResource extends CRUDKubernetesDependentRes
 return keycloak.getMetadata().getName() + Constants.KEYCLOAK_SERVICE_SUFFIX;
 }
- public static int getServicePort(Keycloak keycloak) {
- // we assume HTTP when TLS is not configured
- if (!isTlsConfigured(keycloak)) {
- return Optional.ofNullable(keycloak.getSpec().getHttpSpec()).map(HttpSpec::getHttpPort).orElse(Constants.KEYCLOAK_HTTP_PORT);
- } else {
- return Optional.ofNullable(keycloak.getSpec().getHttpSpec()).map(HttpSpec::getHttpsPort).orElse(Constants.KEYCLOAK_HTTPS_PORT);
+ public static int getServicePort(boolean tls, Keycloak keycloak) {
+ Optional httpSpec = Optional.ofNullable(keycloak.getSpec().getHttpSpec());
+ if (tls) {
+ return httpSpec.map(HttpSpec::getHttpsPort).orElse(Constants.KEYCLOAK_HTTPS_PORT);
 }
+ return httpSpec.map(HttpSpec::getHttpPort).orElse(Constants.KEYCLOAK_HTTP_PORT);
 }
 }
diff --git a/operator/src/test/java/org/keycloak/operator/testsuite/integration/KeycloakDeploymentTest.java b/operator/src/test/java/org/keycloak/operator/testsuite/integration/KeycloakDeploymentTest.java
index 340f02d98e..0a3cdb960c 100644
--- a/operator/src/test/java/org/keycloak/operator/testsuite/integration/KeycloakDeploymentTest.java
+++ b/operator/src/test/java/org/keycloak/operator/testsuite/integration/KeycloakDeploymentTest.java
@@ -277,6 +277,15 @@ public class KeycloakDeploymentTest extends BaseOperatorTest {
 assertKeycloakAccessibleViaService(kc, false, Constants.KEYCLOAK_HTTP_PORT);
 }
+ @Test
+ public void testHttpEnabledWithTls() {
+ var kc = getTestKeycloakDeployment(true);
+ kc.getSpec().getHttpSpec().setHttpEnabled(true);
+ deployKeycloak(k8sclient, kc, true);
+
+ assertKeycloakAccessibleViaService(kc, false, Constants.KEYCLOAK_HTTP_PORT);
+ }
+
 @Test
 public void testHostnameStrict() {
 var kc = getTestKeycloakDeployment(true);
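Review bot: `getServicePort(boolean tls, Keycloak keycloak)` is public and static but carries no Javadoc, and the removed `// we assume HTTP when TLS is not configured` comment was the only statement of its contract. With the new flag the caller, not the CR, decides which listener's port comes back, so passing `true` for a CR without TLS silently returns the HTTPS port (or `Constants.KEYCLOAK_HTTPS_PORT`) for a listener that may not exist. I would add a Javadoc saying that `tls` selects the HTTPS port and otherwise the HTTP port, that the `Constants` defaults apply when the CR has no http spec or no port set, and that callers should pass `isTlsConfigured(keycloak)` unless they explicitly want the plaintext port.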
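Review bot: testHttpEnabledWithTls asserts only the plaintext port, so it does not show that the HTTPS port is still served once the Service carries both entries. Adding `assertKeycloakAccessibleViaService(kc, true, Constants.KEYCLOAK_HTTPS_PORT);` after the existing assertion would cover that half, assuming the second argument selects HTTPS as the `false` in the HTTP call suggests. A companion test that the HTTP port is not published when TLS is configured and `httpEnabled` is left unset would pin the secure default; no such test is visible in this hunk.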