From a30f02e3782ded18b4fe3e9b1aa66ca141b68003 Mon Sep 17 00:00:00 2001
From: Gabriel Mainberger
Date: Wed, 9 Nov 2022 11:42:36 +0100
Subject: [PATCH] Turn off Keycloak HTTP and make the Keycloak HTTPS only

This is the default for Keycloak. HTTP is insecure.
---
 class/defaults.yml | 23 +++++++++++++++++++
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 .../keycloakx/templates/statefulset.yaml | 9 +++++---
 5 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/class/defaults.yml b/class/defaults.yml
index fdc78cb9..52bf7ad9 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -272,6 +272,29 @@ parameters:
 annotations: ${keycloak:_service_annotations:${keycloak:tls:provider}}
 httpPort: 8080
 labels: ${keycloak:labels}
+ livenessProbe: |
+ httpGet:
+ path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/live'
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 0
+ timeoutSeconds: 5
+ readinessProbe: |
+ httpGet:
+ path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health/ready'
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 10
+ timeoutSeconds: 1
+ startupProbe: |
+ httpGet:
+ path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/health'
+ port: https
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ timeoutSeconds: 1
+ failureThreshold: 60
+ periodSeconds: 5
 serviceMonitor:
 enabled: ${keycloak:monitoring:enabled}
 labels: ${keycloak:labels}
diff --git a/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index 29ef91d9..b6dddb34 100644
--- a/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
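Review bot: The class/defaults.yml hunk moves the three probes to `port: https` / `scheme: HTTPS`, but nothing in it turns the plaintext listener off — the `httpPort: 8080` context line stays and no Keycloak option such as `--http-enabled=false` (`KC_HTTP_ENABLED`) appears in the change, so unless that is set elsewhere in the class the pod presumably still answers HTTP on 8080 inside the cluster and only the health checks moved; worth confirming against the rendered StatefulSet before treating the title's claim as done. The three overrides are opaque template strings, so a maintainer comparing them with the chart defaults will not see why they exist; I would add above `livenessProbe: |` the comment `# Probes are overridden because the chart defaults target the http port; they must follow the HTTPS listener.`. `timeoutSeconds: 1` on the readiness and startup probes now also has to cover a TLS handshake, which is tighter than before; watch for flapping pods after rollout. The enclosing `parameters:` mapping starts outside the hunk, and the four golden-file sections only reflect the rendered result of this same change.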
@@ -103,7 +103,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -117,7 +118,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -134,7 +136,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1
diff --git a/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index fca4b993..5140692d 100644
--- a/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/external/external/external/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
@@ -101,7 +101,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -115,7 +116,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -132,7 +134,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1
diff --git a/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index 8e702387..cf7270d1 100644
--- a/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
@@ -101,7 +101,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -115,7 +116,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -132,7 +134,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1
diff --git a/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml b/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
index 134173a7..61e3a0f6 100644
--- a/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
+++ b/tests/golden/openshift/openshift/openshift/01_keycloak_helmchart/keycloakx/templates/statefulset.yaml
@@ -101,7 +101,8 @@ spec:
 livenessProbe:
 httpGet:
 path: /auth/health/live
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 0
 timeoutSeconds: 5
 name: keycloak
@@ -115,7 +116,8 @@ spec:
 readinessProbe:
 httpGet:
 path: /auth/health/ready
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 10
 timeoutSeconds: 1
 resources:
@@ -130,7 +132,8 @@ spec:
 failureThreshold: 60
 httpGet:
 path: /auth/health
- port: http
+ port: https
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 5
 timeoutSeconds: 1