feature: Allow overriding the backend name and port in keycloakx chart #808

Open
wants to merge 1 commit into
base: master

hpdvanwyk

This is useful for overriding the backend of certain paths to not go to Keycloak.
One use case is when using Keycloak with the https://github.com/aerogear/keycloak-metrics-spi plugin along with aws-load-balancer-controller. This allows using the "alb.ingress.kubernetes.io/actions.${action-name}" annotation to make in-realm metrics endpoints 404 instead of exposing them on the public internet. This would otherwise be annoying to achieve since this plugin puts metrics on <base url>/realms/<realm>/metrics.

For example this allows creating the following ingress object which will 404 on all /realms//metrics paths while allowing everything else under /realms/:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: release-name-keycloakx
  namespace: default
  annotations:
    alb.ingress.kubernetes.io/actions.response-metrics: "{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"statusCode\":\"404\"}}\n"
spec:
  ingressClassName: alb
  tls:
    - hosts:
        - "${host}"
  rules:
    - host: "${host}"
      http:
        paths:
          - path: "/auth/realms/*/metrics"
            pathType: ImplementationSpecific
            backend:
              service:
                name: response-metrics
                port:
                  name: use-annotation
          - path: "/auth/realms/*"
            pathType: ImplementationSpecific
            backend:
              service:
                name: release-name-keycloakx-http
                port:
                  name: http
```

with the values.yaml snippet:

```yaml
  rules:
    - host: "${host}"
      paths:
        - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/realms/*/metrics'
          pathType: ImplementationSpecific
          backendOverride:
            name: response-metrics
            port: use-annotation
        - path: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/realms/*'
          pathType: ImplementationSpecific
```

This is useful for overriding the backend of certain paths to not go to Keycloak.
One use case is when using aws-load-balancer-controller this can be used along
with the "alb.ingress.kubernetes.io/actions.${action-name}" annotation to make
in-realm metrics endpoints 404 instead of exposing them on the public internet.

Signed-off-by: Hendrik van Wyk <[email protected]>
@hpdvanwyk hpdvanwyk requested a review from a team as a code owner December 4, 2024 13:25
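A pre-deploy check for the rendered Ingress described in this pull request, as an added example that is not part of the PR or the chart: it reports metrics URLs whose first matching path is anything other than a fixed 404 action. It assumes paths are evaluated in the order listed and approximates ALB wildcards with `fnmatch`; the helper names and the sample manifest are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

ACTION_PREFIX = "alb.ingress.kubernetes.io/actions."

def first_match(paths, url_path):
    # Assumption: paths are tried in listed order; fnmatch approximates ALB wildcards.
    return next((p for p in paths if fnmatchcase(url_path, p["path"])), None)

def is_fixed_404(ingress, entry):
    """True if the path's backend is an action annotation returning a fixed 404."""
    svc = entry["backend"]["service"]
    if svc["port"].get("name") != "use-annotation":
        return False
    raw = ingress["metadata"].get("annotations", {}).get(ACTION_PREFIX + svc["name"])
    try:
        action = json.loads(raw or "{}")
        status = action["fixedResponseConfig"]["statusCode"]
        return action["type"] == "fixed-response" and str(status) == "404"
    except (ValueError, KeyError, TypeError):
        # Missing annotation, malformed JSON, or a different action type.
        return False

def unprotected(ingress, must_block):
    """Return the URL paths in must_block that are routed to something other than a 404."""
    leaks = []
    for rule in ingress["spec"]["rules"]:
        for url in must_block:
            hit = first_match(rule["http"]["paths"], url)
            # No matching path means this Ingress does not route the URL at all.
            if hit is not None and not is_fixed_404(ingress, hit):
                leaks.append(url)
    return leaks

# Constructed sample mirroring the manifest in the PR description.
def _path(pattern, name, port):
    return {"path": pattern, "pathType": "ImplementationSpecific",
            "backend": {"service": {"name": name, "port": {"name": port}}}}

METRICS = _path("/auth/realms/*/metrics", "response-metrics", "use-annotation")
REALMS = _path("/auth/realms/*", "release-name-keycloakx-http", "http")
ACTION = '{"type":"fixed-response","fixedResponseConfig":{"statusCode":"404"}}\n'

def make_ingress(paths, annotations=None):
    if annotations is None:
        annotations = {ACTION_PREFIX + "response-metrics": ACTION}
    return {"metadata": {"annotations": annotations},
            "spec": {"rules": [{"host": "${host}", "http": {"paths": paths}}]}}
```

Listing the catch-all `/auth/realms/*` path before the metrics path, or dropping the action annotation, makes `unprotected` return the metrics URL.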