[bitnami/keycloak] Support ingress for Keycloak admin area

[dalbani]

Name and Version

bitnami/keycloak

What is the problem this feature will solve?

My deployment of Keycloak on AWS consists of 2 "interfaces":

• a public one, accessible via https://keycloak.public.company.com, and serving only /realms/my-public-realm/*
  • relies on "Internet facing" ALB
• a private one, accessible via https://keycloak.private.company.com, and serving all the endpoints, including /admin
  • relies on a "private" ALB

Combined with the use of KC_HOSTNAME=keycloak.public.company.com, KC_HOSTNAME_ADMIN=keycloak.private.company.com, and setting frontendUrl=https://keycloak.private.company.com on the master realm, I can keep the separation between the public part and private part of my Keycloak deployment.

The problem is that the Bitnami chart supports only a single ingress.
So I had to add a new ingress-2.yaml in my own deployment pipeline, which is more or less a copy of ingress.yaml.
Which is obviously far from ideal in terms of maintenance, code duplication, etc.

What is the feature you are proposing to solve the problem?

I propose to add support for a so-called "admin ingress" to the chart, in addition to the existing one.
In terms of functionality, the admin ingress would be identical to the regular ingress but configurable via values under adminIngress.
What do you think?

In terms of implementation, we could copy ingress.yaml into admin-ingress.yaml, and add the necessary changes in values.yaml.
Or, instead of duplicating ingress.yaml, we could introduce a template that could generate both ingress and adminIngress resources.

[carrodher]

Did you try using the extraDeploy parameter? Maybe that makes the trick for you, see https://github.com/bitnami/charts/tree/main/bitnami/keycloak#deploy-extra-resources

[dalbani]

Thanks for the suggestion, I wasn't aware of this extraDeploy functionality.
I use ArgoCD for the deployment, so adding an additional resource is not really an issue.
It's more that having this (almost identical) copy of ingress.yaml in my codebase is not really optimal.

And I suppose that the dual public/private ingress is not unique to my deployment, isn't it?

[carrodher]

I don't recall seeing this issue in the past, if you think it's a common scenario, feel free to submit a PR adding the admin-ingress.yaml

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[dalbani]

Not stale.

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[dalbani]

Not stale.

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[dalbani]

Unstale.

[busyboy77]

I don't think everyone is going to deploy Keycloak using AWS only.

We have been running bitnami/keycloak for last 4 years for on-prem based solutions where only 1 single domain is required.

Now using 2 FQDNS for identity and admin area are strong NOT feasible for our deployment requirements,

[dalbani]

I'm not sure I understand what your point was, @busyboy77.
For the record, you don't have to use the adminIngress, it's just an option offered by the chart.