KEYCLOAK-12307 TLS Termination configuration

[slaskawi]

JIRA ID

KEYCLOAK-14095
KEYCLOAK-12307

Additional Information

This Pull Request changes the TLS configuration from Passthrough to Re-encrypt. In addition to that, it introduces a new tlsTermination parameter (in the Keycloak CR) that can be set to passthrough and fall back to previous behavior.

This change improves user experience and sacrifices a bit of security. As we agreed with @stianst, the safest way of running Keycloak is a Passthrough Route that sends all encrypted traffic to Keycloak. However, this option is quite hard to configure as the Signing Operator would need to create a valid, publicly accepted certificate to Keycloak. Much easier option is to configure this on an Ingress or Route. Moreover, OpenShift Installer has an option to install OpenShift with Let's Encrypt support out of the box. However, it's worth to mention, that OpenShift Router (HAProxy) will be performing re-encryption and if some malicious code gets there, all secret codes might be dumped somewhere. This is a security concern every administrator needs to consider.

Finally, this Pull Request doesn't touch Ingress. Ingress Controller uses, so called backside re-encryption (basically, it is configured to use HTTPS Backend) (see link1 link2). The Frontend TLS configuration is up to the user. The Operator doesn't reconcile it.

Verification Steps

Checklist:

• Verified by team member
• Comments where necessary
• Automated Tests
• Documentation changes if necessary

Additional Notes

[slaskawi]

@andymunro @pb82 @davidffrench You might be interested in this PR.

[coveralls]

Coverage increased (+1.5%) to 42.181% when pulling fbcea8c on slaskawi:KEYCLOAK-12307-TLS-configuration-for-external-access into 3ed671b on keycloak:master.

[davidffrench]

Thanks @slaskawi . @pb82 this means we should be able to remove our additional route for keycloak in the integreatly-operator 🥳

cc @philbrookes

[slaskawi]

@davidffrench Yes, it took @stianst and myself a loooong time to decide on this.

[pb82]

@slaskawi @davidffrench looks like it only can be passthrough or reencrypt: https://github.com/keycloak/keycloak-operator/pull/186/files#diff-5ddfce748972d078ca691ae71e4d08ffR56

We currently create a custom edge route.

[slaskawi]

@pb82 Why do you use an edge-terminated route? If that's the Let's Encrypt case, the re-encrypt should do the job and it's much safer (as the traffic between HAProxy and the Pod is encrypted).

[pb82]

@slaskawi I was wrong, we actually use re-encrypt. So this should be fine.

[slaskawi]

I was wrong, we actually use re-encrypt. So this should be fine.

@pb82 Ok, that's great! Thanks Peter!

[slaskawi]

@stianst Comments addressed and re-pushed.

[mhajas]

After fixing the issue @stianst mentioned, this looks good to me. I was able to test it with both passthrough and re-encrypt and both worked as expected.

[slaskawi]

@mhajas Should be fine now.

[mhajas]

LGTM. Thanks, @slaskawi.