[bitnami/keycloak] Do not expose https port if tls is not enabled (#11095)

* [bitnami/keycloak] Do not expose https port if tls is not enabled

Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Chart version bump

Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com>

* Use portname in NOTES

Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com>

Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>

bitnami/keycloak/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 11.6.12
+  version: 11.6.15
 - name: common
   repository: https://charts.bitnami.com/bitnami
   version: 1.16.0
-digest: sha256:91916d4eb64003630eeda6ac05ce20e0863b0dffcf95026812c7edf87f90a105
-generated: "2022-07-01T17:21:38.046733596Z"
+digest: sha256:ae6ac7f3953fd148f00f62d42ea37ac9ad7248ea918e3d29326f70629daa822f
+generated: "2022-07-08T16:56:30.411935+02:00"

bitnami/keycloak/Chart.yaml

@@ -26,4 +26,4 @@ name: keycloak
 sources:
   - https://github.com/bitnami/bitnami-docker-keycloak
   - https://github.com/keycloak/keycloak
-version: 9.4.0
+version: 9.4.1

bitnami/keycloak/README.md

@@ -94,7 +94,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `auth.managementPassword`        | Wildfly management password                                                                                                  | `""`                  |
 | `auth.existingSecret`            | An already existing secret containing auth info                                                                              | `""`                  |
 | `auth.existingSecretPerPassword` | Override `existingSecret` and other secret values                                                                            | `{}`                  |
-| `auth.tls.enabled`               | Enable TLS encryption                                                                                                        | `false`               |
+| `auth.tls.enabled`               | Enable TLS encryption. Required for HTTPs traffic.                                                                           | `false`               |
 | `auth.tls.autoGenerated`         | Generate automatically self-signed TLS certificates. Currently only supports PEM certificates                                | `false`               |
 | `auth.tls.existingSecret`        | Existing secret containing the TLS certificates per Keycloak replica                                                         | `""`                  |
 | `auth.tls.usePem`                | Use PEM certificates as input instead of PKS12/JKS stores                                                                    | `false`               |

bitnami/keycloak/templates/NOTES.txt

@@ -24,24 +24,45 @@ To access Keycloak from outside the cluster execute the following commands:
 
 {{- if contains "NodePort" .Values.service.type }}
 
-    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
+    export HTTP_NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[?(@.name=='http')].nodePort}" services {{ include "common.names.fullname" . }})
+    {{- if .Values.auth.tls.enabled }}
+    export HTTPS_NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[?(@.name=='https')].nodePort}" services {{ include "common.names.fullname" . }})
+    {{- end }}
     export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-    echo "http://${NODE_IP}:${NODE_PORT}/"
+
+    echo "http://${NODE_IP}:${HTTP_NODE_PORT}/"
+    {{- if .Values.auth.tls.enabled }}
+    echo "https://${NODE_IP}:${HTTPS_NODE_PORT}/"
+    {{- end }}
 
 {{- else if contains "LoadBalancer" .Values.service.type }}
 
   NOTE: It may take a few minutes for the LoadBalancer IP to be available.
         You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "common.names.fullname" . }}'
 
-    export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
+    export HTTP_SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[?(@.name=='http')].port}" services {{ include "common.names.fullname" . }})
+    {{- if .Values.auth.tls.enabled }}
+    export HTTPS_SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[?(@.name=='https')].port}" services {{ include "common.names.fullname" . }})
+    {{- end }}
     export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-    echo "http://${SERVICE_IP}:${SERVICE_PORT}/"
+
+    echo "http://${SERVICE_IP}:${HTTP_SERVICE_PORT}/"
+    {{- if .Values.auth.tls.enabled }}
+    echo "https://${SERVICE_IP}:${HTTPS_SERVICE_PORT}/"
+    {{- end }}
 
 {{- else if contains "ClusterIP" .Values.service.type }}
 
-    export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
-    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${SERVICE_PORT}:${SERVICE_PORT} &
-    echo "http://127.0.0.1:${SERVICE_PORT}/"
+    export HTTP_SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[?(@.name=='http')].port}" services {{ include "common.names.fullname" . }})
+    {{- if .Values.auth.tls.enabled }}
+    export HTTPS_SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[?(@.name=='https')].port}" services {{ include "common.names.fullname" . }})
+    {{- end }}
+    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${HTTP_SERVICE_PORT}:${HTTP_SERVICE_PORT} ${HTTPS_SERVICE_PORT}:${HTTPS_SERVICE_PORT} &
+
+    echo "http://127.0.0.1:${HTTP_SERVICE_PORT}/"
+    {{- if .Values.auth.tls.enabled }}
+    echo "https://127.0.0.1:${HTTPS_SERVICE_PORT}/"
+    {{- end }}
 
 {{- end }}
 {{- end }}

bitnami/keycloak/templates/service.yaml

@@ -47,6 +47,7 @@ spec:
       {{- else if eq .Values.service.type "ClusterIP" }}
       nodePort: null
       {{- end }}
+    {{- if .Values.auth.tls.enabled }}
     - name: https
       port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
       protocol: TCP
@@ -56,6 +57,7 @@ spec:
       {{- else if eq .Values.service.type "ClusterIP" }}
       nodePort: null
       {{- end }}
+    {{- end }}
     {{- if .Values.service.extraPorts }}
     {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
     {{- end }}

bitnami/keycloak/templates/statefulset.yaml

@@ -297,9 +297,11 @@ spec:
             - name: http
               containerPort: {{ .Values.containerPorts.http }}
               protocol: TCP
+            {{- if .Values.auth.tls.enabled }}
             - name: https
               containerPort: {{ .Values.containerPorts.https }}
               protocol: TCP
+            {{- end }}
             - name: http-management
               containerPort: {{ .Values.containerPorts.management }}
               protocol: TCP

bitnami/keycloak/values.yaml

@@ -139,7 +139,7 @@ auth:
   ## ref: https://github.com/bitnami/bitnami-docker-keycloak#tls-encryption
   ##
   tls:
-    ## @param auth.tls.enabled Enable TLS encryption
+    ## @param auth.tls.enabled Enable TLS encryption. Required for HTTPs traffic.
     ##
     enabled: false
     ## @param auth.tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates