In the KC22 vs RHSSO 7.6 setup, we found that there is a better performance when using reencrypt for routes.
To make this work, Keycloak needs to have a TLS secret that is trusted by the ingress of OpenShift.
This issue is about driving this forward. Some change in the Operator might be necessary to get this implemented. An annotation like service.alpha.openshift.io/serving-cert-secret-name: keycloak-auto-tls-secret helps with that.
For the ingress, the following annotation helps with that: route.openshift.io/termination: reencrypt
There's the observation that the TLS connections between the route pod and the Keycloak pod could be a bit more persistent, and it would be good to look into that further once the first step of the setup is available.
Motivation
Provide an optimized setup for maximum performance
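The two annotations from the description, placed on plain Service and Ingress objects. This is an added example, not manifests from the issue or from the Keycloak Operator. Object names, namespace, host and selector label are hypothetical; port 8443 assumes Keycloak's default HTTPS port.

```yaml
# Added example: hand-written objects, not generated by the Keycloak Operator.
# Names, namespace, host and selector label are hypothetical.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-service
  namespace: keycloak
  annotations:
    # OpenShift's service CA issues a certificate for
    # keycloak-service.keycloak.svc and stores it (tls.crt / tls.key)
    # in the secret named here.
    service.alpha.openshift.io/serving-cert-secret-name: keycloak-auto-tls-secret
spec:
  selector:
    app: keycloak
  ports:
    - name: https
      port: 8443
      targetPort: 8443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: keycloak
  annotations:
    # The route generated from this Ingress terminates TLS at the router
    # and opens a new TLS connection to the pod.
    route.openshift.io/termination: reencrypt
spec:
  tls:
    - {}   # empty entry: use the router's default certificate on the edge side
  rules:
    - host: keycloak.apps.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8443
```

Keycloak has to serve HTTPS with the certificate and key from keycloak-auto-tls-secret; because that certificate is signed by the cluster's service CA, the router can verify it on the reencrypt leg.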