Description
In the Quarkus distribution the management and health endpoints are served from the standard HTTP endpoint.
While security best practices require those endpoints not to be accessible from the outside, Keycloak still exposes the HTTP endpoint on OpenShift as a passthrough endpoint, which makes them accessible from the outside, which requires users to either disable those endpoints, use another load balancer in front of OpenShift, or configure a custom route.
Quarkus 3.0.0.Beta1 finally supports a management port which allows serving health and metrics from a different port, which is then not accessible from the outside: quarkusio/quarkus#13602
Discussion
No response
Motivation
Security best practices and hardening.
Details
The pull request quarkusio/quarkus#30506 adds the necessary documentation for this.
The Operator needs to pass additional options to Keycloak to make this work, and Keycloak possibly needs to support additional parameters / a different internal handling to make this work.
### Follow-up tasks
- [ ] https://github.com/keycloak/keycloak/pull/28213
- [ ] https://github.com/keycloak/keycloak/issues/28404
- [ ] https://github.com/keycloak/keycloak/issues/28475