Description
The use case is to deploy Keycloak on OpenShift, and leverage the OpenShift Service Certificates for the Keycloak TLS certificate, see https://docs.openshift.com/container-platform/4.12/security/certificates/service-serving-certificate.html.
On OCP, there is a way to request OCP to auto-generate the Certificate and put it into the Secret, for any Service which has an annotation like service.beta.openshift.io/serving-cert-secret-name=<secret_name>.
However, currently the Keycloak operator does not allow for any parameterization of the created Service, see https://github.com/keycloak/keycloak/blob/main/operator/src/main/java/org/keycloak/operator/controllers/KeycloakServiceDependentResource.java#L79 - meaning there is no way to pass any annotation or label via the Keycloak CR for the Keycloak operator to apply on the created Service resource.
The ask here is to introduce a parameterization via the Keycloak CR of the created Service resource, so that one can pass arbitrary annotations or labels into the Service resource.
Conceptually it's similar to the .spec.unsupported.podTemplate, where one can override the definition of the Keycloak Pod, https://github.com/keycloak/keycloak/blob/main/operator/src/main/java/org/keycloak/operator/controllers/KeycloakDeployment.java#L182C23-L182C23
Now, it's true that OCP creates the certificate/secret AFTER the Service is created, which means that the Keycloak CR would point to the to-be-created TLS Secret and must tolerate the situation that the Secret does not yet exist and try to create the Service anyway, which is similar to #23087, but requires more thought in terms of coordinating asynchronous operations - which most probably would require a separate work item.
Discussion
No response
Motivation
Don't need to externally supply the certificate for Keycloak, leverage the built-in OpenShift mechanism of service certificates.
Details
No response
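A concrete illustration of the OpenShift mechanism the request above builds on, added here as an example; it is not part of the issue text and not code from the Keycloak project. Because the operator-managed Service cannot carry the annotation today, the annotation is placed on a separate, hand-written Service that selects the same Keycloak pods, and the Keycloak CR's existing `spec.http.tlsSecret` field is pointed at the Secret that OpenShift's service-ca operator generates. The Service name `keycloak-tls`, the Secret name `keycloak-serving-cert`, the namespace `keycloak`, the CR name `example-kc` and the pod selector labels are all assumptions for the example.

```yaml
# Added example (not from the issue or the Keycloak project).
# A hand-written Service carrying the OpenShift serving-cert annotation.
# OpenShift's service-ca operator reacts to the annotation by writing a
# kubernetes.io/tls Secret (tls.crt / tls.key) with the name given in the
# annotation value into the same namespace. The certificate it issues is
# valid for <service>.<namespace>.svc, i.e. keycloak-tls.keycloak.svc here.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-tls              # assumed name; distinct from the operator's own <cr-name>-service
  namespace: keycloak             # assumed namespace
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: keycloak-serving-cert
spec:
  selector:
    # Assumed pod labels: verify with `oc get pods --show-labels` before relying on them.
    app: keycloak
    app.kubernetes.io/instance: example-kc
  ports:
    - name: https
      port: 8443
      targetPort: 8443
---
# Keycloak CR pointing at the Secret OpenShift generates for the Service above.
# The Secret does not exist until the Service has been admitted, so apply the
# Service first and confirm the Secret is present (`oc get secret
# keycloak-serving-cert -n keycloak`) before applying this CR; this is the
# ordering problem the issue describes. Database configuration is omitted here
# because it is unrelated to the TLS wiring.
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc                # assumed CR name
  namespace: keycloak
spec:
  instances: 1
  hostname:
    # Must match the name the serving certificate was issued for, otherwise
    # clients see a hostname mismatch.
    hostname: keycloak-tls.keycloak.svc
  http:
    tlsSecret: keycloak-serving-cert
```

Two caveats a practitioner should keep in mind: the issuing CA is the cluster's service-ca, not a publicly trusted one, so in-cluster clients need its bundle (OpenShift injects it into a ConfigMap annotated with `service.beta.openshift.io/inject-cabundle: "true"`), and the certificate only covers the in-cluster `.svc` name, so it does not help for a Route or external hostname.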