Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
operator
Describe the bug
If a Keycloak instance is deployed using the OpenShift cluster ingress certificate, *.app.<cluster-domain>, then when a client (browser) establishes a connection with Keycloak, requests to other applications deployed on the same OpenShift cluster may be received by Keycloak instead of by the intended application.
The Keycloak connection is reused and the request is received by Keycloak.
Workaround
Use a reencrypt route for the ingress controller.
A reencrypt route fixes the issue because, for reencrypt routes, the Ingress Controller negotiates its connection to the application independently of the connection from the client.
Route creation must be disabled on the Keycloak CR by setting .spec.ingress.enabled: false
~~~
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak1
spec:
  instances: 1
  db:
    vendor: postgres
    host: postgres-db-w
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    tlsSecret: tls-secret-wildcard
  hostname:
    hostname: keycloak1.apps.<domain>
  ingress:
    enabled: false
~~~
Version
24
Regression
[ ] The issue is a regression
Expected behavior
Requests should go to the appropriate application, which may not be Keycloak.
Actual behavior
Keycloak receives requests that are intended for other applications.
How to Reproduce?
Deploy a Keycloak instance using the OpenShift cluster ingress certificate, *.app.<cluster-domain>.
Anything else?
No response
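With route creation disabled on the CR, the reencrypt route from the workaround has to be created by hand. A Route for the keycloak1 CR could look like the following; this is an added example, not part of the original report, and the Route name, the Service name keycloak1-service, the port name https and the CA placeholder are assumptions to verify against the cluster.

```yaml
# Added example (not from the original report): reencrypt Route for the
# "keycloak1" CR shown in the workaround.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: keycloak1-reencrypt          # hypothetical Route name
spec:
  # Same host as .spec.hostname.hostname in the Keycloak CR.
  host: keycloak1.apps.<domain>
  to:
    kind: Service
    name: keycloak1-service          # assumption: Service created by the operator for the CR
    weight: 100
  port:
    targetPort: https                # assumption: name of the Service's TLS port
  tls:
    # The router terminates the client's TLS session and opens its own TLS
    # session to Keycloak, so the client connection never ends at the pod.
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
    # Keycloak still serves the certificate from tls-secret-wildcard, so the
    # router must trust the CA that issued it. Placeholder, replace with the
    # issuing CA in PEM form.
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      <issuing CA certificate, PEM, placeholder>
      -----END CERTIFICATE-----
```

Because no certificate or key is set on the Route itself, the router presents its default certificate to clients.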