From 6da34dc83679e53a44eab9d880a2e79467830d52 Mon Sep 17 00:00:00 2001 From: andymunro <48995441+andymunro@users.noreply.github.com> Date: Mon, 27 Jan 2025 02:56:08 -0500 Subject: [PATCH] Openshift conflict Closes #36745 Signed-off-by: AndyMunro Signed-off-by: Steven Hawkins Co-authored-by: Steven Hawkins (cherry picked from commit 9ab28e7ffebb454b500f68918fb3f9441acc51e7) --- docs/guides/operator/basic-deployment.adoc | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/guides/operator/basic-deployment.adoc b/docs/guides/operator/basic-deployment.adoc index 0b62ea552e1..d8a71e83b96 100644 --- a/docs/guides/operator/basic-deployment.adoc +++ b/docs/guides/operator/basic-deployment.adoc @@ -189,7 +189,9 @@ CONDITION: RollingUpdate === Accessing the {project_name} deployment -The {project_name} deployment is exposed through a basic Ingress and is accessible through the provided hostname. On installations with multiple default IngressClass instances +The {project_name} deployment can be exposed through a basic Ingress accessible through the provided hostname. + +On installations with multiple default IngressClass instances or when running on OpenShift 4.12+ you should provide an ingressClassName by setting `ingress` spec with `className` property to the desired class name: Edit YAML file `example-kc.yaml`: 
@@ -228,7 +230,12 @@ Apply the changes: ---- kubectl apply -f example-kc.yaml ---- -You can provide an alternative ingress resource pointing to the service `-service`. +You can then provide an alternative ingress resource pointing to the service `-service`. For example, on OpenShift you are not allowed to use wildcard certificates on passthrough Routes with HTTP/2 enabled. A Keycloak CR on OpenShift with TLS enabled using a wildcard certificate with the default IngressClass creates such a Route. In this case, you must disable the built-in ingress with `.spec.ingress.enabled: false`. Access may then be provided by creating a reencrypt Route instead: + +[source,yaml] +---- +$ oc create route reencrypt --service=-service --cert= --key= --dest-ca-cert= --ca-cert= --hostname= +---- For debugging and development purposes, consider directly connecting to the {project_name} service using a port forward. For example, enter this command:
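Review bot: In the first hunk (@@ -189,7 +189,9 @@), the reworded sentence "can be exposed through a basic Ingress" makes the Ingress sound optional but does not say what controls it. The second hunk relies on `.spec.ingress.enabled: false`, so naming that setting here would tell readers at this point that the built-in Ingress can be turned off. The added line "or when running on OpenShift 4.12+" gives no reason for the version cutoff; a short clause on what differs from that release onward would help. The context line that follows, "by setting `ingress` spec with `className` property", would read better as "by setting the `className` property in the `ingress` spec".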
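Review bot: In the second hunk (@@ -228,7 +230,12 @@), the added block is tagged `[source,yaml]` but contains an `oc create route reencrypt` shell command; tag it `[source,bash]` and drop the leading `$` so it matches the `kubectl apply -f example-kc.yaml` block above and copies cleanly. As shown here, `--cert=`, `--key=`, `--dest-ca-cert=`, `--ca-cert=` and `--hostname=` carry no values, so each needs a named placeholder, and the text should say which certificate `--dest-ca-cert` must be, since on a reencrypt Route that is what the router uses to verify the certificate presented by the {project_name} service. The added paragraph also packs the general statement and the OpenShift workaround together; breaking it after "pointing to the service `-service`." would keep the two apart.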