
ADR-077: No Ingress Traffic Separation for Admin and Public Interfaces

Category: architecture

Provenance: human

Decision

We will not implement split Ingress configuration (separate hosts/paths for /admin and /realms) in the default Helm chart.

Rationale

Keycloak's traffic separation requirements (forcing HTTPS for admin, specific paths) often conflict with simple Ingress controller configurations. Implementing this reliably across different Ingress controllers (Nginx, Traefik, ALB, etc.) adds excessive complexity to the chart logic and introduces risks of configuration mismatch (e.g. issuer errors, redirect loops). We prioritize a robust, simple default Ingress. Advanced routing should be handled by the user, either by providing their own Ingress resource (and disabling the chart's built-in one) or by using an API Gateway.

Agent Instructions

Reject feature requests for complex Ingress routing in the Helm chart. Advise users to use custom Ingress resources if they need traffic splitting.

Rejected Alternatives

Separate Admin/Public Ingress templates

The maintenance burden and potential for user misconfiguration outweigh the benefit for the default use case.