Merge branch 'master' into opensearch

roles/haproxy/templates/haproxy.cfg.j2

@@ -52,15 +52,18 @@ listen opensearchserv
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/opensearches_whitelist.lst }
 	
 listen keycloakserv
-        bind *:12443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
-        mode http
+        # Keycloak needs to receive and check client certificates, which is easier when it handles TLS itself - so we use TCP mode here 
+        bind *:12443
+        mode tcp
         maxconn 5000
         fullconn 5000
         balance source
         option tcpka
-        option httplog
+        option tcp-check
+        option tcplog
+        tcp-check connect port 8443
 {% for keycloakhost in groups['keycloakcontainers'] %}
-	server {{keycloakhost}} {{keycloakhost}}:8443 ssl check verify none
+	server {{keycloakhost}} {{keycloakhost}}:8443 check
 {% endfor %}
 	tcp-request connection reject if !{ src -f /usr/local/etc/haproxy/keycloak_whitelist.lst }