KeyCloak is a complex software and so are the features for a gatekeeper. An end to end design will separate the concerns for deployment which should preferably be as no-brainer as possible. All the custom logic should be handled by the application and not the deployment code because they are likely tied to the application and not the Kubernetes platform.

The ingress resource can fan out the traffic to different destinations based on service uri paths. This
helps with routing the api calls to independent service implementations. The ingress resource can be specified declaratively as yaml or programmatically.  The routing may be determined by the host header.

The ingress resource can also route traffic to different backends. An ingress with no rules sends to a traffic to a default backend. The default backend is typically a configuration option of the ingress controller.

The ingress resource can also route traffic to different name based virtual hosts at the same ip
address. This feature can work without a name based virtual host being required which translates to all traffic as pass-through.

The ingress resource can be used to secure the ingress by specifying a tls private key and certificate.

The ingress only supports a single TLS port.  The TLS secret contains key and certificate with the corresponding lookup names as tls.key and tls.certificate.

#codingexercise
Node getSecondSmallestInBst(Node root) {
Node smallest = getLeftMost(root);
return getSuccessor(smallest);
}