I really want to avoid the old proxy style option that did a bunch of magic stuff, it was not really transparent and it was confusing to users.

Sorry for not being clear - yes what I'm looking for would strictly be for validation on the server side, calling it proxy-mode makes perfect sense.

If we had something like that it would drive the settings more from the cli / runtime experience and require less comprehension of the docs, and we could convert several of our validation warnings to hard errors.

I'm not sure how the operator benefits

When the keycloak instance has both http and https enabled, the operator assumes the ingress is to use https. That isn't necessarily correct, it's just being done by convention. Having a way to differentiate based up the user's intention would be more correct.

Originally posted by @shawkins in #48209 (comment)