[bitnami/keycloak] Importing PSI Certificate #25290

Closed
rehanazher opened this issue Apr 20, 2024 · 3 comments
Assignees
Labels
keycloak solved stale 15 days without activity tech-issues The user has a technical issue about an application

Comments

@rehanazher

Name and Version

bitnami/keycloak

What architecture are you using?

arm64

What steps will reproduce the bug?

I am trying to specify my ADFS certificate as an SPI cert under the keycloak values.yaml file. I had my cert as adfs_cert.pem; I converted it to DER format using:

openssl x509 -outform der -in adfs_cert.pem -out adfs_cert.der

Then I added it to a Java keystore using the command below:

keytool -importcert -alias adfscert -keystore adfskeystore.jks -file adfs_cert.der -storepass changeit

I updated my keycloak values.yaml as follows:

$ more keycloak-values.yaml
production: true
replicaCount: 1
initContainers:
  - name: cert-import
    image: bitnami/keycloak:24.0.2-debian-12-r0
    command:
      - sh
      - -c
      - |
        keytool -import -trustcacerts -alias adfs-cert -file /etc/ssl/certs/adfs_cert.pem -keystore /opt/bitnami/java/lib/security/cacerts -storepass changeit -noprompt
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: true
    volumeMounts:
      - name: cert-volume
        mountPath: /etc/ssl/certs
extraVolumes:
  - name: cert-volume
    secret:
      secretName: adfs-cert
volumes:
  - name: cert-volume
    secret:
      secretName: adfs-cert
auth:
  createAdminUser: true
  adminUser: exampleadmin
  adminPassword: example@@9
tls:
  enabled: true
  autoGenerated: true
spi:
  existingSecret: adfs-jks
  truststorePassword: changeit
  truststoreFilename: adfskeystore.jks
  passwordsSecret: example@@9
  hostnameVerificationPolicy: ANY
ingress:
  enabled: true
  hostname: keycloak.example.int
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  servicePort: https
  tls: true
  extraTls:
  - hosts:
    - keycloak.example.int
    secretName: keycloak-tls
persistence:
  enable: true
postgresql:
  persistence:
    enable: true
  enabled: true
  postgresqlPassword: samplepswd

And then I upgraded my keycloak using the command below:

helm upgrade keycloak bitnami/keycloak -n keycloak --values keycloak-values.yaml

When I check pods under the keycloak namespace I only see the keycloak-postgresql Pod, not a pod for keycloak. I described the keycloak StatefulSet:

k -n keycloak describe statefulsets.apps keycloak
Name:               keycloak
Namespace:          keycloak
CreationTimestamp:  Sat, 20 Apr 2024 05:53:48 -0400
Selector:           app.kubernetes.io/component=keycloak,app.kubernetes.io/instance=keycloak,app.kubernetes.io/name=keycloak
Labels:             app.kubernetes.io/component=keycloak
                    app.kubernetes.io/instance=keycloak
                    app.kubernetes.io/managed-by=Helm
                    app.kubernetes.io/name=keycloak
                    app.kubernetes.io/version=24.0.3
                    helm.sh/chart=keycloak-21.0.2
Annotations:        meta.helm.sh/release-name: keycloak
                    meta.helm.sh/release-namespace: keycloak
Replicas:           1 desired | 0 total
Update Strategy:    RollingUpdate
  Partition:        0
Pods Status:        0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:           app.kubernetes.io/component=keycloak
                    app.kubernetes.io/instance=keycloak
                    app.kubernetes.io/managed-by=Helm
                    app.kubernetes.io/name=keycloak
                    app.kubernetes.io/version=24.0.3
                    helm.sh/chart=keycloak-21.0.2
  Annotations:      checksum/configmap-env-vars: ba97b56874e255321296913f3de9d92138dcfe3f0a4c26ed76989ab11aa9b58f
                    checksum/secrets: 8b08372aaf63238727920e086f45e600f7d8b882b8ed69b8ef00407f3a98e0b6
  Service Account:  keycloak
  Init Containers:
   init-quarkus-directory:
    Image:           docker.io/bitnami/keycloak:24.0.3-debian-12-r0
    Port:            <none>
    Host Port:       <none>
    SeccompProfile:  RuntimeDefault
    Command:
      /bin/bash
    Args:
      -ec
      #!/bin/bash
      cp -r /opt/bitnami/keycloak/lib/quarkus/* /quarkus

    Limits:
      cpu:                750m
      ephemeral-storage:  1Gi
      memory:             768Mi
    Requests:
      cpu:                500m
      ephemeral-storage:  50Mi
      memory:             512Mi
    Environment:          <none>
    Mounts:
      /quarkus from empty-dir (rw,path="app-quarkus-dir")
      /tmp from empty-dir (rw,path="tmp-dir")
   cert-import:
    Image:      bitnami/keycloak:24.0.2-debian-12-r0
    Port:       <none>
    Host Port:  <none>
    Command:
      sh
      -c
      keytool -import -trustcacerts -alias adfs-cert -file /etc/ssl/certs/adfs_cert.pem -keystore /opt/bitnami/java/lib/security/cacerts -storepass changeit -noprompt

    Environment:  <none>
    Mounts:
      /etc/ssl/certs from cert-volume (rw)
  Containers:
   keycloak:
    Image:           docker.io/bitnami/keycloak:24.0.3-debian-12-r0
    Ports:           8080/TCP, 8443/TCP, 7800/TCP, 7800/TCP
    Host Ports:      0/TCP, 0/TCP, 0/TCP, 0/TCP
    SeccompProfile:  RuntimeDefault
    Limits:
      cpu:                750m
      ephemeral-storage:  1Gi
      memory:             768Mi
    Requests:
      cpu:                500m
      ephemeral-storage:  50Mi
      memory:             512Mi
    Liveness:             http-get http://:http/ delay=300s timeout=5s period=1s #success=1 #failure=3
    Readiness:            http-get http://:http/realms/master delay=30s timeout=1s period=10s #success=1 #failure=3
    Environment Variables from:
      keycloak-env-vars  ConfigMap  Optional: false
    Environment:
      KUBERNETES_NAMESPACE:               (v1:metadata.namespace)
      BITNAMI_DEBUG:                     false
      KEYCLOAK_ADMIN_PASSWORD:           <set to the key 'admin-password' in secret 'keycloak'>           Optional: false
      KEYCLOAK_DATABASE_PASSWORD:        <set to the key 'password' in secret 'keycloak-postgresql'>      Optional: false
      KEYCLOAK_SPI_TRUSTSTORE_PASSWORD:  <set to the key 'spi-truststore-password' in secret 'example@@9'>  Optional: false
      KEYCLOAK_HTTP_RELATIVE_PATH:       /
    Mounts:
      /opt/bitnami/keycloak/certs from certificates (ro)
      /opt/bitnami/keycloak/conf from empty-dir (rw,path="app-conf-dir")
      /opt/bitnami/keycloak/data from empty-dir (rw,path="app-data-dir")
      /opt/bitnami/keycloak/lib/quarkus from empty-dir (rw,path="app-quarkus-dir")
      /opt/bitnami/keycloak/spi-certs from spi-certificates (ro)
      /tmp from empty-dir (rw,path="tmp-dir")
  Volumes:
   empty-dir:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
   certificates:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  keycloak-crt
    Optional:    false
   spi-certificates:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  psi-adfs
    Optional:    false
   cert-volume:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  adfs-cert
    Optional:    false
Volume Claims:   <none>
Events:
  Type     Reason               Age                  From                    Message
  ----     ------               ----                 ----                    -------
  Normal   SuccessfulDelete     25s (x44 over 130m)  statefulset-controller  delete Pod keycloak-0 in StatefulSet keycloak successful
  Warning  RecreatingFailedPod  25s (x42 over 130m)  statefulset-controller  StatefulSet keycloak/keycloak is recreating failed Pod keycloak-0
  Warning  FailedCreate         25s (x37 over 130m)  statefulset-controller  create Pod keycloak-0 in StatefulSet keycloak failed error: Pod "keycloak-0" is invalid: spec.containers[0].env[4].valueFrom.secretKeyRef.name: Invalid value: "example@@9": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

This issue is only specific to

spi:
  existingSecret: adfs-jks
  truststorePassword: changeit
  truststoreFilename: adfskeystore.jks
  passwordsSecret: example@@9
  hostnameVerificationPolicy: ANY

If I remove those lines, I can still successfully bring up Keycloak.

Are you using any custom parameters or values?

My values.yaml is as below:


$ more keycloak-values.yaml
production: true
replicaCount: 1
initContainers:
  - name: cert-import
    image: bitnami/keycloak:24.0.2-debian-12-r0
    command:
      - sh
      - -c
      - |
        keytool -import -trustcacerts -alias adfs-cert -file /etc/ssl/certs/adfs_cert.pem -keystore /opt/bitnami/java/lib/security/cacerts -storepass changeit -noprompt
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: true
    volumeMounts:
      - name: cert-volume
        mountPath: /etc/ssl/certs
extraVolumes:
  - name: cert-volume
    secret:
      secretName: adfs-cert
volumes:
  - name: cert-volume
    secret:
      secretName: adfs-cert
auth:
  createAdminUser: true
  adminUser: exampleadmin
  adminPassword: example@@9
tls:
  enabled: true
  autoGenerated: true
spi:
  existingSecret: adfs-jks
  truststorePassword: changeit
  truststoreFilename: adfskeystore.jks
  passwordsSecret: example@@9
  hostnameVerificationPolicy: ANY
ingress:
  enabled: true
  hostname: keycloak.example.int
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  servicePort: https
  tls: true
  extraTls:
  - hosts:
    - keycloak.example.int
    secretName: keycloak-tls
persistence:
  enable: true
postgresql:
  persistence:
    enable: true
  enabled: true
  postgresqlPassword: samplepswd

What is the expected behavior?

Expected behavior is to get keycloak updated with the SPI certificate.

What do you see instead?

I see the error below in the StatefulSet:

Events:
  Type     Reason               Age                  From                    Message
  ----     ------               ----                 ----                    -------
  Normal   SuccessfulDelete     25s (x44 over 130m)  statefulset-controller  delete Pod keycloak-0 in StatefulSet keycloak successful
  Warning  RecreatingFailedPod  25s (x42 over 130m)  statefulset-controller  StatefulSet keycloak/keycloak is recreating failed Pod keycloak-0
  Warning  FailedCreate         25s (x37 over 130m)  statefulset-controller  create Pod keycloak-0 in StatefulSet keycloak failed error: Pod "keycloak-0" is invalid: spec.containers[0].env[4].valueFrom.secretKeyRef.name: Invalid value: "example@@9": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Additional information

No response

@rehanazher rehanazher added the tech-issues The user has a technical issue about an application label Apr 20, 2024
@github-actions github-actions bot added the triage Triage is needed label Apr 20, 2024
@javsalgar javsalgar changed the title Importing PSI Certificate [bitnami/keycloak] Importing PSI Certificate Apr 22, 2024
@github-actions github-actions bot removed the triage Triage is needed label Apr 22, 2024
@github-actions github-actions bot assigned andresbono and unassigned javsalgar Apr 22, 2024
@andresbono
Member

Hi, the spi.passwordsSecretName value refers to the name of a secret k8s object containing the SPI Truststore passwords:

{{/*
Return the secret containing Keycloak SPI TLS certificates
*/}}
{{- define "keycloak.spiPasswordsSecretName" -}}
{{- $secretName := .Values.spi.passwordsSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-spi-passwords" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}

See the full list of parameters here: https://github.com/bitnami/charts/tree/main/bitnami/keycloak#parameters
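The root cause visible in the FailedCreate event above is that `spi.passwordsSecret` names a Kubernetes Secret object, yet the values file fed it the admin password literal `example@@9`, which is neither a valid RFC 1123 subdomain nor a name that should ever appear in a values file. The following pre-flight linter is an added example, not code from this issue or from the bitnami/keycloak chart. It re-implements the name resolution of the `keycloak.spiPasswordsSecretName` template quoted above in Python, validates Secret-name fields with the exact regex Kubernetes printed in the event, flags the case where a Secret-name field carries the same string as `auth.adminPassword`, and builds the Secret the chart expects (key `spi-truststore-password`, taken from the `KEYCLOAK_SPI_TRUSTSTORE_PASSWORD` line of the describe output). The values dictionaries are constructed here from the issue's values.yaml; `auth.existingSecret` is listed on the assumption that it follows the chart's naming convention. In practice you would obtain the dictionary with `yaml.safe_load(open("keycloak-values.yaml"))` before calling `lint_secret_refs`.

```python
import re

# Regex quoted verbatim in the StatefulSet FailedCreate event on this issue:
# Kubernetes validates every secretKeyRef.name as a lowercase RFC 1123 subdomain.
RFC1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)

# Values keys that name a Secret *object* rather than hold a password.
# spi.existingSecret and spi.passwordsSecret appear on the issue page;
# auth.existingSecret is an assumption based on the chart's naming convention.
SECRET_NAME_KEYS = ("spi.existingSecret", "spi.passwordsSecret", "auth.existingSecret")

# Secret key the chart reads the truststore password from (see the
# KEYCLOAK_SPI_TRUSTSTORE_PASSWORD line in the describe output above).
SPI_TRUSTSTORE_PASSWORD_KEY = "spi-truststore-password"


def is_rfc1123_subdomain(name):
    """True if `name` would pass the Kubernetes object-name validation."""
    return isinstance(name, str) and len(name) <= 253 and RFC1123_SUBDOMAIN.match(name) is not None


def lookup(values, dotted):
    """Fetch a nested values entry by dotted path, or None if absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def spi_passwords_secret_name(values, fullname):
    """Python rendering of the chart's keycloak.spiPasswordsSecretName template."""
    explicit = lookup(values, "spi.passwordsSecret")
    if explicit:
        return explicit
    return f"{fullname}-spi-passwords"[:63].rstrip("-")


def lint_secret_refs(values):
    """Return (key, value, reason) findings for fields that must name a Secret."""
    findings = []
    admin_password = lookup(values, "auth.adminPassword")
    for key in SECRET_NAME_KEYS:
        value = lookup(values, key)
        if value is None:
            continue
        if not is_rfc1123_subdomain(value):
            findings.append((key, value, "not an RFC 1123 subdomain; the Pod spec will be rejected"))
        elif admin_password is not None and value == admin_password:
            findings.append((key, value, "equals auth.adminPassword; a password was put where a Secret name belongs"))
    return findings


def secret_manifest(name, truststore_password):
    """Build the Secret object the chart expects spi.passwordsSecret to point at."""
    if not is_rfc1123_subdomain(name):
        raise ValueError(f"invalid Secret name: {name!r}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "stringData": {SPI_TRUSTSTORE_PASSWORD_KEY: truststore_password},
    }


# Constructed from the issue's values.yaml: the failing fragment ...
WEAK_VALUES = {
    "auth": {"adminUser": "exampleadmin", "adminPassword": "example@@9"},
    "spi": {"existingSecret": "adfs-jks", "passwordsSecret": "example@@9"},
}

# ... and the corrected fragment, pointing at a Secret instead of a password.
FIXED_VALUES = {
    "auth": {"adminUser": "exampleadmin", "adminPassword": "example@@9"},
    "spi": {"existingSecret": "adfs-jks", "passwordsSecret": "keycloak-spi-passwords"},
}

if __name__ == "__main__":
    for label, values in (("weak", WEAK_VALUES), ("fixed", FIXED_VALUES)):
        print(label, "->", spi_passwords_secret_name(values, "keycloak"))
        for key, value, reason in lint_secret_refs(values):
            print(f"  {key}={value!r}: {reason}")
    print(secret_manifest("keycloak-spi-passwords", "changeit"))
```

Running the linter before `helm upgrade` turns the StatefulSet's repeated FailedCreate loop into a single message at the terminal, and the `adminPassword` comparison catches the confusion this issue hit even when the offending string happens to be a syntactically valid name. Applying the manifest from `secret_manifest` with `kubectl apply -f` (or `kubectl create secret generic keycloak-spi-passwords --from-literal=spi-truststore-password=...`) keeps the truststore password out of the values file entirely.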

github-actions bot commented May 8, 2024

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label May 8, 2024

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@bitnami-bot bitnami-bot closed this as not planned Won't fix, can't repro, duplicate, stale May 13, 2024