[bitnami/keycloak] Better documentation on how to add certificate for ldaps #7796

Closed
StianHaugland1 opened this issue Oct 13, 2021 · 16 comments

Comments

@StianHaugland1
Contributor

StianHaugland1 commented Oct 13, 2021

To configure ldaps I'm currently using JAVA_OPTS to add the cert. This works, because when no truststore is configured in the standalone.xml it falls back to javax.net.ssl.trustStore, but I'd like to configure it for "keycloak" instead, any tips?

```shell
# import the LDAP server's CA certificate into a dedicated truststore, then ship it as a secret
keytool -import -alias somealias -keystore truststore.jks -file somecer.cer
kubectl create secret generic ldap-keystore --from-file=truststore.jks
```

values:

```yaml
extraVolumes: |
  - name: ldap-keystore
    secret:
      secretName: ldap-keystore

extraVolumeMounts: |
  - name: ldap-keystore
    mountPath: /bitnami/keycloak/keystore
    readOnly: true

extraEnvVars: |
  - name: JAVA_OPTS
    value: >-
      -Djavax.net.ssl.trustStore=/bitnami/keycloak/keystore/truststore.jks
      -Djavax.net.ssl.trustStorePassword=somepass
```
@lknite
Contributor

lknite commented Oct 13, 2021

Here's something you might try, but it hasn't worked for me fully with federation. Maybe it'd work for you?
#7536

@alvneiayu
Contributor

alvneiayu commented Oct 14, 2021

first of all, thanks for your help @lknite

@StianHaugland1 could you try with the solution suggested by @lknite? Let me know if you still have problems and I will try to help you too.

Thanks a lot

Álvaro

@lknite
Contributor

lknite commented Oct 16, 2021

Just to be more clear, here is the section from the values.yaml I was inviting you to look into; this seems to be the way keycloak is wanting us to do this:

```yaml
## @param auth.tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
## Create this secret following the steps below:
## 1) Generate your trustore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
## 2) Rename your truststore to `keycloak.truststore.jks`.
## 3) Rename your keystores to `keycloak-X.keystore.jks` where X is the ID of each Keycloak replica
## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
##       kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak-0.keystore.jks --from-file=./keycloak-1.keystore.jks ...
##
existingSecret: ""
```

@lknite
Contributor

lknite commented Oct 16, 2021

@alvneiayu can you tell me what I can run within the keycloak-0 container to check for the existence of the truststore / keystore which I was attempting to set?

@lknite
Contributor

lknite commented Oct 16, 2021

It occurred to me that I might need to set a password for the truststore/keystore, even though I was using the default of 'changeit'. I specified the password like so:

```yaml
# required otherwise you get a blank page when visiting the admin console
proxyAddressForwarding: true

# to specify the ad ca public certificate in order to access ldaps
auth:
  tls:
    enabled: true
    existingSecret: keycloak-certs
    truststorePassword: changeit
```

I noticed this change was reflected in the secret 'keycloak' as:

```
Data
====
management-password:     10 bytes
tls-truestore-password:  8 bytes
admin-password:          10 bytes
```

Looks like there may be a typo, 'tls-truestore-password', which probably should be 'tls-truststore-password'? This also exists in the values.yaml file; if this is a typo, maybe this is causing things not to work?

@lknite
Contributor

lknite commented Oct 16, 2021

I checked inside the container and I can see the following environment variables being set, which look right:

```
KEYCLOAK_TLS_TRUSTSTORE_FILE=/opt/bitnami/keycloak/certs/keycloak.truststore.jks
KEYCLOAK_ENABLE_TLS=true
KEYCLOAK_TLS_TRUSTSTORE_PASSWORD=changeit
KEYCLOAK_TLS_CREATE_KEYSTORE=false
KEYCLOAK_TLS_KEYSTORE_FILE=/opt/bitnami/keycloak/certs/keycloak.keystore.jks
```

What to check next?

@lknite
Contributor

lknite commented Oct 16, 2021

This worked after I also set the keystore password, so for ldaps it must use the keystore and not the truststore:

```yaml
auth:
  tls:
    enabled: true
    existingSecret: keycloak-certs
    keystorePassword: changeit
    truststorePassword: changeit
```
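The procedure from the values.yaml comment quoted earlier (truststore plus one keystore per replica, packed into the secret that `auth.tls.existingSecret` points at) as one script, added here as an example that is not part of the chart or of this thread. It assumes a CA certificate file `ldap-ca.crt`, the alias `ldap-ca`, the secret name `keycloak-certs` used above, and that `keytool` and `kubectl` are on the path.

```shell
#!/bin/sh
# Added example (not from the chart or this thread). Builds the files the chart's
# values.yaml comment asks for: keycloak.truststore.jks holding the LDAPS CA, plus one
# keycloak-N.keystore.jks per replica, then creates the secret referenced by
# auth.tls.existingSecret. Assumed inputs: a CA certificate file, a replica count and
# the password you will put in auth.tls.keystorePassword / truststorePassword.
set -eu

TRUSTSTORE="keycloak.truststore.jks"   # file name the chart expects in the secret

# keystore_name N -> keycloak-N.keystore.jks (one per replica, per the chart comment)
keystore_name() { printf 'keycloak-%s.keystore.jks' "$1"; }

# secret_from_file_args REPLICAS -> the --from-file arguments for kubectl
secret_from_file_args() {
  args="--from-file=./$TRUSTSTORE"
  i=0
  while [ "$i" -lt "$1" ]; do
    args="$args --from-file=./$(keystore_name "$i")"
    i=$((i + 1))
  done
  printf '%s' "$args"
}

# build_truststore CA_CERT PASSWORD: import only the LDAP CA, not the server's leaf
# certificate, so a rotation of the LDAP server certificate does not break federation.
build_truststore() {
  keytool -importcert -noprompt -trustcacerts -alias ldap-ca \
    -file "$1" -keystore "$TRUSTSTORE" -storepass "$2"
}

# build_keystores REPLICAS PASSWORD: placeholder self-signed server keystores; replace
# them with your real server certificates if clients terminate TLS at Keycloak itself.
build_keystores() {
  i=0
  while [ "$i" -lt "$1" ]; do
    keytool -genkeypair -alias keycloak -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=keycloak-$i" -keystore "$(keystore_name "$i")" -storepass "$2" -keypass "$2"
    i=$((i + 1))
  done
}

# Usage: sh make-keycloak-certs.sh ldap-ca.crt 2 changeit   (runs only with 3 arguments)
if [ "$#" -eq 3 ]; then
  build_truststore "$1" "$3"
  build_keystores "$2" "$3"
  # unquoted on purpose: the function returns several --from-file arguments
  kubectl create secret generic keycloak-certs $(secret_from_file_args "$2")
  keytool -list -keystore "$TRUSTSTORE" -storepass "$3" | grep -i 'ldap-ca'   # sanity check
fi
```

The final `keytool -list` is also what you can run inside the `keycloak-0` container against `$KEYCLOAK_TLS_TRUSTSTORE_FILE` with `$KEYCLOAK_TLS_TRUSTSTORE_PASSWORD` to confirm the CA alias really landed in the mounted truststore.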

@StianHaugland1
Contributor Author

@ikeeip Thanks, I'll test this today 🙌

@alvneiayu
Contributor

hi @lknite

First of all, sorry for the late reply.

As you said, this is a typo ("tls-truestore-password"); we are open to receiving PRs if you want to send us a contribution. I will be really happy to review it.

Happy to hear that you finally found the solution, and thanks a lot for sharing it. Let me know if I can help you with something, and sorry again for the late reply.

Thanks a lot

Álvaro

@StianHaugland1
Contributor Author

I created a secret containing the truststore and keystore, but when I click test connection with ldaps:// in user federation I get this error:

```
[org.keycloak.truststore.SSLSocketFactory] (default task-1) No truststore provider found - using default SSLSocketFactory 14:20:28,875 ERROR [org.keycloak.services] (default task-1) KC-SERVICES0055: Error when connecting to LDAP
```

I've checked the env vars and they are the same as you posted above, except I've set pass: 123456

Did I forget to do something @lknite ?

secret:

```
Data
====
keycloak-0.keystore.jks:  1314 bytes
keycloak.truststore.jks:  1314 bytes
```

values:

```yaml
auth:
  tls:
    enabled: true
    existingSecret: keycloak-certs
    keystorePassword: "123456"
    truststorePassword: "123456"
```

@github-actions

github-actions bot commented Nov 6, 2021

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Nov 6, 2021
@alvneiayu alvneiayu removed the stale 15 days without activity label Nov 8, 2021
@alvneiayu
Contributor

hi @StianHaugland1

Sorry for the late reply. Are you still reproducing the same problem? Just to investigate a little bit and try to help you.

Thanks a lot

Álvaro

@StianHaugland1
Contributor Author

Yes I still have the same problem

@alvneiayu
Contributor

Could you share with me the logs with the error, please? And the last values that you are using, so I can try to reproduce the problem.

Thanks a lot

Álvaro

@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Nov 28, 2021
@github-actions

github-actions bot commented Dec 4, 2021

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
