[bitnami/keycloak] Add custom certs to system truststore #27197

Merged: 8 commits, Jul 8, 2024

Conversation

@moritzwiechers (Contributor) commented Jun 17, 2024

To enable HTTPS communication with hosts whose certificates were issued by custom CAs.

Description of the change

Added the option to specify a secret which contains the custom CA certificates. They will be mounted into the container and loaded on Keycloak startup by setting the environment variable KC_TRUSTSTORE_PATHS.

Benefits

  • Easy way to add custom CAs to Keycloak to communicate with on-prem LDAP servers, identity providers, etc.
  • No need to configure keystores/truststores, add keys or change other TLS settings

Applicable issues

Should resolve:

Checklist

  • Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
  • Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
  • Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
  • All commits signed off and in agreement of Developer Certificate of Origin (DCO)

Jun 17, 2024: github-actions bot added the keycloak and triage labels and requested a review from carrodher.
Jun 17, 2024: moritzwiechers changed the title from "[bitnami/keycloak] Add custom certs to system truststore to enable ht…" to "[bitnami/keycloak] Add custom certs to system truststore".
Jun 17, 2024: carrodher added the verify and in-progress labels; the triage label was removed and the review request moved from carrodher to migruiz4.
@migruiz4 (Member) left a comment
Hi @moritzwiechers,

Thank you for your contribution! Since this is a new feature, could you please bump a minor version?

@migruiz4 (Member) left a comment

Could you please update the value description? I left a suggestion below:

@@ -138,6 +138,11 @@ auth:
## @param auth.annotations Additional custom annotations for Keycloak auth secret object
##
annotations: {}
## Custom Certificates
## @param customCaExistingSecret define a secret for merging certificates to the system trustore like custom ca-certs (pem, pkcs12)
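Review bot: the new `@param customCaExistingSecret` doc comment misspells "trustore" and only loosely describes the value ("merging certificates to the system trustore like custom ca-certs"); since readme-generator-for-helm copies this line into README.md verbatim, it should state what the value is (the name of an existing secret), how it is consumed (mounted as a directory and passed to Keycloak through KC_TRUSTSTORE_PATHS, as the PR description says) and which formats are accepted (PEM, PKCS12). Suggested wording: `## @param customCaExistingSecret Name of an existing secret containing custom CA certificates (PEM or PKCS12); mounted as a directory and passed to Keycloak via KC_TRUSTSTORE_PATHS`.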

Suggested change
## @param customCaExistingSecret define a secret for merging certificates to the system trustore like custom ca-certs (pem, pkcs12)
## @param customCaExistingSecret Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS.

@moritzwiechers (Contributor, Author) commented Jun 18, 2024

Thanks for your review.
Updated the value description and put it in one commit with the README update and version bump.

moritzwiechers and others added 2 commits June 18, 2024 15:47
@moritzwiechers (Contributor, Author):

@migruiz4 Is there anything you need from me to advance with your review?

migruiz4 and others added 3 commits July 8, 2024 11:51
@migruiz4 (Member) left a comment

Looks good to me!

@migruiz4 migruiz4 enabled auto-merge (squash) July 8, 2024 10:04
@migruiz4 migruiz4 merged commit 82b4d3e into bitnami:main Jul 8, 2024
11 checks passed
@luhahn (Contributor) commented Jul 8, 2024

That's basically what we're currently trying to do; does it work for you this way? It still seems LDAPS ignores our certificates.

@moritzwiechers (Contributor, Author):

That's basically what we're currently trying to do; does it work for you this way? It still seems LDAPS ignores our certificates.

Hey,
It should work for LDAP; the docs name it outgoing SSL connections. I tested it with an MS ADFS configured as OIDC identity provider. Maybe you could show your config and the startup log from your Keycloak container.
Also please make sure that the server you are trying to connect to sends the correct cert including the whole certificate chain (especially when you use intermediate CAs; explanation).

Grougalorasalar pushed a commit to Grougalorasalar/charts that referenced this pull request Jul 8, 2024
* [bitnami/keycloak] Add custom certs to system truststore to enable https-communication with hosts with certificates generated by custom ca's.

Signed-off-by: Moritz Wiechers <moritz.wiechers@gmail.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/keycloak] review-rework Changed chart version and param description

Signed-off-by: Moritz Wiechers <moritz.wiechers@gmail.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Moritz Wiechers <moritz.wiechers@gmail.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Miguel Ruiz <miruiz@vmware.com>
@chee-yee commented Oct 13, 2024

Hi, please can someone share an example of the required configuration in the YAML file for adding a certificate which has been created as a secret named "keycloak-ldaps-cert"?

I've added the below but still LDAPS is not able to connect - do I need to specify additional config in order for the certificate to be referenced by KeyCloak?

customCaExistingSecret: keycloak-ldaps-cert

cc: @moritzwiechers

@moritzwiechers (Contributor, Author):

Hey,
adding
customCaExistingSecret: keycloak-ldaps-cert

is the right way. You need to create the secret beforehand and it has to be in the same namespace as the Keycloak release, e.g.:

kubectl --namespace <keycloak-namespace> create secret generic keycloak-ldaps-cert --from-file=<path/to/your/keycloak-ldaps-cert.pem>

(the file name becomes the key in the secret and therefore the file name Keycloak sees under the mount directory.)

Maybe you should check your Keycloak log for any errors. When successfully loaded, a message like this should appear on startup:

keycloak 2024-08-15 13:09:47,763 INFO [org.keycloak.truststore.TruststoreBuilder] (main) Found the following truststore files under directories specified in the truststore paths [/opt/bitnami/keycloak/custom-ca/keycloak-ldaps-cert.pem, /opt/bitnami/keycloak/custom-ca/..data/keycloak-ldaps-cert.pem, /opt/bitnami/keycloak/custom-ca/..2024_08_15_13_08_42.3315499878/keycloak-ldaps-cert.pem
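
A check for the log step above, added here as example code that is neither the chart's nor the thread's own: it parses the TruststoreBuilder line Keycloak prints and reports which keys of the customCaExistingSecret secret were actually loaded, collapsing the three paths a Kubernetes secret volume projects for every key (the file itself, the ..data/ alias and the ..<timestamp>/ directory). The sample log line is the one quoted above, and the mount directory /opt/bitnami/keycloak/custom-ca and the function names are assumptions taken from it.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the TruststoreBuilder line quoted in the thread above
# (it is cut off before the closing bracket, exactly as it appears there).
SAMPLE_LOG = (
    "keycloak 2024-08-15 13:09:47,763 INFO [org.keycloak.truststore.TruststoreBuilder] "
    "(main) Found the following truststore files under directories specified in the "
    "truststore paths [/opt/bitnami/keycloak/custom-ca/keycloak-ldaps-cert.pem, "
    "/opt/bitnami/keycloak/custom-ca/..data/keycloak-ldaps-cert.pem, "
    "/opt/bitnami/keycloak/custom-ca/..2024_08_15_13_08_42.3315499878/keycloak-ldaps-cert.pem"
)

# Assumed mount point of the secret, as shown in the log line above.
MOUNT_DIR = "/opt/bitnami/keycloak/custom-ca"

# The closing "]" is optional so a truncated line (as quoted above) still parses.
TRUSTSTORE_RE = re.compile(r"TruststoreBuilder\].*?truststore paths \[(?P<paths>[^\]]*)")


def truststore_files(log_text: str) -> set[str]:
    """Distinct file names Keycloak reported under the custom-ca mount.

    The kubelet writes a secret volume as <mount>/<key> plus <mount>/..data/<key>
    and <mount>/..<timestamp>/<key>, so every key is listed three times; this
    collapses them to one entry per secret key.
    """
    names: set[str] = set()
    for match in TRUSTSTORE_RE.finditer(log_text):
        for raw in match.group("paths").split(","):
            path = PurePosixPath(raw.strip())
            if str(path).startswith(MOUNT_DIR + "/"):
                names.add(path.name)
    return names


def check_secret_loaded(log_text: str, secret_keys: list[str]) -> dict[str, bool]:
    """For each key of the customCaExistingSecret secret, True if Keycloak loaded it."""
    found = truststore_files(log_text)
    return {key: key in found for key in secret_keys}


if __name__ == "__main__":
    # Compare the keys you put into the secret against what Keycloak reported.
    print(check_secret_loaded(SAMPLE_LOG, ["keycloak-ldaps-cert.pem", "intermediate.pem"]))
```

A key that shows False here was never read by Keycloak, which points at the secret name, namespace or key name rather than at the LDAP server's chain.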

@chee-yee:

Thanks for responding @moritzwiechers and will give it a try. Do you know if we need to specify any other parameters in the yaml file for KeyCloak to reference this certificate during LDAPS connection or is this the only config required?

@luhahn (Contributor) commented Oct 14, 2024

I couldn't get it to work with LDAPS and simple certificates, so I ended up creating a Java truststore and loaded it with

extraEnvVars:
  # Point the JVM at the mounted truststore instead of using KC_TRUSTSTORE_PATHS
  - name: JAVA_OPTS
    value: "-Djavax.net.ssl.trustStore=/opt/keycloak/truststores/truststore.jks -Djavax.net.ssl.trustStorePassword=changeme"

extraVolumes:
  - name: ca-secret
    secret:
      secretName: certificates-secret
      defaultMode: 420   # decimal 420 = octal 0644
      items:
        - key: truststore.jks   # key in the secret ...
          path: truststore.jks  # ... becomes this file name under mountPath

extraVolumeMounts:
  - name: ca-secret
    mountPath: /opt/keycloak/truststores
    readOnly: true

Labels: keycloak, solved, verify