Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Propagate custom CA certificate into Keycloak trust store #267

Merged
merged 1 commit into from
May 29, 2020
Merged

Propagate custom CA certificate into Keycloak trust store #267

merged 1 commit into from
May 29, 2020

Conversation

mmorhun
Copy link
Contributor

@mmorhun mmorhun commented May 18, 2020
edited by tolusha
Loading

Signed-off-by: Mykola Morhun mmorhun@redhat.com

What this PR does

We have serverTrustStoreConfigMapName parameter in Che CR, which hold name of config map with custom CA certificates. They are added into Che server trust store only, but to fully support trusting to custom CA certificates we need to propagate them into Keycloak and user workspaces.
This PR adds functionality which propagates custom CA certificates into Keycloak trust store.

Reference issue

https://issues.redhat.com/browse/CRW-336

How to test

  1. Create a configmap which has CA certificates only.
    This could be done via kubectl apply -f <yaml> where the config map definition could be like:
--- 
apiVersion: v1
kind: ConfigMap
metadata: 
  name: ca-certs
data: 
  demoCA.crt: |
    -----BEGIN CERTIFICATE-----
    MIIE9DCCAtygAwIBAgIULvsF/i5fe7k9lmHB5vVcYVzUu6IwDQYJKoZIhvcNAQEL
    ...
    yIxypcdoasYNfQA8pv4jaOaOo6ED61Wi
    -----END CERTIFICATE-----
  testCA.crt: |
    -----BEGIN CERTIFICATE-----
    MIIE9DCCAtygAwIBAgIUclWFCOb945tF50cWQOOIhrKHgOYwDQYJKoZIhvcNAQEL
   ...
    hl7GDIY6ql9YpHFsyUuNG4mNqq8NLt1X
    -----END CERTIFICATE-----
  1. Modify Che custom resource by adding serverTrustStoreConfigMapName under spec.server. Or this could be done by providing --che-operator-cr-patch-yaml option to chectl. Pathc file content:
spec:
  server:
    serverTrustStoreConfigMapName: "ca-certs"
  1. Exec into Keycloak container and query trust store for certificates.

@mmorhun mmorhun self-assigned this May 18, 2020
@tolusha tolusha closed this May 18, 2020
@tolusha
Copy link
Contributor

tolusha commented May 18, 2020

The changes will be included in another PR.

@tolusha tolusha reopened this May 27, 2020
@tolusha
Copy link
Contributor

tolusha commented May 27, 2020

corresponding doc
https://www.eclipse.org/che/docs/che-7/adding-custom-certificates-to-trust-store/

@tolusha tolusha mentioned this pull request May 27, 2020
Closed
56 tasks
@mmorhun
Copy link
Contributor Author

mmorhun commented May 27, 2020

Retested: certificates propagation into Keycloak trust store works as expected.

@tolusha tolusha force-pushed the crw-640-1 branch 2 times, most recently from 828e94b to 090a630 Compare May 28, 2020 09:24
@benoitf benoitf changed the title Propogate custom CA certificate into Keycloak trust store Propagate custom CA certificate into Keycloak trust store May 28, 2020
davidfestal
davidfestal approved these changes May 29, 2020
View reviewed changes
Copy link
Contributor

@davidfestal davidfestal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved with just a question

pkg/deploy/deployment_keycloak.go
addCertToTrustStoreCommand := addRouterCrt + " && " + addOpenShiftAPICrt + " && " + addMountedCrt + " && " + addMountedServiceCrt + " && " + importJavaCacerts
customPublicCertsDir := "/public-certs"
customPublicCertsVolumeSource := corev1.VolumeSource{}
if checluster.Spec.Server.ServerTrustStoreConfigMapName != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So you preferred creating the volume in any case and leaving the volume source empty in case no public certificate is provided ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right

@tolusha
Propogate custom CA certificate into Keycloak trust store
df91fa3 
Signed-off-by: Anatoliy Bazko <abazko@redhat.com>
@tolusha tolusha merged commit 08c4714 into master May 29, 2020
@tolusha tolusha deleted the crw-640-1 branch May 29, 2020 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tolusha tolusha tolusha approved these changes

@davidfestal davidfestal davidfestal approved these changes

@AndrienkoAleksandr AndrienkoAleksandr AndrienkoAleksandr approved these changes

@sleshchenko sleshchenko Awaiting requested review from sleshchenko

@vinokurig vinokurig Awaiting requested review from vinokurig

@l0rd l0rd Awaiting requested review from l0rd

@nickboldt nickboldt Awaiting requested review from nickboldt

@rhopp rhopp Awaiting requested review from rhopp

@vparfonov vparfonov Awaiting requested review from vparfonov

Assignees

@mmorhun mmorhun

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mmorhun @tolusha @davidfestal @AndrienkoAleksandr