This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/keycloak] how to add ca cert for connecting https sites #10192

Closed
Hokwang opened this issue Dec 21, 2018 · 4 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@Hokwang

Hokwang commented Dec 21, 2018

Is this a request for help?:
yes

Version of Helm and Kubernetes:
1.11.3

Which chart:
stable/keycloak

I am in a corporate proxy environment, and my OpenID Auth URL is https (only https is provided).

A simple fix would be to add the CA cert to the Keycloak docker image,
but the docker image does not provide the update-ca-certificates command.

So I have to do it in Kubernetes (the helm chart).
I think I need to run commands like:

mkdir -p $JBOSS_HOME/.cacerts/
cp $JAVA_HOME/jre/lib/security/cacerts $JBOSS_HOME/.cacerts/
# -storepass changeit is the default password of the JDK cacerts file;
# -noprompt skips the interactive "Trust this certificate?" question so this runs unattended
$JAVA_HOME/bin/keytool -keystore $JBOSS_HOME/.cacerts/cacerts -storepass changeit -noprompt -importcert -alias my -file /opt/jboss/cacert/ca.crt

The ca.crt file is volume mounted from a secret.

How do I do this?

And I need to use the options below.

-Djavax.net.ssl.trustStore=$JBOSS_HOME/.cacerts/cacerts
-Djavax.net.ssl.trustStorePassword=changeit

I can handle this using extraArgs,
but I think it does not actually work.

For now, my values.yaml is:

keycloak:
  basepath: keycloak
  username: keycloakadmin
  password: "1qaz2wsx"
  extraArgs: -Djavax.net.ssl.trustStore=/opt/jboss/keycloak/.cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit
  extraEnv: |
    - name: https_proxy
      value: http://1.2.3.4:8080
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  extraVolumes: |
    - name: scert
      secret:
        secretName: scert
  extraVolumeMounts: |
    - name: scert
      mountPath: /opt/jboss/.cacerts
      readOnly: true
  ingress:
    enabled: true
    path: /keycloak
    hosts:
    - test.net
    tls:
    - hosts:
      - test.net
      secretName: ingress-tls
@stale

stale bot commented Jan 23, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

@stale stale bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 23, 2019
@stale

stale bot commented Feb 6, 2019

This issue is being automatically closed due to inactivity.

@stale stale bot closed this as completed Feb 6, 2019
@deepti-cloudibility

Can anyone answer this part, as I'm also facing the same issue.

@zvaraondrej

Hey there,

I have been dealing with a similar issue, working with the recommended KC helm chart.

As stated in the KC docker docs:

Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:

tls.crt - a certificate
tls.key - a private key
Those files need to be mounted in /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.

and

It is also possible to provide an additional CA bundle and setup Mutual TLS this way. In that case, you need to mount an additional volume (or multiple volumes) to the image. These volumes should contain all necessary crt files. The final step is to configure the X509_CA_BUNDLE environment variable to contain a list of the locations of the various CA certificate bundle files specified before, separated by a space.

This means you need to store all the certs in a single secret, then mount the secret as files to the appropriate destination:

The secret:

...
kind: Secret
metadata:
  name: certs-secret-name
data:
  # each key becomes a file of that name under the mountPath
  certA.pem: <base64_encoded_certA_value>
  certB.pem: <base64_encoded_certB_value>

Helm values:

extraVolumes: |
    ...
    - name: certs
      secret:
        secretName: certs-secret-name

extraVolumeMounts: |
    ...
    - name: certs
      mountPath: /etc/x509/https

extraEnv: |
    - name: X509_CA_BUNDLE
      value: /etc/x509/https/certA.pem /etc/x509/https/certB.pem

If you need to configure truststore settings, you can manipulate those using the JBoss CLI:

 cli:
   ...
   custom: |
      /subsystem=keycloak-server/spi=truststore/provider=file/:write-attribute(name=properties.<prop-name>,value=<value>)

This can be useful in case you are using self-signed PKIs; you might need to disable hostname verification, e.g.:

/subsystem=keycloak-server/spi=truststore/provider=file/:write-attribute(name=properties.hostname-verification-policy,value=ANY)
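
As an added example (not from this thread, the chart or the Keycloak image), the following Python script prepares the inputs for the approach in the comment above: it splits a PEM bundle into individual certificates, rejects any block that is not valid base64 or does not decode to a DER SEQUENCE, stores them in a Secret whose keys are exactly the file names that will appear under the mount path, and derives the matching space-separated X509_CA_BUNDLE value. The secret name, mount path, key prefix and the two PEM blocks are constructed for the example; the blocks are minimal DER placeholders, not real CA certificates.

```python
import base64
import json
import re

# Matches each PEM certificate block in a bundle; the body is captured lazily
# so consecutive blocks do not run together.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample bundle: each body is the base64 of a tiny DER SEQUENCE
# (30 03 02 01 01 and 30 03 02 01 02), standing in for real CA certificates.
SAMPLE_BUNDLE = """\
# corporate root (constructed placeholder)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
# intermediate (constructed placeholder)
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""


def split_pem_bundle(bundle: str) -> list[str]:
    """Return every certificate in `bundle` as a normalised PEM block.

    Each body must be valid base64 and decode to bytes starting with the DER
    SEQUENCE tag (0x30); anything else is rejected rather than mounted.
    """
    certs = []
    for match in PEM_BLOCK.finditer(bundle):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"certificate {len(certs)}: bad base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate {len(certs)}: not a DER SEQUENCE")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(
            f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        )
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs


def build_secret(name: str, certs: list[str], prefix: str = "ca") -> dict:
    """Build a Kubernetes Secret whose keys are the file names under the mount."""
    data = {
        f"{prefix}{index}.pem": base64.b64encode(pem.encode()).decode()
        for index, pem in enumerate(certs)
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": data,
    }


def mounted_file(secret: dict, key: str) -> str:
    """What the kubelet will write under the mount for `key` (round-trip check)."""
    return base64.b64decode(secret["data"][key]).decode()


def x509_ca_bundle(secret: dict, mount_path: str = "/etc/x509/https") -> str:
    """Space-separated list of mounted file paths, one per Secret key."""
    return " ".join(f"{mount_path}/{key}" for key in sorted(secret["data"]))


def extra_env_values(secret: dict, mount_path: str = "/etc/x509/https") -> str:
    """The `extraEnv` fragment for the chart, pointing at the mounted files."""
    return (
        "extraEnv: |\n"
        "  - name: X509_CA_BUNDLE\n"
        f"    value: {x509_ca_bundle(secret, mount_path)}\n"
    )


if __name__ == "__main__":
    secret = build_secret("certs-secret-name", split_pem_bundle(SAMPLE_BUNDLE))
    print(json.dumps(secret, indent=2))  # kubectl apply -f accepts JSON manifests
    print(extra_env_values(secret))
```

Feed the script your real bundle instead of SAMPLE_BUNDLE; the point of deriving the env value from the Secret's keys is that the file names referenced in X509_CA_BUNDLE cannot drift from the names actually mounted, which is the usual reason this setup silently does nothing.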
