
Comments (11)

bbfeng1979 commented on July 17, 2024

The Keycloak image provides a facility for loading external certificates; see the "Setting up TLS(SSL)" section at https://hub.docker.com/r/jboss/keycloak. The solution here is as follows: first generate a ConfigMap containing all the certificates yourself, then add the settings below to the Values, where keycloak-outgoing-ca is your own CM:

    extraEnv: |
      - name: X509_CA_BUNDLE
        value: "/tmp/certs/*.crt"
    extraVolumeMounts: |
      - name: keycloak-outgoing-ca
        mountPath: /tmp/certs
    extraVolumes: |
      - name: keycloak-outgoing-ca
        configMap:
          name: keycloak-outgoing-ca

Once that is done, configure Email in the Realm, add a mailbox that uses SSL, enable the Forgot Password feature under Login, and then test whether you can recover the password through the mailbox. For other similar cases where an external certificate needs to be added, just modify keycloak-outgoing-ca to add the certificate.

from helm-charts.
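Building the keycloak-outgoing-ca ConfigMap by hand is where this approach usually goes wrong: a DER file named .crt, PEM text that was base64-encoded a second time, a CRLF file saved on Windows, or a private key copied along with its certificate. The script below is an added example, not code from the helm-charts project or from the comment above. It validates a directory of PEM files and renders the ConfigMap that the extraVolumes snippet mounts at /tmp/certs, so that X509_CA_BUNDLE="/tmp/certs/*.crt" finds one literal PEM file per key. The directory layout, the script name and the constructed PEM bodies used in the usage line are assumptions.

```shell
#!/usr/bin/env sh
# make-ca-configmap.sh (added example; not code from the helm-charts project
# or from this comment). Validates a directory of PEM CA files and prints
# the ConfigMap that the extraVolumes snippet mounts at /tmp/certs.
# Usage: sh make-ca-configmap.sh ./certs keycloak-outgoing-ca | kubectl apply -f -

# Print the number of certificates in a PEM file; fail on DER, on
# base64-wrapped PEM, or on unbalanced BEGIN/END markers.
pem_cert_count() {
  begins=$(grep -c -F -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -F -- '-----END CERTIFICATE-----' "$1" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    return 1
  fi
  echo "$begins"
}

# Reject anything that is not pure certificate material: a file that also
# carries a private key must never be mounted into the Keycloak pod.
check_pem_file() {
  if grep -q 'PRIVATE KEY' "$1"; then
    echo "refusing $1: contains a private key" >&2
    return 1
  fi
  pem_cert_count "$1" || { echo "$1: not PEM certificate data" >&2; return 1; }
}

# Validate every *.crt in DIR (X509_CA_BUNDLE="/tmp/certs/*.crt" only picks
# up that extension) and print the total size in bytes.
validate_cert_dir() {
  total=0
  found=0
  for f in "$1"/*.crt; do
    [ -e "$f" ] || break
    found=1
    key=$(basename "$f")
    case $key in
      *[!A-Za-z0-9._-]*) echo "$key: not a valid ConfigMap key" >&2; return 1 ;;
    esac
    check_pem_file "$f" >/dev/null || return 1
    total=$((total + $(wc -c < "$f")))
  done
  [ "$found" -eq 1 ] || { echo "no *.crt files in $1" >&2; return 1; }
  # The API server caps ConfigMap data at 1 MiB.
  [ "$total" -le 1048576 ] || { echo "bundle is $total bytes, over the 1 MiB ConfigMap limit" >&2; return 1; }
  echo "$total"
}

# Render the ConfigMap: one key per file, the PEM text verbatim (literal
# block scalar, not base64; the chart mounts each value as a file as-is).
render_configmap() {
  name=$1
  dir=$2
  validate_cert_dir "$dir" >/dev/null || return 1
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\ndata:\n' "$name"
  for f in "$dir"/*.crt; do
    printf '  %s: |\n' "$(basename "$f")"
    # Indent four spaces and drop CR from Windows-saved files; awk always
    # terminates the last line so the next key starts on its own line.
    awk '{ sub(/\r$/, ""); print "    " $0 }' "$f"
  done
}

main() {
  [ $# -eq 2 ] || { echo "usage: $0 <cert-dir> <configmap-name>" >&2; return 2; }
  render_configmap "$2" "$1"
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Pipe the output into kubectl apply rather than using --from-file, so the manifest can be reviewed and version-controlled; the validation step refuses to emit anything if a single file in the directory is not certificate-only PEM.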

tkg61 commented on July 17, 2024

The Keycloak image provides a facility for loading external certificates; see the "Setting up TLS(SSL)" section at https://hub.docker.com/r/jboss/keycloak. The solution here is as follows: first generate a ConfigMap containing all the certificates yourself, then add the settings below to the Values, where keycloak-outgoing-ca is your own CM:

    extraEnv: |
      - name: X509_CA_BUNDLE
        value: "/tmp/certs/*.crt"
    extraVolumeMounts: |
      - name: keycloak-outgoing-ca
        mountPath: /tmp/certs
    extraVolumes: |
      - name: keycloak-outgoing-ca
        configMap:
          name: keycloak-outgoing-ca

Once that is done, configure Email in the Realm, add a mailbox that uses SSL, enable the Forgot Password feature under Login, and then test whether you can recover the password through the mailbox. For other similar cases where an external certificate needs to be added, just modify keycloak-outgoing-ca to add the certificate.

Thanks for this! This solution solved my issue in running the latest version (9.0) inside of a Kubernetes cluster running on a postgres db and using Helm to deploy.

I created my own values.yaml config, added these in under the keycloak section and had a config map made already to hold my cert (key was ca.crt and value was the plain text of the cert, not b64 encoded)

Hope it helps someone else out!


ognjen-it commented on July 17, 2024

Hello All,

I have had the same issue as you and couldn't resolve it with the messages above. So, I will try to explain to all people who want to resolve it as simply as possible.

  • Step 1
    You need to have the CA certificate of the LDAPS server. Then run the following command to add this CA certificate to truststore.jks:
    keytool -import -alias your.ldaps.domain.com -keystore truststore.jks -file ca.crt
    You will be asked to create a password. This password needs to be in the file keycloak-values.yml, which you will create in Step 3.

  • Step 2
    After that, you will see truststore.jks in the current directory. Next, you need to add it to a Kubernetes secret:
    kubectl create secret generic ldap-keystore --from-file=truststore.jks

  • Step 3
    Then create the file keycloak-values.yml with the following content. You just need to change LDAPS_TRUSTSTORE_PASSWORD to the password you created in Step 1.

extraEnv: |
  - name: KEYCLOAK_USER
    value: AdminUser
  - name: KEYCLOAK_PASSWORD
    value: AdminPassword
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: JAVA_OPTS
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.net.preferIPv4Stack=true
      -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
      -Djava.awt.headless=true
      -Djavax.net.ssl.trustStore=/opt/jboss/.cacerts/truststore.jks
      -Djavax.net.ssl.trustStorePassword=LDAPS_TRUSTSTORE_PASSWORD
extraVolumes: |
  - name: scert
    secret:
      secretName: ldap-keystore
extraVolumeMounts: |
  - name: scert
    mountPath: /opt/jboss/.cacerts
    readOnly: true

  • Step 4
    You can deploy your Keycloak through Helm!
    helm install keycloak codecentric/keycloak -f keycloak-values.yml

Happy helming! :)


unguiculus commented on July 17, 2024

Check out this example for our Jenkins chart. You should be able to adapt it and achieve something similar for Keycloak:

https://github.com/codecentric/helm-charts/tree/master/charts/jenkins#updating-javas-truststore


wilf1rst commented on July 17, 2024

Hello @unguiculus,
I checked your documentation but I struggle to reproduce the same for Keycloak.

Here's what i tried.
I created a config map that contains my ldap-ca.crt:

kubectl -n keycloak create configmap ldap-ca-configmap --from-file=ldap-ca.crt --dry-run --output yaml | kubectl apply -f -

I downloaded your helm charts and modified the values.yaml to add the following:

referenceContent:
  - relativeDir: custom-init-scripts
    defaultMode: 0555
    data:
      - fileName: truststore.sh
        fileContent: |
          #!/usr/bin/env bash

          echo 'Adding CA certificate to Java truststore...'
          cd /opt/jboss/keycloak/standalone/configuration/keystores
          chmod 666 /opt/jboss/keycloak/standalone/configuration/keystores
          keytool -keystore truststore -storepass [a strong password] -noprompt -trustcacerts -importcert -alias ldap-ca -file ./ldap-ca/ldap-ca.crt
          chmod 444 /opt/jboss/keycloak/standalone/configuration/keystores

## Additional init containers, e. g. for providing custom themes
extraInitContainers: |
  - name: keycloak-truststore-init
    # a container spec has no separate "tag" field; the tag belongs in the image reference
    image: jboss/keycloak:6.0.1
    imagePullPolicy: IfNotPresent
    command:
      - /opt/jboss/keycloak/custom-init-scripts/truststore.sh
    volumeMounts:
      - name: ldap-ca
        mountPath: /opt/jboss/keycloak/standalone/configuration/keystores/ldap-ca
      - name: truststore
        mountPath: /opt/jboss/keycloak/standalone/configuration/keystores

extraVolumes: |
  - name: ldap-ca
    configMap:
      name: ldap-ca-configmap
  - name: truststore
    emptyDir: {}

extraVolumeMounts: |
  - name: truststore
    mountPath: /opt/jboss/keycloak/standalone/configuration/keystores

javaOpts: >-
  -Djavax.net.ssl.trustStore=/opt/jboss/keycloak/standalone/configuration/keystores/truststore

One of the problems I encounter is this one when I launch the helm chart with the modified values:

Error: failed to start container "keycloak-truststore-init": Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"/opt/jboss/keycloak/custom-init-scripts/truststore.sh\": stat /opt/jboss/keycloak/custom-init-scripts/truststore.sh: no such file or directory": unknown

I think it's because I don't have persistence on the keycloak pod itself and I have to set up a PVC to be able to mount the volume as keycloak_home in the extraInitContainers to be able to perform the operation. I also have to modify the statefulset templates to mount the keycloak_home volume on the keycloak containers.

What do you think ?


Elegant996 commented on July 17, 2024

The current helm chart does not support this. referenceContent does not exist so defining it has no effect. We would need this functionality added so we could use it in the extraInitContainers. Thanks!


vishalreddy277 commented on July 17, 2024

@wilf1rst did you find a solution for this? Even I am stuck on the same issue regarding certs.


unguiculus commented on July 17, 2024

The chart supports custom startup scripts. The following should be possible:

keycloak:
  startupScripts:
    truststore.sh: |
      #!/usr/bin/env bash

      echo 'Adding CA certificate to Java truststore...'
      cd /opt/jboss/keycloak/standalone/configuration/keystores
      chmod 666 /opt/jboss/keycloak/standalone/configuration/keystores
      keytool -keystore truststore -storepass [a strong password] -noprompt -trustcacerts -importcert -alias ldap-ca -file ./ldap-ca/ldap-ca.crt
      chmod 444 /opt/jboss/keycloak/standalone/configuration/keystores


mikemowgli commented on July 17, 2024

@unguiculus , this is an interesting proposal, though I wonder 3 things:

  1. how can the Helm values file pass the content of the file to add? Your above script mentions -file ./ldap-ca/ldap-ca.crt but the file needs to be exposed to the running container...
  2. where is it configured that anything in /opt/jboss/keycloak/standalone/configuration/keystores will be taken into account by Keycloak? As the official doc states that a trust store should be configured with a <spi name="truststore"> block, and there is none of it in standalone.xml.
  3. Assuming anything in that subdirectory will indeed be treated as additional keystores by Keycloak, how will it guess [a stong password] defined in your above script?

Currently the ability to add keystores as a chart value is blocking us so I'm eager to work on this...


mikemowgli commented on July 17, 2024

I finally managed to get my custom certificates trusted with a combination of:

  • an extra init container that copies the certificates in an extra volume
  • the X509_CA_BUNDLE variable (used in this script: /opt/jboss/tools/x509.sh)
  • keycloak v8.0.1 image

Warnings:

  • There's a bug in keycloak docker image v7.0.0 in the /opt/jboss/tools/x509.sh script that is fixed in v8.0.1. Make sure to use that one.
  • Make sure to explicitly define the PROXY_ADDRESS_FORWARDING variable since the usage of any other variable in extraEnv will undefine the default value for extraEnv.
  • All the pipes "|" you see are necessary since the chart uses the tpl function
  • The quotes around the value true for the PROXY_ADDRESS_FORWARDING variable are necessary

keycloak:
  image:
    repository: jboss/keycloak
    tag: 8.0.1
  extraEnv: |
    - name: X509_CA_BUNDLE
      value: "/tmp/certs/*.crt"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  extraInitContainers: |
    - name: certs
      image: my.private.registry/certs
      imagePullPolicy: Always
      command:
        - sh
      args:
        - -c
        - |
          echo "Copying certificates..."
          cp -r /certs/* /tmp/certs
      volumeMounts:
        - name: certs
          mountPath: /tmp/certs
  extraVolumeMounts: |
    - name: certs
      mountPath: /tmp/certs
  extraVolumes: |
    - name: certs
      emptyDir: {}

Here's my Dockerfile for the init container:

FROM busybox

COPY certs/ /certs/


rdcarrera commented on July 17, 2024

Hi, I created a container with an easy way to solve this, I copied the idea from: https://github.com/codecentric/helm-charts/tree/master/charts/jenkins#updating-javas-truststore,

https://github.com/rdcarrera/add-ca-to-cacert

First you must create a configmap with the certificate:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: a-ca-certificate
data:
  ca.pem: |-
    -----BEGIN CERTIFICATE-----
    fooooooo
    ......
    fooooooo
    -----END CERTIFICATE-----

And then add this to your Helm values file:

---
keycloak:
  extraInitContainers: |
    - name: "trust-ca-certificate"
      image: "rdcarrera/add-ca-to-cacert"
      imagePullPolicy: Always
      env:
      - name: CACERT_DEST
        value: "/test"
      volumeMounts:
      - name: cacerts-binary
        mountPath: /test
      - name: a-ca-certificate
        mountPath: /certs/ca.pem
        subPath: ca.pem

  extraVolumeMounts: |
    - name: cacerts-binary
      mountPath: /etc/pki/ca-trust/extracted/java/cacerts
      subPath: cacerts
      readOnly: true

  extraVolumes: |
    - name: a-ca-certificate
      configMap:
        name: a-ca-certificate
    - name: cacerts-binary
      emptyDir: {}

Also, thanks to @unguiculus.

Regards.

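Two of the approaches in this thread replace the JVM trust store: ognjen-it's truststore.jks passed via -Djavax.net.ssl.trustStore, and the add-ca-to-cacert init container above that mounts a rebuilt cacerts over the JDK's own. The caveat with a store that holds only the LDAP CA is that -Djavax.net.ssl.trustStore also removes trust in every public CA the JDK ships with, so SMTP or identity-brokering connections to publicly signed endpoints start failing. The init-container script below is an added example, not rdcarrera's image and not code from the helm-charts project: it copies the JDK's own cacerts to a shared volume and imports every certificate from the mounted PEM files into that copy, so private and public CAs are both trusted. keytool -importcert stores a single certificate under an alias, so bundles are split first. The mount paths (/certs, /truststore/cacerts), the cacerts candidate locations and the use of the JDK's default "changeit" store password are assumptions to adjust for the image in use.

```shell
#!/usr/bin/env sh
# import-cas.sh: init-container entrypoint (added example, not code from the
# helm-charts repository or from rdcarrera's image).
# Copies the JDK's default cacerts to a writable volume and imports every
# certificate found under CERT_DIR, so the JVM keeps trusting public CAs
# while also trusting the private ones. Run as: sh import-cas.sh run
set -eu

CERT_DIR=${CERT_DIR:-/certs}                 # assumed: ConfigMap mount
OUT_STORE=${OUT_STORE:-/truststore/cacerts}  # assumed: emptyDir shared with Keycloak
STORE_PASS=${STORE_PASS:-changeit}           # JDK default cacerts password

# Return the first existing path from a colon-separated list of candidates.
find_cacerts() {
  old_ifs=$IFS
  IFS=:
  for p in $1; do
    if [ -f "$p" ]; then
      IFS=$old_ifs
      echo "$p"
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Turn a file name into a keytool alias: extension dropped, lower-cased,
# anything outside [a-z0-9] replaced by '-' ("Corp Root CA.crt" -> "corp-root-ca").
alias_from_filename() {
  base=$(basename "$1")
  base=${base%.*}
  printf '%s' "$base" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9' '-'
}

# Split a PEM bundle into PREFIX-1.pem, PREFIX-2.pem, ... (CRLF stripped)
# and print how many certificates were written.
split_pem_bundle() {
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
    out != "" { sub(/\r$/, ""); print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }
  ' "$1"
}

import_all() {
  # JDK 9+ layout, JDK 8 layout, then the RHEL/CentOS system link (assumed paths).
  src=$(find_cacerts "${JAVA_HOME:-/nonexistent}/lib/security/cacerts:${JAVA_HOME:-/nonexistent}/jre/lib/security/cacerts:/etc/pki/ca-trust/extracted/java/cacerts") \
    || { echo "no JDK cacerts found; set JAVA_HOME" >&2; return 1; }
  cp "$src" "$OUT_STORE"
  chmod 644 "$OUT_STORE"   # Keycloak only needs to read it
  work=$(mktemp -d)
  added=0
  for f in "$CERT_DIR"/*; do
    [ -f "$f" ] || continue
    # Never let a private key ride along into the trust-store volume.
    if grep -q 'PRIVATE KEY' "$f"; then
      echo "refusing $f: contains a private key" >&2
      return 1
    fi
    a=$(alias_from_filename "$f")
    n=$(split_pem_bundle "$f" "$work/$a")
    i=1
    while [ "$i" -le "$n" ]; do
      keytool -importcert -noprompt -trustcacerts \
        -alias "$a-$i" -file "$work/$a-$i.pem" \
        -keystore "$OUT_STORE" -storepass "$STORE_PASS"
      # Fail the init container loudly if the alias did not land in the store.
      keytool -list -keystore "$OUT_STORE" -storepass "$STORE_PASS" -alias "$a-$i" >/dev/null
      added=$((added + 1))
      i=$((i + 1))
    done
  done
  rm -rf "$work"
  [ "$added" -gt 0 ] || { echo "no certificates found in $CERT_DIR" >&2; return 1; }
  echo "imported $added certificate(s) into $OUT_STORE"
}

if [ "${1:-}" = "run" ]; then
  import_all
fi
```

Mount the resulting file over the JDK's cacerts path (as the extraVolumeMounts entry above does) or point -Djavax.net.ssl.trustStore at it; either way the store now carries the public CAs plus the imported private ones, and the init container exits non-zero instead of letting Keycloak start with a partial trust store.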
