Comments (11)
The Keycloak image provides a way to load external certificates; see the "Setting up TLS(SSL)" section at https://hub.docker.com/r/jboss/keycloak. The solution here is as follows: first generate a ConfigMap containing all the certificates yourself, then add the settings below to the values, where keycloak-outgoing-ca is your own ConfigMap:
extraEnv: |
  - name: X509_CA_BUNDLE
    value: "/tmp/certs/*.crt"
extraVolumeMounts: |
  - name: keycloak-outgoing-ca
    mountPath: /tmp/certs
extraVolumes: |
  - name: keycloak-outgoing-ca
    configMap:
      name: keycloak-outgoing-ca
Once that is done, configure Email in the Realm, add a mailbox that uses SSL, enable the Forgot Password option under Login, and then test whether a password can be recovered by email. For other cases that similarly require adding an external certificate, just edit keycloak-outgoing-ca and add the certificate there.
from helm-charts.
Thanks for this! This solution solved my issue in running the latest version (9.0) inside of a Kubernetes cluster running on a postgres db and using Helm to deploy.
I created my own values.yaml config, added these in under the keycloak section and had a config map made already to hold my cert (the key was ca.crt and the value was the plain text of the cert, not b64 encoded).
Hope it helps someone else out!
from helm-charts.
Hello All,
I have had the same issue as you and couldn't resolve it with the messages above. So, I will try to explain to all people who want to resolve it as simply as possible.
Step 1
You need to have the CA certificate of LDAPS. Then run the next command to add this CA certificate to the truststore.jks:
keytool -import -alias youre.ldaps.domain.com -keystore truststore.jks -file ca.crt
You will be asked to create the password. This password needs to be in the file keycloak-values.yml which you will create in Step 3.
Step 2
After that, you will see truststore.jks in the current directory. Next, you need to add it to a Kubernetes secret:
kubectl create secret generic ldap-keystore --from-file=truststore.jks
Step 3
Then create the file keycloak-values.yml with the following information. You just need to change LDAPS_TRUSTSTORE_PASSWORD to the password that you created in Step 1.
extraEnv: |
  - name: KEYCLOAK_USER
    value: AdminUser
  - name: KEYCLOAK_PASSWORD
    value: AdminPassword
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: JAVA_OPTS
    value: >-
      -XX:+UseContainerSupport
      -XX:MaxRAMPercentage=50.0
      -Djava.net.preferIPv4Stack=true
      -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
      -Djava.awt.headless=true
      -Djavax.net.ssl.trustStore=/opt/jboss/.cacerts/truststore.jks
      -Djavax.net.ssl.trustStorePassword=LDAPS_TRUSTSTORE_PASSWORD
extraVolumes: |
  - name: scert
    secret:
      secretName: ldap-keystore
extraVolumeMounts: |
  - name: scert
    mountPath: /opt/jboss/.cacerts
    readOnly: true
Step 4
You can deploy your keycloak through Helm!
helm install keycloak codecentric/keycloak -f keycloak-values.yml
Happy helming! :)
from helm-charts.
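Steps 1 to 3 above, wrapped into one script as an added example that is not from the thread. It assumes keytool and kubectl are on PATH and a cluster context is configured, and it reads the truststore password from a TRUSTSTORE_PASSWORD environment variable (an assumption of this example, matching the LDAPS_TRUSTSTORE_PASSWORD placeholder in the values file) instead of prompting for it. It also refuses an input file without a PEM block and lists the alias back out of the store, so a typo in the alias or an empty or DER-encoded ca.crt is caught before the secret is created.

```shell
#!/bin/sh
# Added example (not from the thread): builds truststore.jks from a CA
# certificate and stores it in a Kubernetes secret, as in Steps 1-3.
# Assumptions: keytool and kubectl on PATH, cluster context configured,
# truststore password supplied in TRUSTSTORE_PASSWORD.

# Count PEM certificate blocks in a file; prints 0 if the file is unreadable.
pem_cert_count() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Import the CA under the given alias and list it back so the import is
# verified before anything is pushed to the cluster.
build_truststore() {
  ca_file="$1"; alias="$2"; store="${3:-truststore.jks}"
  [ -n "$TRUSTSTORE_PASSWORD" ] || { echo "TRUSTSTORE_PASSWORD is not set" >&2; return 1; }
  [ "$(pem_cert_count "$ca_file")" -ge 1 ] || { echo "$ca_file contains no PEM certificate" >&2; return 1; }
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -keystore "$store" -storepass "$TRUSTSTORE_PASSWORD" -file "$ca_file"
  keytool -list -keystore "$store" -storepass "$TRUSTSTORE_PASSWORD" -alias "$alias"
}

# Create or update the secret that the chart mounts at /opt/jboss/.cacerts.
create_keystore_secret() {
  store="$1"; name="${2:-ldap-keystore}"
  kubectl create secret generic "$name" --from-file="truststore.jks=$store" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage: TRUSTSTORE_PASSWORD=... ./make-truststore.sh --run ca.crt ldaps.example.internal
if [ "${1:-}" = "--run" ]; then
  build_truststore "${2:?path to CA certificate}" "${3:?keystore alias}" truststore.jks
  create_keystore_secret truststore.jks ldap-keystore
fi
```

After it runs, the value for LDAPS_TRUSTSTORE_PASSWORD in keycloak-values.yml must be the same password that was exported as TRUSTSTORE_PASSWORD, otherwise the JVM will fail to open the store.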
Check out this example for our Jenkins chart. You should be able to adapt it and achieve something similar for Keycloak:
https://github.com/codecentric/helm-charts/tree/master/charts/jenkins#updating-javas-truststore
from helm-charts.
Hello @unguiculus,
I checked your documentation but I struggle to reproduce the same for keycloak.
Here's what I tried.
I created a config map that contains my ldap-ca.crt:
kubectl -n keycloak create configmap ldap-ca-configmap --from-file=ldap-ca.crt --dry-run --output yaml | kubectl apply -f -
I downloaded your helm charts and modified the values.yaml to add the following:
referenceContent:
  - relativeDir: custom-init-scripts
    defaultMode: 0555
    data:
      - fileName: truststore.sh
        fileContent: |
          #!/usr/bin/env bash
          echo 'Adding CA certificate to Java truststore...'
          cd /opt/jboss/keycloak/standalone/configuration/keystores
          chmod 666 /opt/jboss/keycloak/standalone/configuration/keystores
          keytool -keystore truststore -storepass [a strong password] -noprompt -trustcacerts -importcert -alias ldap-ca -file ./ldap-ca/ldap-ca.crt
          chmod 444 /opt/jboss/keycloak/standalone/configuration/keystores
## Additional init containers, e. g. for providing custom themes
extraInitContainers: |
  - name: keycloak-truststore-init
    image: jboss/keycloak
    tag: 6.0.1
    imagePullPolicy: IfNotPresent
    command:
      - /opt/jboss/keycloak/custom-init-scripts/truststore.sh
    volumeMounts:
      - name: ldap-ca
        mountPath: /opt/jboss/keycloak/standalone/configuration/keystores/ldap-ca
      - name: truststore
        mountPath: /opt/jboss/keycloak/standalone/configuration/keystores
extraVolumes: |
  - name: ldap-ca
    configMap:
      name: ldap-ca-configmap
  - name: truststore
    emptyDir: {}
extraVolumeMounts: |
  - name: truststore
    mountPath: /opt/jboss/keycloak/standalone/configuration/keystores
javaOpts: >-
  -Djavax.net.ssl.trustStore=/opt/jboss/keycloak/standalone/configuration/keystores/truststore
One of the problems I encounter is this one when I launch the helm chart with the modified values:
Error: failed to start container "keycloak-truststore-init": Error response from daemon: OCI runtime create failed: container_linux.go:344: starting container process caused "exec: \"/opt/jboss/keycloak/custom-init-scripts/truststore.sh\": stat /opt/jboss/keycloak/custom-init-scripts/truststore.sh: no such file or directory": unknown
I think it's because I don't have persistence on the keycloak pod itself and I have to set a PVC to be able to mount the volume as keycloak_home in the extraInitContainers to be able to perform the operation. Also I have to modify the statefulset templates to mount the volume keycloak_home on the keycloak containers.
What do you think?
from helm-charts.
The current helm chart does not support this. referenceContent does not exist so defining it has no effect. We would need this functionality added so we could use it in the extraInitContainers. Thanks!
from helm-charts.
@wilf1rst did you find a solution for this? Even I am stuck in the same issue regarding certs.
from helm-charts.
The chart supports custom startup scripts. The following should be possible:
keycloak:
  startupScripts:
    truststore.sh: |
      #!/usr/bin/env bash
      echo 'Adding CA certificate to Java truststore...'
      cd /opt/jboss/keycloak/standalone/configuration/keystores
      chmod 666 /opt/jboss/keycloak/standalone/configuration/keystores
      keytool -keystore truststore -storepass [a strong password] -noprompt -trustcacerts -importcert -alias ldap-ca -file ./ldap-ca/ldap-ca.crt
      chmod 444 /opt/jboss/keycloak/standalone/configuration/keystores
from helm-charts.
@unguiculus, this is an interesting proposal, though I wonder 3 things:
- how can the Helm values file pass the content of the file to add? Your above script mentions -file ./ldap-ca/ldap-ca.crt but the file needs to be exposed to the running container...
- where is it configured that anything in /opt/jboss/keycloak/standalone/configuration/keystores will be taken into account by Keycloak? As the official doc states that a trust store should be configured with a <spi name="truststore"> block, and there is none of it in standalone.xml.
- Assuming anything in that subdirectory will indeed be treated as additional keystores by Keycloak, how will it guess [a strong password] defined in your above script?
Currently the ability to add keystores as a chart value is blocking us so I'm eager to work on this...
from helm-charts.
I finally managed to get my custom certificates trusted with a combination of:
- an extra init container that copies the certificates into an extra volume
- the X509_CA_BUNDLE variable (used in this script: /opt/jboss/tools/x509.sh)
- keycloak v8.0.1 image
Warnings:
- There's a bug in keycloak docker image v7.0.0 in the /opt/jboss/tools/x509.sh script that is fixed in v8.0.1. Make sure to use that one.
- Make sure to explicitly define the PROXY_ADDRESS_FORWARDING variable since the usage of any other variable in extraEnv will undefine the default value for extraEnv.
- All the pipes "|" you see are necessary since the chart uses the tpl function
- The quotes around the value true for the PROXY_ADDRESS_FORWARDING variable are necessary
keycloak:
  image:
    repository: jboss/keycloak
    tag: 8.0.1
  extraEnv: |
    - name: X509_CA_BUNDLE
      value: "/tmp/certs/*.crt"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
  extraInitContainers: |
    - name: certs
      image: my.private.registry/certs
      imagePullPolicy: Always
      command:
        - sh
      args:
        - -c
        - |
          echo "Copying certificates..."
          cp -r /certs/* /tmp/certs
      volumeMounts:
        - name: certs
          mountPath: /tmp/certs
  extraVolumeMounts: |
    - name: certs
      mountPath: /tmp/certs
  extraVolumes: |
    - name: certs
      emptyDir: {}
Here's my Dockerfile for the init container:
FROM busybox
COPY certs/ /certs/
from helm-charts.
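Both this comment and the first one in the thread rely on the X509_CA_BUNDLE glob "/tmp/certs/*.crt": a file the glob does not match is never imported, and the problem only surfaces later when the outgoing LDAPS or SMTP handshake fails. As an added example that is not from the thread, this is a pre-flight check to run over the directory (or the extracted ConfigMap contents) before it is baked into the init-container image or mounted: it reports each *.crt file with the number of PEM blocks it holds, flags *.crt files that contain no PEM block (a DER file, for instance), and flags files the glob would skip, such as a .pem suffix. The "*.crt" pattern is assumed from the values above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory destined for
# /tmp/certs against the X509_CA_BUNDLE glob "*.crt" used in the values above.
#
# Prints one line per regular file:
#   import <file> <n>   a *.crt file with n PEM certificate blocks
#   invalid <file>      a *.crt file with no PEM certificate block
#   skipped <file>      a file the glob would never import
# Returns 1 if anything is invalid or skipped, 0 otherwise.
audit_ca_bundle() {
  dir="$1"; status=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    base=$(basename "$f")
    case "$base" in
      *.crt)
        # grep -c exits 1 on zero matches, so keep the count and ignore the status
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -ge 1 ]; then
          echo "import $base $n"
        else
          echo "invalid $base"; status=1
        fi ;;
      *)
        echo "skipped $base"; status=1 ;;
    esac
  done
  return $status
}

# Usage: ./audit-ca-bundle.sh --run ./certs
if [ "${1:-}" = "--run" ]; then
  audit_ca_bundle "${2:?directory to audit}"
fi
```

A non-zero exit is the signal to rename or convert the offending file before building the init-container image; a bundle file with several certificates is fine and is reported with its block count.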
Hi, I created a container with an easy way to solve this. I copied the idea from https://github.com/codecentric/helm-charts/tree/master/charts/jenkins#updating-javas-truststore:
https://github.com/rdcarrera/add-ca-to-cacert
First you must create a configmap with the certificate:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: a-ca-certificate
data:
  ca.pem: |-
    -----BEGIN CERTIFICATE-----
    fooooooo
    ......
    fooooooo
    -----END CERTIFICATE-----
And then add to your helm variables files:
---
keycloak:
  extraInitContainers: |
    - name: "trust-ca-certificate"
      image: "rdcarrera/add-ca-to-cacert"
      imagePullPolicy: Always
      env:
        - name: CACERT_DEST
          value: "/test"
      volumeMounts:
        - name: cacerts-binary
          mountPath: /test
        - name: a-ca-certificate
          mountPath: /certs/ca.pem
          subPath: ca.pem
  extraVolumeMounts: |
    - name: cacerts-binary
      mountPath: /etc/pki/ca-trust/extracted/java/cacerts
      subPath: cacerts
      readOnly: true
  extraVolumes: |
    - name: a-ca-certificate
      configMap:
        name: a-ca-certificate
    - name: cacerts-binary
      emptyDir: {}
Also, thanks to @unguiculus.
Regards.
from helm-charts.