keycloak/keycloak-containers

X509_CA_BUNDLE for quarkus based image

dejwsz opened this issue · 4 comments

Description

Would be good to have something like X509_CA_BUNDLE from Wildfly based image too. It is very convenient in kubernetes deployment where you can mount a number of secrets or configmaps and add custom public certs to keycloak truststore.
There is "https-trust-store-file" server configuration option in the operator (v2alpha1 crd) but it is not the same (although also useful).

Discussion

No response

Motivation

You can mount many secrets and configmaps and easily add custom certs with X509_CA_BUNDLE for a WildFly based image. In case of the Quarkus based one I understand you need to prepare one common truststore first and then use it in server config (using v2alpha1) - it needs a little more effort, like using an init container with an emptyDir volume for example.

Details

Maybe the x509 tool script can be reused in some form in the Quarkus based image too? https://github.com/keycloak/keycloak-containers/blob/main/server/tools/x509.sh

I'll just note that this is a prerequisite in some environments for using ldaps:// for User Federation. For some Keycloak users, losing this feature by updating from an older Keycloak is fairly significant.

In the meantime, I'd suggest using something along these lines (written for a container):

/usr/bin/cp /etc/pki/java/cacerts /opt/keycloak/cacerts
/usr/bin/chmod 644 /opt/keycloak/cacerts
/usr/bin/keytool -importcert -alias ucsCA -keystore /opt/keycloak/cacerts -file /opt/keycloak/customCA/customCA.pem -storepass changeit -noprompt
/opt/keycloak/bin/kc.sh build
/opt/keycloak/bin/kc.sh start

And then setting:

KC_SPI_TRUSTSTORE_FILE_FILE: /opt/keycloak/cacerts
KC_SPI_TRUSTSTORE_FILE_PASSWORD: changeit

I've made a custom entrypoint for this issue on some custom images; it seems to work for now, if this can help.

https://gist.github.com/RomainMou/3bcea4d7c01db1d04a0a8bc7b31819d2
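An added example (not from the issue, the gist above, or the Keycloak project) that generalises the keytool snippet and the KC_SPI_TRUSTSTORE_FILE_* variables above into an entrypoint accepting a space-separated X509_CA_BUNDLE list of PEM files, each of which may hold several certificates. The paths, the `changeit` password, the bundle format and the per-file alias scheme are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code: emulate the WildFly image's X509_CA_BUNDLE
# for the Quarkus distribution (X509_CA_BUNDLE = space-separated PEM files, assumed).
set -eu
# Assumed paths and password; they mirror the snippet in the comment above.
SRC_CACERTS="${SRC_CACERTS:-/etc/pki/java/cacerts}"
DST_CACERTS="${DST_CACERTS:-/opt/keycloak/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# split_pem_bundle FILE OUTDIR: write each certificate in FILE to OUTDIR/cert-N.pem
# and print how many certificates were found (0 for a file with none).
split_pem_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# import_bundle: copy the JDK truststore and import every certificate from every
# file in X509_CA_BUNDLE under a unique alias (keytool rejects duplicate aliases).
import_bundle() {
  tmp=$(mktemp -d)
  cp "$SRC_CACERTS" "$DST_CACERTS"
  chmod 644 "$DST_CACERTS"
  for f in ${X509_CA_BUNDLE:-}; do
    [ -r "$f" ] || { echo "X509_CA_BUNDLE: skipping unreadable $f" >&2; continue; }
    count=$(split_pem_bundle "$f" "$tmp"); i=1
    while [ "$i" -le "$count" ]; do
      keytool -importcert -noprompt -keystore "$DST_CACERTS" -storepass "$STOREPASS" \
        -alias "$(basename "$f")-$i" -file "$tmp/cert-$i.pem"
      i=$((i + 1))
    done
    rm -f "$tmp"/cert-*.pem
  done
  rm -rf "$tmp"
}

# make_sample_bundle FILE: constructed two-certificate placeholder bundle, only for
# exercising the splitter (the bodies are not real certificates).
make_sample_bundle() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$1"
}

# Entrypoint: build the truststore, point Keycloak at it, then build and start.
if [ "${1:-}" = "start" ]; then
  import_bundle
  export KC_SPI_TRUSTSTORE_FILE_FILE="$DST_CACERTS" KC_SPI_TRUSTSTORE_FILE_PASSWORD="$STOREPASS"
  /opt/keycloak/bin/kc.sh build && exec /opt/keycloak/bin/kc.sh start
fi
```

Mount the secrets or configmaps holding the PEM files, list them in X509_CA_BUNDLE, and run the script with `start` as the container command.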

With Keycloak 20 the WildFly based distribution is no longer supported. For the newer Quarkus distribution of Keycloak, check out the new documentation, or the updated container sources.