terrakube with keycloak authentication #36
Comments
Hello @scabarrus, let me check this during the weekend; there should be a way to add new CA certs. We are basically using the Spring buildpacks with the following maven command to create the docker images: `mvn spring-boot:build-image`. I guess there should be an option inside the maven configuration to add the certs during the build. I will check this; I think I can maybe provide a bash script that you can use to add the certs.

Hello @scabarrus, I was checking some documentation and it looks like there are two ways to add a custom certificate.

- Add certificates binding at build time. For this method I have updated the project configuration; you could include the certificates in PEM format inside the folder "bindings/ca-certificates" and create some custom images using the example build script.
- Add certificates binding at runtime. To see how you can do it at runtime you can check these two examples:
I have updated the helm chart to support ca certificates at runtime, please use the following property security.caCerts
Use this example to set up the CA certs inside the terrakube components; you will need to set up one env variable, a volume and volume mounts:

```yaml
## API properties
api:
  enabled: true
  version: "2.7.0"
  replicaCount: "1"
  serviceType: "ClusterIP"
  env:
    - name: SERVICE_BINDING_ROOT
      value: /mnt/platform/bindings
  volumes:
    - name: ca-certs
      secret:
        secretName: terrakube-ca-secrets
        items:
          - key: "terrakubeDemo1.pem"
            path: "terrakubeDemo1.pem"
          - key: "terrakubeDemo2.pem"
            path: "terrakubeDemo2.pem"
          - key: "type" # mandatory
            path: "type"
  volumeMounts:
    - name: ca-certs
      mountPath: /mnt/platform/bindings/ca-certificates
      readOnly: true
  properties:
    databaseType: "H2"
## Executor properties
executor:
  enabled: true
  version: "2.7.0"
  replicaCount: "1"
  serviceType: "ClusterIP"
  env:
    - name: SERVICE_BINDING_ROOT
      value: /mnt/platform/bindings
  volumes:
    - name: ca-certs
      secret:
        secretName: terrakube-ca-secrets
        items:
          - key: "terrakubeDemo1.pem"
            path: "terrakubeDemo1.pem"
          - key: "terrakubeDemo2.pem"
            path: "terrakubeDemo2.pem"
          - key: "type"
            path: "type"
  volumeMounts:
    - name: ca-certs
      mountPath: /mnt/platform/bindings/ca-certificates
      readOnly: true
  properties:
    toolsRepository: "https://github.com/AzBuilder/terrakube-extensions"
    toolsBranch: "main"
## Registry properties
registry:
  enabled: true
  version: "2.7.0"
  replicaCount: "1"
  serviceType: "ClusterIP"
  env:
    - name: SERVICE_BINDING_ROOT
      value: /mnt/platform/bindings
  volumes:
    - name: ca-certs
      secret:
        secretName: terrakube-ca-secrets
        items:
          - key: "terrakubeDemo1.pem"
            path: "terrakubeDemo1.pem"
          - key: "terrakubeDemo2.pem"
            path: "terrakubeDemo2.pem"
          - key: "type"
            path: "type"
  volumeMounts:
    - name: ca-certs
      mountPath: /mnt/platform/bindings/ca-certificates
      readOnly: true
```

If the configuration is correct the pod logs will show something like:
Hi, thanks a lot, I'll try on Monday and give you feedback.

Sure, if you want to share the example feel free to send a PR to the repo to add the example configuration using OIDC.
Hello, unfortunately something seems to not work on my side.
I get the following errors:
If I remove the env variable, I'm able to see the certificate (I truncated it) inside of the container:
If you have an idea?
Hello @scabarrus, you need to add the key "type". This is a configuration file that needs to be included inside the directory where you have your certs, in this case the folder /mnt/platform/bindings. This file is already included in the helm chart in the secret terrakube-ca-secrets; it is already included inside the kubernetes secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: terrakube-ca-secrets
type: Opaque
stringData:
  type: |
    ca-certificates
{{- with .Values.security.caCerts }}
{{- toYaml . | nindent 2 }}
{{- end }}
```

Reference: https://github.com/AzBuilder/terrakube-helm-chart/blob/main/templates/secrets-certs.yaml

This is the reason the error is showing:
Example:

```yaml
## API properties
api:
  enabled: true
  version: "2.7.0"
  replicaCount: "1"
  serviceType: "ClusterIP"
  env:
    - name: SERVICE_BINDING_ROOT
      value: /mnt/platform/bindings
  volumes:
    - name: ca-certs
      secret:
        secretName: terrakube-ca-secrets
        items:
          - key: "terrakubeDemo1.pem"
            path: "terrakubeDemo1.pem"
          - key: "terrakubeDemo2.pem"
            path: "terrakubeDemo2.pem"
          - key: "type" # FILE REQUIRED TO ENABLE CUSTOM CERTS
            path: "type" # FILE REQUIRED TO ENABLE CUSTOM CERTS
  volumeMounts:
    - name: ca-certs
      mountPath: /mnt/platform/bindings/ca-certificates
      readOnly: true
  properties:
    databaseType: "H2"
```
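To confirm a mounted binding has the layout the helm values above produce before suspecting the Java truststore, here is an added Python preflight check (not code from the thread or the Terrakube project): it walks SERVICE_BINDING_ROOT, requires the `type` marker to contain `ca-certificates` next to the PEM files, and reports the exact failure in this thread, PEM files present but `type` missing. The binding directory name `ca-certificates` is assumed from the mountPath in the example, and the demo binding it writes uses constructed fake PEM bodies, not real certificates.

```python
import base64
import ssl
import tempfile
from pathlib import Path

def check_ca_binding(binding_root, binding_name="ca-certificates"):
    """Return problems in the CA binding below SERVICE_BINDING_ROOT ([] means OK)."""
    problems = []
    binding_dir = Path(binding_root, binding_name)
    if not binding_dir.is_dir():
        return [f"binding directory missing: {binding_dir}"]
    type_file = binding_dir / "type"
    if not type_file.is_file():  # the thread's failure: PEMs mounted, no "type" key
        problems.append('"type" file missing, binding is ignored')
    elif type_file.read_text().strip() != "ca-certificates":
        problems.append('"type" file must contain "ca-certificates"')
    pem_count = 0
    for entry in sorted(binding_dir.iterdir()):
        if entry.name == "type" or entry.name.startswith(".") or entry.is_dir():
            continue  # skip the marker file and the ..data links a secret mount adds
        try:
            der = ssl.PEM_cert_to_DER_cert(entry.read_text().strip())
        except ValueError as exc:
            problems.append(f"{entry.name}: not a PEM certificate ({exc})")
            continue
        if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
            problems.append(f"{entry.name}: decoded body is not DER")
            continue
        pem_count += 1
    if pem_count == 0:
        problems.append("no certificate files found in binding")
    return problems

def make_demo_binding(root, with_type):
    """Write a constructed binding: two fake PEM files (not real certs), optional "type"."""
    d = Path(root, "ca-certificates")
    d.mkdir(parents=True, exist_ok=True)
    body = base64.encodebytes(b"\x30\x03\x02\x01\x01").decode()  # DER SEQUENCE{INTEGER 1}
    pem = f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
    for name in ("terrakubeDemo1.pem", "terrakubeDemo2.pem"):
        (d / name).write_text(pem)
    if with_type:
        (d / "type").write_text("ca-certificates\n")
    return root

def demo():
    """Run the check against the broken layout (no "type") and the fixed one."""
    with tempfile.TemporaryDirectory() as root:
        broken = check_ca_binding(make_demo_binding(root, with_type=False))
        fixed = check_ca_binding(make_demo_binding(root, with_type=True))
    return broken, fixed
```

Run `check_ca_binding("/mnt/platform/bindings")` inside the pod (or from an init container) to get the same report for the real mount.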
Hello,
We try to use terrakube with the dex configuration to use OpenID Connect authentication via keycloak.
We use for each component an internal PKI to provide certificates signed by our CA.
We imported the certificate of our IdP into dex in the folder /etc/ssl/certs and also into each other pod to see if it solves my issue.
We are able to authenticate with the admin role, but when we try to create an organization, we have these errors:

```
GET https://terrakube-api.xxxxxx/api/v1/organization 500
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

It seems the certificate needs to be imported into a keystore, but as I'm not fluent in Java, I would like to know if you have some guidance to help me.
Best regards,