KEYCLOAK-7891 OpenShift managed SSL certificates

openshift-examples/README.md

@@ -0,0 +1,6 @@
+# Keycloak OpenShift examples
+
+This directory contains a set of predefined OpenShift templates for running Keycloak, including:
+
+* `keycloak-https.json` - A standard template for most of the use cases. It uses both HTTP and HTTPS routes.
+* `keycloak-https-mutual-tls.json` - A similar template to the one above but uses OpenShift generated certificates to setup Mutual TLS.

openshift-examples/keycloak-https-mutual-tls.json

@@ -0,0 +1,242 @@
+{
+ "kind": "Template",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "keycloak-https",
+ "annotations": {
+ "iconClass": "icon-sso",
+ "tags": "keycloak",
+ "version": "4.0.0.Beta2",
+ "openshift.io/display-name": "Keycloak",
+ "description": "An example Keycloak server with HTTPS"
+ }
+ },
+ "parameters": [
+ {
+ "displayName": "Application Name",
+ "description": "The name for the application.",
+ "name": "APPLICATION_NAME",
+ "value": "keycloak",
+ "required": true
+ },
+ {
+ "displayName": "Keycloak Administrator Username",
+ "description": "Keycloak Server administrator username",
+ "name": "KEYCLOAK_USER",
+ "from": "[a-zA-Z0-9]{8}",
+ "generate": "expression",
+ "required": true
+ },
+ {
+ "displayName": "Keycloak Administrator Password",
+ "description": "Keycloak Server administrator password",
+ "name": "KEYCLOAK_PASSWORD",
+ "from": "[a-zA-Z0-9]{8}",
+ "generate": "expression",
+ "required": true
+ },
+ {
+ "displayName": "DB Vendor",
+ "description": "DB vendor (H2, POSTGRES, MYSQL or MARIADB)",
+ "name": "DB_VENDOR",
+ "value": "H2",
+ "required": true
+ },
+ {
+ "displayName": "Custom http Route Hostname",
+ "description": "Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>.<project>.<default-domain-suffix>",
+ "name": "HOSTNAME_HTTP",
+ "value": "",
+ "required": false
+ },
+ {
+ "displayName": "Custom https Route Hostname",
+ "description": "Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>.<project>.<default-domain-suffix>",
+ "name": "HOSTNAME_HTTPS",
+ "value": "",
+ "required": false
+ }
+ ],
+ "objects": [
+ {
+ "kind": "Service",
+ "apiVersion": "v1",
+ "spec": {
+ "ports": [
+ {
+ "port": 8080,
+ "targetPort": 8080
+ }
+ ],
+ "selector": {
+ "deploymentConfig": "${APPLICATION_NAME}"
+ }
+ },
+ "metadata": {
+ "name": "${APPLICATION_NAME}",
+ "labels": {
+ "application": "${APPLICATION_NAME}"
+ },
+ "annotations": {
+ "description": "The web server's http port."
+ }
+ }
+ },
+ {
+ "kind": "Service",
+ "apiVersion": "v1",
+ "spec": {
+ "ports": [
+ {
+ "port": 8443,
+ "targetPort": 8443
+ }
+ ],
+ "selector": {
+ "deploymentConfig": "${APPLICATION_NAME}"
+ }
+ },
+ "metadata": {
+ "name": "secure-${APPLICATION_NAME}",
+ "labels": {
+ "application": "${APPLICATION_NAME}"
+ },
+ "annotations": {
+ "description": "The web server's https port.",
+ "service.alpha.openshift.io/serving-cert-secret-name": "keycloak-x509-https-secret"
+ }
+ }
+ },
+ {
+ "kind": "Route",
+ "apiVersion": "v1",
+ "id": "${APPLICATION_NAME}-http",
+ "metadata": {
+ "name": "${APPLICATION_NAME}",
+ "labels": {
+ "application": "${APPLICATION_NAME}"
+ },
+ "annotations": {
+ "description": "Route for application's http service."
+ }
+ },
+ "spec": {
+ "host": "${HOSTNAME_HTTP}",
+ "to": {
+ "name": "${APPLICATION_NAME}"
+ }
+ }
+ },
+ {
+ "kind": "Route",
+ "apiVersion": "v1",
+ "id": "${APPLICATION_NAME}-https",
+ "metadata": {
+ "name": "secure-${APPLICATION_NAME}",
+ "labels": {
+ "application": "${APPLICATION_NAME}"
+ },
+ "annotations": {
+ "description": "Route for application's https service."
+ }
+ },
+ "spec": {
+ "host": "${HOSTNAME_HTTPS}",
+ "to": {
+ "name": "secure-${APPLICATION_NAME}"
+ },
+ "tls": {
+ "termination": "passthrough"
+ }
+ }
+ },
+ {
+ "kind": "DeploymentConfig",
+ "apiVersion": "v1",
+ "metadata": {
+ "name": "${APPLICATION_NAME}",
+ "labels": {
+ "application": "${APPLICATION_NAME}"
+ }
+ },
+ "spec": {
+ "strategy": {
+ "type": "Recreate"
+ },
+ "triggers": [
+ {
+ "type": "ConfigChange"
+ }
+ ],
+ "replicas": 1,
+ "selector": {
+ "deploymentConfig": "${APPLICATION_NAME}"
+ },
+ "template": {
+ "metadata": {
+ "name": "${APPLICATION_NAME}",
+ "labels": {
+ "deploymentConfig": "${APPLICATION_NAME}",
+ "application": "${APPLICATION_NAME}"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "${APPLICATION_NAME}",
+ "image": "jboss/keycloak-openshift",
+ "ports": [
+ {
+ "containerPort": 8080,
+ "protocol": "TCP"
+ },
+ {
+ "name": "https",
+ "containerPort": 8443,
+ "protocol": "TCP"
+ }
+ ],
+ "env": [
+ {
+ "name": "KEYCLOAK_USER",
+ "value": "${KEYCLOAK_USER}"
+ },
+ {
+ "name": "KEYCLOAK_PASSWORD",
+ "value": "${KEYCLOAK_PASSWORD}"
+ },
+ {
+ "name": "DB_VENDOR",
+ "value": "${DB_VENDOR}"
+ },
+ {
+ "name": "X509_CA_BUNDLE",
+ "value": "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+ }
+ ],
+ "securityContext": {
+ "privileged": false
+ },
+ "volumeMounts": [
+ {
+ "name": "keycloak-x509-https-volume",
+ "mountPath": "/etc/x509/https",
+ "readOnly": true
+ }
+ ]
+ }
+ ],
+ "volumes": [
+ {
+ "name": "keycloak-x509-https-volume",
+ "secret": {
+ "secretName": "keycloak-x509-https-secret"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ ]
+}

server/Dockerfile

@@ -16,7 +16,7 @@ ARG KEYCLOAK_DIST=https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/keycloa
 
 USER root
 
-RUN yum install -y epel-release git && yum install -y jq && yum clean all
+RUN yum install -y epel-release git && yum install -y jq openssl which && yum clean all
 
 ADD tools /opt/jboss/tools
 RUN /opt/jboss/tools/build-keycloak.sh

server/README.md

@@ -184,6 +184,22 @@ When running Keycloak behind a proxy, you will need to enable proxy address forw
 
 
 
+### Setting up TLS(SSL)
+
+Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:
+
+* tls.crt - a certificate
+* tls.key - a private key
+
+Those files need to be mounted in `/etc/x509/https` directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.
+
+It is also possible to provide an additional CA bundle and setup Mutual TLS this way. In that case, you need to mount an additional volume to the image
+containing a `crt` file and point `X509_CA_BUNDLE` environmental variable to that file. 
+
+NOTE: See `openshift-examples` directory for an out of the box setup for OpenShift.
+
+
+
 ## Other details
 
 This image extends the [`jboss/base-jdk`](https://github.com/JBoss-Dockerfiles/base-jdk) image which adds the OpenJDK

server/tools/cli/x509-keystore.cli

@@ -0,0 +1,9 @@
+embed-server --server-config=$configuration_file --std-out=discard
+/subsystem=elytron/key-store=kcKeyStore:add(path=$keycloak_tls_keystore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/key-manager=kcKeyManager:add(key-store=kcKeyStore,credential-reference={clear-text=$keycloak_tls_keystore_password})
+/subsystem=elytron/server-ssl-context=kcSSLContext:add(key-manager=kcKeyManager)
+batch
+/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
+/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=kcSSLContext)
+run-batch
+stop-embedded-server

server/tools/cli/x509-truststore.cli

@@ -0,0 +1,15 @@
+embed-server --server-config=$configuration_file --std-out=discard
+/subsystem=elytron/key-store=kcTrustStore:add(path=$keycloak_tls_truststore_file,type=JKS,credential-reference={clear-text=$keycloak_tls_truststore_password})
+/subsystem=elytron/trust-manager=kcTrustManager:add(key-store=kcTrustStore)
+if (outcome != success) of /subsystem=elytron/server-ssl-context=kcSSLContext:read-resource
+ /subsystem=elytron/server-ssl-context=kcSSLContext:add(trust-manager=kcTrustManager,need-client-auth=true)
+ batch
+ /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
+ /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=kcSSLContext)
+ run-batch
+else
+ # The SSL Context has been added by keystore, not much to do - just append trust store and we are done.
+ /subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=trust-manager, value=kcTrustManager)
+ /subsystem=elytron/server-ssl-context=kcSSLContext:write-attribute(name=need-client-auth, value=true)
+end-if
+stop-embedded-server

server/tools/docker-entrypoint.sh

@@ -94,6 +94,8 @@ if [ "$DB_VENDOR" != "h2" ]; then
  /bin/sh /opt/jboss/tools/change-database.sh $DB_VENDOR
 fi
 
+/opt/jboss/tools/x509.sh
+
 ##################
 # Start Keycloak #
 ##################