Enable X509 Certificate User Authentication In Keycloak With Kubernetes - kubernetes

I'm fairly new to kubernetes, so forgive me for my ignorance on this topic.
I am trying to set up x509 authentication in keycloak. This guide indicates that I need to edit a standalone.xml file and add my configurations there.
I'm not too sure how to edit this file on launch of the instance and copy my Java Key Store into the container image.

Replica of How to edit standalone.xml file dynamically in keycloak
You're going to need to dynamically create a keycloak image, then use that image for your configs.

Related

Setting up HTTPS/SSL for Keycloak 17+

Does Keycloak 17 and above, powered by the Quarkus distribution, have a standalone mode?
The Keycloak documentation says that I can still use it to set up HTTPS/SSL. In the documentation there is a procedure to edit the standalone.xml file, which no longer exists in this new version of Keycloak.
Does standalone mode still exist? Or is there different documentation for this new, non-deprecated version that should be used? How do I set up HTTPS/SSL then?
See https://www.keycloak.org/server/all-config?q=https
Use these parameters to customize TLS configuration based on your needs:
https-certificate-file: The file path to a server certificate or certificate chain in PEM format.
https-certificate-key-file: The file path to a private key in PEM format.
https-cipher-suites: The cipher suites to use.
https-client-auth: Configures the server to require/request client authentication.
https-key-store-file: The key store which holds the certificate information instead of specifying separate files.
https-key-store-password: The password of the key store file.
https-key-store-type: The type of the key store file.
https-port: The HTTPS port to use.
https-protocols: The list of protocols to explicitly enable.
https-trust-store-file: The trust store which holds the certificate information of the certificates to trust.
https-trust-store-password: The password of the trust store file.
https-trust-store-type: The type of the trust store file.
Container deployment also supports TLS; see Keycloak Docker HTTPS required.
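As an added example (not from the page or the Keycloak project), an entrypoint wrapper for a Keycloak 17+ container that checks the PEM material before start-up and hands the options listed above to Keycloak as KC_* environment variables (Keycloak reads https-certificate-file as KC_HTTPS_CERTIFICATE_FILE, and so on), which keeps the trust store password off the command line. The kc.sh install path and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or the Keycloak project: pre-flight checks for the
# PEM certificate/key, then export of the TLS options as KC_* variables and start-up.
# The kc.sh path is an assumption.

# Return 0 only if the certificate and key exist, look like PEM, and the key is
# readable by its owner alone (a Kubernetes Secret mount normally satisfies this).
check_tls_material() {
  cert="$1"; key="$2"
  [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
  [ -f "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  grep -q 'PRIVATE KEY-----' "$key" || { echo "not a PEM private key: $key" >&2; return 1; }
  # columns 5-10 of "ls -l" are the group/other permission bits; all of them must be "-"
  perms=$(ls -ld "$key" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "private key $key is readable by group/others" >&2; return 1; }
  return 0
}

# Export the page's options. Client auth "request" asks the browser for an X.509
# certificate but still allows other login flows; "required" rejects connections
# that present none, so use it only when every client has a certificate.
export_kc_tls_env() {
  export KC_HTTPS_CERTIFICATE_FILE="$1"
  export KC_HTTPS_CERTIFICATE_KEY_FILE="$2"
  export KC_HTTPS_TRUST_STORE_FILE="$3"
  export KC_HTTPS_TRUST_STORE_PASSWORD="$4"
  export KC_HTTPS_CLIENT_AUTH="${5:-request}"
  export KC_HTTPS_PROTOCOLS="TLSv1.3,TLSv1.2"
  export KC_HTTPS_PORT="${KC_HTTPS_PORT:-8443}"
}

main() {
  check_tls_material "$1" "$2" || exit 1
  export_kc_tls_env "$1" "$2" "$3" "$4" "${5:-request}"
  exec /opt/keycloak/bin/kc.sh start   # assumed install path
}

# usage: kc-tls-entrypoint.sh <cert.pem> <key.pem> <truststore.p12> <truststore-password> [none|request|required]
if [ "$#" -ge 4 ]; then main "$@"; fi
```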

Encrypted Keystore instead of Location Path

I have an enterprise-level Kafka hosted in an AWS cluster. I'm trying to consume a topic from the AWS cluster. I need to use the SSL protocol for connecting to the servers.
From the documentation I found that I need to enable a few properties:
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
I have a problem here: I cannot store the keystore.jks and truststore.jks in the source. Our security does not allow storing sensitive data in the source.
Instead I have an encrypted keystore file, which I pull from Vault.
Is there a possibility that I can use this encrypted keystore? I don't see such feasibility in the documentation.
A local file path is needed for SSL certificates. You'll need a wrapper script before your code starts (or before the main method's consumer logic) that downloads the necessary information from Vault and fills in the properties files/configs.
Or use a library that handles this, such as Spring Vault
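As an added example (not from the page, Kafka or Vault), the wrapper script the answer above describes: it pulls the stores from Vault before the consumer starts, writes them to a private temporary directory, generates the ssl.* properties from the question, and removes everything on exit. The Vault path, field names and consumer launch line are assumptions, and the stores are assumed to be kept base64-encoded in Vault.

```shell
#!/bin/sh
# Added example, not from the page: fetch keystore/truststore from Vault at start-up,
# write the Kafka SSL properties, run the consumer, clean up. Vault path, field names
# and the launch line are assumptions.
umask 077   # every file this script creates is readable by the current user only

# Fetch one field of a KV secret (VAULT_ADDR/VAULT_TOKEN come from the environment
# or from a Vault agent sidecar).
fetch_secret() {
  vault kv get -field="$2" "$1"
}

# Decode a base64 store into $2 and fail if the result is empty.
materialise_store() {
  printf '%s' "$1" | base64 -d > "$2" || return 1
  [ -s "$2" ]
}

# Write the SSL section of the Kafka client properties to $1, pointing at the
# materialised stores rather than at files committed with the source.
write_ssl_properties() {
  out="$1"; ks="$2"; ks_pw="$3"; ts="$4"; ts_pw="$5"
  {
    echo "security.protocol=SSL"
    echo "ssl.keystore.location=$ks"
    echo "ssl.keystore.password=$ks_pw"
    echo "ssl.key.password=$ks_pw"       # same password for key and store, as in the question
    echo "ssl.truststore.location=$ts"
    echo "ssl.truststore.password=$ts_pw"
  } > "$out"
}

main() {
  dir=$(mktemp -d) || exit 1            # point TMPDIR at a tmpfs mount to keep the stores off disk
  trap 'rm -rf "$dir"' EXIT INT TERM    # stores and passwords disappear when the consumer exits
  path=secret/kafka/client              # assumed Vault KV path
  materialise_store "$(fetch_secret "$path" keystore_b64)" "$dir/keystore.jks" || exit 1
  materialise_store "$(fetch_secret "$path" truststore_b64)" "$dir/truststore.jks" || exit 1
  write_ssl_properties "$dir/client.properties" "$dir/keystore.jks" \
    "$(fetch_secret "$path" keystore_password)" \
    "$dir/truststore.jks" "$(fetch_secret "$path" truststore_password)"
  java -jar /app/consumer.jar --config "$dir/client.properties"   # assumed launch; no exec, so the trap still runs
}

if [ "${1:-}" = "run" ]; then main; fi
```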

updating JAVA keystore/truststore with new certificate/key when wildfly vault used to mask the keystore/truststore password

By default we want to mask the keystore password using the WildFly vault (using vault.sh) and configure it appropriately in standalone.xml. Now if we want to add an additional key to the keystore, what options are available? I see that vault.sh only provides options to add or remove the confidential information, but not to retrieve it (maybe for security reasons). As WildFly is able to retrieve the actual password from the masked value, it should be possible programmatically. But I want some script or utility to do that. Please let me know how to address this.
The simple query is: how to access the JKS keystore to add a new key if the keystore password is protected by the WildFly vault?

Rancher Keycloak authentication setup

I'm trying to set up Rancher to use Keycloak as an authentication provider and am following the steps laid out here. The last step says to export the metadata in the SAML Metadata IDPSSODescriptor format, but I only see SAML Metadata SPSSODescriptor as an option. I've tried using that, but authentication isn't working: it opens another window with the same Keycloak setup page when clicking the Authenticate with Keycloak button to validate the setup. There are no errors in the Docker logs for either the Rancher or Keycloak containers when running the docker logs CONTAINER command.
I'm wondering if I need to do something specific to set up Keycloak as an IDP to get the correct metadata option, but I can't find anything in their documentation.
For Keycloak 6.0 and up, along with the location of the IDPSSODescriptor, even its format has changed. This doc explains how it can be edited to be used by Rancher.
From the Installation tab, choose the SAML Metadata IDPSSODescriptor format option and download your file.
Or you can directly visit Keycloak URL with IDPSSODescriptor metadata:
https://<keycloak-domain>/auth/realms/<realm>/protocol/saml/descriptor

how can I pass dynamic IP address in keycloak realm redirect URL?

I have created a Keycloak Docker image and deployed it in Kubernetes on my on-premise server, and I set up localhost: as the redirect URL. When I am accessing it from other systems, it should be the IP address of that system instead of localhost. Could you please help me to get a dynamic IP setup in my Keycloak from the Kubernetes script?
I think you can just set the redirectUris in your realm config to *. Otherwise each system to be accessible needs to be added to the realm, which you can do from the admin console or through the API.
In Activiti we distribute a keycloak helm chart with a custom realm for activiti installations. In that we set redirectUris to * and allow that to be overridden at install time. We're doing that in a helm chart but if you weren't using a helm template then you could do a sed to replace a string. But that is for a shareable distribution. If you've just got a single installation then I'd expect you to be adding applications/clients to the realm through the console or API.
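As an added example (not from the page or the Activiti chart), the install-time "sed to replace a string" approach mentioned in the answer above, used to pin a client's redirectUris to the host the realm is deployed on, plus a check that flags a realm export whose redirectUris still contain a bare "*" (which lets any system on the network complete a login flow). The placeholder name and the realm fragment are constructed.

```shell
#!/bin/sh
# Added example, not from the page: substitute a deploy-time host into a realm JSON
# template and detect catch-all redirect URIs. Placeholder and fragment are constructed.

# Constructed realm fragment: the template ships a placeholder instead of "*".
REALM_TEMPLATE='{
  "clients": [{
    "clientId": "my-app",
    "redirectUris": ["__REDIRECT_BASE__/*"],
    "webOrigins": ["__REDIRECT_BASE__"]
  }]
}'

# Print the realm JSON with the placeholder replaced by https://<host>[:port].
# Refuses values that would turn the entry back into a catch-all or break the JSON.
render_realm() {
  host="$1"
  case "$host" in
    ''|*'*'*|*'/'*|*' '*|*'#'*|*'"'*) echo "refusing redirect host '$host'" >&2; return 1 ;;
  esac
  printf '%s\n' "$REALM_TEMPLATE" | sed "s#__REDIRECT_BASE__#https://$host#g"
}

# Return 0 if the given realm JSON still lists a bare "*" redirect URI on one line.
has_wildcard_redirect() {
  printf '%s' "$1" | grep -q '"redirectUris": *\[[^]]*"\*"'
}

# usage: render-realm.sh <host[:port]> > realm.json
if [ "$#" -eq 1 ]; then render_realm "$1"; fi
```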