4 changes: 4 additions & 0 deletions docs/documentation/release_notes/topics/24_0_0.adoc
Expand Up @@ -24,6 +24,10 @@ spec:

Currently only Secrets are supported.

== Trust Kubernetes CA

The cert for the Kubernetes CA is added automatically to your {project_name} Pods managed by the Operator.

= Automatic certificate management for SAML identity providers

The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature the option `Metadata descriptor URL` should be configured in the provider (URL where the IDP metadata information with the certificates is published) and `Use metadata descriptor URL` needs to be `ON`. The certificates are automatically downloaded and cached in the `public-key-storage` SPI from that URL. The certificates can also be reloaded or imported from the admin console, using the action combo in the provider page.
Expand Up @@ -67,6 +67,8 @@
@KubernetesDependent(labelSelector = Constants.DEFAULT_LABELS_AS_STRING)
public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependentResource<StatefulSet, Keycloak> {

public static final String KC_TRUSTSTORE_PATHS = "KC_TRUSTSTORE_PATHS";

static final String JGROUPS_DNS_QUERY_PARAM = "-Djgroups.dns.query=";

public static final String OPTIMIZED_ARG = "--optimized";
Expand Down Expand Up @@ -323,9 +325,13 @@ private void addEnvVars(StatefulSet baseDeployment, Keycloak keycloakCR, TreeSet
var env = Optional.ofNullable(baseDeployment.getSpec().getTemplate().getSpec().getContainers().get(0).getEnv()).orElse(List.of());

// accumulate the env vars in priority order - unsupported, first class, additional
var envVars = new ArrayList<>(Stream.concat(Stream.concat(env.stream(), firstClasssEnvVars.stream()), additionalEnvVars.stream())
.collect(Collectors.toMap(EnvVar::getName, Function.identity(), (e1, e2) -> e1, LinkedHashMap::new))
.values());
LinkedHashMap<String, EnvVar> varMap = Stream.concat(Stream.concat(env.stream(), firstClasssEnvVars.stream()), additionalEnvVars.stream())
.collect(Collectors.toMap(EnvVar::getName, Function.identity(), (e1, e2) -> e1, LinkedHashMap::new));

// include the kube CA if the user is not controlling KC_TRUSTSTORE_PATHS via the unsupported or the additional
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt").build());

var envVars = new ArrayList<>(varMap.values());
baseDeployment.getSpec().getTemplate().getSpec().getContainers().get(0).setEnv(envVars);

// watch the secrets used by secret key - we don't currently expect configmaps, optional refs, or watch the initial-admin
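Review bot: The literal `"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"` in the `putIfAbsent` call is a magic string that carries the security meaning of this change (the operator now makes Keycloak trust the cluster CA) and deserves a named constant next to `KC_TRUSTSTORE_PATHS`, e.g. `static final String KUBERNETES_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"; // projected by the service-account mount` in the first hunk and `varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue(KUBERNETES_CA_PATH).build());` here. Because `putIfAbsent` yields to any value already in `varMap`, a user who sets `KC_TRUSTSTORE_PATHS` through the unsupported, first-class or additional options replaces the default rather than extending it, so the kube CA is silently no longer trusted in that case; the comment above the call names only the unsupported and additional sources, and the behaviour is worth stating in the comment and in the release note. The path presumably only exists when the service-account volume is mounted into the pod (it is absent when `automountServiceAccountToken` is disabled), in which case the default points at a missing file — verify how Keycloak handles that at startup. The enclosing method `addEnvVars` starts before the hunk and continues past it.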
Expand Up @@ -363,7 +363,7 @@ public void testRelativePathHealthProbes() {
}

@Test
public void testDefaultArgs() {
public void testDefaults() {
// Arrange
PodTemplateSpec additionalPodTemplate = null;

Expand All @@ -372,6 +372,7 @@ public void testDefaultArgs() {

// Assert
assertThat(podTemplate.getSpec().getContainers().get(0).getArgs()).doesNotContain(KeycloakDeploymentDependentResource.OPTIMIZED_ARG);
assertThat(podTemplate.getSpec().getContainers().get(0).getEnv().stream().anyMatch(envVar -> envVar.getName().equals(KeycloakDeploymentDependentResource.KC_TRUSTSTORE_PATHS)));
}

@Test
Expand All @@ -388,6 +389,22 @@ public void testImageNotOptimized() {
assertThat(podTemplate.getSpec().getContainers().get(0).getArgs()).doesNotContain(KeycloakDeploymentDependentResource.OPTIMIZED_ARG);
}

@Test
public void testAdditionalOptionTruststorePath() {
// Arrange
PodTemplateSpec additionalPodTemplate = null;

// Act
var podTemplate = getDeployment(additionalPodTemplate, null,
s -> s.addToAdditionalOptions(new ValueOrSecret(KeycloakDeploymentDependentResource.KC_TRUSTSTORE_PATHS, "/something")))
.getSpec().getTemplate();

// Assert
assertThat(podTemplate.getSpec().getContainers().get(0).getEnv().stream()
.anyMatch(envVar -> envVar.getName().equals(KeycloakDeploymentDependentResource.KC_TRUSTSTORE_PATHS)
&& envVar.getValue().equals("/something")));
}

@Test
public void testImageForceOptimized() {
// Arrange
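Review bot: The new assertions in `testDefaults` and `testAdditionalOptionTruststorePath` never fail: `assertThat(stream.anyMatch(...))` with no terminal call such as `.isTrue()` wraps the boolean but asserts nothing, so both tests pass even when `KC_TRUSTSTORE_PATHS` is missing or has the wrong value (assuming this is the same `assertThat` whose `doesNotContain` chain is used on the preceding line). Append `.isTrue()` to the `anyMatch` expression in both tests, e.g. `assertThat(podTemplate.getSpec().getContainers().get(0).getEnv().stream().anyMatch(envVar -> envVar.getName().equals(KeycloakDeploymentDependentResource.KC_TRUSTSTORE_PATHS))).isTrue();`. Since the first test is meant to pin the default, consider also asserting the value of the injected variable so a regression to an empty or different path is caught rather than only the presence of the name.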