Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support java keystore for configuration of sensitive options #189

Merged
merged 6 commits into from
Apr 17, 2024
Merged

Support java keystore for configuration of sensitive options #189

merged 6 commits into from
Apr 17, 2024

Conversation

hwo-wd
Copy link
Collaborator

@hwo-wd hwo-wd commented Apr 16, 2024
edited by guidograzioli
Loading

New parameters allow to set sensitive options using a Java KeyStore file:

Variable Description Default
keycloak_quarkus_key_store_file Deprecated, use keycloak_quarkus_https_key_store_file instead.
keycloak_quarkus_key_store_password Password for the key store ""
keycloak_quarkus_https_trust_store_enabled Enable configuration of a trust store False
keycloak_quarkus_trust_store_file The file pat to the trust store {{ keycloak.home }}/conf/trust_store.p12
keycloak_quarkus_trust_store_password Password for the trust store ""
keycloak_quarkus_proxy_headers Parse reverse proxy headers (forwarded or xforwardedPassword) ""
keycloak_quarkus_https_trust_store_password Password for the trust store ""
keycloak_quarkus_proxy_headers Parse reverse proxy headers (forwarded or xforwarded) ""
keycloak_quarkus_config_key_store_file Path to the configuration key store; only used if keycloak_quarkus_keystore_password is not empty {{ keycloak.home }}/conf/conf_store.p12 if keycloak_quarkus_keystore_password != '', else ''
keycloak_quarkus_config_key_store_password Password of the configuration key store; if non-empty, keycloak_quarkus_db_pass will be saved to the key store at keycloak_quarkus_config_key_store_file (instead of being written to the configuration file in clear text ""

For additional details, refer to: https://www.keycloak.org/server/configuration#_setting_sensitive_options_using_a_java_keystore_file

Fix #188

=== original PR notes

keytool might not be the best tool for this, but I didn't find any better: openssl does support PKCS12 stores, but does not allow for creating PBEs (password-based entries);

Note that this has a breaking change since variables had to be renamed to reduce confusion.

Open for any improvements, but I didn't find a more ansiblish way to do it since keytool doesn't allow for reading the actual secret values, only whether it exists or not.

Moreover let me know if you see more variables from keycloak.conf that would fit into this key store, thanks.

@hwo-wd hwo-wd changed the title Feature/188 configuration key store #188: add support for configuration key store Apr 16, 2024
@hwo-wd hwo-wd force-pushed the feature/188_config_keystore branch 2 times, most recently from 2375142 to bbc649e Compare April 16, 2024 08:11
@guidograzioli
Copy link
Member

I am thinking writing a general keytool module for the middleware common collection, but for the time being this is cool.
But, I'd keep the two "old" renamed vars, setting them to the new parameters value. We can mark them deprecated and remove in the next release, without breaking (so basically, temporarily, keycloak_quarkus_key_store_file default to keycloak_quarkus_https_key_store_file), wdyt?

@guidograzioli guidograzioli added the major_changes Major changes mean the user can CHOOSE to make a change when they update but do not have to label Apr 17, 2024
guidograzioli
guidograzioli reviewed Apr 17, 2024
View reviewed changes
roles/keycloak_quarkus/tasks/config_store.yml Outdated
@@ -0,0 +1,64 @@
---
- name: "Check if keytool exists in path"
block:
Copy link
Member

@guidograzioli guidograzioli Apr 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block happen quite late in the deployment; would you mind moving it to the prereq tasks, so that we fail fast? change_when below can safely be set to false

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The check now happens after having installed JVM in fastpackages.yml, so keytool should definitely be there, but a check never hurts either ;)

@hwo-wd hwo-wd force-pushed the feature/188_config_keystore branch 3 times, most recently from ea203ef to 8b9dd2a Compare April 17, 2024 14:22
@hwo-wd
Copy link
Collaborator Author

hwo-wd commented Apr 17, 2024

I am thinking writing a general keytool module for the middleware common collection, but for the time being this is cool. But, I'd keep the two "old" renamed vars, setting them to the new parameters value. We can mark them deprecated and remove in the next release, without breaking (so basically, temporarily, keycloak_quarkus_key_store_file default to keycloak_quarkus_https_key_store_file), wdyt?

I've added this, probably a bit too compliced but it might serve as a base for other roles.

@guidograzioli
Copy link
Member

I am thinking writing a general keytool module for the middleware common collection, but for the time being this is cool. But, I'd keep the two "old" renamed vars, setting them to the new parameters value. We can mark them deprecated and remove in the next release, without breaking (so basically, temporarily, keycloak_quarkus_key_store_file default to keycloak_quarkus_https_key_store_file), wdyt?

I've added this, probably a bit too compliced but it might serve as a base for other roles.

Brilliant, I was just implying a line or two in the docs to mention the deprecation, but this is perfect

@hwo-wd hwo-wd force-pushed the feature/188_config_keystore branch 2 times, most recently from a6a4013 to d0e916d Compare April 17, 2024 14:50
@guidograzioli
Copy link
Member

new linter rules on ahub driving me crazy, please rebase on main (again); sorry bout that

@hwo-wd hwo-wd force-pushed the feature/188_config_keystore branch from d0e916d to 43cd306 Compare April 17, 2024 15:09
@hwo-wd hwo-wd force-pushed the feature/188_config_keystore branch from 43cd306 to e991bd3 Compare April 17, 2024 15:09
@hwo-wd
Copy link
Collaborator Author

hwo-wd commented Apr 17, 2024

new linter rules on ahub driving me crazy, please rebase on main (again); sorry bout that

no worries -> done.

@guidograzioli
Copy link
Member

OK; i'll release .2 as final 2.1 (with all the linter ****); then I'll merge and we can eventually start 2.2
Thanks for your contribution!

guidograzioli
guidograzioli approved these changes Apr 17, 2024
View reviewed changes
Copy link
Member

@guidograzioli guidograzioli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@guidograzioli guidograzioli merged commit 4f8ed51 into ansible-middleware:main Apr 17, 2024
18 checks passed
@guidograzioli guidograzioli changed the title #188: add support for configuration key store Add support for configuration key store Apr 17, 2024
@guidograzioli guidograzioli changed the title Add support for configuration key store Support java keystore for configuration of sensitive options Apr 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guidograzioli guidograzioli guidograzioli approved these changes

Assignees
No one assigned
Labels
major_changes Major changes mean the user can CHOOSE to make a change when they update but do not have to
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

keycloak_quarkus: allow setting "sensitive options" using a Java KeyStore file
2 participants
@hwo-wd @guidograzioli