Propogate custom CA certificate into Keycloak trust store

Signed-off-by: Anatoliy Bazko <[email protected]>

pkg/deploy/deployment.go

@@ -33,6 +33,7 @@ var deploymentDiffOpts = cmp.Options{
 	cmpopts.IgnoreFields(appsv1.DeploymentStrategy{}, "RollingUpdate"),
 	cmpopts.IgnoreFields(corev1.Container{}, "TerminationMessagePath", "TerminationMessagePolicy"),
 	cmpopts.IgnoreFields(corev1.PodSpec{}, "DNSPolicy", "SchedulerName", "SecurityContext"),
+	cmpopts.IgnoreFields(corev1.ConfigMapVolumeSource{}, "DefaultMode"),
 	cmpopts.IgnoreFields(corev1.VolumeSource{}, "EmptyDir"),
 	cmp.Comparer(func(x, y resource.Quantity) bool {
 		return x.Cmp(y) == 0

pkg/deploy/deployment_keycloak.go

@@ -83,7 +83,8 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 	if clusterDeployment != nil {
 		env := clusterDeployment.Spec.Template.Spec.Containers[0].Env
 		for _, e := range env {
-			if "TRUSTPASS" == e.Name {
+			// To be compatible with prev deployments when "TRUSTPASS" env was used
+			if "TRUSTPASS" == e.Name || "SSO_TRUSTSTORE_PASSWORD" == e.Name {
 				trustpass = e.Value
 				break
 			}
@@ -117,7 +118,31 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 		" -destkeystore " + jbossDir + "/openshift.jks" +
 		" -srcstorepass changeit -deststorepass " + trustpass
 
-	addCertToTrustStoreCommand := addRouterCrt + " && " + addOpenShiftAPICrt + " && " + addMountedCrt + " && " + addMountedServiceCrt + " && " + importJavaCacerts
+	customPublicCertsDir := "/public-certs"
+	customPublicCertsVolumeSource := corev1.VolumeSource{}
+	if checluster.Spec.Server.ServerTrustStoreConfigMapName != "" {
+		customPublicCertsVolumeSource = corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: checluster.Spec.Server.ServerTrustStoreConfigMapName,
+				},
+			},
+		}
+	}
+	customPublicCertsVolume := corev1.Volume{
+		Name:         "che-public-certs",
+		VolumeSource: customPublicCertsVolumeSource,
+	}
+	customPublicCertsVolumeMount := corev1.VolumeMount{
+		Name:      "che-public-certs",
+		MountPath: customPublicCertsDir,
+	}
+	addCustomPublicCertsCommand := "if [[ -d \"" + customPublicCertsDir + "\" && -n \"$(find " + customPublicCertsDir + " -type f)\" ]]; then " +
+		"for certfile in " + customPublicCertsDir + "/* ; do " +
+		"keytool -importcert -alias CERT_$(basename $certfile) -keystore " + jbossDir + "/openshift.jks -file $certfile -storepass " + trustpass + " -noprompt; " +
+		"done; fi"
+
+	addCertToTrustStoreCommand := addRouterCrt + " && " + addOpenShiftAPICrt + " && " + addMountedCrt + " && " + addMountedServiceCrt + " && " + importJavaCacerts + " && " + addCustomPublicCertsCommand
 
 	// upstream Keycloak has a bit different mechanism of adding jks
 	changeConfigCommand := "echo Installing certificates into Keycloak && " +
@@ -205,7 +230,15 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 			Value: "keycloak",
 		},
 		{
-			Name:  "TRUSTPASS",
+			Name:  "SSO_TRUSTSTORE",
+			Value: "openshift.jks",
+		},
+		{
+			Name:  "SSO_TRUSTSTORE_DIR",
+			Value: jbossDir,
+		},
+		{
+			Name:  "SSO_TRUSTSTORE_PASSWORD",
 			Value: trustpass,
 		},
 		{
@@ -451,6 +484,9 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 					Labels: labels,
 				},
 				Spec: corev1.PodSpec{
+					Volumes: []corev1.Volume{
+						customPublicCertsVolume,
+					},
 					Containers: []corev1.Container{
 						{
 							Name:            KeycloakDeploymentName,
@@ -493,6 +529,9 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 								SuccessThreshold:    1,
 							},
 							Env: keycloakEnv,
+							VolumeMounts: []corev1.VolumeMount{
+								customPublicCertsVolumeMount,
+							},
 						},
 					},
 					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,

templates/keycloak_provision

@@ -2,6 +2,7 @@ $script config credentials --server http://0.0.0.0:8080/auth \
                                         --realm master \
                                         --user $keycloakAdminUserName \
                                         --password $keycloakAdminPassword \
+&& $script config truststore --trustpass ${SSO_TRUSTSTORE_PASSWORD} ${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE} \
 && $script update realms/master -s sslRequired=none \
 && $script get realms/$keycloakRealm; \
 if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
@@ -33,4 +34,4 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
                                         --cclientid broker \
                                         --rolename read-token \
 && CLIENT_ID=$($script get clients -r '$keycloakRealm' -q clientId=broker | sed -n 's/.*"id" *: *"\([^"]\+\).*/\1/p') \
-&& $script update clients/$CLIENT_ID -r '$keycloakRealm' -s "defaultRoles+=read-token"
+&& $script update clients/$CLIENT_ID -r '$keycloakRealm' -s "defaultRoles+=read-token"

templates/oauth_provision

@@ -1,5 +1,6 @@
 connect_to_keycloak() {
   {{ .Script }} config credentials --server http://0.0.0.0:8080/auth --realm master --user {{ .KeycloakAdminUserName }} --password {{ .KeycloakAdminPassword }}
+  {{ .Script }} config truststore --trustpass ${SSO_TRUSTSTORE_PASSWORD} ${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE}
 }
 
 create_identity_provider() {
@@ -98,4 +99,4 @@ enable_openshift_token-exchange() {
 }
 
 set -x
-connect_to_keycloak && create_identity_provider && default_to_openshift_login && enable_openshift_token-exchange
+connect_to_keycloak && create_identity_provider && default_to_openshift_login && enable_openshift_token-exchange