Merge pull request #267 from eclipse/crw-640-1

Propagate custom CA certificate into Keycloak trust store
2020-05-29 17:01:15 +03:00 · 2020-05-29 17:01:15 +03:00 · 08c471465e
parent b9fe55c292 df91fa33c7
commit 08c471465e
4 changed files with 46 additions and 4 deletions
--- a/pkg/deploy/deployment.go
+++ b/pkg/deploy/deployment.go
@ -33,6 +33,7 @@ var deploymentDiffOpts = cmp.Options{
 	cmpopts.IgnoreFields(appsv1.DeploymentStrategy{}, "RollingUpdate"),
 	cmpopts.IgnoreFields(corev1.Container{}, "TerminationMessagePath", "TerminationMessagePolicy"),
 	cmpopts.IgnoreFields(corev1.PodSpec{}, "DNSPolicy", "SchedulerName", "SecurityContext"),
+	cmpopts.IgnoreFields(corev1.ConfigMapVolumeSource{}, "DefaultMode"),
 	cmpopts.IgnoreFields(corev1.VolumeSource{}, "EmptyDir"),
 	cmp.Comparer(func(x, y resource.Quantity) bool {
 		return x.Cmp(y) == 0
--- a/pkg/deploy/deployment_keycloak.go
+++ b/pkg/deploy/deployment_keycloak.go
@ -89,7 +89,8 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 	if clusterDeployment != nil {
 		env := clusterDeployment.Spec.Template.Spec.Containers[0].Env
 		for _, e := range env {
-			if "TRUSTPASS" == e.Name {
+			// To be compatible with prev deployments when "TRUSTPASS" env was used
+			if "TRUSTPASS" == e.Name || "SSO_TRUSTSTORE_PASSWORD" == e.Name {
 				trustpass = e.Value
 				break
 			}
@ -124,7 +125,31 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 		" -destkeystore " + jbossDir + "/openshift.jks" +
 		" -srcstorepass changeit -deststorepass " + trustpass

-	addCertToTrustStoreCommand := addRouterCrt + " && " + addOpenShiftAPICrt + " && " + addMountedCrt + " && " + addMountedServiceCrt + " && " + importJavaCacerts
+	customPublicCertsDir := "/public-certs"
+	customPublicCertsVolumeSource := corev1.VolumeSource{}
+	if checluster.Spec.Server.ServerTrustStoreConfigMapName != "" {
+		customPublicCertsVolumeSource = corev1.VolumeSource{
+			ConfigMap: &corev1.ConfigMapVolumeSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: checluster.Spec.Server.ServerTrustStoreConfigMapName,
+				},
+			},
+		}
+	}
+	customPublicCertsVolume := corev1.Volume{
+		Name:         "che-public-certs",
+		VolumeSource: customPublicCertsVolumeSource,
+	}
+	customPublicCertsVolumeMount := corev1.VolumeMount{
+		Name:      "che-public-certs",
+		MountPath: customPublicCertsDir,
+	}
+	addCustomPublicCertsCommand := "if [[ -d \"" + customPublicCertsDir + "\" && -n \"$(find " + customPublicCertsDir + " -type f)\" ]]; then " +
+		"for certfile in " + customPublicCertsDir + "/* ; do " +
+		"keytool -importcert -alias CERT_$(basename $certfile) -keystore " + jbossDir + "/openshift.jks -file $certfile -storepass " + trustpass + " -noprompt; " +
+		"done; fi"
+
+	addCertToTrustStoreCommand := addRouterCrt + " && " + addOpenShiftAPICrt + " && " + addMountedCrt + " && " + addMountedServiceCrt + " && " + importJavaCacerts + " && " + addCustomPublicCertsCommand

 	// upstream Keycloak has a bit different mechanism of adding jks
 	changeConfigCommand := "echo Installing certificates into Keycloak && " +
@ -212,7 +237,15 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 			Value: "keycloak",
 		},
 		{
-			Name:  "TRUSTPASS",
+			Name:  "SSO_TRUSTSTORE",
+			Value: "openshift.jks",
+		},
+		{
+			Name:  "SSO_TRUSTSTORE_DIR",
+			Value: jbossDir,
+		},
+		{
+			Name:  "SSO_TRUSTSTORE_PASSWORD",
 			Value: trustpass,
 		},
 		{
@ -464,6 +497,9 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 					Labels: labels,
 				},
 				Spec: corev1.PodSpec{
+					Volumes: []corev1.Volume{
+						customPublicCertsVolume,
+					},
 					Containers: []corev1.Container{
 						{
 							Name:            KeycloakDeploymentName,
@ -506,6 +542,9 @@ func getSpecKeycloakDeployment(checluster *orgv1.CheCluster, clusterDeployment *
 								SuccessThreshold:    1,
 							},
 							Env: keycloakEnv,
+							VolumeMounts: []corev1.VolumeMount{
+								customPublicCertsVolumeMount,
+							},
 						},
 					},
 					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
--- a/templates/keycloak_provision
+++ b/templates/keycloak_provision
@ -2,6 +2,7 @@ $script config credentials --server http://0.0.0.0:8080/auth \
                                        --realm master \
                                        --user $keycloakAdminUserName \
                                        --password $keycloakAdminPassword \
+&& $script config truststore --trustpass ${SSO_TRUSTSTORE_PASSWORD} ${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE} \
 && $script get realms/$keycloakRealm; \
 if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \
 && $script create realms  -s realm='$keycloakRealm' \
--- a/templates/oauth_provision
+++ b/templates/oauth_provision
@ -1,5 +1,6 @@
 connect_to_keycloak() {
  {{ .Script }} config credentials --server http://0.0.0.0:8080/auth --realm master --user {{ .KeycloakAdminUserName }} --password {{ .KeycloakAdminPassword }}
+  {{ .Script }} config truststore --trustpass ${SSO_TRUSTSTORE_PASSWORD} ${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE}
 }

 create_identity_provider() {
@ -98,4 +99,4 @@ enable_openshift_token-exchange() {
 }

 set -x
-connect_to_keycloak && create_identity_provider && default_to_openshift_login && enable_openshift_token-exchange
+connect_to_keycloak && create_identity_provider && default_to_openshift_login && enable_openshift_token-exchange