Configure Keycloak using the Operator to trust Custom CA
I recently switched from Gitlab to Keycloak as Identity Provider for my OCP cluster. Keyclaok itself had then in turn Gitlab as IdP. Since we use a custom PKI at home, Keyclaok had to trust this PKI.
I use ArgoCD / Openshift Gitops for configuring the cluster, here’s the relevant bits for the certificate configuration I added:
Patch added to the kustomization.yaml:
- op: add path: "/spec/keycloakDeploymentSpec" value: experimental: volumes: defaultMode: 420 items: - configMaps: - trusted-cas mountPath: /tmp/additional-user-certs name: trusted-cas env: - name: X509_CA_BUNDLE value: '/var/run/secrets/kubernetes.io/serviceaccount/*.crt /tmp/additional-user-certs/*.crt'
And the configmap
trusted-cas is simply just an empty config map properly labelled to get the cluster’s trusted CAs (which includes our custom CA) injected to it:
apiVersion: v1 kind: ConfigMap metadata: creationTimestamp: null name: trusted-cas annotations: argocd.argoproj.io/sync-wave: "-1" labels: config.openshift.io/inject-trusted-cabundle: "true"
Read other posts