fix: adds service-ca.crt to the trust stores (#26912)
closes: #26910 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
This commit is contained in:
Steven Hawkins
GitHub
parent
1a823e8733
commit
5f0ee7b0f7
2 changed files with 37 additions and 1 deletions
|
|
@ -49,6 +49,8 @@ import org.keycloak.operator.crds.v2alpha1.deployment.spec.TruststoreSource;
|
|||
import org.keycloak.operator.crds.v2alpha1.deployment.spec.UnsupportedSpec;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Base64;
|
||||
import java.util.LinkedHashMap;
|
||||
|
|
@ -69,6 +71,9 @@ import static org.keycloak.operator.crds.v2alpha1.CRDUtils.isTlsConfigured;
|
|||
@KubernetesDependent(labelSelector = Constants.DEFAULT_LABELS_AS_STRING)
|
||||
public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependentResource<StatefulSet, Keycloak> {
|
||||
|
||||
private static final String SERVICE_ACCOUNT_DIR = "/var/run/secrets/kubernetes.io/serviceaccount/";
|
||||
private static final String SERVICE_CA_CRT = SERVICE_ACCOUNT_DIR + "service-ca.crt";
|
||||
|
||||
public static final String CACHE_CONFIG_FILE_MOUNT_NAME = "cache-config-file-configmap";
|
||||
|
||||
public static final String KC_TRUSTSTORE_PATHS = "KC_TRUSTSTORE_PATHS";
|
||||
|
|
@ -86,8 +91,15 @@ public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependent
|
|||
@Inject
|
||||
KeycloakDistConfigurator distConfigurator;
|
||||
|
||||
private boolean useServiceCaCrt;
|
||||
|
||||
public KeycloakDeploymentDependentResource() {
|
||||
super(StatefulSet.class);
|
||||
useServiceCaCrt = Files.exists(Path.of(SERVICE_CA_CRT));
|
||||
}
|
||||
|
||||
public void setUseServiceCaCrt(boolean useServiceCaCrt) {
|
||||
this.useServiceCaCrt = useServiceCaCrt;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -344,8 +356,14 @@ public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependent
|
|||
LinkedHashMap<String, EnvVar> varMap = Stream.concat(Stream.concat(env.stream(), firstClasssEnvVars.stream()), additionalEnvVars.stream())
|
||||
.collect(Collectors.toMap(EnvVar::getName, Function.identity(), (e1, e2) -> e1, LinkedHashMap::new));
|
||||
|
||||
String truststores = SERVICE_ACCOUNT_DIR + "ca.crt";
|
||||
|
||||
if (useServiceCaCrt) {
|
||||
truststores += "," + SERVICE_CA_CRT;
|
||||
}
|
||||
|
||||
// include the kube CA if the user is not controlling KC_TRUSTSTORE_PATHS via the unsupported or the additional
|
||||
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt").build());
|
||||
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue(truststores).build());
|
||||
|
||||
var envVars = new ArrayList<>(varMap.values());
|
||||
baseDeployment.getSpec().getTemplate().getSpec().getContainers().get(0).setEnv(envVars);
|
||||
|
|
|
|||
|
|
@ -444,4 +444,22 @@ public class PodTemplateTest {
|
|||
assertThat(volume.getConfigMap().getName()).isEqualTo("cm");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testServiceCaCrt() {
|
||||
this.deployment.setUseServiceCaCrt(true);
|
||||
try {
|
||||
// Arrange
|
||||
PodTemplateSpec additionalPodTemplate = null;
|
||||
|
||||
// Act
|
||||
var podTemplate = getDeployment(additionalPodTemplate, null, null).getSpec().getTemplate();
|
||||
|
||||
// Assert
|
||||
var paths = podTemplate.getSpec().getContainers().get(0).getEnv().stream().filter(envVar -> envVar.getName().equals(KeycloakDeploymentDependentResource.KC_TRUSTSTORE_PATHS)).findFirst().orElseThrow();
|
||||
assertThat(paths.getValue()).isEqualTo("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt");
|
||||
} finally {
|
||||
this.deployment.setUseServiceCaCrt(false);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue