fix: adds service-ca.crt to the trust stores (#26912)

closes: #26910

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
This commit is contained in:
Steven Hawkins 2024-02-09 08:32:12 -05:00 committed by GitHub
parent 1a823e8733
commit 5f0ee7b0f7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 37 additions and 1 deletions


@ -49,6 +49,8 @@ import org.keycloak.operator.crds.v2alpha1.deployment.spec.TruststoreSource;
import org.keycloak.operator.crds.v2alpha1.deployment.spec.UnsupportedSpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashMap;
@ -69,6 +71,9 @@ import static org.keycloak.operator.crds.v2alpha1.CRDUtils.isTlsConfigured;
@KubernetesDependent(labelSelector = Constants.DEFAULT_LABELS_AS_STRING)
public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependentResource<StatefulSet, Keycloak> {
private static final String SERVICE_ACCOUNT_DIR = "/var/run/secrets/kubernetes.io/serviceaccount/";
private static final String SERVICE_CA_CRT = SERVICE_ACCOUNT_DIR + "service-ca.crt";
public static final String CACHE_CONFIG_FILE_MOUNT_NAME = "cache-config-file-configmap";
public static final String KC_TRUSTSTORE_PATHS = "KC_TRUSTSTORE_PATHS";
@ -86,8 +91,15 @@ public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependent
@Inject
KeycloakDistConfigurator distConfigurator;
private boolean useServiceCaCrt;
public KeycloakDeploymentDependentResource() {
super(StatefulSet.class);
useServiceCaCrt = Files.exists(Path.of(SERVICE_CA_CRT));
}
public void setUseServiceCaCrt(boolean useServiceCaCrt) {
this.useServiceCaCrt = useServiceCaCrt;
}
@Override
@ -344,8 +356,14 @@ public class KeycloakDeploymentDependentResource extends CRUDKubernetesDependent
LinkedHashMap<String, EnvVar> varMap = Stream.concat(Stream.concat(env.stream(), firstClasssEnvVars.stream()), additionalEnvVars.stream())
.collect(Collectors.toMap(EnvVar::getName, Function.identity(), (e1, e2) -> e1, LinkedHashMap::new));
String truststores = SERVICE_ACCOUNT_DIR + "ca.crt";
if (useServiceCaCrt) {
truststores += "," + SERVICE_CA_CRT;
}
// include the kube CA if the user is not controlling KC_TRUSTSTORE_PATHS via the unsupported or the additional
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt").build());
varMap.putIfAbsent(KC_TRUSTSTORE_PATHS, new EnvVarBuilder().withName(KC_TRUSTSTORE_PATHS).withValue(truststores).build());
var envVars = new ArrayList<>(varMap.values());
baseDeployment.getSpec().getTemplate().getSpec().getContainers().get(0).setEnv(envVars);
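Review bot: The decision to append service-ca.crt is taken from the operator's own filesystem (`Files.exists(Path.of(SERVICE_CA_CRT))` in the constructor, evaluated once at bean construction), but the resulting `KC_TRUSTSTORE_PATHS` is consumed inside the Keycloak pod; the two only agree if the Keycloak pod has the same projected service-account mount, which the code does not verify. On clusters where that file is injected into every SA mount this presumably holds, but a Keycloak pod whose SA token mount is disabled or customized through the unsupported pod template would get a path that does not exist there, and whether the server tolerates a missing truststore entry is not visible from this hunk — worth confirming and noting. The inline comment on the `putIfAbsent` line is now narrower than the code; I would change it to `// include the kube CA (and the service CA when present) unless the user controls KC_TRUSTSTORE_PATHS via unsupported or additional env vars`. The method containing the `varMap` construction starts outside this hunk.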


@ -444,4 +444,22 @@ public class PodTemplateTest {
assertThat(volume.getConfigMap().getName()).isEqualTo("cm");
}
@Test
public void testServiceCaCrt() {
this.deployment.setUseServiceCaCrt(true);
try {
// Arrange
PodTemplateSpec additionalPodTemplate = null;
// Act
var podTemplate = getDeployment(additionalPodTemplate, null, null).getSpec().getTemplate();
// Assert
var paths = podTemplate.getSpec().getContainers().get(0).getEnv().stream().filter(envVar -> envVar.getName().equals(KeycloakDeploymentDependentResource.KC_TRUSTSTORE_PATHS)).findFirst().orElseThrow();
assertThat(paths.getValue()).isEqualTo("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt");
} finally {
this.deployment.setUseServiceCaCrt(false);
}
}
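Review bot: The `finally` block resets the flag to a hard-coded `false` rather than the value it had before the test, so it assumes the test JVM never has service-ca.crt on disk; if it did, every test that runs after this one would see a different default than the one `KeycloakDeploymentDependentResource` computed at construction. Capturing and restoring the prior value would make the test order-independent, which here would need a getter on the flag or a constructor that accepts it (not present in this hunk). The test also only pins the `true` path; the default single-path value (`/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`) is presumably asserted elsewhere, but a sibling assertion in this class would document the contract end to end.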
}