Hello, I'm trying to configure my LDAP server with a secure connection for user federation. Test connectivity passes but test authentication fails.
The keycloak is running as a pod in kubernetes using default public docker image.
In the server logs, I see that the certificate is not recognized because it is not signed by a known CA. It is a self-signed certificate. I would love some suggestions to solve this issue in Kubernetes without having to include certificates as part of the Docker image.
Is there a way to handle this via an init container or secrets? Any recommended approach is appreciated.
Our LDAP server also has a self-signed certificate, signed by IT with an internal CA. To add the CA, I created a cacert-store file with keytool and added it to Keycloak with the required parameter at server start (Configure a Truststore).
What I didn't know at first is that these parameters overwrite the default cacert-store, which in my case led to an untrusted SMTP server error, even though that one is signed by a well-known provider.
To work around that, I created my own container and added the CA to the global PKI store (for keycloak:19.0.2, add the CA in /usr/share/pki/ca-trust-source/anchors/ and exec update-ca-cert).
So I'm also interested in a simple and recommended approach to just add CAs to the default cacert-store used by Keycloak.
env:
  - name: KC_SPI_TRUSTSTORE_FILE_FILE
    value: /mnt/truststore/ldaps.jks
  - name: KC_SPI_TRUSTSTORE_FILE_PASSWORD
    value: <keystore password>   # you can make this a secretRef, for clarity I'm just doing this
This will then make the keystore contents available to your Keycloak instance in Kubernetes.
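As an added example (not code from this thread or from the Keycloak project), here is the same pair of variables wired into a Deployment, with the JKS mounted from a Secret and the password read via secretKeyRef instead of being written in the manifest. Assumed names: a Secret `ldaps-truststore` already created with keys `ldaps.jks` (the keytool-built truststore) and `password`, and a deployment `keycloak`.

```yaml
# Added example: mount a keytool-built truststore from a Secret and point
# Keycloak at it. The Secret is assumed to exist, e.g.
#   kubectl create secret generic ldaps-truststore \
#     --from-file=ldaps.jks=ldaps.jks --from-literal=password=<keystore password>
# Note: this truststore REPLACES the JVM default cacerts, so any public CAs
# the server also needs (e.g. for SMTP) must be imported into ldaps.jks too.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:19.0.2   # version from the thread
          args: ["start"]
          env:
            - name: KC_SPI_TRUSTSTORE_FILE_FILE
              value: /mnt/truststore/ldaps.jks
            - name: KC_SPI_TRUSTSTORE_FILE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ldaps-truststore
                  key: password
          volumeMounts:
            - name: truststore
              mountPath: /mnt/truststore
              readOnly: true            # the pod only needs to read the JKS
      volumes:
        - name: truststore
          secret:
            secretName: ldaps-truststore
            items:
              - key: ldaps.jks
                path: ldaps.jks
```

Because the JKS lives in a Secret, the CA can be rotated with a new Secret and a rollout rather than a rebuilt image.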