Create the ConfigMap for Wildfly Keystore
Introduction
Even though XtremeCloud Single Sign-On (SSO) does not encrypt traffic inside its Docker container (see the Aspen Mesh (Istio) documentation), the Undertow security realm still looks for a keystore, so one has to be supplied.
This is also the same technique used to import Certificate Authority (CA) root certificates (such as the DoD root certificates) into the keystore for Common Access Card (CAC) authentication.
Getting Started
As seen in the standalone-ha.xml ConfigMap in the provided XtremeCloud SSO Helm chart, the realm references the keystore by file name and reads its password from the environment:
    <security-realm name="UndertowRealm">
        <server-identities>
            <ssl>
                <keystore path="keycloak.jks" relative-to="jboss.server.config.dir" keystore-password="${env.KEYSTORE_PASSWORD}" />
            </ssl>
        </server-identities>
    </security-realm>
Create the Java keystore keycloak.jks at the command line (-storetype sets the format of a newly generated store; -deststoretype is an -importkeystore option and has no effect here):
$ keytool -genkeypair -alias xtremecloud -keyalg RSA -keystore keycloak.jks -storetype pkcs12 -validity 10950 -keypass <password> -storepass <password>
Enter keystore password: password
What is your first and last name?
[Unknown]: xtremecloud.eupraxia.io
What is the name of your organizational unit?
[Unknown]: Development
What is the name of your organization?
[Unknown]: Eupraxia Labs
What is the name of your City or Locality?
[Unknown]: Austin
What is the name of your State or Province?
[Unknown]: Texas
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=xtremecloud.eupraxia.io, OU=Development, O=Eupraxia Labs,
L=Austin, ST=Texas, C=US?
[no]: yes
Enter key password for <xtremecloud>
(RETURN if same as keystore password): <password>
Create the Kubernetes ConfigMap from the keystore. It will be injected into the container at the time of deployment.
$ kubectl create configmap keycloak-jks --from-file=keycloak.jks
Make sure it was created. The DATA column reads 0 for keycloak-jks because a binary file is stored under binaryData rather than data, and this version of kubectl only counts data entries; the YAML output at the end of this page shows the content is there:
[centos@vm-controller keytool-config]$ kubectl get cm
NAME                    DATA   AGE
clustered-gcp-xml       1      42h
keycloak-jks            0      19h
standalone-ha-xml       1      18h
xcsso-keycloak-config   2      18h
[centos@vm-controller keytool-config]$ kubectl describe cm keycloak-jks
Name:         keycloak-jks
Namespace:    dev
Labels:       <none>
Annotations:  <none>
Data
====
Events:  <none>
Exec into the running container and confirm that the keystore was injected into the configuration directory:
[centos@vm-controller keytool-config]$ kubectl exec -it sso-dev-xtremecloud-sso-gcp-0 bash
[jboss@sso-dev-xtremecloud-sso-gcp-0 keycloak]$ cd /opt/jboss/keycloak/standalone/configuration/
[jboss@sso-dev-xtremecloud-sso-gcp-0 configuration]$ ls
application-roles.properties  keycloak-add-user.json  logging.properties      mgmt-users.properties  standalone.xml
application-users.properties  keycloak.jks            mgmt-groups.properties  standalone-ha.xml
[jboss@sso-dev-xtremecloud-sso-gcp-0 configuration]$ ls -lsa
total 112
 4 drwxrwxr-x 1 jboss root   4096 Jul 14 16:52 .
 8 drwxrwx--x 1 jboss root   4096 Jul 14 16:52 ..
 4 -rw-rw---- 1 jboss root    711 Jul  5 13:45 application-roles.properties
 4 -rw-rw---- 1 jboss root    935 Jul  5 13:45 application-users.properties
 4 -rw-r--r-- 1 jboss jboss   422 Jul 14 16:52 keycloak-add-user.json
 4 -rw-r--r-- 1 root  root   2605 Jul 14 16:52 keycloak.jks
 4 -rw-rw---- 1 jboss root   2395 Jul  5 13:45 logging.properties
 4 -rw-rw---- 1 jboss root    669 Jul  5 13:45 mgmt-groups.properties
 4 -rw-rw---- 1 jboss root   1111 Jul 13 18:53 mgmt-users.properties
40 -rw-r--r-- 1 root  root  40274 Jul 14 16:52 standalone-ha.xml
32 -rw-rw-r-- 1 jboss root  31054 Jul  5 13:45 standalone.xml
Let's output it in YAML syntax. The keystore appears as a base64 string under binaryData:
[centos@vm-controller keytool-config]$ kubectl get cm keycloak-jks -o yaml
apiVersion: v1
binaryData:
  keycloak.jks: <base64-encoded keystore, omitted>
kind: ConfigMap
metadata:
  creationTimestamp: "2019-07-13T18:46:16Z"
  name: keycloak-jks
  namespace: dev
  resourceVersion: "37338192"
  selfLink: /api/v1/namespaces/dev/configmaps/keycloak-jks
  uid: 7f34058e-a59e-11e9-83e8-42010a80021c
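The following script is an added example and is not part of the XtremeCloud SSO documentation or Helm chart. It reproduces, for the keystore-to-ConfigMap step above, what kubectl create configmap --from-file stores (a binary file goes under binaryData, which is why the DATA column above reads 0), and adds a check a practitioner would want before packaging: that the file really is a JKS or PKCS#12 keystore, since keytool will silently produce the default store type if the wrong option is used. The function names, the kind/name/namespace parameters and the sample bytes in the test are assumptions; only POSIX sh, od(1) and base64(1) are required and nothing here contacts a cluster.

```shell
#!/bin/sh
# Added example (not from the XtremeCloud SSO docs or chart).
# Assumes POSIX sh with od(1) and base64(1); function names are ours.

# Classify a keystore file by its leading bytes: a JKS file starts with the
# magic 0xFEEDFEED, a PKCS#12 file is a DER SEQUENCE and starts with 0x30.
keystore_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        30*)      echo pkcs12 ;;
        *)        echo unknown ;;
    esac
}

# Emit the manifest kubectl builds with --from-file: a binary file lands
# under binaryData (base64) in a ConfigMap, or under data in a Secret.
# $1 = kind (ConfigMap or Secret), $2 = object name, $3 = namespace, $4 = file
keystore_manifest() {
    kind=$1; name=$2; ns=$3; file=$4
    key=$(basename "$file")
    b64=$(base64 "$file" | tr -d '\n')
    if [ "$kind" = Secret ]; then
        printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\n'
        printf 'metadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
        printf 'data:\n  %s: %s\n' "$key" "$b64"
    else
        printf 'apiVersion: v1\nkind: ConfigMap\n'
        printf 'metadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
        printf 'binaryData:\n  %s: %s\n' "$key" "$b64"
    fi
}

# Refuse to package anything that is not a recognised keystore, so a store
# generated in the wrong format is caught before it reaches the cluster.
check_and_render() {
    t=$(keystore_type "$4")
    if [ "$t" = unknown ]; then
        echo "refusing to package $4: not a JKS or PKCS#12 keystore" >&2
        return 1
    fi
    keystore_manifest "$1" "$2" "$3" "$4"
}
```

Typical use is check_and_render ConfigMap keycloak-jks dev keycloak.jks | kubectl apply -f -, after generating the store with keytool -genkeypair -storetype pkcs12 and a -dname so no interactive prompts are needed. Because keycloak.jks contains the server's private key, rendering it as a Secret (check_and_render Secret ...) is the better fit: a ConfigMap is not treated as sensitive by Kubernetes RBAC or by encryption-at-rest configuration, and, as the ls -lsa listing above shows, the mounted file is world-readable inside the container either way.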