authorGravatar Joe Banks <[email protected]>2024-07-21 10:03:09 +0100
committerGravatar Joe Banks <[email protected]>2024-07-21 10:11:39 +0100
commit13b30dd715ab6646fe70adf71b192e55753f5c54 (patch)
tree72af8cdb4f7b42fa14d27b1882b850680326a7c8 /kubernetes/namespaces/tooling
parentAdd LDAP role (diff)
Add a trust store to Keycloak for the IPA generated CA
This allows Keycloak to connect to LDAP over LDAPS and ensures a) the authenticity of the LDAP server (its certificate chains to the IPA CA) and b) the confidentiality of the transmission. Signed-off-by: Joe Banks <[email protected]>
Diffstat (limited to 'kubernetes/namespaces/tooling')
-rw-r--r--kubernetes/namespaces/tooling/keycloak/configmap.yaml5
-rw-r--r--kubernetes/namespaces/tooling/keycloak/deployment.yaml7
-rw-r--r--kubernetes/namespaces/tooling/keycloak/ipa-ca-configmap.yaml33
3 files changed, 44 insertions, 1 deletions
diff --git a/kubernetes/namespaces/tooling/keycloak/configmap.yaml b/kubernetes/namespaces/tooling/keycloak/configmap.yaml
index b68ea27..bf3c49d 100644
--- a/kubernetes/namespaces/tooling/keycloak/configmap.yaml
+++ b/kubernetes/namespaces/tooling/keycloak/configmap.yaml
@@ -11,7 +11,7 @@ data:
# Set the location of the TLS certificates generated by Vault
KC_HTTPS_CERTIFICATE_FILE: "/vault/secrets/server.crt"
- KC_HTTPS_CERTIFICATE_KEY_FILE: "/vault/secrets/server.key"
+ KC_HTTPS_CERTIFICATE_KEY_FILE: "/vault/secrets/server.key"
# Proxy settings
KC_PROXY_HEADERS: "xforwarded"
@@ -21,3 +21,6 @@ data:
KC_DB_USERNAME: "keycloak"
KC_DB_URL_DATABASE: "keycloak"
KC_DB_URL_HOST: "lovelace.box.pydis.wtf"
+
+ # Trusted cert for the connection to the LDAP server
+ KC_TRUSTSTORE_PATHS: "/opt/pydis/ca-store/pydis-ipa-cert.pem"
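Review bot: `KC_TRUSTSTORE_PATHS` only makes Keycloak trust the IPA CA; whether the LDAP connection actually uses it depends on the user-federation provider's connection URL being `ldaps://` (or StartTLS) and on its truststore-SPI setting, both of which live in realm configuration rather than in this diff, so confirm the provider is not still on plain `ldap://`, otherwise the commit's stated authenticity goal is not met. This variable is also only honoured by Keycloak 24 and later; the image tag is not visible here, so check the deployed version (older releases need the `spi-truststore-file-*` options and do not recognise this one). I'd make the comment record both constraints: `# CA for the LDAPS connection to IPA (Keycloak >= 24; the LDAP provider must use ldaps:// for this to take effect)`.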
diff --git a/kubernetes/namespaces/tooling/keycloak/deployment.yaml b/kubernetes/namespaces/tooling/keycloak/deployment.yaml
index 8f9834a..2ccbb07 100644
--- a/kubernetes/namespaces/tooling/keycloak/deployment.yaml
+++ b/kubernetes/namespaces/tooling/keycloak/deployment.yaml
@@ -49,3 +49,10 @@ spec:
path: /realms/master
port: 8443
scheme: HTTPS
+ volumeMounts:
+ - name: ca-store
+ mountPath: /opt/pydis/ca-store
+ volumes:
+ - name: ca-store
+ configMap:
+ name: keycloak-ca-configmap
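Review bot: The `ca-store` mount is a trust anchor and should be mounted read-only, `readOnly: true` alongside `mountPath: /opt/pydis/ca-store`, so nothing running in the container can replace the CA that Keycloak trusts for LDAPS. The extracted diff has lost its indentation, so also confirm that `volumeMounts` sits under the Keycloak container and `volumes` under the pod `spec`, not nested under the readiness-probe block that precedes them in the hunk. Since the volume references `keycloak-ca-configmap` by name with the default `optional: false`, a missing ConfigMap keeps the pod from starting, which is the right failure mode for a trust store; a one-line comment saying that is deliberate, `# fail closed: pod must not start without the IPA CA`, would stop someone "fixing" it with `optional: true`.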
diff --git a/kubernetes/namespaces/tooling/keycloak/ipa-ca-configmap.yaml b/kubernetes/namespaces/tooling/keycloak/ipa-ca-configmap.yaml
new file mode 100644
index 0000000..086479b
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/ipa-ca-configmap.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: keycloak-ca-configmap
+ namespace: tooling
+data:
+ pydis-ipa-cert.pem: |
+ -----BEGIN CERTIFICATE-----
+ MIIETjCCAragAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1CT1gu
+ UFlESVMuV1RGMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjQw
+ NzE5MjExMDI2WhcNNDQwNzE5MjExMDI2WjA4MRYwFAYDVQQKDA1CT1guUFlESVMu
+ V1RGMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0GCSqGSIb3
+ DQEBAQUAA4IBjwAwggGKAoIBgQDvVLBXKeN0gj6OyMwf6VoVE64b6o3gsmoALrAe
+ VT+iIXQP4YZhvOOH/aMG+6o/2OQDxWGnYFbqLZlJ4jE+cCUKBmMBHSet85jH+4zZ
+ vQcmp7hdCEr3Kn0qSFtqdiB9H8zfRypN5RXSz6rwrm/WyfoY9N37uRm3ihkntwLI
+ +ooWBzgkJ2b/dvKViNGInrEXQ3E+raEeSJpnlu2+2sPFn3/lZzDr/tPLnFmZFT4V
+ jf8WFjeOcQ0v7QNApZ/31EI82BPwuzCtn2va2tOTxS/ni4nPGRztZKzaSKNGeN1D
+ fOK63aKaKRmD0yF9n6BEu0s8CzZlDr3K22Msix/iOBBgbj8oOcR/NaO/OLEk6sdm
+ v+bEZEE3wvEfi4dulhRn0P+E1acXbDg43Z08pJKRf2mFF1AUF/i8hrbQ8riWsfvr
+ 9rsM5USONjZohw14oTUgmfqyLjEhKCc9XfWxEA/gnyqZW/8otwGPUkE/ZHtYMXD6
+ UruinbleLP8Enj0N1Cr0NYleH28CAwEAAaNjMGEwHQYDVR0OBBYEFGGvQuMOH2lq
+ GBWDQWhiJOuPGwl7MB8GA1UdIwQYMBaAFGGvQuMOH2lqGBWDQWhiJOuPGwl7MA8G
+ A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IB
+ gQCcVlRpHjapjKxnG66diR4GxgdpbT4CKYb+LliUpRuhrGPVZ5PL22P+iNH29y/w
+ PM1CuB0E/Rqhct6GhjU7ZYooVl4xZoYPgrjXcAHxbePfYkWCzRK5IY6ZZa7B83+d
+ mR30ptKQ7bdjATui7XA0rosiVF3Kxvot3wvxgEGVElvVgkayFTrgRaVr65Mro/E0
+ tq2JdWIe9wEHn11w7+SYFpaP+1J+gwsSukDJ9cSfRvtpUdk2a4zgLOnSdCjor5gJ
+ EaNoHPdd2cRSzbvZBIYfN50Oov6/mbwDDgD+g+SZy0HvYhQa/tr9udPQlXk0NjM8
+ 4ItUH2+188Wa2Z00gPXLLz7AbsgnsONhf7omnw1muSnyrbWvYQsypmgzGuxs3MGC
+ bcvZ9wk5K5Ppg7pLtpYyjcM7C2K6Um1DuK/pIHdPFjdXl6rtgDs/tN9p8jiLAbUl
+ tdT9K7x8iF0anvzdTU/LLf2Uj3QfAy6RT09jkW0ukr54HFKYXZ3OprDgH5l6XkHy
+ JAM=
+ -----END CERTIFICATE-----
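Review bot: The trust anchor is pasted in with no provenance, so a future reader cannot tell where `pydis-ipa-cert.pem` came from, how it was verified, or when it must be replaced; decoding it shows a self-signed CA (`O=BOX.PYDIS.WTF, CN=Certificate Authority`, the FreeIPA default) with a 2024-07-19 to 2044-07-19 validity, which looks right but should be written down so a regenerated IPA CA is noticed. I'd add a comment above `data:` recording the source (presumably `/etc/ipa/ca.crt` on the IPA host), the SHA-256 fingerprint checked out-of-band against the IPA server, and the notAfter date; that is several lines, so I have not quoted it in full. Keeping the public CA in a ConfigMap rather than a Secret is appropriate because it holds no key material, and a comment should say so to discourage anyone from later adding the signing key or a client key to this file.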