Setup a TLS certificate for Keycloak

Use service serving certificates on OCP4

On OpenShift 4, use the "openshift" TLS provider instead, to get a certificate that works with the OpenShift router, is valid for 2 years and will be autorenewed:

parameters:
  keycloak:
    tls:
      provider: openshift

This guide provides an example how to setup a TLS certificate for Keycloak.

Requirements

  • commodore

  • kubectl

  • openssl

  • vault

  1. Prepare certificate files

    Self-signed certificates
    # Adjust the lifetime as necessary
    lifetime=3650
    openssl req -x509 -newkey rsa:4096 -nodes -keyout keycloak.key -out keycloak.crt -days ${lifetime} -subj '/CN=keycloak'
    CA issued certificates
    # Save the cert and key in these temporary files
    editor keycloak.key
    editor keycloak.crt
  2. Store certificate in Vault

    instance=keycloak
    parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"
    
    # Use the 'patch' subcommand to add to existing secret
    vault kv patch "${parent}/${instance}" keycloak-cert=@keycloak.crt keycloak-cert-key=@keycloak.key
  3. Remove temporary files

    rm keycloak.{key,crt}