Setup a TLS certificate for Keycloak

Use service serving certificates on OCP4

On OpenShift 4, use the "openshift" TLS provider instead, to get a certificate that works with the OpenShift router, is valid for 2 years and will be autorenewed:

parameters:
  keycloak:
    tls:
      provider: openshift

This guide provides an example how to setup a TLS certificate for Keycloak.

Requirements

  • commodore

  • kubectl

  • openssl

  • vault

  1. Prepare certificate files

    Self-signed certificates
    # Adjust the lifetime as necessary
lifetime=3650
openssl req -x509 -newkey rsa:4096 -nodes -keyout keycloak.key -out keycloak.crt -days ${lifetime} -subj '/CN=keycloak'
    CA issued certificates
    # Save the cert and key in these temporary files
editor keycloak.key
editor keycloak.crt

  2. Store certificate in Vault

    instance=keycloak
parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"

# Use the 'patch' subcommand to add to existing secret
vault kv patch "${parent}/${instance}" keycloak-cert=@keycloak.crt keycloak-cert-key=@keycloak.key

  3. Remove temporary files

    rm keycloak.{key,crt}