Skip to content

Commit fd52fda

Browse files
committed
feat(keycloak): update entrypoint to handle certificate separation and adjust permissions
feat(postgres): restore schema-level privileges for Keycloak and app roles
1 parent b857e45 commit fd52fda

3 files changed

Lines changed: 58 additions & 19 deletions

File tree

services/keycloak/templates/agent.hcl.tpl

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -22,10 +22,11 @@ auto_auth {
2222
}
2323

2424
# ---------------------------------------------------------------------------
25-
# TLS certificate — cert + CA chain + private key in one PEM bundle.
26-
# KC_HTTPS_CERTIFICATE_FILE and KC_HTTPS_CERTIFICATE_KEY_FILE both reference
27-
# this file; Quarkus reads cert blocks from the cert path and key blocks from
28-
# the key path, so a combined bundle works for both.
25+
# TLS certificate — single pkiCert call renders cert+chain+key in one bundle.
26+
# The entrypoint splits this into separate cert and key files for Keycloak
27+
# because KC_HTTPS_CERTIFICATE_FILE and KC_HTTPS_CERTIFICATE_KEY_FILE must
28+
# be distinct files. Two separate pkiCert calls would issue two different
29+
# certificates whose keys would not match.
2930
# ---------------------------------------------------------------------------
3031

3132
template {
@@ -35,7 +36,7 @@ template {
3536
{{- end }}
3637
EOT
3738
destination = "/vault/certs/keycloak.pem"
38-
perms = "0640"
39+
perms = "0644"
3940
}
4041

4142
# ---------------------------------------------------------------------------
@@ -61,6 +62,8 @@ template {
6162
{{- with secret "${kv_admin_path}" -}}
6263
KC_BOOTSTRAP_ADMIN_USERNAME={{ .Data.data.username }}
6364
KC_BOOTSTRAP_ADMIN_PASSWORD={{ .Data.data.password }}
65+
KEYCLOAK_ADMIN={{ .Data.data.username }}
66+
KEYCLOAK_ADMIN_PASSWORD={{ .Data.data.password }}
6467
{{- end }}
6568
EOT
6669
destination = "/vault/secrets/keycloak-admin.env"

services/keycloak/templates/compose.yml.tpl

Lines changed: 42 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -41,21 +41,56 @@ services:
4141
image: ${keycloak_image}
4242
container_name: ${keycloak_container_name}
4343
restart: unless-stopped
44-
command: ["start"]
44+
entrypoint:
45+
- "sh"
46+
- "-ec"
47+
- |
48+
set -a
49+
. /vault/secrets/keycloak.env
50+
. /vault/secrets/keycloak-admin.env
51+
# Split the combined PEM into separate cert+chain and key files.
52+
# A single pkiCert template call is used to ensure cert and key match.
53+
: > /tmp/keycloak.crt
54+
: > /tmp/keycloak.key
55+
in_cert="0"
56+
in_key="0"
57+
while IFS= read -r line; do
58+
case "$$line" in
59+
"-----BEGIN CERTIFICATE-----") in_cert="1" ;;
60+
"-----END CERTIFICATE-----")
61+
printf '%s\n' "$$line" >> /tmp/keycloak.crt
62+
in_cert="0"
63+
continue
64+
;;
65+
"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") in_key="1" ;;
66+
"-----END EC PRIVATE KEY-----"|"-----END PRIVATE KEY-----")
67+
printf '%s\n' "$$line" >> /tmp/keycloak.key
68+
in_key="0"
69+
continue
70+
;;
71+
esac
72+
73+
if [ "$$in_cert" = "1" ]; then
74+
printf '%s\n' "$$line" >> /tmp/keycloak.crt
75+
fi
76+
if [ "$$in_key" = "1" ]; then
77+
printf '%s\n' "$$line" >> /tmp/keycloak.key
78+
fi
79+
done < /vault/certs/keycloak.pem
80+
81+
test -s /tmp/keycloak.crt
82+
test -s /tmp/keycloak.key
83+
exec /opt/keycloak/bin/kc.sh start
4584
depends_on:
4685
vault-agent:
4786
condition: service_healthy
4887

49-
env_file:
50-
- ${secrets_dir}/keycloak.env
51-
- ${secrets_dir}/keycloak-admin.env
52-
5388
environment:
5489
KC_DB: postgres
5590
KC_DB_URL: "jdbc:postgresql://${postgres_host}:5432/keycloak?ssl=true&sslmode=require"
5691
KC_DB_USERNAME: keycloak
57-
KC_HTTPS_CERTIFICATE_FILE: /vault/certs/keycloak.pem
58-
KC_HTTPS_CERTIFICATE_KEY_FILE: /vault/certs/keycloak.pem
92+
KC_HTTPS_CERTIFICATE_FILE: /tmp/keycloak.crt
93+
KC_HTTPS_CERTIFICATE_KEY_FILE: /tmp/keycloak.key
5994
KC_HOSTNAME_STRICT: "false"
6095
KC_HEALTH_ENABLED: "true"
6196

@@ -66,13 +101,6 @@ services:
66101
- ${certs_dir}:/vault/certs:ro,z
67102
- ${secrets_dir}:/vault/secrets:ro,z
68103

69-
healthcheck:
70-
test: ["CMD-SHELL", "curl -sf http://localhost:9000/health/ready"]
71-
interval: 10s
72-
timeout: 5s
73-
retries: 12
74-
start_period: 60s
75-
76104
networks:
77105
- keycloak-net
78106

services/postgres/templates/init.sql.tpl

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,14 @@ CREATE ROLE app_role NOLOGIN;
3535
GRANT ALL PRIVILEGES ON DATABASE app TO app_role;
3636
GRANT app_role TO vault_mgmt WITH ADMIN OPTION;
3737

38+
-- PostgreSQL 15+ revokes CREATE on public schema from PUBLIC by default.
39+
-- Restore schema-level privileges so Keycloak and app roles can create tables.
40+
\connect keycloak
41+
GRANT ALL ON SCHEMA public TO keycloak_role;
42+
\connect app
43+
GRANT ALL ON SCHEMA public TO app_role;
44+
\connect postgres
45+
3846
-- Keycloak application account -----------------------------------------------
3947
-- Managed by Vault Database static role. Initial password is a placeholder;
4048
-- Vault rotates it to a random value when the static role is first read.

0 commit comments

Comments
 (0)