Appendix A. Configuring OpenShift service serving certificates to generate TLS certificates for Keycloak


OpenShift’s service serving certificate can automate the generation and management of Transport Layer Security (TLS) certificates for use by Keycloak. Infrastructure components, such as the Ingress Controller, within an OpenShift cluster will trust these TLS certificates.

Prerequisites

  • Red Hat OpenShift Container Platform version 4.13 or later.
  • Installation of the RHBK operator.
  • Access to the OpenShift web console with the cluster-admin role.

Procedure

  1. In the OpenShift web console, from the Administrator perspective, expand Home in the navigation menu and click Projects.
  2. Search for keycloak, and select the keycloak-system namespace.
  3. Create a new service.

    1. Click the + icon.
    2. Copy the following example and paste it into the Import YAML text box.

      Example

      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.openshift.io/serving-cert-secret-name: keycloak-tls
        labels:
          app: keycloak
          app.kubernetes.io/instance: keycloak
        name: keycloak-service-trusted
        namespace: keycloak-system
      spec:
        internalTrafficPolicy: Cluster
        ipFamilies:
        - IPv4
        ipFamilyPolicy: SingleStack
        ports:
        - name: https
          port: 8443
        selector:
          app: keycloak
          app.kubernetes.io/instance: keycloak

    3. Click the Create button.
  4. Expand Operators from the navigation menu, click Installed Operators, and click Keycloak Operator.
  5. In the YAML view of the Keycloak resource, under the spec section, add the ingress property:

    Example

    spec:
    ...
      ingress:
        annotations:
          route.openshift.io/destination-ca-certificate-secret: keycloak-tls
          route.openshift.io/termination: reencrypt
    ...

    By default, the Keycloak operator creates Ingress resources instead of routes. OpenShift automatically creates a route based on the Ingress definition.

  6. Specify the name of the secret containing the TLS certificate, under the spec section:

    Example

    spec:
    ...
      http:
        tlsSecret: keycloak-tls
    ...

    Once Keycloak starts, OpenShift’s service serving certificate feature generates the TLS certificates that Keycloak uses.
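The three steps above reference the same Secret name from three places: the Service annotation that asks OpenShift to issue the certificate, the route annotation that tells the router which CA to verify the pod against, and spec.http.tlsSecret, which tells Keycloak which certificate to serve. If any of them drifts (for example after renaming the Secret), the route either fails to verify or Keycloak serves the wrong certificate. The following check, an added example that is not part of the Red Hat documentation or of the Keycloak operator, verifies that the three names agree and that the route is re-encrypt. The two manifests are embedded as Python dicts (constructed here so the check runs offline; on a live cluster they are what `json.loads(subprocess.check_output(["oc", "get", ..., "-o", "json"]))` returns). The Keycloak resource name `keycloak` and the misconfigured variant are assumptions.

```python
"""Consistency check for the OpenShift serving-certificate wiring used by Keycloak.

Added example, not part of the Red Hat documentation or of the Keycloak operator.
Manifests are constructed inline as dicts; on a cluster, load them with
`oc get service keycloak-service-trusted -n keycloak-system -o json` and
`oc get keycloak keycloak -n keycloak-system -o json` (resource name assumed).
"""

SERVING_CERT_ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"
ROUTE_CA_ANNOTATION = "route.openshift.io/destination-ca-certificate-secret"
ROUTE_TERMINATION_ANNOTATION = "route.openshift.io/termination"

# The Service from step 3 of the procedure, as a dict (constructed).
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "keycloak-service-trusted",
        "namespace": "keycloak-system",
        "annotations": {SERVING_CERT_ANNOTATION: "keycloak-tls"},
        "labels": {"app": "keycloak", "app.kubernetes.io/instance": "keycloak"},
    },
    "spec": {
        "ports": [{"name": "https", "port": 8443}],
        "selector": {"app": "keycloak", "app.kubernetes.io/instance": "keycloak"},
    },
}

# A Keycloak resource with the spec fragments from steps 5 and 6 applied (constructed).
KEYCLOAK_OK = {
    "kind": "Keycloak",
    "metadata": {"name": "keycloak", "namespace": "keycloak-system"},
    "spec": {
        "ingress": {
            "annotations": {
                ROUTE_CA_ANNOTATION: "keycloak-tls",
                ROUTE_TERMINATION_ANNOTATION: "reencrypt",
            }
        },
        "http": {"tlsSecret": "keycloak-tls"},
    },
}

# Hypothetical drifted configuration: edge termination and a stale Secret name.
KEYCLOAK_MISCONFIGURED = {
    "kind": "Keycloak",
    "metadata": {"name": "keycloak", "namespace": "keycloak-system"},
    "spec": {
        "ingress": {
            "annotations": {
                ROUTE_CA_ANNOTATION: "keycloak-tls",
                ROUTE_TERMINATION_ANNOTATION: "edge",
            }
        },
        "http": {"tlsSecret": "keycloak-tls-old"},
    },
}


def check_serving_cert_wiring(service: dict, keycloak: dict) -> list:
    """Return human-readable findings; an empty list means the wiring is consistent."""
    findings = []
    svc_name = service.get("metadata", {}).get("name", "<unnamed>")
    svc_annotations = service.get("metadata", {}).get("annotations") or {}
    secret_from_service = svc_annotations.get(SERVING_CERT_ANNOTATION)

    spec = keycloak.get("spec") or {}
    ingress_annotations = (spec.get("ingress") or {}).get("annotations") or {}
    route_ca_secret = ingress_annotations.get(ROUTE_CA_ANNOTATION)
    termination = ingress_annotations.get(ROUTE_TERMINATION_ANNOTATION)
    tls_secret = (spec.get("http") or {}).get("tlsSecret")

    # Only re-encrypt makes the router verify the pod certificate against the CA
    # named in the destination-ca annotation; edge or passthrough never does.
    if termination != "reencrypt":
        findings.append(
            f"{ROUTE_TERMINATION_ANNOTATION} is {termination!r}, expected 'reencrypt': "
            "the router will not verify the pod certificate against the serving CA"
        )

    # All three references must name the same Secret.
    references = {
        f"Service {svc_name} {SERVING_CERT_ANNOTATION}": secret_from_service,
        f"Keycloak {ROUTE_CA_ANNOTATION}": route_ca_secret,
        "Keycloak spec.http.tlsSecret": tls_secret,
    }
    for where, name in references.items():
        if not name:
            findings.append(f"{where} is not set")
    distinct = {name for name in references.values() if name}
    if len(distinct) > 1:
        findings.append(
            "secret names disagree: "
            + ", ".join(f"{where}={name!r}" for where, name in references.items())
        )
    return findings


if __name__ == "__main__":
    for label, cr in (("ok", KEYCLOAK_OK), ("misconfigured", KEYCLOAK_MISCONFIGURED)):
        print(label, check_serving_cert_wiring(SERVICE, cr) or ["no findings"])
```

After the Secret has been issued, the certificate inside it can be inspected with `oc get secret keycloak-tls -n keycloak-system -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer -dates`; the issuer should be the cluster's service CA (openshift-service-serving-signer), which is what makes the Ingress Controller trust the certificate without any extra CA bundle.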

© 2024 Red Hat, Inc.