Appendix A. Configuring OpenShift service serving certificates to generate TLS certificates for Keycloak

Procedure

1. In OpenShift web console, from the Administrator perspective, expand Home from the navigation menu, and click Projects.
2. Search for keycloak, and select the keycloak-system namespace.

3. Create a new service.

   1. Click the + icon.

   2. In the Import YAML text box, copy the example, and paste it into the text box.

      Example

      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.openshift.io/serving-cert-secret-name: keycloak-tls
        labels:
          app: keycloak
          app.kubernetes.io/instance: keycloak
        name: keycloak-service-trusted
        namespace: keycloak-system
      spec:
        internalTrafficPolicy: Cluster
        ipFamilies:
        - IPv4
        ipFamilyPolicy: SingleStack
        ports:
        - name: https
          port: 8443
        selector:
          app: keycloak
          app.kubernetes.io/instance: keycloak

   3. Click the Create button.
4. Expand Operators from the navigation menu, click Installed Operators, and click Keycloak Operator.

5. In the YAML view of the Keycloak resource, under the spec section, add the ingress property:

   Example

   spec:
   ...
     ingress:
       annotations:
         route.openshift.io/destination-ca-certificate-secret: keycloak-tls
         route.openshift.io/termination: reencrypt
   ...

   By default, the Keycloak operator creates Ingress resources instead of routes. OpenShift automatically creates a route based on the Ingress definition.

6. Specify the name of the secret containing the TLS certificate, under the spec section:

   Example

   spec:
   ...
     http:
       tlsSecret: keycloak-tls
   ...

   Once Keycloak starts, OpenShift’s service serving certificate starts generating TLS certificates for Keycloak.