feature: Allow ability to pass in root ca in the provider config #6
Comments
Greetings, I released version v0.3.0: https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v0.3.0 can you test please?

I will test it this evening and let you know. Thank you for the quick turnaround!
@Breee I am still getting this error...

```
Warning CannotObserveExternalResource 16s (x9 over 6m32s) managed/realm.keycloak.crossplane.io/v1alpha1, kind=realm cannot run refresh: refresh failed: error initializing keycloak provider: failed to perform initial login to Keycloak: Post "https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token": x509: certificate signed by unknown authority
```

and here is my creds file:

```json
{
  "client_id": "admin-cli",
  "username": "admin",
  "password": "securePassword",
  "url": "https://keycloak.example.com",
  "base_path": "/auth",
  "realm": "master",
  "root_ca_certificate": "/certs/internal.ca-bundle"
}
```

And here is my provider/runtime:

```yaml
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-keycloak
spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v0.3.0
  runtimeConfigRef:
    name: runtime
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: runtime
spec:
  deploymentTemplate:
    spec:
      replicas: 1
      selector: {}
      template:
        spec:
          containers:
            - name: package-runtime
              volumeMounts:
                - mountPath: /certs
                  name: ca-certs
              securityContext:
                runAsNonRoot: true
                runAsUser: 65532
                runAsGroup: 65532
                allowPrivilegeEscalation: false
                privileged: false
              resources:
                limits:
                  cpu: 100m
                  memory: 256Mi
                requests:
                  cpu: 10m
                  memory: 32Mi
          volumes:
            - name: ca-certs
              secret:
                secretName: intra-ca
          securityContext:
            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
              type: RuntimeDefault
```
Could you please provide debug logs of the provider? See https://docs.crossplane.io/knowledge-base/guides/troubleshoot/#provider-logs

Hm, I'll have to dig deeper into that issue later. All I can see in the code of the terraform provider is that it will open the path of the cert: https://github.com/mrparkers/terraform-provider-keycloak/blob/264286d732483b72c0b790487529210ec5dfd1fb/provider/provider.go#L212 and then passes its content to the HTTP client https://github.com/mrparkers/terraform-provider-keycloak/blob/264286d732483b72c0b790487529210ec5dfd1fb/keycloak/keycloak_client.go#L81C24-L81C24 I'll later also add the "tls_insecure_skip_verify" option for you to test / avoid the issue until we find out what happens

Having the

Released v0.4.0 https://marketplace.upbound.io/providers/crossplane-contrib/provider-keycloak/v0.4.0 that added all arguments from here: https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs#argument-reference you can test if

@Breee the

@a1994sc you can also check out if this helps you: https://docs.crossplane.io/knowledge-base/guides/self-signed-ca-certs/ if not we keep this issue open and investigate

I can try over the weekend, but I think I tried that early on but I will let you know if that works. Thank you again

Is this still an issue I have to look into?
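The two linked code paths (read the file named by `root_ca_certificate`, hand its bytes to the HTTP client) are the whole mechanism, so the useful check on the defender's side is whether those bytes actually parse as a PEM CA bundle and whether the server's certificate chains to it. The following is an added Go example, not code from this provider or from terraform-provider-keycloak. It loads a bundle into an `x509.CertPool`, turns the silent `false` from `AppendCertsFromPEM` (an empty or non-PEM file) into an explicit error, pins the pool into a `tls.Config` with `InsecureSkipVerify` left false, and reproduces the same `x509.UnknownAuthorityError` from the issue for a certificate issued by a different CA. The function names (`PoolFromPEM`, `LoadRootCAs`, `NewTLSConfig`, `VerifyAgainstPool`, `NewTestCA`) and the throwaway self-signed CA are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// PoolFromPEM builds a CertPool from PEM bytes. AppendCertsFromPEM returns
// false when it found no parseable CERTIFICATE block; an empty pool would make
// every server cert fail with "certificate signed by unknown authority", so
// that case is surfaced as an error right here.
func PoolFromPEM(data []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, errors.New("root CA bundle contains no parseable CERTIFICATE blocks")
	}
	return pool, nil
}

// LoadRootCAs reads the bundle at path (what root_ca_certificate points to)
// and wraps the path into any error so a wrong mount is visible in the logs.
func LoadRootCAs(path string) (*x509.CertPool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read root CA bundle %q: %w", path, err)
	}
	pool, err := PoolFromPEM(data)
	if err != nil {
		return nil, fmt.Errorf("root CA bundle %q: %w", path, err)
	}
	return pool, nil
}

// NewTLSConfig pins server verification to the given pool. InsecureSkipVerify
// stays false, so the bundle must really contain the issuing CA.
func NewTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// VerifyAgainstPool returns the error Go's verifier raises for cert, e.g.
// x509.UnknownAuthorityError when cert does not chain to the pool.
func VerifyAgainstPool(cert *x509.Certificate, pool *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// NewTestCA generates a throwaway self-signed CA (constructed for this
// example, not a real internal CA) and returns it as PEM plus parsed form.
func NewTestCA(cn string) ([]byte, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert
}

func main() {
	pemBytes, ca := NewTestCA("constructed-internal-root")
	// Mimic the mounted secret: write the bundle to a file and load it by path.
	path := filepath.Join(os.TempDir(), "internal.ca-bundle")
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		panic(err)
	}
	pool, err := LoadRootCAs(path)
	if err != nil {
		panic(err)
	}
	fmt.Println("InsecureSkipVerify:", NewTLSConfig(pool).InsecureSkipVerify)
	fmt.Println("own CA verifies:", VerifyAgainstPool(ca, pool))
	_, other := NewTestCA("constructed-other-root")
	fmt.Println("foreign CA:", VerifyAgainstPool(other, pool))
	_, err = PoolFromPEM([]byte("not a certificate"))
	fmt.Println("bad bundle:", err)
}
```

Run against the real mounted path, `LoadRootCAs` distinguishes the three failure modes that all end in the same "unknown authority" message: the file is not where the volume mount put it, the file is there but is not PEM (for example a secret key that was base64-encoded twice), or it is a valid bundle that simply does not contain the CA which issued the Keycloak certificate, which the `VerifyAgainstPool` check exposes.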
I believe so, sorry for the delay... This is the config that I ended up with:

```yaml
apiVersion: v1
kind: List
metadata:
  resourceVersion: ""
items:
  - apiVersion: pkg.crossplane.io/v1
    kind: Provider
    metadata:
      name: provider-keycloak
    spec:
      package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v0.8.0
      runtimeConfigRef:
        name: deploy-ha
  - apiVersion: pkg.crossplane.io/v1beta1
    kind: DeploymentRuntimeConfig
    metadata:
      name: deploy-ha
    spec:
      deploymentTemplate:
        metadata:
          annotations:
            reloader.stakater.com/auto: "true"
        spec:
          replicas: 2
          selector: {}
          template:
            metadata:
              annotations:
                reloader.stakater.com/auto: "true"
            spec:
              containers:
                - name: package-runtime
                  args:
                    - --leader-election
                  env:
                    - name: CA_BUNDLE_PATH
                      value: "/certs/example.com.ca-bundle"
                  volumeMounts:
                    - mountPath: /certs
                      name: ca-certs
                    - mountPath: /etc/ssl/certs
                      name: trust-store
                    - mountPath: /tmp
                      name: tmp
                  securityContext:
                    runAsNonRoot: true
                    runAsUser: 65532
                    runAsGroup: 65532
                    allowPrivilegeEscalation: false
                    readOnlyRootFilesystem: true
                    capabilities:
                      drop:
                        - ALL
                  resources:
                    limits:
                      cpu: null
                      memory: 512Mi
                    requests:
                      cpu: 10m
                      memory: 32Mi
              volumes:
                - name: ca-certs
                  secret:
                    secretName: intra-ca
                - name: tmp
                  emptyDir:
                    sizeLimit: 128Mi
                - name: trust-store
                  configMap:
                    name: ca-certificates
              securityContext:
                runAsNonRoot: true
                runAsUser: 65532
                runAsGroup: 65532
                seccompProfile:
                  type: RuntimeDefault
```
Issue

There does not seem to be a way to pass the `root_ca_certificate` argument to the terraform provider, link here

Current solution

Changes

Add the ability to specify the `root_ca_certificate` like in the example `credentials` below that will get passed to the terraform provider.