
doc update
Signed-off-by: Tero Saarni <[email protected]>
tsaarni committed Oct 11, 2024
1 parent 2cb75fd commit 4be95bb
Showing 4 changed files with 20 additions and 10 deletions.
8 changes: 4 additions & 4 deletions docs/ingress-controllers.md
Expand Up @@ -16,7 +16,7 @@ spec:
virtualhost:
fqdn: keycloak.127-0-0-121.nip.io
tls:
secretName: keycloak-external
secretName: keycloak-server-cert
clientValidation:
caSecret: client-ca
optionalClientCertificate: true
Expand Down Expand Up @@ -57,7 +57,7 @@ spec:
protocol: HTTPS
tls:
mode: OPTIONAL_MUTUAL
credentialName: keycloak-external
credentialName: keycloak-server-cert
hosts:
- "*"
```
Expand All @@ -68,7 +68,7 @@ spec:
To configure a client with the X509 authenticator, create a new client with the following settings:

1. In the "General settings" step, fill in:
- Set the Client ID name, for example: `x509test`
- Set the Client ID name, for example: `xfcc-client`
2. In the "Capabilicy config" step, fill in:
- Client Authentication: On
- Select "Service accounts roles"
Expand All @@ -82,7 +82,7 @@ Enable the X509 authenticator:
Make an HTTP request with the client certificate:

```console
$ http --cert certs/x509client.pem --cert-key certs/x509client-key.pem --verify certs/ca.pem --form POST https://keycloak.127-0-0-1.nip.io:8443/realms/master/protocol/openid-connect/token grant_type=client_credentials client_id=x509test
$ http --cert target/certs/client.pem --cert-key target/certs/client-key.pem --verify target/certs/server-ca.pem --form POST https://keycloak.127.0.0.1.nip.io:8443/realms/xfcc/protocol/openid-connect/token grant_type=client_credentials client_id=xfcc-client
HTTP/1.1 200 OK
cache-control: no-store
content-length: 1412
Expand Up @@ -17,6 +17,9 @@
import org.keycloak.http.HttpRequest;
import org.keycloak.services.x509.X509ClientCertificateLookup;

/**
* Extracts the client certificate chain from the HTTP request forwarded by Envoy.
*/
public class EnvoyProxySslClientCertificateLookup implements X509ClientCertificateLookup {

protected final static String XFCC_HEADER = "x-forwarded-client-cert";
Expand All @@ -30,10 +33,10 @@ public void close() {
/**
* Extracts the client certificate chain from the HTTP request forwarded by Envoy.
*
* The Envoy XFCC header value is a comma (“,”) separated string.
* The Envoy XFCC header value is a comma (",") separated string.
* Each substring is an XFCC element, which holds information added by a single proxy.
* Each XFCC element is a semicolon (“;”) separated list of key-value pairs.
* Each key-value pair is separated by an equal sign (“=”).
* Each XFCC element is a semicolon (";") separated list of key-value pairs.
* Each key-value pair is separated by an equal sign ("=").
*
* Example:
*
Expand All @@ -44,7 +47,6 @@ public void close() {
* 1. Cert - The entire client certificate in URL encoded PEM format.
* 2. Chain - The entire client certificate chain (including the leaf certificate) in URL encoded PEM format.
*
*
* For Envoy documentation, see
* https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert
*
Expand Down Expand Up @@ -89,8 +91,10 @@ public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws Gen
return certs;
}

/**
* Decodes the URL encoded value and removes enclosing quotes if present.
*/
private String decodeValue(String value) {
// Remove enclosing quotes if present.
if (value.startsWith("\"") && value.endsWith("\"")) {
value = value.substring(1, value.length() - 1);
}
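Review bot: The new class-level Javadoc on EnvoyProxySslClientCertificateLookup repeats the first sentence of getCertificateChain's Javadoc word for word, so it adds nothing at the class level, and neither comment states the trust assumption a deployer needs: the chain is read from the `x-forwarded-client-cert` header (XFCC_HEADER), so the result is only as trustworthy as the proxy that set that header. Suggest replacing the class comment with `Looks up the client certificate chain from Envoy's x-forwarded-client-cert (XFCC) header. The header value is trusted as received, so Keycloak must only be reachable through an Envoy that sets or overwrites it (e.g. forward_client_cert_details: SANITIZE_SET); a request that bypasses the proxy could present any value.` In the last hunk, the new Javadoc on decodeValue promises URL decoding, but only the quote stripping is visible here; the method body continues outside the hunk, so confirm the decoding step is there and that the comment matches it.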
Expand Up @@ -14,6 +14,9 @@
import org.keycloak.services.x509.X509ClientCertificateLookup;
import org.keycloak.services.x509.X509ClientCertificateLookupFactory;

/**
* Factory for creating EnvoyProxySslClientCertificateLookup instances.
*/
public class EnvoyProxySslClientCertificateLookupFactory implements X509ClientCertificateLookupFactory {

private final static String PROVIDER = "envoy";
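Review bot: The new Javadoc on EnvoyProxySslClientCertificateLookupFactory names the product type but not the provider id that selects it, which is the one thing an operator looks for in this class; `PROVIDER = "envoy"` sits directly below it. Suggest `Factory for EnvoyProxySslClientCertificateLookup, registered under the provider id "envoy".` The rest of the class is outside the hunk.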
Expand Up @@ -16,6 +16,9 @@
import org.jboss.logging.Logger;
import org.junit.jupiter.api.extension.AfterAllCallback;

/**
* JUnit extension for starting and stopping Docker Compose.
*/
public class DockerComposeExtension implements BeforeAllCallback, AfterAllCallback {

private static final String DOCKER_COMPOSE_UP = "docker compose up --force-recreate --detach";
Expand All @@ -32,7 +35,7 @@ public class DockerComposeExtension implements BeforeAllCallback, AfterAllCallba
@Override
public void beforeAll(ExtensionContext context) throws Exception {
run(DOCKER_COMPOSE_UP, "Failed to start Docker Compose.");
logger.info("Use the following command to see the logs \"docker compose logs -f\"");
logger.info("To see logs, run 'docker compose logs -f'");
}

@Override
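Review bot: The new Javadoc on DockerComposeExtension says what the class is but not what it does to the host, which is what a reader of a test fixture needs: beforeAll runs `DOCKER_COMPOSE_UP`, i.e. `docker compose up --force-recreate --detach`, so Docker and a compose file must be available where the tests run, and `--force-recreate` replaces any running containers of that compose project. Suggest `JUnit 5 extension that runs "docker compose up --force-recreate --detach" before all tests in the class and tears the stack down afterwards; requires Docker on the host.` The afterAll side and the run helper are outside the hunk, so the teardown wording should be confirmed against them.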
