Installation

Mark Sibering edited this page Dec 3, 2022 · 2 revisions

In order to have a secure pipeline, we do not want secrets included in revision control systems, unless we rotate these secrets out immediately. Moreover, we do not want to use usernames and passwords to begin with, except for the very first login. Users and passwords are stored externally, in AD or any other LDAP-compatible source.

To achieve the latter, we use Keycloak as the SSO solution. When someone needs to use an application in the toolbox, they first authenticate with Keycloak, and OIDC makes sure the application knows who you are and what you are allowed to do. The same holds when one application wants to access another: with the client credentials grant, the client application obtains access to the correct assets in the target application.

As a result, we need Keycloak to be operational. But Keycloak stores its data in PostgreSQL, so PostgreSQL needs to be up first. But how does PostgreSQL know that Keycloak actually is Keycloak? There are three essential elements here:

  • Access control on the database via pg_hba.conf
    In pg_hba.conf we set the IP address of Keycloak and link it to the database it is permitted to access (keycloak) and to the connection method (SSL).

  • Certificates
    In order to connect to the database, the certificates must be trusted, so both Keycloak and PostgreSQL need a certificate. That means you need certificates, and hence a PKI, in the first place.

  • Username/password for the database
    The most obvious access control method is the database username and password. Often these are given in the docker-compose file (bad) or in an environment variable (also bad: it can be read easily, see this presentation). That is why you really want to use dynamic secrets.

So, before anything else, we need something like HashiCorp Vault to be operational. But wait: access to HashiCorp Vault is delivered through... Keycloak. So we seem to have a catch-22 here.

Luckily we can:

  1. configure HashiCorp Vault
  2. as root user, generate a PKI with the required certificates
  3. create the PostgreSQL database
  4. provide certificates for PostgreSQL
  5. create Keycloak
  6. provide certificates for Keycloak
  7. nail down the SSL connection, as we know the IP address (172.16.10.11)
  8. configure Keycloak, including the creation of a Vault client
  9. get the client secret out of that configuration
  10. enter that secret in Vault for SSO through Keycloak
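The three elements above (pg_hba.conf pinning, certificates from a PKI, dynamic database credentials) and the ten-step bootstrap order, as one added shell example around the Vault CLI. This is not the toolbox's own script; it assumes VAULT_ADDR and VAULT_TOKEN point at an unsealed Vault with an admin token, that jq is installed, that the PostgreSQL host name, the PKI mount path, the role names, the realm name and a pre-created `keycloak_owner` group role are placeholders chosen here, and that Keycloak serves its realm under `/realms/<realm>` (the Keycloak 17+ URL layout). Only the Keycloak address 172.16.10.11 comes from the page.

```shell
#!/bin/sh
# Added example, not the toolbox's own scripts: the bootstrap steps from the
# page as shell functions around the Vault CLI. Assumptions (not on the page):
# VAULT_ADDR/VAULT_TOKEN reach an unsealed Vault with an admin token, jq is
# installed, host names, mount/role/realm names and the keycloak_owner group
# role are placeholders, and Keycloak uses the /realms/<realm> URL layout.
set -eu

KEYCLOAK_IP="${KEYCLOAK_IP:-172.16.10.11}"        # address given on the page
PG_HOST="${PG_HOST:-postgres.example.internal}"    # placeholder host name
PKI_MOUNT="${PKI_MOUNT:-pki}"                      # placeholder mount path
KC_REALM="${KC_REALM:-toolbox}"                    # placeholder realm name

# Step 7: pg_hba.conf rules that pin the keycloak database to the Keycloak
# address, TLS only. Pure text, so it can be checked without a running Vault.
# scram-sha-256 (rather than the cert method) is used because the database user
# is a dynamic Vault credential whose random name can never equal the client
# certificate CN; clientcert=verify-ca still demands a client certificate from
# our CA (ssl_ca_file in postgresql.conf). pg_hba.conf takes the first matching
# rule, so the trailing reject catches plain-TCP and other-source attempts.
render_pg_hba() {
    printf 'hostssl keycloak keycloak %s/32 scram-sha-256 clientcert=verify-ca\n' "$1"
    printf 'host    keycloak keycloak 0.0.0.0/0 reject\n'
}

# Step 2: root creates an internal CA and a role allowed to issue certificates
# for the toolbox hosts (IP SANs enabled because Keycloak is addressed by IP).
# $1 = path where the CA certificate PEM is stored for the other services.
pki_setup() {
    vault secrets enable -path="$PKI_MOUNT" pki
    vault secrets tune -max-lease-ttl=87600h "$PKI_MOUNT"
    vault write -field=certificate "$PKI_MOUNT/root/generate/internal" \
        common_name="toolbox internal CA" ttl=87600h > "$1"
    vault write "$PKI_MOUNT/roles/toolbox" \
        allowed_domains="example.internal" allow_subdomains=true \
        allow_ip_sans=true max_ttl=720h
}

# Steps 4 and 6: issue a short-lived certificate for one host.
# $1 = common name, $2 = output directory, $3 = optional IP SAN.
issue_cert() {
    mkdir -p "$2"
    vault write -format=json "$PKI_MOUNT/issue/toolbox" \
        common_name="$1" ttl=720h ${3:+ip_sans="$3"} > "$2/issue.json"
    jq -r .data.certificate "$2/issue.json" > "$2/server.crt"
    jq -r .data.private_key "$2/issue.json" > "$2/server.key"
    jq -r .data.issuing_ca  "$2/issue.json" > "$2/ca.crt"
    chmod 0600 "$2/server.key"
    rm "$2/issue.json"               # the JSON copy also holds the private key
}

# Dynamic database credentials instead of a static password in docker-compose
# or the environment. Vault connects as a bootstrap admin over verify-full TLS
# and then rotates that password so nobody else holds it. Each short-lived role
# joins keycloak_owner and creates objects as that owner, so tables survive
# credential rotation and expired roles can be dropped.
# $1 = CA PEM path for the PostgreSQL connection, $2 = bootstrap admin password.
db_dynamic_secrets() {
    vault secrets enable database
    vault write database/config/keycloak \
        plugin_name=postgresql-database-plugin allowed_roles=keycloak \
        connection_url="postgresql://{{username}}:{{password}}@${PG_HOST}:5432/keycloak?sslmode=verify-full&sslrootcert=$1" \
        username="vault_admin" password="$2"
    vault write -force database/rotate-root/keycloak
    vault write database/roles/keycloak db_name=keycloak \
        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' IN ROLE keycloak_owner; ALTER ROLE \"{{name}}\" SET role = keycloak_owner;" \
        default_ttl=1h max_ttl=24h
}

# Step 10: the client secret of Keycloak's "vault" client (step 9) goes into
# Vault's OIDC auth method, so later logins to Vault pass through Keycloak.
# $1 = client secret, $2 = CA PEM path so Vault trusts Keycloak's certificate.
vault_oidc_setup() {
    vault auth enable oidc
    vault write auth/oidc/config \
        oidc_discovery_url="https://${KEYCLOAK_IP}/realms/${KC_REALM}" \
        oidc_discovery_ca_pem=@"$2" \
        oidc_client_id="vault" oidc_client_secret="$1" default_role="default"
    vault write auth/oidc/role/default \
        bound_audiences="vault" user_claim="sub" token_policies="default" \
        allowed_redirect_uris="${VAULT_ADDR}/ui/vault/auth/oidc/oidc/callback"
}

# Run the whole order only when asked explicitly; merely sourcing this file
# defines the functions and has no side effects.
if [ "${1:-}" = "bootstrap" ]; then
    pki_setup /etc/toolbox/internal-ca.pem
    issue_cert "$PG_HOST" /etc/toolbox/postgres
    issue_cert "keycloak.example.internal" /etc/toolbox/keycloak "$KEYCLOAK_IP"
    render_pg_hba "$KEYCLOAK_IP" >> /etc/toolbox/postgres/pg_hba.conf
    db_dynamic_secrets /etc/toolbox/internal-ca.pem "${PG_BOOTSTRAP_PASSWORD:?}"
    vault_oidc_setup "${KC_VAULT_CLIENT_SECRET:?}" /etc/toolbox/internal-ca.pem
fi
```

The bootstrap admin password and the Keycloak client secret are passed once through the environment (`PG_BOOTSTRAP_PASSWORD`, `KC_VAULT_CLIENT_SECRET`) and are then made obsolete: Vault rotates the database password away immediately, and from step 10 on every Vault login goes through Keycloak rather than a shared token.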