Details
Type: Enhancement
Status: Resolved
Priority: Minor
Resolution: Done
Version/s: 12.0.4, 13.0.0
None
NEW
NEW
Description
Add support for retrieving the Keycloak database credentials via Vault.
Quarkus supports this and there should be no code changes needed; refer to this tutorial: https://quarkus.io/guides/vault-datasource#dynamic-database-credentials
In my tries with 12.0.4, I get to this point where the credentials are retrieved and the connection is established, but liquibase gets in the way for some reason:
2021-05-23 17:50:45,886 DEBUG [io.qua.vau.run.VaultAuthManager] (agroal-11) authenticate with jwt at: /var/run/secrets/kubernetes.io/serviceaccount/token => ***
2021-05-23 17:50:46,325 DEBUG [io.qua.vau.run.VaultAuthManager] (agroal-11) created new login token: {clientToken: ***, renewable: true, leaseDuration: 2764800s, valid_until: Thu Jun 24 17:50:46 GMT 2021}
2021-05-23 17:50:49,989 DEBUG [io.qua.vau.run.VaultDbManager] (agroal-11) generated keycloak-role credentials: {leaseId: database/creds/keycloak-role/HxOGfxEiYhSBsm7nVU5SN4AQ, renewable: true, leaseDuration: 3600s, valid_until: Sun May 23 18:50:49 GMT 2021, username: keycloak-uspjiexn8gsrux4gahba-1621792246, password:***}
2021-05-23 17:50:50,387 DEBUG [io.qua.vau.run.VaultDbManager] (agroal-11) extended keycloak-role credentials with: {leaseId: database/creds/keycloak-role/HxOGfxEiYhSBsm7nVU5SN4AQ, renewable: true, leaseDuration: 3600s, valid_until: Sun May 23 18:50:50 GMT 2021, username: keycloak-uspjiexn8gsrux4gahba-1621792246, password:***}
2021-05-23 17:50:52,531 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:52,596 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:52,661 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:52,787 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:52,911 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:53,256 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:53,733 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:54,520 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:55,006 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:59,240 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
2021-05-23 17:50:59,266 ERROR [org.key.cli.Picocli] (main) ERROR: Failed to start server using profile (none).
2021-05-23 17:50:59,267 ERROR [org.key.cli.Picocli] (main) ERROR: liquibase.exception.DatabaseException: ERROR: relation "keycloak.public.databasechangeloglock" already exists [Failed SQL: CREATE TABLE public.databasechangeloglock (ID INT NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TIMESTAMP WITHOUT TIME ZONE, LOCKEDBY VARCHAR(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID))]
2021-05-23 17:50:59,267 ERROR [org.key.cli.Picocli] (main) ERROR: ERROR: relation "keycloak.public.databasechangeloglock" already exists [Failed SQL: CREATE TABLE public.databasechangeloglock (ID INT NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TIMESTAMP WITHOUT TIME ZONE, LOCKEDBY VARCHAR(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID))]
2021-05-23 17:50:59,267 ERROR [org.key.cli.Picocli] (main) ERROR: ERROR: relation "keycloak.public.databasechangeloglock" already exists
I should add that I am using cockroachdb and a pre-populated database and that liquibase with this db. I don't have any issues with liquibase when connecting with statically defined credentials.
In my trials with 13.0.0, I get a null pointer exception when keycloak is trying to authenticate to vault:
2021-05-23 14:28:25,107 WARN [io.qua.agr.run.AgroalConnectionConfigurer] (main) Agroal does not support detecting if a connection is still usable after an exception for database kind: postgres
2021-05-23 14:28:25,123 DEBUG [io.qua.agr.run.DataSources] (main) Started datasource <default> connected to jdbc:postgresql://cockroachdb-public.cockroachdb.svc:26257/keycloak?ssl=true&sslmode=require&sslrootcert=/certs/ca.crt
2021-05-23 14:28:25,510 WARN [org.hib.eng.jdb.env.int.JdbcEnvironmentInitiator] (main) HHH000342: Could not obtain connection to query metadata: java.lang.NullPointerException
    at io.quarkus.vault.runtime.VaultCredentialsProvider.getCredentials(VaultCredentialsProvider.java:30)
    at io.quarkus.vault.runtime.VaultCredentialsProvider_ClientProxy.getCredentials(VaultCredentialsProvider_ClientProxy.zig:128)
    at io.quarkus.agroal.runtime.AgroalVaultCredentialsProviderPassword.asProperties(AgroalVaultCredentialsProviderPassword.java:21)
    at io.agroal.api.security.AgroalDefaultSecurityProvider.getSecurityProperties(AgroalDefaultSecurityProvider.java:23)
    at io.agroal.pool.ConnectionFactory.securityProperties(ConnectionFactory.java:190)
    at io.agroal.pool.ConnectionFactory.securityProperties(ConnectionFactory.java:179)
    at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:209)
    at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:490)
    at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:472)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:68)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1126)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Here is my relevant config (same in both cases):
#datasource
db=postgres
db.url=jdbc:postgresql://cockroachdb-public.cockroachdb.svc:26257/keycloak?ssl=true&sslmode=require&sslrootcert=/certs/ca.crt
quarkus.datasource.credentials-provider=keycloak
quarkus.datasource.devservices=false
quarkus.liquibase.migrate-at-start=false
#Vault
quarkus.vault.credentials-provider.keycloak.database-credentials-role=keycloak-role
quarkus.vault.authentication.kubernetes.role=keycloak
quarkus.vault.url=https://vault.vault.svc:8200
quarkus.vault.authentication.kubernetes.auth-mount-path=auth/kubernetes-{{ .Values.cluster }}
quarkus.vault.tls.ca-cert=/vault-certs/ca.crt
quarkus.vault.read-timeout=10s
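As an added example (not the reporter's config tooling or Keycloak project code), this Python check parses a datasource/Vault property set like the one above and reports the inconsistencies a reviewer would look for before blaming the Vault integration: a credentials-provider name with no matching Vault role key, a value that still carries an unrendered template placeholder, a plain-http Vault URL, or a password embedded in the JDBC URL. The property names are the Quarkus ones from the config above; the sample is a constructed copy of it and the check function is hypothetical.

```python
# Constructed sample, mirroring the datasource/Vault config pasted in this issue.
# It is a Helm template, so the auth-mount-path placeholder is expected to be
# reported until the chart has been rendered.
SAMPLE_CONFIG = """
#datasource
db=postgres
db.url=jdbc:postgresql://cockroachdb-public.cockroachdb.svc:26257/keycloak?ssl=true&sslmode=require&sslrootcert=/certs/ca.crt
quarkus.datasource.credentials-provider=keycloak
quarkus.datasource.devservices=false
quarkus.liquibase.migrate-at-start=false
#Vault
quarkus.vault.credentials-provider.keycloak.database-credentials-role=keycloak-role
quarkus.vault.authentication.kubernetes.role=keycloak
quarkus.vault.url=https://vault.vault.svc:8200
quarkus.vault.authentication.kubernetes.auth-mount-path=auth/kubernetes-{{ .Values.cluster }}
quarkus.vault.tls.ca-cert=/vault-certs/ca.crt
quarkus.vault.read-timeout=10s
"""


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_vault_datasource(props):
    """Hypothetical consistency check; returns a list of findings (empty = consistent)."""
    findings = []
    provider = props.get("quarkus.datasource.credentials-provider")
    if provider is None:
        findings.append("no credentials-provider: datasource would use static credentials")
    else:
        # Quarkus looks up the Vault role under the provider name given on the datasource.
        role_key = f"quarkus.vault.credentials-provider.{provider}.database-credentials-role"
        if role_key not in props:
            findings.append(f"credentials-provider '{provider}' has no {role_key}")
    if props.get("quarkus.vault.url", "").startswith("http://"):
        findings.append("quarkus.vault.url is plain http: leased credentials would cross the wire unencrypted")
    for key, value in props.items():
        if "{{" in value:
            findings.append(f"{key} still contains a template placeholder: {value}")
        if "password=" in value.lower():
            findings.append(f"{key} embeds a password in the JDBC URL")
    return findings
```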
Issue Links
is caused by: KEYCLOAK-18475 Evaluate how to provide custom dependencies (Resolved)