
Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 12.0.4, 13.0.0
    • Fix Version/s: 15.1.0
    • Component/s: Distribution - Quarkus
    • Labels: None

    Description

      Add support for retrieving the Keycloak database credentials via Vault.

      Quarkus supports this, and there should be no code changes needed; refer to this tutorial: https://quarkus.io/guides/vault-datasource#dynamic-database-credentials


      In my trials with 12.0.4, I get to this point where the credentials are retrieved and the connection is established, but Liquibase gets in the way for some reason:

      2021-05-23 17:50:45,886 DEBUG [io.qua.vau.run.VaultAuthManager] (agroal-11) authenticate with jwt at: /var/run/secrets/kubernetes.io/serviceaccount/token => *** 
      2021-05-23 17:50:46,325 DEBUG [io.qua.vau.run.VaultAuthManager] (agroal-11) created new login token: {clientToken: ***, renewable: true, leaseDuration: 2764800s, valid_until: Thu Jun 24 17:50:46 GMT 2021} 
      2021-05-23 17:50:49,989 DEBUG [io.qua.vau.run.VaultDbManager] (agroal-11) generated keycloak-role credentials: {leaseId: database/creds/keycloak-role/HxOGfxEiYhSBsm7nVU5SN4AQ, renewable: true, leaseDuration: 3600s, valid_until: Sun May 23 18:50:49 GMT 2021, username: keycloak-uspjiexn8gsrux4gahba-1621792246, password:***} 
      2021-05-23 17:50:50,387 DEBUG [io.qua.vau.run.VaultDbManager] (agroal-11) extended keycloak-role credentials with: {leaseId: database/creds/keycloak-role/HxOGfxEiYhSBsm7nVU5SN4AQ, renewable: true, leaseDuration: 3600s, valid_until: Sun May 23 18:50:50 GMT 2021, username: keycloak-uspjiexn8gsrux4gahba-1621792246, password:***} 
      2021-05-23 17:50:52,531 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:52,596 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:52,661 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:52,787 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:52,911 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:53,256 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:53,733 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:54,520 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:55,006 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:59,240 WARN [org.key.con.jpa.upd.liq.loc.CustomLockService] (main) Failed to create lock table. Maybe other transaction created in the meantime. Retrying... 
      2021-05-23 17:50:59,266 ERROR [org.key.cli.Picocli] (main) ERROR: Failed to start server using profile (none). 
      2021-05-23 17:50:59,267 ERROR [org.key.cli.Picocli] (main) ERROR: liquibase.exception.DatabaseException: ERROR: relation "keycloak.public.databasechangeloglock" already exists [Failed SQL: CREATE TABLE public.databasechangeloglock (ID INT NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TIMESTAMP WITHOUT TIME ZONE, LOCKEDBY VARCHAR(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID))] 
      2021-05-23 17:50:59,267 ERROR [org.key.cli.Picocli] (main) ERROR: ERROR: relation "keycloak.public.databasechangeloglock" already exists [Failed SQL: CREATE TABLE public.databasechangeloglock (ID INT NOT NULL, LOCKED BOOLEAN NOT NULL, LOCKGRANTED TIMESTAMP WITHOUT TIME ZONE, LOCKEDBY VARCHAR(255), CONSTRAINT PK_DATABASECHANGELOGLOCK PRIMARY KEY (ID))] 
      2021-05-23 17:50:59,267 ERROR [org.key.cli.Picocli] (main) ERROR: ERROR: relation "keycloak.public.databasechangeloglock" already exists

      I should add that I am using CockroachDB and a pre-populated database and that Liquibase with this DB. I don't have any issues with Liquibase when connecting with statically defined credentials.

      In my trials with 13.0.0, I get a null pointer exception when Keycloak is trying to authenticate to Vault:

      2021-05-23 14:28:25,107 WARN [io.qua.agr.run.AgroalConnectionConfigurer] (main) Agroal does not support detecting if a connection is still usable after an exception for database kind: postgres 
      2021-05-23 14:28:25,123 DEBUG [io.qua.agr.run.DataSources] (main) Started datasource <default> connected to jdbc:postgresql://cockroachdb-public.cockroachdb.svc:26257/keycloak?ssl=true&sslmode=require&sslrootcert=/certs/ca.crt 
      2021-05-23 14:28:25,510 WARN [org.hib.eng.jdb.env.int.JdbcEnvironmentInitiator] (main) HHH000342: Could not obtain connection to query metadata: java.lang.NullPointerException
          at io.quarkus.vault.runtime.VaultCredentialsProvider.getCredentials(VaultCredentialsProvider.java:30)
          at io.quarkus.vault.runtime.VaultCredentialsProvider_ClientProxy.getCredentials(VaultCredentialsProvider_ClientProxy.zig:128)
          at io.quarkus.agroal.runtime.AgroalVaultCredentialsProviderPassword.asProperties(AgroalVaultCredentialsProviderPassword.java:21)
          at io.agroal.api.security.AgroalDefaultSecurityProvider.getSecurityProperties(AgroalDefaultSecurityProvider.java:23)
          at io.agroal.pool.ConnectionFactory.securityProperties(ConnectionFactory.java:190)
          at io.agroal.pool.ConnectionFactory.securityProperties(ConnectionFactory.java:179)
          at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:209)
          at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:490)
          at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:472)
          at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
          at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:68)
          at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1126)
          at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
          at java.base/java.lang.Thread.run(Thread.java:829)

      Here is my relevant config (same in both cases):


      #datasource
      db=postgres
      db.url=jdbc:postgresql://cockroachdb-public.cockroachdb.svc:26257/keycloak?ssl=true&sslmode=require&sslrootcert=/certs/ca.crt
      quarkus.datasource.credentials-provider=keycloak
      quarkus.datasource.devservices=false
      quarkus.liquibase.migrate-at-start=false

      #Vault
      quarkus.vault.credentials-provider.keycloak.database-credentials-role=keycloak-role
      quarkus.vault.authentication.kubernetes.role=keycloak
      quarkus.vault.url=https://vault.vault.svc:8200
      quarkus.vault.authentication.kubernetes.auth-mount-path=auth/kubernetes-{{ .Values.cluster }}
      quarkus.vault.tls.ca-cert=/vault-certs/ca.crt
      quarkus.vault.read-timeout=10s
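The four VaultAuthManager/VaultDbManager DEBUG lines in the 12.0.4 log above show the whole credential lifecycle the Quarkus Vault extension drives: Kubernetes JWT login, a Vault client token, a generated database lease, and one renewal. The script below is an added example, not code from this issue, from Keycloak or from Quarkus. It parses those debug lines (embedded as a constructed sample copied from the log above) and runs the checks an operator would want before trusting such a deployment: that the client token and password are masked in the log, that the login token's TTL stays under a policy limit (the 24-hour limit is an assumed value; the 2764800s token in the log is 32 days), and that each database lease was renewed, and renewed before it expired. The field names (leaseId, leaseDuration, valid_until, username, password) are the ones Quarkus prints; nothing else about the extension's internals is assumed, and log timestamps and valid_until values are assumed to be on the same clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four Vault DEBUG lines quoted in this issue's 12.0.4 log.
SAMPLE_LOG = """\
2021-05-23 17:50:45,886 DEBUG [io.qua.vau.run.VaultAuthManager] (agroal-11) authenticate with jwt at: /var/run/secrets/kubernetes.io/serviceaccount/token => ***
2021-05-23 17:50:46,325 DEBUG [io.qua.vau.run.VaultAuthManager] (agroal-11) created new login token: {clientToken: ***, renewable: true, leaseDuration: 2764800s, valid_until: Thu Jun 24 17:50:46 GMT 2021}
2021-05-23 17:50:49,989 DEBUG [io.qua.vau.run.VaultDbManager] (agroal-11) generated keycloak-role credentials: {leaseId: database/creds/keycloak-role/HxOGfxEiYhSBsm7nVU5SN4AQ, renewable: true, leaseDuration: 3600s, valid_until: Sun May 23 18:50:49 GMT 2021, username: keycloak-uspjiexn8gsrux4gahba-1621792246, password:***}
2021-05-23 17:50:50,387 DEBUG [io.qua.vau.run.VaultDbManager] (agroal-11) extended keycloak-role credentials with: {leaseId: database/creds/keycloak-role/HxOGfxEiYhSBsm7nVU5SN4AQ, renewable: true, leaseDuration: 3600s, valid_until: Sun May 23 18:50:50 GMT 2021, username: keycloak-uspjiexn8gsrux4gahba-1621792246, password:***}
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) DEBUG "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# "key: value" pairs inside the {...} Quarkus prints; values never contain ',' or '}'
FIELD_RE = re.compile(r"(\w+):\s*([^,}]+)")
SECRET_FIELDS = ("token", "clientToken", "password")


def parse_line(line):
    """Turn one Quarkus Vault DEBUG line into a dict, or None for any other log line."""
    m = HEADER_RE.match(line.rstrip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
        "logger": m["logger"].rsplit(".", 1)[-1],
    }
    event, brace, body = m["msg"].partition("{")
    event = event.strip().rstrip(":")
    if " => " in event:  # "authenticate with jwt at: <path> => <token>"
        event, rec["token"] = event.rsplit(" => ", 1)
    rec["event"] = event
    if brace:
        rec.update((k, v.strip()) for k, v in FIELD_RE.findall(body))
        if "leaseDuration" in rec:
            rec["leaseDuration"] = timedelta(seconds=int(rec["leaseDuration"].rstrip("s")))
        if "valid_until" in rec:
            # naive datetime; assumed to be on the same clock as the log timestamps
            rec["valid_until"] = datetime.strptime(rec["valid_until"], "%a %b %d %H:%M:%S %Z %Y")
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def audit(text, max_token_ttl_s=24 * 3600):
    """Return a list of findings; an empty list means every check passed.

    max_token_ttl_s is an assumed policy limit, not a Quarkus or Vault default."""
    records = parse_log(text)
    limit = timedelta(seconds=max_token_ttl_s)
    findings = []
    # 1. secrets must never reach the log in clear
    for r in records:
        for f in SECRET_FIELDS:
            if f in r and r[f] != "***":
                findings.append(f"{r['event']}: {f} is not masked in the log")
    # 2. the Vault client token should not outlive the policy limit
    for r in records:
        if r["event"] == "created new login token" and r["leaseDuration"] > limit:
            findings.append(f"login token TTL {r['leaseDuration']} exceeds policy {limit}")
    # 3. every generated database lease must be renewed, and renewed before it expired
    leases = {}
    for r in records:
        if "leaseId" in r:
            leases.setdefault(r["leaseId"], []).append(r)
    for lease_id, events in leases.items():
        generated = [e for e in events if e["event"].startswith("generated")]
        extended = [e for e in events if e["event"].startswith("extended")]
        if generated and not extended:
            findings.append(f"{lease_id}: never renewed")
        for e in extended:
            if generated and e["ts"] > generated[0]["valid_until"]:
                findings.append(f"{lease_id}: renewed at {e['ts']} after the lease expired")
            if generated and e["valid_until"] < generated[0]["valid_until"]:
                findings.append(f"{lease_id}: renewal did not extend valid_until")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG) or ["no findings"]:
        print(finding)
```

On the sample from this issue the only finding is the 32-day login token; the password and client token are masked and the database lease was extended one second after it was issued, well before its one-hour expiry. The same parser run over a longer log will also surface a lease that was never renewed or whose renewal happened after valid_until, which is the case where a pooled connection would start failing with invalid credentials.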


People

    Assignee: Pedro Igor Craveiro (psilva@redhat.com)
    Reporter: Raffaele Spazzoli (rhn-gps-rspazzol)