bialad

Reputation: 75

Using Cloud SQL as database for Keycloak

We are using kubernetes to host an instance of keycloak 4.0.0.Final together with a postgres 9.6 database as storage.

This works well, but now we want to move the database to a hosted Cloud SQL instance.

The Cloud SQL instance is setup, running and I can connect from my local machine with psql using SSL as well as through keycloak using non-SSL. Obviously, we want to connect using SSL for keycloak as well.

However, when I add the JDBC SSL configuration to keycloak:

ssl=true&sslmode=verify-ca&sslcert=/certs/client-cert.pem&sslkey=/certs/client-key.pem&sslrootcert=/certs/server-ca.pem

I get an error from keycloak saying:

org.postgresql.util.PSQLException: Could not read SSL key file /certs/client-key.pem

and in the stack trace:

Caused by: java.io.IOException: extra data given to DerValue constructor

Investigating this error has led me to these reports, but not closer to finding a solution.

https://github.com/Graylog2/graylog2-server/issues/4304

Reading an X.509 certificate with Java

Upvotes: 1

Views: 1599
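Added example (Python, not from the question or the answer): pgjdbc reads the file named by sslkey as PKCS#8 DER, not PEM, and feeding it the PEM text is what surfaces as "extra data given to DerValue constructor". The code below reports what a DER-only reader makes of a key file and re-encodes an unencrypted PEM key (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY" armour; which one Cloud SQL hands out is an assumption here) as PKCS#8 DER, the same transformation as openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_len(n):
    if n < 0x80:                    # short form: one length byte
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: 0x8N then N length bytes

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_sequence_size(buf):
    """Total size of the leading DER SEQUENCE in buf, or None if the header is invalid."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or len(buf) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(buf[2:2 + nbytes], "big")

def classify(data):
    """Say how a DER-only reader such as pgjdbc sees the bytes of a key file."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                # PEM text handed to a DER parser: the question's case
    size = der_sequence_size(data)
    if size is None:
        return "not-der"
    if size != len(data):
        return "der-trailing-data"  # bytes after the SEQUENCE: also reported as 'extra data'
    return "der"

def to_pkcs8_der(pem_bytes):
    """Convert an unencrypted PEM private key to the PKCS#8 DER that pgjdbc's sslkey expects."""
    match = PEM_RE.search(pem_bytes)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1), base64.b64decode(b"".join(match.group(2).split()))
    if label == b"PRIVATE KEY":     # already PKCS#8 PrivateKeyInfo: just strip the armour
        return body
    if label == b"RSA PRIVATE KEY": # PKCS#1: wrap as PrivateKeyInfo {version 0, alg, key}
        return der(0x30, der(0x02, b"\x00") + RSA_ALG_ID + der(0x04, body))
    raise ValueError(f"unsupported PEM label {label!r}; use openssl pkcs8 for encrypted keys")
```

Write the returned bytes to a file and point sslkey at that file; sslcert and sslrootcert keep taking the PEM certificates as before.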

Answers (1)

Miguel Rueda

Reputation: 524

Something that worked for me was creating a GAE (App Engine) service. In order to do that I activated the private IPv4 address on the Cloud SQL console and then created a VPC for serverless connection. The following was the Dockerfile I used to build up keycloak's service.

FROM quay.io/keycloak/keycloak:latest

ENV DB_VENDOR postgres
ENV DB_ADDR <private_ipv4>
ENV DB_DATABASE <postgres_db>
ENV DB_SCHEMA public
ENV DB_USER postgres
ENV DB_PASSWORD postgres
ENV KEYCLOAK_USER admin
ENV KEYCLOAK_PASSWORD admin
ENV PROXY_ADDRESS_FORWARDING true
ENV JAVA_OPTS -server -Xms2048m -Xmx6144m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m \
    -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman \
    -Djava.awt.headless=true

ENV PORT 8080
EXPOSE $PORT

In order to build the service on Google App Engine, you need to provide a flex env file like this:

runtime: custom
# https://cloud.google.com/appengine/docs/flexible/python/customizing-the-python-runtime
env: flex
service: neurorad-keycloak
manual_scaling:
  instances: 1
resources:
  cpu: 2
  memory_gb: 8
  disk_size_gb: 10
liveness_check:
  path: "/"
  check_interval_sec: 30
  timeout_sec: 10
  failure_threshold: 5
  success_threshold: 2
  initial_delay_sec: 300
readiness_check:
  path: "/"
  timeout_sec: 10
  check_interval_sec: 30
  failure_threshold: 5
  success_threshold: 2
  app_start_timeout_sec: 180

And finally build the service.

gcloud app deploy --appyaml=./app.yaml

Upvotes: 3
