fix(keycloak): use templated full name for tls secrets
General MR
Summary
This MR fixes the default keycloak templates to correctly mount the TLS cert and TLS key.
Relevant logs/screenshots
NOTE: Not test-values.yaml, because this bug shows up with default values.
❯ helm upgrade --install bigbang ./chart \
    --debug \
    --namespace bigbang \
    --create-namespace \
    --values ignore/ib_creds.yaml \
    --values chart/ingress-certs.yaml \
    --values ../product/packages/keycloak/docs/dev-overrides/enable-sso.yaml \
    --values <(cat << YAML
addons:
  authservice:
    enabled: true
  keycloak:
    enabled: true
YAML
)

❯ helm get values -n bigbang keycloak -a | yq .upstream.extraVolumes
- name: tlscert
  secret:
    secretName: '{{ include "keycloak.fullname" . }}-tlscert'
- name: tlskey
  secret:
    secretName: '{{ include "keycloak.fullname" . }}-tlskey'

❯ kubectl -n keycloak get sts/keycloak-keycloak -o yaml | yq .spec.template.spec.volumes
- name: tlscert
  secret:
    defaultMode: 420
    secretName: keycloak-keycloak-tlscert
- name: tlskey
  secret:
    defaultMode: 420
    secretName: keycloak-keycloak-tlskey
❯ curl -v https://keycloak.dev.bigbang.mil/
* Host keycloak.dev.bigbang.mil:443 was resolved.
* IPv6: (none)
* IPv4: 3.30.15.65
* Trying 3.30.15.65:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp256r1 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=District of Columbia; L=Washington; O=U.S Air Force; CN=dev.bigbang.mil
* start date: Jul 22 00:00:00 2025 GMT
* expire date: Jul 21 23:59:59 2026 GMT
* subjectAltName: host "keycloak.dev.bigbang.mil" matched cert's "*.dev.bigbang.mil"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Established connection to keycloak.dev.bigbang.mil (3.30.15.65 port 443) from 172.16.0.234 port 40434
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://keycloak.dev.bigbang.mil/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: keycloak.dev.bigbang.mil]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.16.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: keycloak.dev.bigbang.mil
> User-Agent: curl/8.16.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 302
< location: /auth
< content-type: text/plain; charset=utf-8
< content-length: 21
<
* Connection #0 to host keycloak.dev.bigbang.mil:443 left intact
Redirecting to /auth.%
Linked Issue
Upgrade Notices
N/A
Edited by Zach Callahan
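The failure this MR fixes only surfaces once the chart is rendered: a secretName that is not built from the release's full name points at a Secret that never gets created, and the pod sits in ContainerCreating. The following is an added check, not code from this MR or from the Big Bang chart, that automates the comparison the `yq` output above shows by hand. It assumes the JSON shapes that `kubectl get sts/<name> -o json` and `kubectl get secrets -o json` return, walks every place a pod template can reference a Secret (volumes, projected sources, envFrom, secretKeyRef), and reports names that do not exist in the namespace. The StatefulSet and Secret objects below are constructed inline to mirror the fixed output above; the second StatefulSet with un-prefixed names is a hypothetical example of the symptom, not the chart's actual pre-fix values.

```python
"""Report Secrets a pod template references that do not exist in the namespace.

Added example, not part of the MR or the Big Bang chart. Input shapes are
those of `kubectl get sts/<name> -o json` and `kubectl get secrets -o json`;
the sample objects at the bottom are constructed for this example.
"""
import json
import sys


def referenced_secrets(workload: dict) -> set[str]:
    """Names of Secrets the pod template must be able to resolve.

    Volumes and projected sources marked `optional: true` are skipped, because
    the kubelet starts the pod even when those Secrets are absent.
    """
    spec = workload["spec"]["template"]["spec"]
    names: set[str] = set()
    for vol in spec.get("volumes", []):
        sec = vol.get("secret")
        if sec and "secretName" in sec and not sec.get("optional", False):
            names.add(sec["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            psec = src.get("secret")
            if psec and "name" in psec and not psec.get("optional", False):
                names.add(psec["name"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for ef in c.get("envFrom", []):
            ref = ef.get("secretRef")
            if ref and not ref.get("optional", False):
                names.add(ref["name"])
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref and not ref.get("optional", False):
                names.add(ref["name"])
    return names


def existing_secrets(secret_list: dict) -> set[str]:
    """Names present in a `kubectl get secrets -o json` List object."""
    return {item["metadata"]["name"] for item in secret_list.get("items", [])}


def dangling_secret_refs(workload: dict, secret_list: dict) -> set[str]:
    """Referenced-but-missing Secret names; empty means the mounts will resolve."""
    return referenced_secrets(workload) - existing_secrets(secret_list)


# --- constructed samples (mirroring the MR's kubectl/yq output) ---------------
SECRETS = {"items": [
    {"metadata": {"name": "keycloak-keycloak-tlscert"}},
    {"metadata": {"name": "keycloak-keycloak-tlskey"}},
]}


def _sts(cert: str, key: str) -> dict:
    """Minimal StatefulSet with the two TLS secret volumes from the MR output."""
    return {"kind": "StatefulSet",
            "metadata": {"name": "keycloak-keycloak", "namespace": "keycloak"},
            "spec": {"template": {"spec": {
                "volumes": [
                    {"name": "tlscert", "secret": {"secretName": cert, "defaultMode": 420}},
                    {"name": "tlskey", "secret": {"secretName": key, "defaultMode": 420}},
                ],
                "containers": [{"name": "keycloak"}],
            }}}}


# Rendered with the templated full name, as in the MR's `kubectl get sts` output.
STS_FIXED = _sts("keycloak-keycloak-tlscert", "keycloak-keycloak-tlskey")
# Hypothetical un-prefixed names, to show what the check reports (not the chart's pre-fix values).
STS_BROKEN = _sts("keycloak-tlscert", "keycloak-tlskey")


if __name__ == "__main__":
    # With two file arguments, check real output:
    #   python3 check_secret_refs.py sts.json secrets.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_sts, open(sys.argv[2]) as f_sec:
            sts, secrets = json.load(f_sts), json.load(f_sec)
    else:
        sts, secrets = STS_BROKEN, SECRETS
    missing = dangling_secret_refs(sts, secrets)
    for name in sorted(missing):
        print(f"missing Secret referenced by pod template: {name}")
    sys.exit(1 if missing else 0)
```

Run it against `kubectl -n keycloak get sts/keycloak-keycloak -o json` and `kubectl -n keycloak get secrets -o json` saved to files; a non-zero exit with the offending names is the same condition the pod's `FailedMount` event would otherwise report after the mount timeout.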