Configure certificates in Keycloak
This topic provides guidance on configuring a self-signed certificate (with TLS) for Keycloak, which serves as the internal authorization provider component for Portworx Backup. This configuration is essential for enabling secure communication between Keycloak and external authorization providers.
To configure a self-signed certificate for Keycloak:
- Create a secret in the px-backup namespace with the external OIDC (for example, LDAP) certificate, assuming the file <name-of-the-certificate.pem> contains the certificate:
kubectl create secret generic cert-file --from-file=<name-of-the-certificate.pem> -n <px-backup-namespace>
- Set the following parameter in the helm install or upgrade command:
--set caCertsSecretName=cert-file
If you have added this parameter manually, delete the cronjob and then restart the Portworx Backup pod by executing the following commands:
kubectl -n <px-backup-namespace> get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
kubectl -n <px-backup-namespace> get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
kubectl delete pods -n <px-backup-namespace> <px-backup-pod-name>
Example:
kubectl -n px-backup get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n px-backup delete cronjob
kubectl -n px-backup get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n px-backup delete cronjob
kubectl delete pods -n px-backup px-backup-f56cdcbd9-rvb65
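A pre-flight check for the first step, as an added example that is not part of the Portworx Backup documentation: it refuses a PEM file that carries a private key or an incomplete certificate block before the file is stored in the cert-file secret. The function names and the script name preflight.sh are hypothetical, and openssl is assumed to be installed for the expiry check.

```shell
#!/bin/sh
# Added example: checks on the PEM file before it goes into the cert-file secret.
# Function names are hypothetical, not part of Portworx Backup.

# pem_structure_ok FILE
#   0 = one or more complete CERTIFICATE blocks and no key material
#   2 = file unreadable, 3 = private key present, 4 = missing or unbalanced blocks
pem_structure_ok() {
  [ -r "$1" ] || return 2
  # The secret only needs the public certificate. A private key stored here is
  # readable by every principal allowed to get secrets in the namespace.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
    return 3
  fi
  # grep -c exits non-zero on a count of 0, so "|| true" keeps "set -e" callers alive.
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || return 4
  return 0
}

# cert_not_expired FILE
#   Succeeds when the first certificate in FILE parses and has not expired.
#   "-checkend 0" makes openssl exit non-zero for an already expired certificate.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run as: sh preflight.sh <name-of-the-certificate.pem> <px-backup-namespace>
if [ "$#" -eq 2 ]; then
  pem_structure_ok "$1" || { echo "refusing $1 (check code $?)" >&2; exit 1; }
  cert_not_expired "$1" || { echo "$1 does not parse or has expired" >&2; exit 1; }
  kubectl create secret generic cert-file --from-file="$1" -n "$2"
fi
```

The expiry check reads only the first certificate in the file, so a bundle with several certificates needs each one checked separately.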
For detailed instructions on installing and upgrading Portworx Backup, refer to the Install Portworx Backup and Upgrade Portworx Backup sections, respectively.