Version: 2.8

Configure certificates in Keycloak

This topic provides guidance on configuring a self-signed certificate (with TLS) for Keycloak, which serves as the internal authorization provider component for Portworx Backup. This configuration is essential for enabling secure communication between Keycloak and external authorization providers.

To configure a self-signed certificate for Keycloak:

  1. Create a secret in the px-backup namespace that contains the external OIDC (for example, LDAP) certificate. The following command assumes that the file name-of-the-certificate.pem contains the certificate:

    kubectl create secret generic cert-file --from-file=<name-of-the-certificate.pem> -n <px-backup-namespace>

  2. Pass the following parameter to the helm install or upgrade command:

    --set caCertsSecretName=cert-file

    If you have added this parameter manually, delete the full-main and quick-main cronjobs and then restart the Portworx Backup pod by executing the following commands:

    kubectl -n <px-backup-namespace> get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
    kubectl -n <px-backup-namespace> get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
    kubectl delete pods -n <px-backup-namespace> <px-backup-pod-name>

    Example:

    kubectl -n px-backup get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n px-backup delete cronjob
    kubectl -n px-backup get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n px-backup delete cronjob
    kubectl delete pods -n px-backup px-backup-f56cdcbd9-rvb65

    For detailed instructions on installing and upgrading Portworx Backup, refer to the Install Portworx Backup and Upgrade Portworx Backup sections, respectively.
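
A pre-flight check that can run before step 1, as an added example that is not part of the Portworx documentation: it rejects a PEM file that carries private key material, has no certificate, or contains an unparseable or expired certificate, and prints each certificate's subject, expiry and SHA-256 fingerprint for comparison with values obtained out of band. The helper name `check_ca_pem` is hypothetical, and the script assumes `openssl` is installed on the workstation.

```shell
# Added example: pre-flight check for the PEM file that goes into the
# cert-file secret. check_ca_pem is a hypothetical helper, not a Portworx tool.
check_ca_pem() {
  pem="$1"
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

  # The secret should hold public certificates only, never key material.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
    echo "$pem contains a private key; refusing" >&2; return 1
  fi
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
    echo "no certificate found in $pem" >&2; return 1
  fi

  tmp=$(mktemp -d) || return 1
  # Split a bundle into one file per certificate so every block is checked;
  # openssl x509 on its own reads only the first one.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n { print > (d "/cert" n ".pem") }' "$pem"

  rc=0
  for c in "$tmp"/cert*.pem; do
    if ! openssl x509 -in "$c" -noout 2>/dev/null; then
      echo "unparseable certificate block in $pem" >&2; rc=1; continue
    fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
      echo "expired: $(openssl x509 -in "$c" -noout -subject)" >&2; rc=1
    fi
    # Details to compare against what the identity provider's owner reports.
    openssl x509 -in "$c" -noout -subject -enddate -fingerprint -sha256
  done
  rm -rf "$tmp"
  return "$rc"
}

# Usage (file name and namespace are the placeholders from the steps above):
#   check_ca_pem name-of-the-certificate.pem && \
#     kubectl create secret generic cert-file \
#       --from-file=name-of-the-certificate.pem -n <px-backup-namespace>
```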