6.1.7. Keycloak Extensions#

Keycloak Extensions are a proof of concept for the openDesk project. The Keycloak Extensions provide the following experimental additional features:

  • Brute force protection

  • New device notification

By default, Nubus for Kubernetes deploys with Keycloak Extensions deactivated. This section describes how to enable the Keycloak Extensions and specific features.

Furthermore, this section describes how to enable an encrypted connection to the PostgreSQL database.

See also

Keycloak Extensions in Univention Nubus for Kubernetes - Architecture Manual [2] for information about the purpose, tasks, and architecture of the Keycloak Extensions.

6.1.7.1. Enable Keycloak Extensions#

By default, Nubus for Kubernetes has the Keycloak Extensions deactivated. To enable the Keycloak Extensions, use the following steps:

  1. Add the lines in Listing 6.15 to your custom_values.yaml values file.

    Listing 6.15 Activate the Keycloak Extensions#
    keycloak:
      ingress:
        enabled: false
    
    nubusKeycloakExtensions:
      enabled: true
    
  2. To apply the configuration, follow the steps in Apply configuration.

6.1.7.2. Enable features#

By default, Nubus for Kubernetes has all features of the Keycloak Extensions deactivated, except the IP protection. You can enable the features of the Keycloak Extensions one by one. The Keycloak Extensions work like a proxy in front of Keycloak. If you deactivate the extensions’ features, the proxy forwards the traffic to Keycloak.

To enable the features, use the following steps:

  1. Add the lines in Listing 6.16 to your custom_values.yaml values file. You can also activate just a subset of the features.

    Listing 6.16 Content for custom_values.yaml to enable Keycloak Extensions features#
    nubusKeycloakExtensions:
      handler:
        appConfig:
          newDeviceLoginNotificationEnable: "True"
          deviceProtectionEnable: "True"
          captchaProtectionEnable: "True"
          ipProtectionEnable: "True"  # activated by default
    

    For more information about the features, see the following references:

  2. To apply the configuration, follow the steps in Apply configuration.

6.1.7.3. Enable encrypted connection to database#

For security reasons in your environment, or because your cluster doesn’t allow unencrypted connections, you can configure an encrypted connection from the Keycloak Extension Proxy to your PostgreSQL database. This section describes how to configure an encrypted connection to your PostgreSQL database management system and, optionally, how to configure a custom CA through the Helm chart.

To configure an encrypted connection to your PostgreSQL database, follow these steps:

  1. Enable Keycloak Extensions, but don’t apply the configuration yet.

  2. Add the lines in Listing 6.17 to your custom_values.yaml values file.

    Listing 6.17 Enable encrypted connection to the PostgreSQL database#
    nubusKeycloakExtensions:
      postgresql:
        connection:
          host: "postgres.db.example.com"
          ssl: "true"
    

    The configuration uses the following values:

  3. Configure the secrets for the PostgreSQL connection, as shown in the example in Listing 6.18. The example uses existing secrets. For more information, see Existing secrets.

    Listing 6.18 Configure the authentication to the PostgreSQL database#
    nubusKeycloakExtensions:
      postgresql:
        auth:
          username: "<your-db-user>"
          database: "<your-db-name>"
          existingSecret:
            name: "your-pg-secret"
    

    The configuration uses the following values:

  4. If your PostgreSQL database uses a custom CA, you need to add the CA certificate to the values file, as shown in Listing 6.19.

    A custom certificate authority (CA) is any CA that’s not in the list of publicly trusted CAs from Mozilla’s CA Certificate Program. An example is a CA created by yourself.

    Listing 6.19 Configure a custom CA certificate for the connection to the PostgreSQL database#
    nubusKeycloakExtensions:
      postgresql:
        connection:
          customca: |
            -----BEGIN CERTIFICATE-----
            <your custom CA>
            -----END CERTIFICATE-----
    

    The configuration uses the following values:

  5. To apply the configuration, follow the steps in Apply configuration.
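The whole procedure from Enable Keycloak Extensions through the encrypted PostgreSQL connection, as an added example that is not part of the Nubus manual or the project's Helm chart: a POSIX shell script that merges the fragments from Listings 6.15 to 6.19 into one custom_values.yaml (enabling only a subset of the features, as step 1 of Enable features allows) and checks the result before you continue with Apply configuration. The host, user, database and secret names are constructed sample values, the PEM body is a placeholder, and the script assumes the CA certificate is available as a file on disk; which key the existing secret must carry is documented in Existing secrets and is not checked here.

```sh
#!/bin/sh
# Added example (not part of the Nubus manual): assemble the fragments from
# Listings 6.15 to 6.19 into a single custom_values.yaml and sanity-check it
# before running the "Apply configuration" steps.
# Assumption: the CA certificate is available as a PEM file on disk. The
# sample PEM written in the demo below is constructed and only exercises
# the marker checks; replace it with your CA certificate.
set -u

# write_values OUTFILE DBHOST DBUSER DBNAME SECRETNAME [CAFILE]
# Writes the merged values file. When CAFILE is given, its content is
# indented into the customca block scalar from Listing 6.19.
write_values() {
  out=$1 host=$2 user=$3 db=$4 secret=$5 cafile=${6:-}
  {
    cat <<EOF
keycloak:
  ingress:
    enabled: false

nubusKeycloakExtensions:
  enabled: true
  handler:
    appConfig:
      newDeviceLoginNotificationEnable: "True"
      deviceProtectionEnable: "False"
      captchaProtectionEnable: "False"
      ipProtectionEnable: "True"
  postgresql:
    connection:
      host: "$host"
      ssl: "true"
EOF
    if [ -n "$cafile" ]; then
      echo '      customca: |'
      sed 's/^/        /' "$cafile"   # keep the PEM inside the block scalar
    fi
    cat <<EOF
    auth:
      username: "$user"
      database: "$db"
      existingSecret:
        name: "$secret"
EOF
  } > "$out"
}

# check_values FILE
# Returns 0 when FILE carries the settings the procedure needs: extensions
# enabled, Keycloak ingress off (the proxy sits in front of Keycloak), TLS to
# PostgreSQL on, a complete PEM block when customca is present, and none of
# the "<your ...>" placeholders from the listings left in place.
check_values() {
  f=$1
  grep -q '^  enabled: true$' "$f" || { echo "nubusKeycloakExtensions.enabled is not true" >&2; return 1; }
  grep -q '^    enabled: false$' "$f" || { echo "keycloak.ingress.enabled is not false" >&2; return 1; }
  grep -q '^      ssl: "true"$' "$f" || { echo "postgresql.connection.ssl is not \"true\"" >&2; return 1; }
  if grep -q 'customca:' "$f"; then
    grep -q 'BEGIN CERTIFICATE' "$f" && grep -q 'END CERTIFICATE' "$f" \
      || { echo "customca lacks PEM BEGIN/END markers" >&2; return 1; }
  fi
  if grep -q '<your' "$f"; then
    echo "placeholder values from the listings are still present" >&2
    return 1
  fi
  return 0
}

# check_ca_file CAFILE
# Verifies the PEM markers; when openssl is installed it also parses the
# certificate, which catches truncated or mis-pasted CA files early.
check_ca_file() {
  grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'END CERTIFICATE' "$1" || return 1
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 1
  fi
  return 0
}

# Demo with constructed input: the PEM body is a placeholder, not a real CA.
work=$(mktemp -d)
cat > "$work/ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
constructed placeholder, replace with your CA certificate
-----END CERTIFICATE-----
EOF
write_values "$work/custom_values.yaml" postgres.db.example.com nubus nubus your-pg-secret "$work/ca.pem"
if check_values "$work/custom_values.yaml"; then
  echo "custom_values.yaml looks consistent; continue with Apply configuration"
fi
```

Run the script, then pass the generated file to the Helm commands from Apply configuration. The checks are deliberately strict about the quoted string values ("True", "true") because the listings use strings rather than YAML booleans for these keys.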