From 4b168a9df9516bd43fc0a8452d79373b36481ec5 Mon Sep 17 00:00:00 2001
From: deerskindoll
Date: Wed, 13 May 2026 15:14:54 +0200
Subject: [PATCH 01/14] draft
---
modules/RHDHBUGS-2260.adoc | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 modules/RHDHBUGS-2260.adoc
diff --git a/modules/RHDHBUGS-2260.adoc b/modules/RHDHBUGS-2260.adoc
new file mode 100644
index 00000000000..60c31244f90
--- /dev/null
+++ b/modules/RHDHBUGS-2260.adoc
@@ -0,0 +1,17 @@
+For each non-public or personal Certificate Authority that needs to be trusted by RHDH or the NodeJS environment in general:
+
+export from its source
+convert it to .pem format
+create a secret containing the CA (read the text version of the certificate and create a secret key with it)
+mount the secret into RHDH environment (steps will depend on the deployment method, Helm or Operator)
+set the NODE_EXTRA_CA_CERTS to point to the mount path of the secret (note: only file path is supported; the CA cannot be set as the direct value of the env)
+
+From NodeJS documentation, NODE_EXTRA_CA_CERTS supports only a single file path in PEM format (meaning you cannot concatenate multiple file paths as values of the environment variable).
+
+If you want to to inject multiple CAs or certificates chains, you have to:
+extract all certificates and certificate chains
+convert them into .pem format
+concatenate them into a single file
+create a secret with the concatenated file
+mount the secret
+set NODE_EXTRA_CA_CERTS to the .pem file mount path
From aa21a170b8e92ba579e82ad9be4a79915939edbd Mon Sep 17 00:00:00 2001
From: deerskindoll
Date: Fri, 15 May 2026 16:10:47 +0200
Subject: [PATCH 02/14] draft
---
...ble-and-configure-the-keycloak-plugin.adoc | 18 ---
.../proc-configure-the-keycloak-plugin.adoc | 113 ------------------
.../proc-enable-the-keycloak-plugin.adoc | 34 ------
.../master.adoc | 2 -
4 files changed, 167 deletions(-)
delete mode 100644 assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-keycloak-plugin.adoc
delete mode 100644 modules/shared/proc-configure-the-keycloak-plugin.adoc
delete mode 100644 modules/shared/proc-enable-the-keycloak-plugin.adoc
diff --git a/assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-keycloak-plugin.adoc b/assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-keycloak-plugin.adoc
deleted file mode 100644
index 35bdf9a1cc2..00000000000
--- a/assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-keycloak-plugin.adoc
+++ /dev/null
@@ -1,18 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-ifdef::context[:parent-context: {context}]
-
-[id="enable-and-configure-the-keycloak-plugin_{context}"]
-= Enable and configure the Keycloak plugin
-:context: enable-and-configure-the-keycloak-plugin
-
-[role="_abstract"]
-Integrate Keycloak into {product} to synchronize users and groups from your {rhbk-brand-name} ({rhbk}) realm. The supported {rhbk} version is `{keycloak-version}`.
-
-include::../modules/shared/proc-enable-the-keycloak-plugin.adoc[leveloffset=+1]
-
-include::../modules/shared/proc-configure-the-keycloak-plugin.adoc[leveloffset=+1]
-
-include::../modules/shared/ref-keycloak-plugin-metrics.adoc[leveloffset=+1]
-
-ifdef::parent-context[:context: {parent-context}]
-ifndef::parent-context[:!context:]
diff --git a/modules/shared/proc-configure-the-keycloak-plugin.adoc b/modules/shared/proc-configure-the-keycloak-plugin.adoc
deleted file mode 100644
index dc7541eb652..00000000000
--- a/modules/shared/proc-configure-the-keycloak-plugin.adoc
+++ /dev/null
@@ -1,113 +0,0 @@
-:_mod-docs-content-type: PROCEDURE
-
-[id="configure-the-keycloak-plugin_{context}"]
-= Configure the Keycloak plugin
-
-[role="_abstract"]
-Configure schedule frequency, query parameters, and authentication methods for synchronizing Keycloak users and groups.
-
-.Procedure
-. To configure the Keycloak plugin, add the following in your `{my-app-config-file}` file:
-`schedule`::
-Configure the schedule frequency, timeout, and initial delay.
-The fields support cron, ISO duration, "human duration" as used in code.
-+
-[source,yaml]
-----
- catalog:
- providers:
- keycloakOrg:
- default:
- schedule:
- frequency: { minutes: 1 }
- timeout: { minutes: 1 }
- initialDelay: { seconds: 15 }
-----
-
-`userQuerySize` and `groupQuerySize`::
-Optionally, configure the Keycloak query parameters to define the number of users and groups to query at a time.
-Default values are 100 for both fields.
-+
-[source,yaml]
-----
- catalog:
- providers:
- keycloakOrg:
- default:
- userQuerySize: 100
- groupQuerySize: 100
-----
-
-Authentication::
-Communication between {product-short} and Keycloak is enabled by using the Keycloak API. Username and password, or client credentials are supported authentication methods.
-+
-The following table describes the parameters that you can configure to enable the plugin under `catalog.providers.keycloakOrg.` object in the `{my-app-config-file}` file:
-+
-|===
-| Name | Description | Default Value | Required
-
-| `baseUrl`
-| Location of the Keycloak server, such as `pass:c[https://localhost:8443/auth]`.
-| ""
-| Yes
-
-| `realm`
-| Realm to synchronize
-| `master`
-| No
-
-| `loginRealm`
-| Realm used to authenticate
-| `master`
-| No
-
-| `username`
-| Username to authenticate
-| ""
-| Yes if using password based authentication
-
-| `password`
-| Password to authenticate
-| ""
-| Yes if using password based authentication
-
-| `clientId`
-| Client ID to authenticate
-| ""
-| Yes if using client credentials based authentication
-
-| `clientSecret`
-| Client Secret to authenticate
-| ""
-| Yes if using client credentials based authentication
-
-| `userQuerySize`
-| Number of users to query at a time
-| `100`
-| No
-
-| `groupQuerySize`
-| Number of groups to query at a time
-| `100`
-| No
-|===
-
-. When using client credentials
-.. Set the access type to `confidential`.
-.. Enable service accounts.
-.. Add the following roles from the `realm-management` client role:
-+
-. `query-groups`
-. `query-users`
-. `view-users`
-
-. Optionally, if you have self-signed or corporate certificate issues, you can set the following environment variable before starting {product-short}:
-+
-----
-NODE_TLS_REJECT_UNAUTHORIZED=0
-----
-+
-[WARNING]
-====
-Setting the environment variable is not recommended.
-====
diff --git a/modules/shared/proc-enable-the-keycloak-plugin.adoc b/modules/shared/proc-enable-the-keycloak-plugin.adoc
deleted file mode 100644
index edfcdd32ead..00000000000
--- a/modules/shared/proc-enable-the-keycloak-plugin.adoc
+++ /dev/null
@@ -1,34 +0,0 @@ -:_mod-docs-content-type: PROCEDURE - -[id="enable-the-keycloak-plugin_{context}"] -= Enable the Keycloak plugin - -[role="_abstract"] -Enable the Keycloak plugin to synchronize users and groups from your {rhbk-brand-name} realm into {product}. - -.Prerequisites -* To enable the Keycloak plugin, you must set the following environment variables: - -** `KEYCLOAK_BASE_URL` - -** `KEYCLOAK_LOGIN_REALM` - -** `KEYCLOAK_REALM` - -** `KEYCLOAK_CLIENT_ID` - -** `KEYCLOAK_CLIENT_SECRET` - -.Procedure -* The Keycloak plugin is pre-loaded in {product-short} with basic configuration properties. To enable it, set the `disabled` property to `false` in your `dynamic-plugins.yaml` file as follows: -+ --- -[source,yaml,subs="+quotes"] ----- -plugins: - - package: oci://ghcr.io/redhat-developer/rhdh-plugin-export-overlays/backstage-community-plugin-catalog-backend-module-keycloak-dynamic:____ - disabled: false ----- - -include::{docdir}/artifacts/snip-tag-for-OCI-package-paths.adoc[] --- diff --git a/titles/extend_configuring-dynamic-plugins/master.adoc b/titles/extend_configuring-dynamic-plugins/master.adoc index 78cf30939bd..ea5ddcfbf57 100644 --- a/titles/extend_configuring-dynamic-plugins/master.adoc +++ b/titles/extend_configuring-dynamic-plugins/master.adoc @@ -20,8 +20,6 @@ include::assemblies/extend_configuring-dynamic-plugins/assembly-install-and-conf include::assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-jfrog-plugin.adoc[leveloffset=+1] -include::assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-keycloak-plugin.adoc[leveloffset=+1] - include::assemblies/extend_configuring-dynamic-plugins/assembly-enable-and-configure-the-nexus-repository-manager-plugin.adoc[leveloffset=+1] include::modules/shared/proc-enable-the-tekton-plugin.adoc[leveloffset=+1] From 7eff862c9ba9233325aa5c51efc118138174312d Mon Sep 17 00:00:00 2001 
From: deerskindoll
Date: Mon, 18 May 2026 14:15:18 +0200
Subject: [PATCH 03/14] draft
---
modules/RHDHBUGS-2260.adoc | 50 ++++++++++++++++++++++++++++++++------
1 file changed, 42 insertions(+), 8 deletions(-)
diff --git a/modules/RHDHBUGS-2260.adoc b/modules/RHDHBUGS-2260.adoc
index 60c31244f90..78e30fd5452 100644
--- a/modules/RHDHBUGS-2260.adoc
+++ b/modules/RHDHBUGS-2260.adoc
@@ -1,14 +1,48 @@ -For each non-public or personal Certificate Authority that needs to be trusted by RHDH or the NodeJS environment in general: +:_mod-docs-content-type: PROCEDURE -export from its source -convert it to .pem format -create a secret containing the CA (read the text version of the certificate and create a secret key with it) -mount the secret into RHDH environment (steps will depend on the deployment method, Helm or Operator) -set the NODE_EXTRA_CA_CERTS to point to the mount path of the secret (note: only file path is supported; the CA cannot be set as the direct value of the env) +[id="set-up-trust-for-certificate-authority_{context}"] += Configure trust for corporate Certificate Authority in {product} -From NodeJS documentation, NODE_EXTRA_CA_CERTS supports only a single file path in PEM format (meaning you cannot concatenate multiple file paths as values of the environment variable). +[role="_abstract"] +The best practice for configuring {product-very-short} to trust a certificate issued by your Certificate Authority (CA) is +to use the `NODE_EXTRA_CA_CERTS` environmental variable. -If you want to to inject multiple CAs or certificates chains, you have to: +[NOTE] +==== +The steps +to set up {product-very-short} to trust a CA may vary +depending on how your specific {product-very-short} deployment is configured. +The following instructions capture only the general outline of the procedure. +==== + +.Prerequisites +* You have a CA-issued certificate. + + +.Procedure +. Export the certificate from its source. +. Convert the certificate to `.pem` format. ++ +[IMPORTANT] +==== +The maximum of file paths in `.pem` format supported by `NODE_EXTRA_CA_CERTS` is *one*. +You cannot concatenate multiple file paths as values of the environment variable. +==== +. Create a secret containing the CA. +. Mount the secret into {product-very-short} environment. Follow the steps specific for your deployment method: Helm or Orchestrator. +. 
Set the `NODE_EXTRA_CA_CERTS` to point to the mount path of the secret. ++ +[IMPORTANT] +==== +You can only use the file path of the CA in this step. +Setting the CA directly as an environmental value is not supported. +==== +//Add link!!!!! +. OPTIONAL: Set up {rhbk} metrics. + + + +If you want to inject multiple CAs or certificates chains, you have to: extract all certificates and certificate chains convert them into .pem format concatenate them into a single file From 5b40e1da7d3eced1c82214e9a05daf180202179c Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 11:17:36 +0200 Subject: [PATCH 04/14] RHDHBUGS-2260 --- ...mbly-configure-trust-for-corporate-ca.adoc | 13 ++++++++++ ...e-authority-with-node-extra-ca-certs.adoc} | 25 +++++++------------ 2 files changed, 22 insertions(+), 16 deletions(-) create mode 100644 assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc rename modules/{RHDHBUGS-2260.adoc => configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc} (55%) diff --git a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc new file mode 100644 index 00000000000..5dd3aecb5e6 --- /dev/null +++ b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc @@ -0,0 +1,13 @@ +:_mod-docs-content-type: ASSEMBLY +ifdef::context[:parent-context: {context}] + +[id="configure-trust-for-certificate-authority-in-rhdh_{context}"] += Configure trust for corporate Certificate Authority in {product} + +:previouscontext: {context} +:context: configure-trust-for-certificate-authority_in_rhdh + +[role="_abstract"] +Set up trust for certificates issued by corporate Certificate Authority (CA) in your {product} deployment. + +include::../modules/configure_configuring-rhdh/proc- 
diff --git a/modules/RHDHBUGS-2260.adoc b/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc similarity index 55% rename from modules/RHDHBUGS-2260.adoc rename to modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc index 78e30fd5452..5de080202fa 100644 --- a/modules/RHDHBUGS-2260.adoc +++ b/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc @@ -1,10 +1,10 @@ :_mod-docs-content-type: PROCEDURE -[id="set-up-trust-for-certificate-authority_{context}"] -= Configure trust for corporate Certificate Authority in {product} +[id="configure-trust-for-certificate-authority-with-node-extra-ca-certs_{context}"] += Configure trust for corporate Certificate Authority with NODE_EXTRA_CA_CERTS [role="_abstract"] -The best practice for configuring {product-very-short} to trust a certificate issued by your Certificate Authority (CA) is +The best practice for configuring {product-very-short} to trust a certificate issued by your corporate Certificate Authority (CA) is to use the `NODE_EXTRA_CA_CERTS` environmental variable. [NOTE] @@ -16,8 +16,7 @@ The following instructions capture only the general outline of the procedure. ==== .Prerequisites -* You have a CA-issued certificate. - +* You have a corporate CA-issued certificate. .Procedure . Export the certificate from its source. 
@@ -29,23 +28,17 @@ The maximum of file paths in `.pem` format supported by `NODE_EXTRA_CA_CERTS` is You cannot concatenate multiple file paths as values of the environment variable. ==== . Create a secret containing the CA. -. Mount the secret into {product-very-short} environment. Follow the steps specific for your deployment method: Helm or Orchestrator. +. Mount the secret into {product-very-short} environment. . Set the `NODE_EXTRA_CA_CERTS` to point to the mount path of the secret. + [IMPORTANT] ==== -You can only use the file path of the CA in this step. +You can only use the file path of the CA as a mount path. Setting the CA directly as an environmental value is not supported. ==== -//Add link!!!!! -. OPTIONAL: Set up {rhbk} metrics. -If you want to inject multiple CAs or certificates chains, you have to: -extract all certificates and certificate chains -convert them into .pem format -concatenate them into a single file -create a secret with the concatenated file -mount the secret -set NODE_EXTRA_CA_CERTS to the .pem file mount path + +//If you want to inject multiple CAs or certificates chains, you have to: extract all certificates and certificate chains convert them into .pem format concatenate them into a single file +create a secret with the concatenated file mount the secret set NODE_EXTRA_CA_CERTS to the .pem file mount path. From ac98b947a92697687eea1c8fd6da29af4eef99c3 Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 11:28:18 +0200 Subject: [PATCH 05/14] RHDHBUGS-2260 --- ...ly-configure-trust-for-certificate-authority-in-rhdh.adoc} | 4 ++-- ...st-for-certificate-authority-with-node-extra-ca-certs.adoc | 2 +- titles/configure_configuring-rhdh/master.adoc | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) rename assemblies/configure_configuring-rhdh/{assembly-configure-trust-for-corporate-ca.adoc => assembly-configure-trust-for-certificate-authority-in-rhdh.adoc} (64%) 
diff --git a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc similarity index 64% rename from assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc rename to assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc index 5dd3aecb5e6..ffd5743e45d 100644 --- a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca.adoc +++ b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc @@ -5,9 +5,9 @@ ifdef::context[:parent-context: {context}] = Configure trust for corporate Certificate Authority in {product} :previouscontext: {context} -:context: configure-trust-for-certificate-authority_in_rhdh +:context: configure-trust-for-certificate-authority-in-rhdh [role="_abstract"] Set up trust for certificates issued by corporate Certificate Authority (CA) in your {product} deployment. -include::../modules/configure_configuring-rhdh/proc- +include::../modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc[leveloffset=+1] diff --git a/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc b/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc index 5de080202fa..489618869cd 100644 --- a/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc +++ b/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc 
@@ -1,7 +1,7 @@ :_mod-docs-content-type: PROCEDURE [id="configure-trust-for-certificate-authority-with-node-extra-ca-certs_{context}"] -= Configure trust for corporate Certificate Authority with NODE_EXTRA_CA_CERTS += Configure trust for corporate Certificate Authority with `NODE_EXTRA_CA_CERTS` [role="_abstract"] The best practice for configuring {product-very-short} to trust a certificate issued by your corporate Certificate Authority (CA) is diff --git a/titles/configure_configuring-rhdh/master.adoc b/titles/configure_configuring-rhdh/master.adoc index 97350e8a60f..87132dc521a 100644 --- a/titles/configure_configuring-rhdh/master.adoc +++ b/titles/configure_configuring-rhdh/master.adoc @@ -34,6 +34,8 @@ include::assemblies/configure_configuring-rhdh/assembly-configure-high-availabil include::assemblies/configure_configuring-rhdh/assembly-run-rhdh-behind-a-corporate-proxy.adoc[leveloffset=+1] +include::assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc[leveloffset=+1] + include::assemblies/configure_configuring-rhdh/assembly-use-the-dynamic-plugins-cache.adoc[leveloffset=+1] include::modules/configure_configuring-rhdh/proc-enable-the-rhdh-plugin-assets-cache.adoc[leveloffset=+1] From 736ea0e5423792fb8a0dc0d1b2382a48cfd7431c Mon Sep 17 00:00:00 2001 
From: deerskindoll
Date: Wed, 20 May 2026 12:36:17 +0200
Subject: [PATCH 06/14] RHDHBUGS-2260
---
...ly-configure-trust-for-corporate-ca-in-rhdh.adoc} | 12 +++++++++---
...igure-trust-for-ca-with-node-extra-ca-certs.adoc} | 0
...bly-configure-trust-for-corporate-ca-in-rhdh.adoc | 1 +
3 files changed, 10 insertions(+), 3 deletions(-)
rename assemblies/configure_configuring-rhdh/{assembly-configure-trust-for-certificate-authority-in-rhdh.adoc => assembly-configure-trust-for-corporate-ca-in-rhdh.adoc} (53%)
rename modules/configure_configuring-rhdh/{proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc => proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc} (100%)
create mode 120000 titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc
diff --git a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc
similarity index 53%
rename from assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc
rename to assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc
index ffd5743e45d..66bb5b29185 100644
--- a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc
+++ b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc
@@ -1,13 +1,19 @@ :_mod-docs-content-type: ASSEMBLY ifdef::context[:parent-context: {context}] -[id="configure-trust-for-certificate-authority-in-rhdh_{context}"] +[id="configure-trust-for-corporate-certificate-authority-in-rhdh_{context}"] = Configure trust for corporate Certificate Authority in {product} :previouscontext: {context} -:context: configure-trust-for-certificate-authority-in-rhdh +:context: configure-trust-for-corporate-ca-in-rhdh [role="_abstract"] Set up trust for certificates issued by corporate Certificate Authority (CA) in your {product} deployment. -include::../modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc[leveloffset=+1] +include::../modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc[leveloffset=+1] + +:context: {previouscontext} +:!previouscontext: + +ifdef::parent-context[:context: {parent-context}] +ifndef::parent-context[:!context:] diff --git a/modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc b/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc similarity index 100% rename from modules/configure_configuring-rhdh/proc-configure-trust-for-certificate-authority-with-node-extra-ca-certs.adoc rename to modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc diff --git a/titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc b/titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc new file mode 120000 index 00000000000..3a2c715f6f6 --- /dev/null +++ b/titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc @@ -0,0 +1 @@ +assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc \ No newline at end of file 
From e5fbe15df3b9ad1dee0318de7ebf276a2e59aa53 Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 12:39:13 +0200 Subject: [PATCH 07/14] RHDHBUGS-2260 --- titles/configure_configuring-rhdh/master.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/titles/configure_configuring-rhdh/master.adoc b/titles/configure_configuring-rhdh/master.adoc index 87132dc521a..1631f23873f 100644 --- a/titles/configure_configuring-rhdh/master.adoc +++ b/titles/configure_configuring-rhdh/master.adoc @@ -34,7 +34,7 @@ include::assemblies/configure_configuring-rhdh/assembly-configure-high-availabil include::assemblies/configure_configuring-rhdh/assembly-run-rhdh-behind-a-corporate-proxy.adoc[leveloffset=+1] -include::assemblies/configure_configuring-rhdh/assembly-configure-trust-for-certificate-authority-in-rhdh.adoc[leveloffset=+1] +include::assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc[leveloffset=+1] include::assemblies/configure_configuring-rhdh/assembly-use-the-dynamic-plugins-cache.adoc[leveloffset=+1] From 783eeabc5415ae8c650b6235cac63c8be565348c Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 13:03:39 +0200 Subject: [PATCH 08/14] RHDHBUGS-2260 --- ...gure-trust-for-ca-with-node-extra-ca-certs.adoc | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc b/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc index 489618869cd..16f1def0178 100644 --- a/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc +++ b/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc 
@@ -16,16 +16,19 @@ The following instructions capture only the general outline of the procedure. ==== .Prerequisites -* You have a corporate CA-issued certificate. +* You have access to the public root or intermediate certificate of the CA you wish to trust. .Procedure -. Export the certificate from its source. -. Convert the certificate to `.pem` format. +. Export the corporate CA certificate chain (root and intermediate certificates) from its source. +. Convert the certificate or the entire certificate chain to `.pem` format. + [IMPORTANT] ==== The maximum of file paths in `.pem` format supported by `NODE_EXTRA_CA_CERTS` is *one*. You cannot concatenate multiple file paths as values of the environment variable. + +If you want to inject multiple CAs or certificate chains into your `.pem` file, +you must first convert them into `.pem` format and then concatenate them into a single file. ==== . Create a secret containing the CA. . Mount the secret into {product-very-short} environment. @@ -37,8 +40,3 @@ You can only use the file path of the CA as a mount path. Setting the CA directly as an environmental value is not supported. ==== - - - -//If you want to inject multiple CAs or certificates chains, you have to: extract all certificates and certificate chains convert them into .pem format concatenate them into a single file -create a secret with the concatenated file mount the secret set NODE_EXTRA_CA_CERTS to the .pem file mount path. From 76900e89ed34146d63b8f44de64975b2b53e27e6 Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 14:44:59 +0200 Subject: [PATCH 09/14] RHDHBUGS-2260 --- .../assembly-rhbk-metrics.adoc | 14 ++++++++++++++ ...k-plugin-metrics.adoc => ref-rhbk-metrics.adoc} | 10 +++++----- 2 files changed, 19 insertions(+), 5 deletions(-) create mode 100644 assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc rename modules/shared/{ref-keycloak-plugin-metrics.adoc => ref-rhbk-metrics.adoc} (84%) 
diff --git a/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc b/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc new file mode 100644 index 00000000000..f4112e47992 --- /dev/null +++ b/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc @@ -0,0 +1,14 @@ +:_mod-docs-content-type: ASSEMBLY +ifdef::context[:parent-context: {context}] + +[id="rhbk-metrics_{context}"] += {rhbk-brand-name} metrics for {product} +:context: rhbk-metrics + +[role="_abstract"] +Use {rhbk-brand-name} ({rhbk}) metrics to troubleshoot authentication issues. + +include::../modules/shared/ref-rhbk-metrics.adoc[leveloffset=+1] + +ifdef::parent-context[:context: {parent-context}] +ifndef::parent-context[:!context:] diff --git a/modules/shared/ref-keycloak-plugin-metrics.adoc b/modules/shared/ref-rhbk-metrics.adoc similarity index 84% rename from modules/shared/ref-keycloak-plugin-metrics.adoc rename to modules/shared/ref-rhbk-metrics.adoc index 33452fd7a25..621c328d07a 100644 --- a/modules/shared/ref-keycloak-plugin-metrics.adoc +++ b/modules/shared/ref-rhbk-metrics.adoc @@ -1,16 +1,16 @@ :_mod-docs-content-type: REFERENCE -[id="keycloak-plugin-metrics_{context}"] -= Keycloak plugin metrics +[id="rhbk-metrics_{context}"] += {rhbk-brand-name} metrics [role="_abstract"] -Monitor Keycloak fetch operations and diagnose issues by using OpenTelemetry metrics with Prometheus or Grafana. +Monitor {rhbk-brand-name} ({rhbk}) fetch operations and diagnose issues by using OpenTelemetry metrics with Prometheus or Grafana. -The Keycloak backend plugin supports OpenTelemetry metrics that you can use to monitor fetch operations and diagnose potential issues. +The {rhbk} backend plugin supports OpenTelemetry metrics that you can use to monitor fetch operations and diagnose potential issues. == Available Counters -Keycloak metrics: +{rhbk} metrics: [cols="60%,40%", frame="all", options="header"] |=== 
From 7705d95543b6880a11f8421d9bc6d8a504f0e15d Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 14:46:38 +0200 Subject: [PATCH 10/14] RHDHBUGS-2260 --- titles/observability_monitoring-and-logging/master.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/titles/observability_monitoring-and-logging/master.adoc b/titles/observability_monitoring-and-logging/master.adoc index f5a1706cc4c..640107c509c 100644 --- a/titles/observability_monitoring-and-logging/master.adoc +++ b/titles/observability_monitoring-and-logging/master.adoc @@ -21,3 +21,5 @@ include::assemblies/observability_monitoring-and-logging/assembly-enable-observa include::assemblies/observability_monitoring-and-logging/assembly-monitoring-and-logging-rhdh-on.adoc[leveloffset=+1] include::assemblies/observability_monitoring-and-logging/assembly-monitor-and-log-with-in-rhdh.adoc[leveloffset=+1] + +include::assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc[leveloffset=+1] From 89c828dcdc3338889c88ba76975840dcbb0f972e Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 15:11:52 +0200 Subject: [PATCH 11/14] RHDHBUGS-2260 --- modules/shared/proc-enable-authentication-with-rhbk.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/shared/proc-enable-authentication-with-rhbk.adoc b/modules/shared/proc-enable-authentication-with-rhbk.adoc index e8e784c82b5..559c6ea76f1 100644 --- a/modules/shared/proc-enable-authentication-with-rhbk.adoc +++ b/modules/shared/proc-enable-authentication-with-rhbk.adoc 
@@ -152,7 +152,7 @@ Enhance security and prevent potential misuse of older tokens by enabling a refr . From the *Realm Settings* page, click the *Tokens* tab. . From the *Refresh tokens* section of the *Tokens* tab, toggle the *Revoke Refresh Token* to the *Enabled* position. ==== - +. Optional: Enable xref:assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc[{rhbk} metrics]. . To disable the guest login option, in the `{my-app-config-file}` file, set the authentication environment to `production`: + [source,yaml] From 53fc07644caee5f3de7f389441fe0e555611ada3 Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 15:32:32 +0200 Subject: [PATCH 12/14] RHDHBUGS-2260 --- ...igure-trust-for-corporate-certificate-authority-in-rhdh.adoc} | 0 .../assembly-configure-trust-for-corporate-ca-in-rhdh.adoc | 1 - 2 files changed, 1 deletion(-) rename assemblies/configure_configuring-rhdh/{assembly-configure-trust-for-corporate-ca-in-rhdh.adoc => assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc} (100%) delete mode 120000 titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc diff --git a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc similarity index 100% rename from assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc rename to assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc diff --git a/titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc b/titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc deleted file mode 120000 index 3a2c715f6f6..00000000000 --- a/titles/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc +++ /dev/null 
@@ -1 +0,0 @@ -assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc \ No newline at end of file From 8285bdcf9777137b66c9a9c9e271a44fab5e855a Mon Sep 17 00:00:00 2001 From: deerskindoll Date: Wed, 20 May 2026 15:39:22 +0200 Subject: [PATCH 13/14] RHDHBUGS-2260 --- titles/configure_configuring-rhdh/master.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/titles/configure_configuring-rhdh/master.adoc b/titles/configure_configuring-rhdh/master.adoc index 1631f23873f..d4b63804b11 100644 --- a/titles/configure_configuring-rhdh/master.adoc +++ b/titles/configure_configuring-rhdh/master.adoc @@ -34,7 +34,7 @@ include::assemblies/configure_configuring-rhdh/assembly-configure-high-availabil include::assemblies/configure_configuring-rhdh/assembly-run-rhdh-behind-a-corporate-proxy.adoc[leveloffset=+1] -include::assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-ca-in-rhdh.adoc[leveloffset=+1] +include::assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc[leveloffset=+1] include::assemblies/configure_configuring-rhdh/assembly-use-the-dynamic-plugins-cache.adoc[leveloffset=+1] From 4b2611b504f8f42e9a16f5679ad723e464877716 Mon Sep 17 00:00:00 2001 
From: deerskindoll Date: Wed, 20 May 2026 17:12:11 +0200 Subject: [PATCH 14/14] RHDHBUGS-2260 --- ...ure-trust-for-corporate-certificate-authority-in-rhdh.adoc | 2 +- ...-rhbk-metrics.adoc => assembly-rhbk-metrics-for-rhdh.adoc} | 4 ++-- ...orate-certificate-authority-with-node-extra-ca-certs.adoc} | 2 +- modules/shared/proc-enable-authentication-with-rhbk.adoc | 2 +- titles/observability_monitoring-and-logging/master.adoc | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) rename assemblies/observability_monitoring-and-logging/{assembly-rhbk-metrics.adoc => assembly-rhbk-metrics-for-rhdh.adoc} (83%) rename modules/configure_configuring-rhdh/{proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc => proc-configure-trust-for-corporate-certificate-authority-with-node-extra-ca-certs.adoc} (94%) diff --git a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc index 66bb5b29185..17b9ad11399 100644 --- a/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc +++ b/assemblies/configure_configuring-rhdh/assembly-configure-trust-for-corporate-certificate-authority-in-rhdh.adoc @@ -10,7 +10,7 @@ ifdef::context[:parent-context: {context}] [role="_abstract"] Set up trust for certificates issued by corporate Certificate Authority (CA) in your {product} deployment. -include::../modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc[leveloffset=+1] +include::../modules/configure_configuring-rhdh/proc-configure-trust-for-corporate-certificate-authority-with-node-extra-ca-certs.adoc[leveloffset=+1] :context: {previouscontext} :!previouscontext: 
diff --git a/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc b/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics-for-rhdh.adoc similarity index 83% rename from assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc rename to assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics-for-rhdh.adoc index f4112e47992..7b8fc8a00d0 100644 --- a/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc +++ b/assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics-for-rhdh.adoc @@ -1,9 +1,9 @@ :_mod-docs-content-type: ASSEMBLY ifdef::context[:parent-context: {context}] -[id="rhbk-metrics_{context}"] +[id="rhbk-metrics-for-rhdh_{context}"] = {rhbk-brand-name} metrics for {product} -:context: rhbk-metrics +:context: rhbk-metrics-for-rhdh [role="_abstract"] Use {rhbk-brand-name} ({rhbk}) metrics to troubleshoot authentication issues. diff --git a/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc b/modules/configure_configuring-rhdh/proc-configure-trust-for-corporate-certificate-authority-with-node-extra-ca-certs.adoc similarity index 94% rename from modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc rename to modules/configure_configuring-rhdh/proc-configure-trust-for-corporate-certificate-authority-with-node-extra-ca-certs.adoc index 16f1def0178..10c081635fd 100644 --- a/modules/configure_configuring-rhdh/proc-configure-trust-for-ca-with-node-extra-ca-certs.adoc +++ b/modules/configure_configuring-rhdh/proc-configure-trust-for-corporate-certificate-authority-with-node-extra-ca-certs.adoc 
@@ -1,6 +1,6 @@ :_mod-docs-content-type: PROCEDURE -[id="configure-trust-for-certificate-authority-with-node-extra-ca-certs_{context}"] +[id="configure-trust-for-corporate-certificate-authority-with-node-extra-ca-certs_{context}"] = Configure trust for corporate Certificate Authority with `NODE_EXTRA_CA_CERTS` [role="_abstract"] diff --git a/modules/shared/proc-enable-authentication-with-rhbk.adoc b/modules/shared/proc-enable-authentication-with-rhbk.adoc index 559c6ea76f1..e6c3ba1ff42 100644 --- a/modules/shared/proc-enable-authentication-with-rhbk.adoc +++ b/modules/shared/proc-enable-authentication-with-rhbk.adoc @@ -152,7 +152,7 @@ Enhance security and prevent potential misuse of older tokens by enabling a refr . From the *Realm Settings* page, click the *Tokens* tab. . From the *Refresh tokens* section of the *Tokens* tab, toggle the *Revoke Refresh Token* to the *Enabled* position. ==== -. Optional: Enable xref:assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc[{rhbk} metrics]. +. Optional: Enable xref:assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics-for-rhdh.adoc[{rhbk} metrics]. . To disable the guest login option, in the `{my-app-config-file}` file, set the authentication environment to `production`: + [source,yaml] diff --git a/titles/observability_monitoring-and-logging/master.adoc b/titles/observability_monitoring-and-logging/master.adoc index 640107c509c..5ba7f6d9f90 100644 --- a/titles/observability_monitoring-and-logging/master.adoc +++ b/titles/observability_monitoring-and-logging/master.adoc 
@@ -22,4 +22,4 @@ include::assemblies/observability_monitoring-and-logging/assembly-monitoring-and include::assemblies/observability_monitoring-and-logging/assembly-monitor-and-log-with-in-rhdh.adoc[leveloffset=+1] -include::assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics.adoc[leveloffset=+1] +include::assemblies/observability_monitoring-and-logging/assembly-rhbk-metrics-for-rhdh.adoc[leveloffset=+1]