keycloak integration - PKIX path building failed

[pbagona]

Hello, I am using AKHQ helmchart on k8s cluster, version&appVersion are 0.24.0.

My goal is to connect it with Keyclaok on different k8s cluster.

I have prepared configuration, but when I try to start AKHQ with new configuration and oidc enabled + micronaunt.security.oauth2 enabled, I'm getting into error with certificate.
Without that, AKHQ works fine, mounts everything to specified path and is able to connect to Kafka.

For different applications, I had to provide root ca certificate (for example when integrating with Grafana, I had to mount cert to /etc/ssl/certs path or with OpenSearch I specifically defined root_ca path which I mounted) and after that it worked.

However not sure how to achieve same thing here, as I believe it's reason why AKHQ pod fails to start when I add oidc configuration.

I tried mounting it to path /etc/ssl/certs but AKHQ doesn't start, I tried subpath /etc/ssl/certs/cacert (to not loose all default certs on /etc/ssl/certs path) and didn't help, also completely custom path didn't help either.

Here are errors I'm getting, configuration is bellow:

2024-06-03 13:29:07,582 ERROR main       i.m.runtime.Micronaut      Error starting Micronaut server: Bean definition [io.micronaut.security.oauth2.client.DefaultOpenIdProviderMetadata] could not be loaded: Error instantiating bean of type  [io.micronaut.security.oauth2.client.DefaultOpenIdProviderMetadata]

Message: javax.net.ssl.SSLHandshakeException: No X509TrustManager implementation available
Path Taken: DefaultOpenIdProviderMetadata.openIdConfiguration(OauthClientConfiguration oauthClientConfiguration,OpenIdClientConfiguration openIdClientConfiguration,OpenIdProviderMetadataFetcher openIdProviderMetadataFetcher)
	at io.micronaut.context.DefaultBeanContext.initializeContext(DefaultBeanContext.java:1921)
	at io.micronaut.context.DefaultApplicationContext.initializeContext(DefaultApplicationContext.java:249)
	at io.micronaut.context.DefaultBeanContext.readAllBeanDefinitionClasses(DefaultBeanContext.java:3326)
	at io.micronaut.context.DefaultBeanContext.finalizeConfiguration(DefaultBeanContext.java:3684)
	at io.micronaut.context.DefaultBeanContext.start(DefaultBeanContext.java:341)
	at io.micronaut.context.DefaultApplicationContext.start(DefaultApplicationContext.java:194)
	at io.micronaut.runtime.Micronaut.start(Micronaut.java:75)
	at io.micronaut.runtime.Micronaut.run(Micronaut.java:323)
	at io.micronaut.runtime.Micronaut.run(Micronaut.java:309)
	at org.akhq.App.main(App.java:27)

Here is example of my configuration:

# imagePullSecrets:
#  - name: my-repository-secret
image:
  repository: tchiotludo/akhq
  tag: "" # uses Chart.AppVersion by default

# custom annotations (example: for prometheus)
annotations: {}

podAnnotations: {}

# custom labels
labels: {}
  # custom.label: 'true'

podLabels: {}

## You can put directly your configuration here... or add java opts or any other env vars
extraEnv: []

## Or you can also use configmap for the configuration...
configuration:
  akhq:
    server:
      access-log:
        enabled: true
        name: org.akhq.log.access
    connections:
      some-kafka:
        properties:
          bootstrap.servers: "kafka-adress:443"
          sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="akhq-user" password="somepassword";
          sasl.mechanism: SCRAM-SHA-512
          security.protocol: SASL_SSL
          ssl.endpoint.identification.algorithm: ""
          ssl.keystore.location: /credentials/keystore.jks
          ssl.keystore.password: somepassword
          ssl.truststore.location: /credentials/truststore.jks
#... and secret for connection information
existingSecrets: ""
# name of the existingSecret
secrets:
  akhq:
    security:
      default-group: no-roles
      basic-auth:
        - username: reader
          password: "somepasswordhash"
          groups:
          - reader
      oidc:
        enabled: true
        providers:
          keycloak:
            label: "Login with Keycloak"
            username-field: preferred_username
            # specifies the field name in the oidc claim containing the use assigned role (eg. in keycloak this would be the Token Claim Name you set in your Client Role Mapper)
            groups-field: roles
            default-group: reader
  micronaut:
    security:
      enabled: true
      default-group: no-roles
      oauth2:
        enabled: true
        clients:
          keycloak:
            client-id: "akhqclient"
            client-secret: "clientsecret"
            openid:
              issuer: http://keycloakadress/realms/test
              configuration-path: "/.well-known/openid-configuration"
      token:
        jwt:
          signatures:
            secret:
              generator:
                secret: "SUPERSECRET"

kafkaSecrets: []
#Provide extra base64 encoded kubernetes secrets (keystore/truststore)

# Any extra volumes to define for the pod (like keystore/truststore)
extraVolumes:
- name: credentials
  secret:
    secretName: akhq
    items:
    - key: truststore.jks
      path: truststore.jks
    - key: keystore.jks
      path: keystore.jks
    - key: tls.crt
      path: tls.crt
    - key: tls.key
      path: tls.key
    - key: ca.crt
      path: ca.crt
- name: cacert
  secret:
    secretName: cacert
    items:
    - key: custom-cert.pem
      path: custom-cert.pem
# Any extra volume mounts to define for the akhq container
extraVolumeMounts:
- name: credentials
  mountPath: "/credentials"
  readOnly: true
- name: cacert
  mountPath: "/etc/ssl/certs/cacert"
  readOnly: true

# Specify ServiceAccount for pod
serviceAccountName: null
serviceAccount:
  create: false

# Add your own init container or uncomment and modify the example.
initContainers: {}

# Configure the Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext: {}

service:
  enabled: true
  type: ClusterIP
  port: 80
  managementPort: 28081
  #httpNodePort: 32551
  #managementNodePort: 32552
  labels: {}
  annotations:
    # cloud.google.com/load-balancer-type: "Internal"

ingress:
  enabled: true
  ingressClassName: ""
  annotations: {}
  paths:
    - /
  pathType: "ImplementationSpecific"
  hosts:
    - someakhqhost
  tls: []
  #  - secretName: akhq-tls
  #    hosts:
  #      - akhq.demo.com

### Readiness / Liveness probe config.
### ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
readinessProbe:
  enabled: true
  prefix: "" # set same as `micronaut.server.context-path`
  path: /health
  port: management
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 3
  httpGetExtra: {}

livenessProbe:
  enabled: true
  prefix: "" # set same as `micronaut.server.context-path`
  path: /health
  port: management
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 3
  httpGetExtra: {}

networkPolicy:
  enabled: true