From 0b95c35072bb5bbddc6fd4954a61cf91adbeb5ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20=C5=81askawiec?=
Date: Fri, 18 Apr 2025 11:50:56 +0200
Subject: [PATCH 1/3] Keycloak FIPS support

---
 .../chart/templates/secret-kc-realm.yaml      |  1 +
 src/keycloak/chart/templates/statefulset.yaml | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index 8288dbfd0c..8b3e9f9ead 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -34,3 +34,4 @@ data:
   MFA_ENABLED: {{ or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
   MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
   ENABLE_REGISTRATION_FIELDS: {{ .Values.themeCustomizations.settings.enableRegistrationFields | toString | b64enc }}
+  FIPS_ENABLED: {{ .Values.fips }}
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index fbd6aee13a..dca5dfdb07 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -82,7 +82,14 @@ spec:
           {{- end }}
           # This will only import the realm if it does not exist
           - "--import-realm"
+          # FIPS Mode
+          {{- if .Values.fips }}
+          # Full configuration might be found at https://www.keycloak.org/server/fips
+          - "--features=preview,fips"
+          - "--fips-mode=strict"
+          {{- else }}
           - "--features=preview"
+          {{- end }}
           - "--proxy-headers=xforwarded"
           - "--http-enabled=true"
           - "--hostname-strict=false"
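Review bot: The added `- "--fips-mode=strict"` line makes Keycloak's FIPS enforcement depend on things this chart does not control: the image must bundle the BouncyCastle FIPS provider jars and run on a FIPS-capable JVM, and nothing in this patch series pins such an image, so with a stock image the server should refuse to start rather than silently run non-FIPS — worth confirming and stating next to the flag. Strict mode, per the linked Keycloak FIPS page, also requires BCFKS keystores rather than PKCS12, so any TLS keystore or truststore the chart configures elsewhere (not visible here) must follow the `fips` toggle. Read together with the third hunk (`@@ -178,12 +190,6 @@`), which deletes `JAVA_TOOL_OPTIONS=-Dcom.redhat.fips=true`, the JVM-level FIPS switch is replaced by Keycloak's own; I would say so in the comment, e.g. `# FIPS is enforced by Keycloak (BCFIPS provider, strict mode), not via JAVA_TOOL_OPTIONS; the image must ship the BCFIPS jars and any keystore must be BCFKS`. The args list this hunk modifies begins before the hunk.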
@@ -137,6 +144,11 @@ spec:
             value: DEBUG
           - name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL
             value: TRACE
+          # Crypto information, primarily for FIPS debugging
+          - name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_COMMON_CRYPTO__LEVEL
+            value: TRACE
+          - name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_CRYPTO__LEVEL
+            value: TRACE
           {{- end }}
           {{- if eq (include "keycloak.postgresql.config" .) "true" }}
           # Infinispan cache configuration
@@ -178,12 +190,6 @@ spec:
               secretKeyRef:
                 name: {{ include "keycloak.fullname" . }}-postgresql
                 key: password
-          # FIPS Mode
-          {{- if .Values.fips }}
-          # https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index
-          - name: JAVA_TOOL_OPTIONS
-            value: "-Dcom.redhat.fips=true"
-          {{- end }}
           {{- end }}
           {{- if .Values.insecureAdminPasswordGeneration.enabled }}
           - name: KEYCLOAK_ADMIN

From 970af2641ca689259f804f248105abef86e96eea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20=C5=81askawiec?=
Date: Fri, 18 Apr 2025 12:19:06 +0200
Subject: [PATCH 2/3] Fixed Helm error

---
 src/keycloak/chart/templates/secret-kc-realm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index 8b3e9f9ead..d7fadff480 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -34,4 +34,4 @@ data:
   MFA_ENABLED: {{ or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
   MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
   ENABLE_REGISTRATION_FIELDS: {{ .Values.themeCustomizations.settings.enableRegistrationFields | toString | b64enc }}
-  FIPS_ENABLED: {{ .Values.fips }}
+  FIPS_ENABLED: {{ .Values.fips | b64enc }}

From 5650bb95a7d96a84c494eb98aa386e90b5002075 Mon Sep 17 00:00:00 2001
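Review bot: The two TRACE categories added after `value: TRACE` (`ORG_KEYCLOAK_COMMON_CRYPTO` and `ORG_KEYCLOAK_CRYPTO`) sit inside a `{{- if ... }}` block whose opening is outside the hunk; only its `{{- end }}` is visible, so the condition that enables them cannot be checked here. TRACE on the crypto packages is very verbose and may write details of provider selection and key handling into pod logs, so the gate should be a debug-only value that defaults to off and is independent of the `fips` toggle. I would make that explicit in the added comment: `# Crypto information, primarily for FIPS debugging; very verbose, keep behind the debug toggle only`.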
From: =?UTF-8?q?Sebastian=20=C5=81askawiec?=
Date: Fri, 18 Apr 2025 12:28:34 +0200
Subject: [PATCH 3/3] More Helm fixes

---
 src/keycloak/chart/templates/secret-kc-realm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index d7fadff480..d6d1f63fd3 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -34,4 +34,4 @@ data:
   MFA_ENABLED: {{ or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
   MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
   ENABLE_REGISTRATION_FIELDS: {{ .Values.themeCustomizations.settings.enableRegistrationFields | toString | b64enc }}
-  FIPS_ENABLED: {{ .Values.fips | b64enc }}
+  FIPS_ENABLED: {{ .Values.fips | toString | b64enc }}
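Review bot: `FIPS_ENABLED: {{ .Values.fips | toString | b64enc }}` now matches the sibling keys, but it renders whatever `.Values.fips` holds, and if `fips` is not declared in values.yaml (not part of this page) the rendered string is a placeholder such as `<nil>` rather than `false`, which whatever consumes `FIPS_ENABLED` is unlikely to treat as disabled. Declaring `fips: false` in values.yaml, or writing `FIPS_ENABLED: {{ .Values.fips | default false | toString | b64enc }}`, pins the literal to `true`/`false`. A comment on the key naming the literal the realm consumer expects, e.g. `# "true" or "false" as a string; keep in sync with --fips-mode in statefulset.yaml`, would help the next editor.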