KeycloakClient Secret

What is the recommended way to safely CI/CD KeycloakClient objects?

You shouldn’t put secrets in non-Kubernetes Secret objects. The ‘secret’ property of the CRD is not safe, as it refers to the plaintext secret, not to a Kubernetes Secret containing the actual secret.

It also doesn’t work to variable substitute into the vault with that property.

If you don’t specify it in the CR, it seems to randomly generate a new secret, which is not so useful for reproducibility.

Precreating the Kubernetes secret that keycloak-operator generates doesn’t seem to work. It gets overwritten.

Is there a trick I’m missing?

Thanks,
Kevin

2 Likes

One option would be to update the KeycloakClient to allow users to specify the source to read the ‘secret’ from, similar to how the k8s Pod allows setting environment variable from a value in a k8s Secret.

e.g.

client:
  clientId: my-client
  secretValueFrom:
    secretKeyRef:
      name: mysecret
      key: mysecretkey
1 Like