What is the recommended way to safely CI/CD KeycloakClient objects?
You shouldn’t put secrets in non Kubernetes Secret objects. The ‘secret’ property of the CRD is not safe as it refers to the plaintext secret, not a Kubernetes secret containing the actual secret.
It also doesn’t work to variable substitute into the vault with that property.
If you don’t specify it in the CR, it seems to randomly generate a new secret. Which is not so useful for reproducibility.
Precreating the Kubernetes secret that keycloak-operator generates doesn’t seem to work. It gets overwritten.
There a trick I’m missing?