Secrets in KeycloakRealmImport CR

mlhartme · January 5, 2023, 9:13am

I’d like to use the Keycloak Operator and its Realm Importer (Keycloak Realm Import - Keycloak), i.e. the realm would be configured in a KeycloakRealmImport customer resource

My question: can I store secrets (e.g. the client secret of openid-connect clients) in a Kubernetes Secret and somehow reference them from the KeycloakRealmImport CR?

It would feel much better to keep secrets separated in secrets resources. And my company setup enforces me to do so: all kubernetes resources - except secrets – are readable by every employee, so I’d kind disclose them by placing them in a customer resource.

dgaulin · May 23, 2024, 1:20pm

Did you ever find out how to do this? Looking at the same issue right now.

djordje · May 27, 2024, 1:08pm

Hi, you can enable:
-Dkeycloak.migration.replace-placeholders=true

Then, in order to replace your value in realm.json file:
…
“clientSecret”: “${ENV_SECRET}”,
…

For local setup you will use Dockerfile:
ENV CUSTOMER_SECRET=“SECRET”

And for other envs, you can just override this value.

Topic		Replies	Views
KeycloakClient Secret Getting advice	1	728	December 1, 2022
Problem environment variable in realm.json Configuring the server authentication , identity-brokering	1	2072	June 16, 2021
Keycloak - injecting secrets into keycloak container on realm import	1	949	December 13, 2021
Suggestions on keeping secrets out of Dockerfiles Configuring the server	6	313	February 15, 2024
Keycloak client secrets populated into pods and used in the keycloak adapter config Securing applications authentication	0	379	April 27, 2021

Secrets in KeycloakRealmImport CR

Related topics