Make Keycloak Realm Operator write Keycloak k8s secrets into different namespaces


Kevin Reis

Feb 9, 2023, 5:06:59 AM
to Keycloak Dev
Hi everyone,

I'm currently taking a look at the Keycloak Realm Operator. It looks promising. However, if you let the operator manage Keycloak Clients, it will write their secrets into k8s Secrets only in the namespace which the operator is watching. This can be a bit inconvenient if you have apps that are secured by Keycloak and spread across multiple namespaces.

I haven't found a way to let the operator write Keycloak Secrets into different namespaces yet. A workaround would be to replicate the Secrets in other namespaces, either by kubectl or using a service like kubernetes-replicator.

I suggest adding this kind of replication feature to the Keycloak Realm Operator, and to the new Keycloak Operator at some later point. A replication could be triggered by e.g. annotating a target namespace with information about the realm and the client whose secrets should be written to the targeted namespace. Then, the operator would scan all namespaces and check if the annotation is set. If that's the case, it creates the k8s Secret containing the desired client's secret in the detected namespace.

A possible example:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: myproject
  annotations:
      {
        "my-realm": ['my-client']
      }
```
Here, you could specify any clients of a realm whose secrets you need to have injected into the 'myproject' namespace.

Cheers,
Kevin
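The annotation-driven replication sketched above, as an added example written for this page and not code from the Keycloak Realm Operator: a planning step that reads an opt-in annotation on each Namespace and decides which client secrets get written where. The annotation key `keycloak.example.org/replicate-client-secrets` and the `Namespace`/`SecretPlan` types are assumptions; Kubernetes annotation values must be strings, so the realm-to-clients mapping is carried as a JSON string, and each request is checked against the set of clients the operator actually manages before a Secret is planned.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Assumed annotation name (not from the thread); annotation values must be
// strings in Kubernetes, so the realm -> clients mapping travels as JSON.
const AnnotationKey = "keycloak.example.org/replicate-client-secrets"
// Namespace holds the corev1.Namespace fields the planner reads.
type Namespace struct {
	Name        string
	Annotations map[string]string
}
// SecretPlan is one k8s Secret to create: the secret of Client in Realm, in Namespace.
type SecretPlan struct{ Namespace, Realm, Client string }
// PlanReplication reads each namespace's opt-in annotation and returns the Secrets
// to create, limited to clients the operator manages (known: realm -> client IDs)
// so a namespace cannot pull secrets of unmanaged realms; bad entries are reported.
func PlanReplication(namespaces []Namespace, known map[string]map[string]bool) ([]SecretPlan, []error) {
	var plans []SecretPlan
	var errs []error
	for _, ns := range namespaces {
		raw, ok := ns.Annotations[AnnotationKey]
		if !ok {
			continue // namespace did not opt in
		}
		var req map[string][]string
		if err := json.Unmarshal([]byte(raw), &req); err != nil {
			errs = append(errs, fmt.Errorf("namespace %s: invalid annotation: %w", ns.Name, err))
			continue
		}
		for realm, clients := range req {
			for _, c := range clients {
				if !known[realm][c] {
					errs = append(errs, fmt.Errorf("namespace %s: unknown client %q in realm %q", ns.Name, c, realm))
					continue
				}
				plans = append(plans, SecretPlan{ns.Name, realm, c})
			}
		}
	}
	sort.Slice(plans, func(i, j int) bool { // deterministic order across reconciles
		return plans[i].Namespace+"/"+plans[i].Realm+"/"+plans[i].Client <
			plans[j].Namespace+"/"+plans[j].Realm+"/"+plans[j].Client
	})
	return plans, errs
}
```

Writing Secrets into arbitrary namespaces also means the operator needs cluster-wide create/update rights on Secrets, which is worth weighing against the narrower RBAC of the kubernetes-replicator workaround mentioned above.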

Kevin Reis

Feb 14, 2023, 3:56:22 AM
to Keycloak Dev
I could try to propose an implementation for the Keycloak Realm Operator. Also, I came across this design documentation of the Keycloak.X Operator https://github.com/keycloak/keycloak-community/pull/330, and maybe it might be worth mentioning that in the document if we can agree on this feature?

Václav Muzikář

Mar 24, 2023, 1:54:05 PM
to Kevin Reis, Keycloak Dev
Hello and sorry for the late reply.

Unfortunately, we do not plan to add this functionality to the Realm Operator which currently acts as our temporary solution for the missing CRs. We will consider this for the new Operator, when we add support for Client CRs.

Thank you for your understanding.

Regards,
Václav Muzikář

To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/6ed9be04-996c-4967-a612-7d8a5813f670n%40googlegroups.com.


--
Václav Muzikář
Senior Software Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.